Payroll site closes on security worries

R.A. Hettinga rah at
Fri Feb 25 19:17:48 PST 2005



 Payroll site closes on security worries

 By Robert Lemos

 Story last modified Wed Feb 23 15:54:00 PST 2005

Online payroll service provider PayMaxx shuttered its automated W-2 site on
Wednesday after a researcher claimed that two security holes had exposed
data on more than 25,000 people.

A description of the problem posted on Think Computer's Web site by Aaron
Greenspan, president of the software start-up, said the security issues
could allow anyone to view the W-2 forms generated for employees of
PayMaxx's clients for the last five years.

 PayMaxx did not acknowledge or deny the problems, saying that a
third-party security company was investigating the allegations.

"No system in the world is 100 percent secure from a sophisticated and
determined hacker," the Tennessee-based payroll company said in a statement
sent to CNET. "PayMaxx has made and continues to make every effort
to secure its system against any breach."

The incident comes a week after background-check provider ChoicePoint
acknowledged that data thieves had created dozens of fake companies to
acquire more than 145,000 records touching on the personal lives of U.S.
citizens. Federal legislators are considering strong protections on
identity data following the ChoicePoint leak, and a class action lawsuit
has been filed in California.

 Greenspan, a former PayMaxx customer, said he discovered the alleged
problems in the company's system more than two weeks ago, after he received
notification from the company that his W-2 tax form was available online
for download and printing. The link to access the W-2 included an ID
number, and he wondered whether the company had protected against an
obvious security problem: adding one to the ID number to get the next form.

 Instead of being denied access, Greenspan found that another person's W-2
was downloaded and readable. Sequential, rather than randomized, ID numbers
made it easy to call up numerous customers' data.

The hole could have allowed employees at PayMaxx's clients to access more
than 25,000 W-2 forms for last year and the W-2 forms for years back to
2000, he said.

 He said his investigation revealed that PayMaxx's database contained a
record for testing purposes that contained a Social Security number of
000-00-0000 and a password of all zeros. That could allow anyone to log
into the site and then use the lack of authentication to sequentially
download all the W-2 forms, Greenspan said.
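The two weaknesses the article describes, a sequential document ID used as the only lookup key and a lookup that never checks who is asking, are the classic insecure direct object reference. The following is an added example written for this page, not PayMaxx's code and not from Greenspan's paper: it models the vulnerable lookup beside a hardened one that ties each W-2 to its authenticated owner and replaces the guessable ID in the link with a random token, and it adds a small log check that flags a session walking consecutive IDs. All record, user, session and log-line values are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class W2Form:
    form_id: int        # sequential database ID, as in the article
    employee: str       # login name of the employee the form belongs to
    wages: int


# Constructed sample records; hypothetical employees, not real data.
FORMS: Dict[int, W2Form] = {
    1001: W2Form(1001, "alice", 52000),
    1002: W2Form(1002, "bob", 61000),
    1003: W2Form(1003, "carol", 47000),
}


def fetch_w2_insecure(form_id: int) -> Optional[W2Form]:
    """The pattern the article describes: the ID in the download link is the
    only key, so whoever changes the number reads someone else's form."""
    return FORMS.get(form_id)


def fetch_w2_checked(user: Optional[str], form_id: int) -> Optional[W2Form]:
    """Hardened lookup: requires a logged-in user and returns the form only if
    it belongs to that user.  A foreign ID gets the same answer as a missing
    one, so the response does not reveal which IDs exist."""
    if user is None:
        raise PermissionError("login required")
    form = FORMS.get(form_id)
    if form is None or form.employee != user:
        return None
    return form


# Second layer: unguessable download references, so the link no longer
# carries the sequential ID at all.  (In-memory table for the example.)
_TOKENS: Dict[str, int] = {}


def issue_download_token(form_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 random bits, unrelated to neighbours
    _TOKENS[token] = form_id
    return token


def fetch_w2_by_token(user: Optional[str], token: str) -> Optional[W2Form]:
    form_id = _TOKENS.get(token)
    if form_id is None:
        return None
    return fetch_w2_checked(user, form_id)   # ownership is still enforced


# Detection: a session requesting a run of consecutive form IDs is walking
# the ID space.  The access-log format below is constructed for this example.
_LOG_RE = re.compile(r"session=(\S+) .*form_id=(\d+)")

SAMPLE_LOG: List[str] = [  # constructed
    "2005-02-10T10:00:01 session=s1 user=test0 form_id=1001 status=200",
    "2005-02-10T10:00:02 session=s1 user=test0 form_id=1002 status=200",
    "2005-02-10T10:00:03 session=s1 user=test0 form_id=1003 status=200",
    "2005-02-10T10:00:04 session=s1 user=test0 form_id=1004 status=200",
    "2005-02-10T10:05:00 session=s2 user=alice form_id=1001 status=200",
]


def find_enumeration(log_lines: List[str], min_run: int = 3) -> Dict[str, int]:
    """Return {session: longest run of consecutive form IDs} for every session
    whose longest run reaches min_run."""
    last_id: Dict[str, int] = {}
    run: Dict[str, int] = {}
    longest: Dict[str, int] = {}
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        sess, fid = m.group(1), int(m.group(2))
        run[sess] = run.get(sess, 0) + 1 if last_id.get(sess) == fid - 1 else 1
        last_id[sess] = fid
        longest[sess] = max(longest.get(sess, 0), run[sess])
    return {s: n for s, n in longest.items() if n >= min_run}


if __name__ == "__main__":
    print(fetch_w2_insecure(1002))                 # bob's form, no check at all
    print(fetch_w2_checked("alice", 1002))         # None: not alice's form
    tok = issue_download_token(1001)
    print(fetch_w2_by_token("alice", tok))         # alice's form
    print(find_enumeration(SAMPLE_LOG))            # {'s1': 4}
```

The token layer alone is not a substitute for the ownership check: a leaked or forwarded link would still open the form, which is why `fetch_w2_by_token` resolves the token and then calls the checked lookup. The detector is deliberately simple; it only reads a session and form ID from each line, so the same idea applies to any access log that records a per-request document identifier.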

 "Anyone could have been exploiting these security issues for years, and no
one would have known about it," he said.

 PayMaxx confirmed that the test account did exist as described in
Greenspan's paper, but took issue with other allegations. The company
stated that from a review of Greenspan's paper, it had found several of his
claims to be inaccurate, but did not specify which claims. While PayMaxx
did not confirm the problem, the company did qualify the extent of the

"Our initial analysis indicates that if Mr. Greenspan was able to
improperly access any W-2 forms, a limited number of forms were accessed,"
the company said in the statement.

 That does not contradict Greenspan's claims, since the researcher said
that he had only accessed enough of the site to confirm the issue and gauge
the extent of the problem.

 PayMaxx charged that Greenspan had "attempted to hack" into its Web site.
It said he had held back details of the alleged flaws and had requested
that PayMaxx hire his company.

 "Due to the lack of specificity provided by Mr. Greenspan in his obvious
sales pitch, PayMaxx did not view his communications as credible," the
company said. "Consequently, we declined his offer to hire his services."

 Greenspan acknowledged that he had given PayMaxx few details, but took
issue with their lack of response to his security concerns.

 "I did tell them that there was a problem, and gave them several options
to deal with it, and instead they chose to do nothing," Greenspan said. "It
is not my job to go around and fix problems for free."

 PayMaxx declined to comment on whether it had notified any of its
customers about the report of a problem. Under California's Security Breach
Information Act (S.B. 1386), companies that may have leaked personal or
financial data must advise their customers as soon as possible.

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list