[privacy] City of Chicago Loses Voter Data

Mon Jan 22 19:02:08 CST 2007

You asked for comments.

My bank came up with a great idea. They called me, and asked me for my 
mother's maiden name. This, they said, would be used to prove my identity 
when I phone them up. It's good that my bank comes up with fresh and 
original security systems.

So, first of all I put them through the "Who are you, you're 
someone phoning me out of the blue, why should I believe you're my bank?" 
So she offered to give me the phone number so I could call her back. We 
both had a bit of a luagh about that.

Then she offered to email me; because it was email, I'd know it was coming 
from the bank.

I had a bit of a laugh about that, and told her to speak to her IT people 
to have the joke explained.

So I asked to speak to someone higher up.

Then I made a counter offer. "Look me up on the internet, maybe use a 
geneology web site. Find out my mother's maiden name yourself, then you 
can ask me for it each time I call."

Then there was a bit of a pause while the person I spoke to worked out 
that if they could discover my mother's maden name, so could anyone else.

"So," I said, "how about I call you back on this."

So I called my bank manager, using the bank's number. He denied that the 
bank would be so stupid, and said it was probably an attempt at identity 
theft, and he'd look into it.

Then he called me back. Apparently, it was the bank after all. "And we 
really do need your mother's maiden name." I put it to him that he didn't. 
He insisted that he did.  I said, "No, you want something that you can use 
to verify that it's me, it doesn't have to be mother's maiden name."

"Yes it does," he insisted, "it's a directive from Head Office. Nothing 
else will do."

"Hmm," I explained, "and what will you do when I tell you that this is 
confidential information that I'm not going to give you?"

He said he'd call me back.

I'm still waiting.

On Mon, 22 Jan 2007, Shyaam wrote:

> THAT REALLY STINKS. At this rate there is no use for passport or SSN or any
> secure ID as everything is being lost these days, infact not by individuals
> who are educated using "Security Awareness" but the ones who are supposed to
> maintain it.
> 
> Any comments ???
> 
> Kind Regards,
> Shyaam
> 
> On 1/22/07, Fergie <fergdawg at netzero.net> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Via The Chicago Sun-Times.
> >
> > [snip]
> >
> > About 100 computer discs with 1.3 million Chicago voters' Social Security
> > numbers have been distributed to aldermen and ward committeemen, and the
> > whereabouts of at least an additional six CDs with the same information
> > are
> > unknown, according to the Chicago Board of Elections.
> >
> > This follows another security lapse in October 2006, when voters' Social
> > Security numbers were available through the board's Web site. But unlike
> > the Web site flaw, which was fixed in a few minutes, it will be difficult,
> > if not impossible, for the Board of Elections to retrieve sensitive data
> > physically scattered on more than 100 discs throughout the area.
> >
> > The discs also contain voters' birth dates and addresses -- information
> > that along with Social Security numbers can be used to commit identity
> > theft.
> >
> > [snip]
> >
> > More:
> > http://www.suntimes.com/news/politics/222892,CST-NWS-data22.article
> >
> > - - ferg
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Desktop 9.5.2 (Build 4075)
> >
> > wj8DBQFFtUscq1pz9mNUZTMRAtX9AKCJSeWlRvqDLdd7mIyNFA/nOIDkcgCg/Upq
> > U3CFympEfBhxecNyDMkakSU=
> > =7yUx
> > -----END PGP SIGNATURE-----
> >
> >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> > Engineering Architecture for the Internet
> > fergdawg(at)netzero.net
> > ferg's tech blog: http://fergdawg.blogspot.com/
> >
> > _______________________________________________
> > privacy mailing list
> > privacy at whitestar.linuxbox.org
> > http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
> >
> 
> 
> 
> 