An insurance company’s API exposed customers’ car location histories (andreascarpino.it)
I believe the frequent bursts of data from the car were given to insurance companies. Or they were trying to package an insurance deal along with the car sale or something.
We need these "personal data for discount" transactions to become more explicitly consensual. Despite the well-tuned sensitivities of those in this community, we have a long way to go before most consumers are informed about this unwitting marketplace.
I suppose it's good in case your account gets leaked.
If the company providing the service were financially liable for these blunders, they would be careful to select contractors that are capable of meeting the security needs.
As it is now, there is no financial incentive to select the "security aware" contractor, and the "non-aware" one is so much cheaper...
There is a good chance that the lure of security consultancy $ is resulting in a degradation of the quality of the applications.
It will still be out there. For example, in a startup that's trying to get off the ground, going bankrupt because of security issues isn't that much different than going bankrupt because you failed to gain traction. It will still be put off to "later."
That said, with significant financial penalties there will be a point where the startup assesses the cost of security to be worth it (vs. now where there is no downside other than bad PR).
It's not a stretch that there should be laws that affect all companies that collect data on their users. I hope it happens soon! These companies should be paying quite a bit in fines for these mistakes, not just a few thousand for a bug bounty. Otherwise our personal information will most likely leak and be all over the web.
Name and shame, please!
Having a little third party controlled snitch hooked to your car is a security issue, period. The fact that the implementation is a shitshow is just icing on the cake.
The 15% discount for taking a black box still isn't worth it for me however.
Being part of a late 30s couple with pretty boring driving history in a small city pays I guess. I pay like $700-850 (depending on how you break out umbrella liability cost) for maxed out coverage in an above average cost US state. I think I paid around $1200 when I was a dumb kid with tickets. :)
Even if there were significant savings, it wouldn't be worth it to me to have that kind of telemetry being gathered. It can only be used against you in an accident situation.
I've had a driving license for about 10 years and I've never been in a collision, never gotten a ticket, and never filed an insurance claim -- nevertheless, my insurance premium was $95 a month (likely due to my age, credit report, not being married) until I switched to a pay-per-mile insurance that requires a "third party controlled snitch" connected to my vehicle's OBD port -- which cut my premium significantly.
> I can't believe that anyone would voluntarily sign up for this.
It saves me money and I don't have much money. Hell, it's why people even bother with insurance companies in the first place -- it's cheaper than depositing $60,000 in a surety bond to the DMV.
I'm speaking from guilt.
I went to an interview 3 years ago. The only 'evidence' I have is the UI looks vaguely similar, and my questions about their security posture were met with non-committal answers.
If you knew about the industry, they could have rebranded somebody else's software, bought a previous version, lots of things.
Why would I hold myself to something that may be libelous, without the evidence the OP has?
The point is to make the business-risk managers in other provider companies say to their executives: "We cannot take the risk of skipping cybersecurity hardening. If we do skip it and we get caught, our business will be forced into bankruptcy."
In the future, we'll see fewer revelations about this sort of thing, not because it has become rarer but because Google have chosen a course of action which obscures it.
(it also breaks things like personal or corporate CAs, but that's a different problem)
Some context: https://github.com/mitmproxy/mitmproxy/issues/2054
Your point is valid, but I think it's a negligible improvement that comes in hand with severe implications for privacy research.
I guess location tracking would make sense too, so they can bust you if the car stays in a place other than where it's insured for. Or god knows what else. All of this shit is only going to get worse, a lot worse.
Dismissing people focusing on "X" instead of "Y" is useless and disruptive.
Depends. A lot of doctor's offices are in "medical parks," so it's entirely possible they don't know which doctor you are seeing or why. They have easier access to that information via your calendar (if you use it) than your location.
For that matter, your location data couldn't be proven to be yours on merit alone. Anyone can be using my car, and anyone can have my phone, at any given time.
Unless you're someone with specialized experience (crypto), you as a pentester are worth around $100k/yr. That's excellent money, but it's not the massive margin that would drive people away from webdev.
Knowing, like most industries, the layers of ODMs and OEMs etc., it's hard to pin down who exactly is responsible for a security cockup. And, funnily enough, having an interview there I wasn't inclined to do a recce on their infrastructure. Also, not having a device, I didn't have endpoints or traffic to test.
I guess you could buy some specialist insurance which would cover more but unless you are planning on crashing into multiple Bugatti Veyrons, it's pretty much impossible to hit that limit.
To me that's a content-free statement. If you were either not anonymous or you named the company, the statement would have some force; as it is, it is a big fat 0.