I.D.-Theft Watchdog Finds the State of Texas is Wide Open for I.D. Thieves

Steven Peisner, whom Dubner and Levitt wrote about recently in a column on identity theft, has made a career out of trying to stop people from hacking or otherwise stealing valuable information from websites.

So Peisner’s ears perked up when he learned of Texas Attorney General Greg Abbott’s announcement on May 31 that Texas now requires companies to shred documents that list customers’ personal information, rather than simply tear them in half. In a televised press conference, Abbott blasted stores like the EZ Pawn chain, charging that its practice of throwing unshredded documents into dumpsters “put hundreds of Texans at risk” by giving fraudsters access to confidential information. EZ Pawn is being charged with violating the new law, Abbott said, with penalties of up to $50,000 per infraction.

Hearing this, Peisner went straight to the Texas Secretary of State Web site and found his way to the Secretary of State Online Access database, which “provides subscribers with up-to-date, on-line computer access to a variety of information maintained by the Office of the Secretary of State” including corporate records, UCC documents and filings by local and foreign financial institutions. Upon locating the Direct Access Subscriber Login page, he clicked on the temporary login form and proceeded to register using his own credit card number and a bunch of bogus personal information. Here’s a screen shot of Peisner’s registration page:

To his surprise, Peisner was allowed to proceed (without giving the three-digit security code on the back of his credit card, no less), and within moments he had access to the site’s database. For $1 per search, he ran searches on several common last names including “Campbell,” “Smith” and “Jones,” as well as “Greg Abbott,” the attorney general.

The result? Hundreds of PDFs for the common names and a handful for Abbott, many of them containing addresses, Social Security numbers, and other personal information. Lucky for the attorney general, Peisner chose to publicize his findings here rather than sell them to the highest bidder — though he did receive an invoice for the searches within minutes of completing them.

This morning, he contacted the office of Texas Secretary of State Phil Wilson to let him know of the vulnerability, and was told that the matter would be directed to the office’s I.T. department. Meanwhile, the site’s security hasn’t changed; Peisner was able once again to access the database using the name “Ima IDThief” and the same credit card information.

While this sort of vulnerability may not be as scary as the nuclear ruse carried out by undercover Congressional investigators, it is a lot easier and a lot more common.


COMMENTS: 18

  1. edwinlee says:

    Another example of Texans shooting from the hip, saying what you’d like to hear, and not doing their homework. Any chance we could return the state to Mexico?

  3. egretman says:

    Under the continuing theory that free information is powerless information, why doesn’t the US guvment just publish all social security numbers?

    They will become useless. What business would take an SS# as the sole source of identity? In fact, what stupid companies still do?

    It is my contention that they are already becoming useless due to such stupidity posted above.

    As for the stupidity of Texas, our attorney general, Greg Abbott, mentioned above, is wheelchair-bound from a tree limb that injured him. He promptly sued and won $10 million, most for mental anguish. Then he turned around and ran for Texas attorney general. What was his campaign issue? Why, lawsuit abuse, of course!

  5. egretman says:

    Any chance we could return the state to Mexico?

    Yes, but you have to promise that every 4 years you will still come to us for your U.S. president.

  7. lermit says:

    Good find!

    .lermit
