A friend of mine forwarded me the post that went out to
interesting-people on the flaw I discovered at PayMaxx. While the
Globe article covers part of it, the real crux of the issue is
outlined in my white paper:

President & CEO
Think Computer Corporation

Payroll website still not secured
By Hiawatha Bray, Globe Staff | March 1, 2005

Boston software entrepreneur Aaron Greenspan, who revealed serious
security flaws in the website of Tennessee payroll company PayMaxx
Inc. last week, said yesterday that the site remains
insecure. Greenspan said that a computer hacker still could use the
site to obtain the Social Security numbers of hundreds of Americans.

Greenspan called the management of PayMaxx 'incompetent,' and urged
Congress to investigate the company. "They have no idea what they're
doing," he said.

Greenspan's company, Think Computer Corp., had its payrolls prepared
by PayMaxx, of Franklin, Tenn., until late last year. After ending
their relationship, Greenspan found that his name, address, Social
Security number, and other personal data were still available on the
PayMaxx website, which could be accessed by entering zeroes in the
site's login windows. Greenspan also found that he could obtain the
same information about other PayMaxx customers by typing random
numbers into the browser's address window. He estimated that up to
100,000 files could be accessed this way.

After being contacted by the Globe, PayMaxx shut down the insecure website
service. But yesterday, Greenspan said he found another way into the
system. This time, he demonstrated for the Globe how a data thief could
obtain the Social Security numbers of people listed in the PayMaxx system.

Greenspan said that PayMaxx apparently used workers' Social Security
numbers to identify them to the website software. But the company's method
made it easy to read those numbers by merely activating the 'view source'
feature found on all Web browsers.

A spokesperson for PayMaxx said that the company would shut down the
site entirely until questions about its security were resolved. The
spokesperson also said that there was no indication that anybody had
stolen personal data from the site.

Greenspan said he's contacted the office of US Senator Charles Schumer,
Democrat of New York. Schumer has called for legislation to limit
data-mining services that contribute to identity theft. Congressional
concern over the potential privacy threat erupted in February, when
mistakenly sold 140,000 files to criminals.

Hiawatha Bray can be reached at firstname.lastname@example.org.

Copyright 2005 The New York Times Company

[NOTE: To read several hundred New York Times items online here each
day with no login or registration requirement, set your browser to
http://telecom-digest.org/td-extra/nytimes.html . PAT]