[ISN] New Jersey lottery Web site may contain security risks, experts warn

From: InfoSec News (isnat_private)
Date: Tue Dec 31 2002 - 01:01:01 PST

  • Next message: InfoSec News: "Re: [ISN] ComputracePlus deletes stolen data"

    By JOHN P. McALPIN, Associated Press 
    TRENTON, N.J. (December 30, 2002 2:41 p.m. EST) - New Jersey Lottery
    players who sign up for a VIP service offering discounts, bonus games
    and daily e-mails of winning numbers are risking more than the price
    of a ticket, Internet security experts warn.
    The lottery's VIP Club requires people to give a name, postal address
    and e-mail address. Also requested are their birth date and mother's
    maiden name, key personal details that have security experts worried
    about identity theft.
    "No matter how hard I think about it, it's tough to come up with an
    excuse for why that information should be required," said Lauren
    Weinstein, founder and moderator of the Privacy Forum online group.
    "The people who design these forms don't even think of this stuff. It
    doesn't occur to them that the combination of both birth date and
    mother's maiden name is something you should never disclose,"  
    Weinstein said. "They've asked all the key questions there except
    'What's your Social Security number?'"
    About 77,000 lottery customers have enrolled in the service, up and
    running for about a year.
    Linda Melone, the lottery's deputy director of marketing, said the
    information isn't collected for direct-marketing programs and won't be
    disclosed to outside agencies.
    Jaimee Gilmartin, a spokeswoman for the lottery, defended the
    requests, saying birth dates verify that players are over 18 and
    maiden names are often used as password protectors. The lottery has
    never had a case of identity theft or other security breaches, she
    "The New Jersey lottery is constantly evaluating and re-evaluating our
    procedures to ensure we provide the highest level of security for our
    players," Gilmartin said.
    Texas and Indiana have similar services that request birth dates.  
    Texas also asks for a maiden name, but Indiana does not.
    Consumers should make sure such sites offer clear privacy warnings and
    hold the government to the letter of the law, said Robert Ellis Smith,
    publisher of "Privacy Journal" newsletter. However, often customers
    just click past such statements, which are often written by lawyers
    and difficult to understand, he said.
    Potential security concerns about the Internet were cause for concern
    for some players interviewed.
    "It's too easy for someone to steal your identity, especially if you
    have to give your mother's maiden name," said Rich Froman, 39, who
    bought two Pick 3 tickets and one Pick 6 ticket at an Atlantic County
    convenience store recently. "That's one of the most private pieces of
    information you have. To get updated lottery results? That's a joke."
    Most players, however, are like Louann Elwood, 29, who didn't know
    about the VIP program even though she's a regular player and goes to
    the Web site sometimes. Elwood said she had no problem giving the
    "I'm addicted to the lottery," Elwood said while buying $10 worth of
    Pick 4, Pick 5 and Pick 6 tickets.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 08:01:35 PST