TwinSpires HACKED!!!!

Started by Silver Charm, September 07, 2012, 02:47:23 PM


Silver Charm

Interesting they waited until Saratoga and Del Mar closed before they notified anyone of the breach.

banditbeau

Got the letter in the mail today - what are the odds of the encryption being decoded?  This seems pretty serious.  Experts on this type of issue on the board what do you think?  (not referring to finding another wagering service - what does this mean about our information stolen, in particular the social security number?)

bb

Boscar Obarra

A lot of people are getting these letters. So many, that I suspect the 20% figure is a lowball.

And waiting so long to reveal the intrusion is pretty bogus.

fjmb

Why doesn't a wagering site come on here and offer some incentives for us to switch???   The most attractive feature of Twinspires is the EZ$$$ deposit in my opinion.  Otherwise I'd switch.  As a business owner I see the opportunity for someone to prosper off this error and why not give us some incentive to switch sites.  TW needs to credit customers with some $$$$ as good faith!!!!

Rick B.

banditbeau Wrote:
-------------------------------------------------------
> Experts on this type of issue on the board what
> do you think?  (not referring to finding another
> wagering service - what does this mean about our
> information stolen, in particular the social
> security number?)
>
> bb

I've been in IT for over 30 years, have confronted
data security and privacy issues endlessly, and...
IMO, we are losing the battle: IT folks (application
developers) tend to think about this issue during
design and after a breach, while the hackers don't
ever quit. We used to do a better job with app
security, but the business world no longer tolerates
development cycles that take months; they want new
apps in weeks.

"Quality, Speed, Low Cost...pick any two" is a rather
common sign you can find hanging in most IT development
shops. The last place I worked as a project leader had
an unofficial slogan: "Never Time to Do It Right; Always
Time to Do It Over". I have been tinkering with creating
a metric that can be used to assess a given development
project, and rate its chances for success; I call it
"ELF: Expected Level of Filth".

As far as your SSN is concerned, forget it: that horse
left the barn ages ago. If I know your real name, where
you live, and your approximate age, I have enough info
to piece together a query to one of the many info search
companies on the Internet that will tell me your Social
Security Number, Drivers License number, etc. (no bank
accounts or other financial data...yet).

All I have to do is pay a fee, and check a box that says
I am willing to "suffer the pains and penalties of perjury",
or some such, if I don't promise to use the data in a
non-intrusive or confidential way. That should be enough
to make everyone feel safe and secure, right?

Riiiight.

P-Dub

Rick B. Wrote:
-------------------------------------------------------
> banditbeau Wrote:
> -------------------------------------------------------
> > Experts on this type of issue on the board what
> > do you think?  (not referring to finding another
> > wagering service - what does this mean about our
> > information stolen, in particular the social
> > security number?)
> >
> > bb
>
> I've been in IT for over 30 years, have confronted
> data security and privacy issues endlessly, and...
> IMO, we are losing the battle: IT folks (application
> developers) tend to think about this issue during
> design and after a breach, while the hackers don't
> ever quit. We used to do a better job with app
> security, but the business world no longer tolerates
> development cycles that take months; they want new
> apps in weeks.
>
> "Quality, Speed, Low Cost...pick any two" is a rather
> common sign you can find hanging in most IT development
> shops. The last place I worked as a project leader had
> an unofficial slogan: "Never Time to Do It Right; Always
> Time to Do It Over". I have been tinkering with creating
> a metric that can be used to assess a given development
> project, and rate its chances for success; I call it
> "ELF: Expected Level of Filth".
>
> As far as your SSN is concerned, forget it: that horse
> left the barn ages ago. If I know your real name, where
> you live, and your approximate age, I have enough info
> to piece together a query to one of the many info search
> companies on the Internet that will tell me your Social
> Security Number, Drivers License number, etc. (no bank
> accounts or other financial data...yet).
>
> All I have to do is pay a fee, and check a box that says
> I am willing to "suffer the pains and penalties of perjury",
> or some such, if I don't promise to use the data in a
> non-intrusive or confidential way. That should be enough
> to make everyone feel safe and secure, right?
>
> Riiiight.


Rick,

For those of us that have had their information breached, what next??

Am I at risk for the rest of my life for identity theft??  What steps should we take to monitor this?  What are some of the things that can happen to us that had this happen??  What recourse do we have against TS in the event something happens??
P-Dub

miff

Paul,  

Even if the credit card number was encrypted, cancel that card # and get a new one from the issuer.

Notify the three credit bureaus that you had personal info compromised and they will put a fraud alert up.

Anyone who has ever had their SS number stolen is at risk for having cards/loans fraudulently opened. While you will NOT be financially responsible, the hassle is substantial, been there!

Do it now and monitor your credit card mailings and your credit reports to check for possible new accounts that you did not open.

Morons at CD taking this way too lightly or are too stupid to understand the possible problems for those whose info compromised.


