Steven Peisner, whom Dubner and Levitt wrote about recently in a column on identity theft, has made a career out of trying to stop people from hacking or otherwise stealing valuable information from websites.
So Peisner’s ears perked up when he learned of Texas Attorney General Greg Abbott’s announcement on May 31 that Texas now requires companies to shred documents that list customers’ personal information, rather than simply tear them in half. In a televised press conference, Abbott blasted stores like the EZ Pawn chain, charging that its practice of throwing unshredded documents into dumpsters “put hundreds of Texans at risk” by giving fraudsters access to confidential information. EZ Pawn is being charged with violating the new law, Abbott said, with penalties of up to $50,000 per infraction.
Hearing this, Peisner went straight to the Texas Secretary of State Web site and found his way to the Secretary of State Online Access database, which “provides subscribers with up-to-date, on-line computer access to a variety of information maintained by the Office of the Secretary of State” including corporate records, UCC documents and filings by local and foreign financial institutions. Upon locating the Direct Access Subscriber Login page, he clicked on the temporary login form and proceeded to register using his own credit card number and a bunch of bogus personal information. Here’s a screen shot of Peisner’s registration page:
To his surprise, Peisner was allowed to proceed (without giving the three-digit security code on the back of his credit card, no less), and within moments he had access to the site’s database. For $1 per search, he ran searches on several common last names including “Campbell,” “Smith” and “Jones,” as well as “Greg Abbott,” the attorney general.
The result? Hundreds of PDFs for the common names and a handful for Abbott, many of them containing addresses, Social Security numbers, and other personal information. Lucky for the attorney general, Peisner chose to publicize his findings here rather than sell them to the highest bidder — though he did receive an invoice for the searches within minutes of completing them.
This morning, he contacted the office of Texas Secretary of State Phil Wilson to let him know of the vulnerability, and was told that the matter would be directed to the office’s I.T. department. Meanwhile, the site’s security hasn’t changed; Peisner was able once again to access the database using the name “Ima IDThief” and the same credit card information.
While this sort of vulnerability may not be as scary as the nuclear ruse carried out by undercover Congressional investigators, it is a lot easier and a lot more common.