[ISN] Payroll website still not secured

From: InfoSec News (isn@private)
Date: Tue Mar 01 2005 - 01:46:26 PST


http://www.boston.com/business/articles/2005/03/01/payroll_website_still_not_secured/

By Hiawatha Bray
Globe Staff
March 1, 2005

Boston software entrepreneur Aaron Greenspan, who revealed serious
security flaws in the website of Tennessee payroll company PayMaxx
Inc. last week, said yesterday that the site remains insecure.
Greenspan said that a computer hacker still could use the site to
obtain the Social Security numbers of hundreds of Americans.

Greenspan called the management of PayMaxx "incompetent," and urged
Congress to investigate the company. "They have no idea what they're
doing," he said.

Greenspan's company, Think Computer Corp., had its payrolls prepared
by PayMaxx, of Franklin, Tenn., until late last year. After ending
their relationship, Greenspan found that his name, address, Social
Security number, and other personal data were still available on the
PayMaxx website, which could be accessed by entering zeroes in the
site's login windows. Greenspan also found that he could obtain the
same information about other PayMaxx customers by typing random
numbers into the browser's address window. He estimated that up to
100,000 files could be accessed this way.

After being contacted by the Globe, PayMaxx shut down the insecure
website service. But yesterday, Greenspan said he found another way
into the system. This time, he demonstrated for the Globe how a data
thief could obtain the Social Security numbers of people listed in the
PayMaxx system. Greenspan said that PayMaxx apparently used workers'
Social Security numbers to identify them to the website software. But
the company's method made it easy to read those numbers by merely
activating the "view source" feature found on all Web browsers.

A spokesperson for PayMaxx said that the company would shut down the
site entirely until questions about its security were resolved. The
spokesperson also said that there was no indication that anybody had
stolen personal data from the site.

Greenspan said he's contacted the office of US Senator Charles
Schumer, Democrat of New York. Schumer has called for legislation to
limit data-mining services that contribute to identity theft.
Congressional concern over the potential privacy threat erupted in
February, when ChoicePoint Inc., a Georgia firm that keeps files on
millions of Americans, admitted that it mistakenly sold 140,000 files
to criminals.


