Comment by StillBored
3 years ago
"It is important to note that the exposed details do not constitute personally identifiable information, so it wouldn't be possible to use this data leak to track individuals unless the attacker knew the VIN (vehicle identification number) of their target's car."
Am I dumb or are they? If you know someones home address, then all you need is a geo lookup, and a filter which selects for cars parked near that address at 3AM over some time period. Which then gives you the VIN and the entire location history, right? Sure you might get more than one car if the someone lives in a city and uses street parking but its still going to reduce down to just a handful of cars which can then be cross referenced against place of work, relatives, etc.
And of course home address lookup can be made with any number of public databases with little more than a name and maybe some additional filtering (age, city, phone number, etc).
> its still going to reduce down to just a handful of cars which can then be cross referenced against place of work, relatives, etc.
You are correct, but I can't imagine why anybody would go to that much trouble for a speculative answer. Your idea requires quite a bit of intelligence collection as well (relatives' addresses, addresses of known hangouts, etc. that you have to vet for accuracy).
If you have a confirmed home or work address, just go to their home or work and take a picture of the target VIN through the windshield.
The scammer in the third world country folks may be at threat of this breach being exploited by does not have that ability.
But they do have the internet, and further no meatspace means scams can be automated/scaled.
Honestly, this seems very bad.
Reidentifyig anonymized location traces has been common for many years in the gray data market world. If you have multi-year traces, it’s not too hard. You just need some sparse location data for the target and then if the sparse data matches the trace at 4-5 times you can be pretty sure it’s the same person.
For example, if you ever use public wifi, and you hit a web page with real-time bid ads on it, your ip address and tracking cookie will be reported. The IP can be geolocated, and presto, you have one time/location datapoint. Credit card transaction data can also be bought, and a cc transaction often gives you a location and a time.
I read an article today about someone who was called by his daughter to transfer money. It turned out to be an AI deepfake.
The criminal networks are pretty sophisticated.
4 replies →
Going to everyone's house seems multiple orders of magnitude more trouble than looking at where a car is most often parked, and seeing if you have anybody in your database that lives, works, or has relatives (or facebook friends) that live at those addresses. I bet you'd get a unique hit 99.99% of the time if you have 10 years of data.
I think his point is just because the data in isolation isn't identification, we live in a world where multiple public datasets are easily used to make 99.9% correlation, yet laws still act like these associations are "technically challenging" Most of the problems are from actors who are very specifically motivated and we need to start a less isolated view of data breaches .
I know the VIN on my wife's car. It'd be beyond a few boundaries to track her vehicle and internal cameras if, say, we split up at some point.
You can read the VIN of neighbors and significant others pretty easy.
The VIN on my Toyota is displayed right beneath the windshield. Anyone can walk up to my car and read it.
VIN being visible through the windshield is a legal requirement in US.
2 replies →
VINwiki leverages this to form a community
> Am I dumb or are they
I don't think you're wrong. I wonder what incentive bleepingcomputer has to make it seem not so bad.
Avoiding getting rekt for defamation or a potentially libellous article.
Okay, massive tangent, but it's been bugging me for a while and this has finally tipped me over the edge - why is it called personally identifiable information? That would be information that someone can personally identify surely? Shouldn't it be personally identifying information?
Words mean whatever people who use them intend them to mean.
Because it's information that may be able to identify, but is not necessarily conclusively identifying of, a person.
Yes, all location tracking data is personaly identifiable.
Given any dataset like this it is trivial to pick any entry and trace where is home and where is work thus de-anonymizing it. Conversely given any home or work addreas it's trivial to find all other related entries for the individual.
If an IP-address is PII, then so should be a VIN and chassis number.
Definitely agree. If I have a time series of geo location information, which visits point x,y once per day at 5:00pm I can probably conclude they probably live at this location.
Of course it would all be incredibly boring to analyze. We can conclude that people live at a certain location, (dumbly for no good reason) drive to another one 5 times per week and go a few other places.
Sure you might be able to find the odd person that is doing something weird or illegal but if you already know location x1, y1 contains bad guys might as well just go there and arrest them instead of creepily analyzing data that you know you shouldn’t have.
Also, among these 2M customers there are surely a few high-profile ones that have implications for politics/crime/forensics/espionage ?
Also, just looking into the window of the car at the dashboard is usually all you need to get the VIN for a car.
Yes people can finally see if their spouse was cheating. Or learn when a target is typically not at home. Or what church they go to. You are not dumb. The statement in the article is dumb however.
If you commute from home to a job I think even with somewhat coarse information it’s easy to figure out who you are. The NYT did a story like this based on advertiser data.
In my state you can look up the vehicle property tax records of anyone by name or VIN.