http://www.boston.com/business/articles/2005/03/01/payroll_website_still_not_secured/

By Hiawatha Bray, Globe Staff
March 1, 2005

Boston software entrepreneur Aaron Greenspan, who revealed serious security flaws in the website of Tennessee payroll company PayMaxx Inc. last week, said yesterday that the site remains insecure. Greenspan said that a computer hacker still could use the site to obtain the Social Security numbers of hundreds of Americans.

Greenspan called the management of PayMaxx "incompetent," and urged Congress to investigate the company. "They have no idea what they're doing," he said.

Greenspan's company, Think Computer Corp., had its payrolls prepared by PayMaxx, of Franklin, Tenn., until late last year. After ending their relationship, Greenspan found that his name, address, Social Security number, and other personal data were still available on the PayMaxx website, which could be accessed by entering zeroes in the site's login windows.

Greenspan also found that he could obtain the same information about other PayMaxx customers by typing random numbers into the browser's address window. He estimated that up to 100,000 files could be accessed this way.

After being contacted by the Globe, PayMaxx shut down the insecure website service. But yesterday, Greenspan said he found another way into the system. This time, he demonstrated for the Globe how a data thief could obtain the Social Security numbers of people listed in the PayMaxx system.

Greenspan said that PayMaxx apparently used workers' Social Security numbers to identify them to the website software. But the company's method made it easy to read those numbers by merely activating the "view source" feature found on all Web browsers.

A spokesperson for PayMaxx said that the company would shut down the site entirely until questions about its security were resolved. The spokesperson also said that there was no indication that anybody had stolen personal data from the site.

Greenspan said he's contacted the office of US Senator Charles Schumer, Democrat of New York. Schumer has called for legislation to limit data-mining services that contribute to identity theft.

Congressional concern over the potential privacy threat erupted in February, when ChoicePoint Inc., a Georgia firm that keeps files on millions of Americans, admitted that it mistakenly sold 140,000 files to criminals.