Mike
miff

P-Dub

miff Wrote:
-------------------------------------------------------
> Paul,  
>
> Even if the credit card number was
> encrypted, cancel that card # and get a new one
> from the issuer.
>
> Notify the three credit bureaus that you had
> personal info compromised and they will put a
> fraud alert up.
>
> Anyone who has ever had their SS number stolen is
> at risk for having cards/loans fraudulently
> opened. While you will NOT be financially
> responsible, the hassle is substantial, been
> there!
>
> Do it now and monitor your credit card mailings
> and your credit reports to check for possible new
> accounts that you did not open.
>
> Morons at CD taking this way too lightly or are
> too stupid to understand the possible problems for
> those whose info compromised.
>
>
> Mike

Thanks Mike, I'll cancel asap and get another one.

Did the fraud alert thing with the company TS set us up with for protection.

Appreciate the advice.
P-Dub

Rick B.

miff Wrote:
-------------------------------------------------------
> Paul,  
>
> Even if the credit card number was
> encrypted, cancel that card # and get a new one
> from the issuer.
>
> Notify the three credit bureaus that you had
> personal info compromised and they will put a
> fraud alert up.
>
> Anyone who has ever had their SS number stolen is
> at risk for having cards/loans fraudulently
> opened. While you will NOT be financially
> responsible, the hassle is substantial, been
> there!
>
> Do it now and monitor your credit card mailings
> and your credit reports to check for possible new
> accounts that you did not open.
>
> Morons at CD taking this way too lightly or are
> too stupid to understand the possible problems for
> those whose info compromised.
>
>
> Mike

All good stuff, Mike.

One extra tip that I will share: open "throwaway"
accounts / cards, etc., if you are doing any sort
of business online.

I have a throwaway e-mail address, PO Box, Credit
Card, and Checking / Savings account. Suggest you
do the last two through your local credit union,
usually low or no cost (fees).

Due to the Patriot Act, you must supply your home
address to open credit card and other accounts, but
I make sure to put the PO Box down as the "official"
address whenever possible.

I keep the minimums in my credit union checking and
savings account ($0 checking, $50 savings) until I
need to pay a bill or fund my ADW account -- only
then do I transfer any money into the credit union.
I don't leave the money in there very long, and I
move pretty much the exact amount I need.

(I was paying a fee for transfers until it dawned on
me to open a sleeper account at the credit union --
one that I DO NOT disclose on the Internet, and I have
parked a decent chunk of money there. Transfers between
credit union accounts are free at my place, and can be
done with a simple phone call.)

The credit card is really a no-fee debit card linked
directly to the credit union checking account, but it
looks and acts like a credit card. The limit? Whatever
is in the checking account NOW...and that's it.

The Internet has never seen anything relating to my
primary bank account or everyday credit cards. The way
I have things set up, if my "Internet use only" accounts
or debit / credit card are breached, 99.9999% of the time,
they can only get me for the $50 I am required to leave
in the savings account. If they beat me out of $50, I won't
like it...but I can live with it.

This approach can create certain hardships, like not
being able to fund my ADW after 12 noon on a Saturday
(credit union is closed), or not being able to sign up
for a porn site at 2 AM on Labor Day, or not being able to
buy (even more) shit off of e-Bay that I don't need, but
I've learned to live with it, in return for the peace of
mind that keeping my financial pants pulled up and unsoiled
gives me.

Sounds like a PITA to set up, but it's not that bad. It's
your money; make it hard to get.

Silver Charm

I talked with someone who is very much in the know and they did take it very seriously. There was the initial discovery process once the breach was discovered.

But here is where it gets hairy. The biggest concern was if they went public with the issue during a peak part of the season...August....they would lose business!! The idea of temporarily shutting the Site down until they had a handle on things was quickly ditched. Again business would be lost and accounts moved that would never come back. The fact that Customers could be getting unknowingly victimized without notification was deemed to be the Customers' problem not theirs. So the solution was to remain quiet and wait until a slower part of the season before notifying anyone.

Lastly if someone does have an Identity Theft Abuse occur. TwinSpires is standing by the Policy that it must be proven the perpetrator was from the TwinSpires HACK! If you can't you are on your own. Their defense is "it wasn't us".....

Beau

TVG and Xpressbet have the EZ deposit and withdraw as well.

banditbeau

Next question - Twin Spires has offered "ProtectMyID" but they want your social security also - online??? What is the best advice for this?? bb

sighthound

There is a service you can purchase online, who has your information and every time you sign onto a site (including this one, eBay, whatever) it encrypts everything, so no site but that one ever gets your real information.  It is always encrypted, and always goes through the protection site.

Can't remember the name - I don't think it's Protect My ID.  Would be interested in IT guys' take on that service - and do you know the name?

I like the idea of the throwaway checking/savings.  Good idea.

TGJB

So I gotta question. How come this is not the biggest story in the industry right now, coverage everywhere.
TGJB

magicnight

Maybe someone asked someone to sit on the story.