Wednesday, September 12, 2012

It's not about data

Making the rounds of identity and security blogs and tweets is the news that a repository of all credit card PIN codes had been leaked. My friend Mark Dixon posted a selection of them. The joke is, of course, that the list is every four digit number from 0000 to 9999. The punch line urges you to go out and change your PIN right away.

I've no proof, but I think this was prompted by the recent Yahoo! breach. According to a story in the Washington Post, the usernames and passwords of over 400,000 accounts were recently taken by a hacking group. Incredibly, the file was stored in clear text!

But what was mostly overlooked by the press was that there was little, if any, chance of damage from this breach. The malefactors had stolen data, true, but they hadn't stolen information.

A list of passwords, like a list of PINs, is data: on its own it is useful only as the basis of a dictionary attack on an account. Does it improve a hacker's chance of accessing your account? Only if your unique or obscure password is in the list - and the thief can guess your account name.
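Two defender-side consequences of this point, as an added example (not the post's own code): a leaked password list is only a dictionary, so a site can refuse new passwords that appear in it, and a site that stores passwords as salted, slow hashes rather than in clear text (as Yahoo! reportedly did) leaks only data if its table is stolen, since the username is never paired with a recoverable password. The leaked list and the user records below are constructed sample data, and the PBKDF2 parameters are this example's choice.

```python
"""Added example, not code from the post: a breached-password deny-list
check plus a salted, slow hash store, so that a stolen password list
stays "data" rather than becoming "information" about a specific account.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed sample of a "leaked" password list: data, not information.
LEAKED_PASSWORDS: Set[str] = {"123456", "password", "letmein", "qwerty", "summer2012"}

# Example PBKDF2 work factor (an assumption of this example, not the post's).
PBKDF2_ROUNDS = 200_000


def is_in_leaked_list(candidate: str, leaked: Set[str] = LEAKED_PASSWORDS) -> bool:
    """Deny-list check: True if the candidate appears in the leaked dictionary."""
    return candidate in leaked


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); a fresh random
    salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> None:
    """Reject passwords found in the leaked dictionary; otherwise store only
    (salt, digest), never the clear-text password."""
    if is_in_leaked_list(password):
        raise ValueError("password appears in a leaked list; choose another")
    store[username] = hash_password(password)


def stores_plaintext(store: Dict[str, Tuple[bytes, bytes]], password: str) -> bool:
    """True if any stored record contains the raw password bytes (it never should)."""
    raw = password.encode("utf-8")
    return any(raw in salt or raw in digest for salt, digest in store.values())


if __name__ == "__main__":
    users: Dict[str, Tuple[bytes, bytes]] = {}
    register(users, "alice", "correct horse battery staple")
    print("alice verifies:", verify_password("correct horse battery staple", *users["alice"]))
    print("clear text present in store:", stores_plaintext(users, "correct horse battery staple"))
    try:
        register(users, "bob", "letmein")
    except ValueError as exc:
        print("bob rejected:", exc)
```

The deny-list turns the thief's dictionary against them: a password that would have been a hit is never accepted in the first place. The hashed store means that even a stolen credential table pairs each account name with nothing an attacker can use directly, which is exactly the data-versus-information distinction the post draws.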

Put together the password with the account name, though, and you have information. And information is always useful. A list of telephone numbers is data. List the numbers with the address associated with them and you've got information. A list of women's maiden names is data. Put it together with their children's names and it's information.

Even a list of persons' names and the password each uses is data: good data, but just data. Add the company they work for and you might have information - if you can discover the email address template for that company, for example, or the account name template (e.g., first initial + first 7 letters of last name). That information isn't an automatic entrée into the account, but it gives the experienced cracker enough to be getting on with - much more so than the data alone.

Don't worry so much about losing data, but be scared to death of leaking information.


© 2003-2006 The Virtual Quill, All Rights Reserved
