Archive for March, 2007

Massive credit card heist at TJX

Thursday, March 29th, 2007

If you store the data, thieves will come.

At least 45.7 million credit and debit card numbers were stolen by hackers who broke into the computer systems at the TJX Cos. in Framingham and the United Kingdom and siphoned off data over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.

TJX, the Framingham discounter that operates the T.J. Maxx and Marshalls clothing chains, also reported in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers’ license numbers. “It’s the biggest card heist ever,” said Avivah Litan, vice president of Gartner Inc. “This was obviously done over a long period of time, in many locations. It’s done considerable damage.”

Full story at boston.com.

I’ve got a bit more to say about credit card security, but for now I’ll leave it with this: Every two to three years, you should clear out your old credit cards. Get new numbers from your bank. It’s a hassle, but if you use a credit card regularly, there’s a great chance it’s stored in old databases all over. I’m not sure how that works for driver’s licenses, or how you’d go about getting a new one.

We might ask, what the hell was TJX doing asking for driver’s license numbers in the first place? Oh right, it was some clever store policy, collecting extra data to deter fraud, in this case when a customer returned an item.

That’ll really show those thieves.

Upcoming workshop: Marie Antoinette’s Court

Tuesday, March 27th, 2007

May 6, 2007 from 1 - 9PM, $75, includes catered dinner.

Pre-registration required.

details at westsideworkshop.com

by now, this is so last week

Sunday, March 25th, 2007

but nevertheless, here’s a nice point / counterpoint, from the Daily Breeze.

one good way to prevent identity theft…

Friday, March 23rd, 2007

Just make sure nobody, not even hard-hitting investigative journalists, can spell your name right.

that’s h, e, r, F. As in Fingerprints.

Hacking a Fingerprint Video

Thursday, March 22nd, 2007

Mythbusters spent 3 days experimenting with ways to break into a high security thumbprint lock. They did it in ten minutes using both a photocopy of a fingerprint, and a more complicated method of using a cast fingerprint lifted off of a CD.

For the few customers who do work with equipment that’s secured with biometrics, it is something to consider. If someone with less than honest motives was working at a car dealership that had access to your thumbprint, they would also have your employer’s name and information.

Check out the video.

Update: some interesting links via an old boingboing post:
Gummi bears defeat Fingerprint Sensors

More on the Gummi bears

Making homegrown cyanoacrylate fingerprints

Some dealerships say that thieves are deterred when thumbprints are taken. But since they don’t tell you about this policy until the last minute, customers must make a very awkward choice: put your thumbprint in a box and feel like a criminal being booked, or say no thank you, and walk out the door knowing they believe you to be a thief, deterred by their clever tactic?

I believe their faith in this is misguided. When you can pick any glass bottle out of someone’s trash and create a false prosthetic print from it with superglue fumes, how does that protect anyone? If it becomes necessary to use someone else’s thumbprint to steal a car, that’s exactly what thieves will do.

Imagine if every dealer uses this technique. It won’t stop the thieves. They’ll just get more creative.

What if your print was stolen and used to acquire a car? It could work like this: the print is run through the DMV database. Your name comes up - a perfect match, but you’ve never even set foot in that dealership. How can you ever hope to prove your innocence? Better hope you had a good alibi.

A forged thumbprint can be a damning indictment, far worse than a badly forged signature.