Boston.com / Business / Payroll Website Still Not Secured

Professor Farber,

A friend of mine forwarded me the post that went out to interesting-people on the flaw I discovered at PayMaxx. While the Globe article covers part of it, the real crux of the issue is outlined in my white paper: [link]
Thanks,

Aaron

Aaron Greenspan
President & CEO
Think Computer Corporation
Payroll website still not secured

By Hiawatha Bray, Globe Staff | March 1, 2005

Boston software entrepreneur Aaron Greenspan, who revealed serious security flaws in the website of Tennessee payroll company PayMaxx Inc. last week, said yesterday that the site remains insecure. Greenspan said that a computer hacker still could use the site to obtain the Social Security numbers of hundreds of Americans.

Greenspan called the management of PayMaxx 'incompetent,' and urged Congress to investigate the company. "They have no idea what they're doing," he said.

Greenspan's company, Think Computer Corp., had its payrolls prepared by PayMaxx, of Franklin, Tenn., until late last year. After ending their relationship, Greenspan found that his name, address, Social Security number, and other personal data were still available on the PayMaxx website, which could be accessed by entering zeroes in the site's login windows. Greenspan also found that he could obtain the same information about other PayMaxx customers by typing random numbers into the browser's address window. He estimated that up to 100,000 files could be accessed this way.

After being contacted by the Globe, PayMaxx shut down the insecure website service. But yesterday, Greenspan said he found another way into the system. This time, he demonstrated for the Globe how a data thief could obtain the Social Security numbers of people listed in the PayMaxx system.

Greenspan said that PayMaxx apparently used workers' Social Security numbers to identify them to the website software. But the company's method placed those numbers in the pages it sent to the browser, so they could be read by merely activating the 'view source' feature found on all Web browsers.

A spokesperson for PayMaxx said that the company would shut down the site entirely until questions about its security were resolved. The spokesperson also said that there was no indication that anybody had stolen personal data from the site.

Greenspan said he's contacted the office of US Senator Charles Schumer, Democrat of New York. Schumer has called for legislation to limit data-mining services that contribute to identity theft. Congressional concern over the potential privacy threat erupted in February, when mistakenly sold 140,000 files to criminals.

Hiawatha Bray can be reached at snipped-for-privacy@globe.com.

Copyright 2005 The New York Times Company

[NOTE: To read several hundred New York Times items online here each day with no login or registration requirement, set your browser to [link]. PAT]

Reply to
Marcus Didius Falco
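The two weaknesses the article describes, a payroll file served to anyone who types its number into the address bar and a Social Security number used as the identifier that the page itself carries, are textbook cases of an insecure direct object reference and of sensitive data exposed in client-side markup. The Python below is an added illustration written for this repost; it is not PayMaxx's code and not from Greenspan's white paper. PayMaxx's actual platform is unknown, so the record store, the sequential file numbers, the names and the 900-series SSNs are all constructed here, and the all-zero login the article mentions is not reproduced. The block shows the vulnerable lookup and hidden form field beside a hardened version that binds records to the authenticated session and replaces the SSN with a keyed, per-user surrogate handle.

```python
"""Constructed illustration of the two PayMaxx-style flaws described above.

Not PayMaxx's code: the records, file numbers, names and SSNs are made up,
and the real site's technology is unknown.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed payroll files keyed by a sequential numeric ID, the kind of
# number an attacker can guess by "typing random numbers into the address
# window".  The SSNs use the 900-series, which the SSA does not issue.
RECORDS = {
    100001: {"name": "Alice Example", "ssn": "900-01-0001", "employer": "Example Corp."},
    100002: {"name": "Bob Example", "ssn": "900-01-0002", "employer": "Acme Widgets"},
    100003: {"name": "Carol Example", "ssn": "900-01-0003", "employer": "Acme Widgets"},
}


# --- Flaw 1: the file number in the URL is the only thing checked (IDOR) -----

def fetch_record_vulnerable(file_id: int) -> Optional[dict]:
    """Whoever supplies a valid number gets the file; no ownership check."""
    return RECORDS.get(file_id)


def enumerate_vulnerable(start: int, stop: int) -> list:
    """What guessing numbers in the address bar amounts to: walk the ID space
    and collect every SSN the vulnerable handler hands back."""
    leaked = []
    for fid in range(start, stop):
        rec = fetch_record_vulnerable(fid)
        if rec is not None:
            leaked.append(rec["ssn"])
    return leaked


# --- Hardened lookup: a record is reachable only through its owner's session --

@dataclass(frozen=True)
class Session:
    user_id: str
    owned_files: frozenset  # file IDs the authenticated user may see


def fetch_record_secure(session: Session, file_id: int) -> Optional[dict]:
    """Return the record only if the session owns it.  'No such file' and
    'not your file' get the same answer, so the response is not an oracle
    for which numbers are valid."""
    if file_id not in session.owned_files:
        return None
    return RECORDS[file_id]


# --- Flaw 2: the SSN itself is the identifier the browser carries -----------

def render_form_vulnerable(file_id: int) -> str:
    """Hidden field holds the SSN; 'view source' shows it to anyone."""
    rec = RECORDS[file_id]
    return f'<input type="hidden" name="employee" value="{rec["ssn"]}">'


# Per-deployment secret (constructed at import time here; a real service would
# load it from its secret store).
SERVER_KEY = secrets.token_bytes(32)


def opaque_handle(session: Session, file_id: int) -> str:
    """Surrogate identifier: an HMAC over (user, file) under the server key.
    It is unguessable, bound to this user, and carries no SSN."""
    msg = f"{session.user_id}:{file_id}".encode()
    return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()


def render_form_secure(session: Session, file_id: int) -> str:
    """Hidden field carries the surrogate handle instead of the SSN."""
    handle = opaque_handle(session, file_id)
    return f'<input type="hidden" name="employee" value="{handle}">'


def resolve_handle(session: Session, handle: str) -> Optional[dict]:
    """Server side: map a submitted handle back to a record, searching only
    the files this session owns, with a constant-time comparison."""
    for fid in session.owned_files:
        if hmac.compare_digest(opaque_handle(session, fid), handle):
            return RECORDS[fid]
    return None


if __name__ == "__main__":
    alice = Session("alice", frozenset({100001}))
    print("leaked by enumeration:", enumerate_vulnerable(100000, 100010))
    print("alice reads own file:", fetch_record_secure(alice, 100001)["name"])
    print("alice reads Bob's file:", fetch_record_secure(alice, 100002))
    print(render_form_vulnerable(100001))
    print(render_form_secure(alice, 100001))
```

The surrogate handle on its own is not authorization: `resolve_handle` still searches only the files the session owns, so a handle copied from one user's page resolves to nothing in another user's session. Replacing the SSN with an opaque value fixes the view-source exposure; the ownership check is what fixes the enumeration.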