Comments on Offsetting Behaviour: EQC data - Updated
Eric Crampton (http://www.blogger.com/profile/15831696523324469713)
Updated 2024-03-28T09:22:36.967+13:00

Mr_V4, 2013-03-26T00:14:06.504+13:00

I fail to really see the issue. Yes it's a mistake it was released but:

* Mistakes happen

* Damage to people's houses, and that there will be an EQC claim # is hardly secret information, hell it's probably the biggest topic of conversation in Chch for the last 2yrs. Discussion of the weather is waay down, comparing EQC costs is the new smalltalk.

* Since when is the appropriate response to such issues to immediately make it a political issue?

* The only risks I see are to those pollies (you know who you are) who have made claims in the media about their EQC business, it could now be possible for the public to look up their address and see if they have been telling the truth.

Eric Crampton (http://offsettingbehaviour.blogspot.com/), 2013-03-25T20:55:08.489+13:00

If it were more than a table listing addresses and claim numbers, or if there were some other database out there using claim numbers as an anonymous identifier that then could be linked back to addresses because of this breach, I would agree with you entirely.

Thomas Beagle, 2013-03-25T20:29:23.378+13:00

"If you're complaining about EQC privacy violations on your Facebook page, and you're doing it because of privacy per-se rather than because of fraud exploits, you're exactly the kind of person I'm talking about."

That's a really, really crap argument.

Respecting privacy is about respecting people's control of their own privacy. There's a huge difference between voluntarily posting information to a website, and having information forcibly collected by a government agency being carelessly let loose into the world.

The whole point about privacy is that people have very different attitudes about what is private to them and how they want to handle it. Just because you're open to some people in one area doesn't mean you want to be open to other people in another area.

Sure, in this case the type of data lost doesn't seem like a major privacy leak but that's because most people would have no need to control it.

Eric Crampton (http://offsettingbehaviour.blogspot.com/), 2013-03-25T17:52:44.764+13:00

Ok. Here is the better exploit. Letters to home owners after using phone book to guess names. Ask for the $5k deductible on their insurance to be wire transferred so the rest of the claim can be processed.

Thomas Lumley (http://twitter.com/tslumley), 2013-03-25T17:05:55.812+13:00

It depends on what sort of harm. It wouldn't be possible to extract huge sums of money, and the take would be a tiny fraction of the total EQC payout, but I don't see why the first approach couldn't extract tens of thousands of dollars. You'd want multiple accounts, but I would think "trading as" accounts would work. I think you are underestimating the persistence and overestimating the risk-aversion of the fraudsters.

Then there's phishing. You should be able to find out names and email addresses corresponding to a reasonable number of houses. You email them and ask for details needed to process their claim. The claim number provides added verisimilitude, especially if you've called EQC and talked to someone about the claim and can provide extra info. I see you've just tweeted a variant on this so I'll stop.

The harm done by any of this on average would be small, but it would probably be newsworthy and lead to further red tape on the part of EQC.