AppDefects
Community Champion

Another day another data breach...

Car insurance provider Geico has suffered a data breach where threat actors stole the driver's licenses for policyholders for over a month. Geico is the second-largest car insurance company in the United States, with over 17 million policies for more than 28 million vehicles.

 

Switching to Geico can subject you to identity theft...

 

https://oag.ca.gov/system/files/DL3_IndNoticeLttr_CA_Redacted.pdf

 

12 Replies
Caute_cautim
Community Champion

@AppDefects   Yet another statistic. So if media recognition and penalties do not work, what is next to ensure that organisations and individuals take heed and recognise their responsibilities to reduce, or prevent, these from happening?

 

Regards

 

Caute_Cautim

denbesten
Community Champion

The current standard of "1 year of credit monitoring" and a not-an-apology letter is not a very high bar.

 

Maybe we ought to also require Geico to pay for new license numbers for all impacted parties.  Ditto for anyone that discloses national identifiers, credit card numbers, etc.

 

Even better would be for the DL#s to be changed every few years.  Back in "the day", each driver's license renewal came with a new number.  Somewhere along the line, this stopped and my new license now has the same number as the old one.  Classic example of convenience vs security.

Caute_cautim
Community Champion

@denbesten   But haven't you heard the word on the street?  Digital Identity will save the day with the full support of government entities? 

 

However, your response would be great if it could be applied, so there is no wriggle room for them to worm their way out of the situation, leaving only one potential door open, i.e. bankruptcy, or changing the company's name and starting again?

 

Regards

 

Caute_Cautim

tmekelburg1
Community Champion


@denbesten wrote:

> The current standard of "1 year of credit monitoring" and a not-an-apology letter is not a very high bar.

 


You didn't get the "We take your security and privacy very seriously...🤢" letter? I'm shocked!

 

 


> Even better would be for the DL#s to be changed every few years.  Back in "the day", each driver's license renewal came with a new number.  Somewhere along the line, this stopped and my new license now has the same number as the old one.  Classic example of convenience vs security.


I 100% agree with this statement. Identity shouldn't be tied to any permanent number, e.g., DL #, SSN, etc. with how easy those are to steal. Is Blockchain our answer here @rslade?

CISOScott
Community Champion

But if your "proof" of identity changes, how will we know it's you?

tmekelburg1
Community Champion

@CISOScott 

 

And @Caute_cautim brought up another great point: a digital identity established through a company that then ends up going out of business. What happens to your digital ID at that point? I could be wrong here, but it makes sense for the authoritative source for your digital ID to be kept at your State BMV (Bureau of Motor Vehicles), where you currently get your physical ID.

 

If they stay on schedule this year, our State BMV will be rolling out digital IDs, with the thought that most people will always have their phone with them. The next logical step here would be being able to use that digital ID to authenticate with sites on the web and do 2FA using biometrics stored on the phone.

 

What are your thoughts on proofing? It makes sense for the systems to do all of the proofing on the backend.

rslade
Influencer II

> tmekelburg1 (Contributor II) mentioned you in a post! Join the conversation

> Is Blockchain our answer here @rslade?

It's people like you what cause unrest ... 🙂

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

> CISOScott (Community Champion) posted a new reply in Privacy on 05-04-2021 09:33

> But if your "proof" of identity changes, how will we know it's you?

New [social media platform or personal access device]: who dis?

Caute_cautim
Community Champion

@CISOScott   Some great thinking here. Proofing is a good point: within New Zealand they call it a Digital Identity trust network, creating a trust network whereby trust is manufactured:

 

https://www.researchgate.net/publication/337033946_A_Decentralized_Digital_Identity_Architecture

 

Yes, it uses Blockchain using a distributed decentralised network.

 

One thing to think about: guaranteeing the integrity of the individual's identity, which under the World Health Organisation (WHO) should last on average for 110 years.  Technology needs a refresh after 5 years, so in that case one would have had to refresh the underlying architecture 22 times over the average lifespan of a human being, in a best case scenario.  Who should be in charge, and who will ensure that the backend processes are conducted correctly and audited regularly?

 

Regards

 

Caute_Cautim