
A bad code push? Really?
"an email address and a URL parameter"
That is not a bad code push, that is 1990s Internet coding.
We have come quite a long way in 30 years, thank you for catching up.
Two separate internet affiliate networks have closed vulnerabilities that exposed potentially millions of records in one of the most sensitive areas: payday loans. US-based software engineer Kevin Traver contacted us after he found two large groups of short-term loan websites that were giving up sensitive personal information …
No, we have in fact retrogressed. Today web sites are written by art students using 'frameworks'.
Commercial websites of tier one banks are fatally flawed. No one cares. Bugs are never fixed. It took me over a year to get one bug fixed in a major high street bank so that I could use it without invoking Windows XP in a virtual machine. It still has the same bug, but only once, not twice. It features amazing minimalist graphics of light grey on white, but a marvellous picture of a black man looking like a happy investor. It tells me and has told me for over 18 months I have two messages. There are none.
It has less functionality and runs at half the speed of the site it replaced.
But it is fwightfully 'artistic'
Well said itzman. The results can be utterly stupendous.
A commercial web site I have to use to select engineering standard parts has pages the source of which is over 600kB. The actual readable text is around 3kB. That's a Shannon efficiency of 0.5%. The remaining 99.5% is massively redundant blocks of almost duplicate in-line style statements and JavaScript, although the pages impart all the necessary information for ordering statically (or at least they would if the links to supporting documents were not JavaScript driven). What's wrong with HTML link anchors? Oh sorry, I forgot - they're "old fashioned" (or is it "outdated" these days?)
If the presentation wonks that write web pages actually knew what they were doing technically, things might improve, but sadly both the concept that content is king has been abandoned and the current generation of tools makes it possible to generate output without any expertise. The results speak for themselves.
I was called by a Payday Loan company out of the blue in the middle of one day. It was on my landline, which had one day left before BT cut it off. Chap on the other end asked if he could speak to a MR XXXXX about a loan application he was going to be a guarantor for. When I said there wasn't anyone of that name here he became more salesman-like. He asked if I needed up to five grand, which had an interest rate of 50%. He said I just needed somebody to guarantee the loan.
I said that I'd spotted a flaw in their business model, which the chap insisted I hadn't. I said if I needed the loan (which I didn't) it would be sensible to pick somebody with the odd 5k to spare to guarantee it. Therefore that person is on the hook for the 5k and will be coming after me if I don't pay the loan back. There's no upside for the guarantor in this situation; it's all risk and no reward. Why wouldn't we just cut out their payday loan company and I borrow the 5k from the guarantor? I pay them 25% (or less) interest and I'm saving myself a fair whack of cash. The guarantor also benefits from some serious upside in the form of this interest I'll be paying them. I said that sounded like a much better solution and cost much less.
Chap on the other end of the phone says that won't work. Then says, as I obviously don't need the money, 'good day to you sir' or something like that. I think this was a genuine wrong number because I then dialed the two numbers with the last digits either side of mine on the keypad. I did end up speaking to a Mr XXXXX on the second one, who was very pleasant and liked my idea.
My principle actually: If someone asks me if I want to be a guarantor for a loan, there are two possibilities: Either I have the money, and I'm willing to give them the money, then there is no loan. Or I don't have the money, or I wouldn't be willing to give them the money, then there is no guarantee, therefore no loan. It's rare for someone to fall into the first category.
It really is reprehensible. Why it's not illegal to charge (let's say) double the inflation rate is beyond me.
They've regulated them a bit now, I hear, so now they are merely
"scum of the earth, top of the list, still beating heroin dealers, but not by as much as previously"
So Mr Zoom Marketing says there is no evidence of a breach of confidential data, whereas Traver tested 170 records and had an 80% strike rate.
So were those particular records disclosed as being tested to Zoom Marketing, and is the plonker excluding them in his report of "no breach"? Because if it were me, I would be very careful to state, "Other than the 136 records accessed by Traver between $DateTimeA and $DateTimeB, we found no evidence of any other PII breach via this route."
Because if the specific records weren't disclosed, they didn't do a very good job of reviewing their logs (assuming they had them).
Many US states have privacy laws which this stuff is breaching, and their State AGs are more than happy to long-arm such laws.
All someone has to do is show the sites have numbers of people from the state in question - and a suitably notified state AG may decide to do that themselves.
(I seriously did not intend to make a pun)
Aside from the more than questionable morality of so-called payday loans on many, many grounds, I do at least appreciate this Weichsalbaum guy being frank about their problem, doing something about it quickly, and not doing the "a small number of our valued customers" bullshit. I guess he's the brains behind the idea and hired someone to do the API + backend and the latter was more on the cheap side than the good side.
I personally hate most corporate websites as they are a triumph of design over usability. Once designers started getting involved and restricted website widths (most websites only fill a third of my screen) and what not, had lots of Flash/Java nonsense and all that rubbish rather than just delivering content, it was all downhill. We now have embedded videos that start automatically and all sorts of animation and cleverness and JavaScript stuff going on; it's hardly surprising the basic coding is not up to anything and basic security is ignored or just not understood or seen as important... until the GDPR fines come in.
Birth certificates are not identity documents either (in fact they're embossed as such) but are commonly used as proof of ID (including for passports)
As I have my grandfather's one I've wondered a few times if I could be registered as a 125 year old geezer, just to prove a point
Yup.
I've seen stories of USA hospitals being assessed for major HIPAA violations after improperly recording patient data (one of the most common apparently is someone going into an emergency room and being linked against a previous patient with the same name but a different SSN) and then sending out debt collectors/filing credit reports based on SSN.