Information Security News mailing list archives

New Jersey lottery Web site may contain security risks, experts warn


From: InfoSec News <isn () c4i org>
Date: Tue, 31 Dec 2002 03:01:01 -0600 (CST)

http://www.nandotimes.com/technology/story/694805p-5149285c.html

By JOHN P. McALPIN, Associated Press 
 
TRENTON, N.J. (December 30, 2002 2:41 p.m. EST) - New Jersey Lottery
players who sign up for a VIP service offering discounts, bonus games
and daily e-mails of winning numbers are risking more than the price
of a ticket, Internet security experts warn.

The lottery's VIP Club requires people to give a name, postal address
and e-mail address. Also requested are their birth date and mother's
maiden name, key personal details that have security experts worried
about identity theft.

"No matter how hard I think about it, it's tough to come up with an
excuse for why that information should be required," said Lauren
Weinstein, founder and moderator of the Privacy Forum online group.

"The people who design these forms don't even think of this stuff. It
doesn't occur to them that the combination of both birth date and
mother's maiden name is something you should never disclose,"  
Weinstein said. "They've asked all the key questions there except
'What's your Social Security number?'"

About 77,000 lottery customers have enrolled in the service, up and
running for about a year.

Linda Melone, the lottery's deputy director of marketing, said the
information isn't collected for direct-marketing programs and won't be
disclosed to outside agencies.

Jaimee Gilmartin, a spokeswoman for the lottery, defended the
requests, saying birth dates verify that players are over 18 and
maiden names are often used as password protectors. The lottery has
never had a case of identity theft or other security breaches, she
said.

"The New Jersey lottery is constantly evaluating and re-evaluating our
procedures to ensure we provide the highest level of security for our
players," Gilmartin said.

Texas and Indiana have similar services that request birth dates.  
Texas also asks for a maiden name, but Indiana does not.

Consumers should make sure such sites offer clear privacy warnings and
hold the government to the letter of the law, said Robert Ellis Smith,
publisher of "Privacy Journal" newsletter. However, often customers
just click past such statements, which are often written by lawyers
and difficult to understand, he said.

Potential security concerns about the Internet were cause for concern
for some players interviewed.

"It's too easy for someone to steal your identity, especially if you
have to give your mother's maiden name," said Rich Froman, 39, who
bought two Pick 3 tickets and one Pick 6 ticket at an Atlantic County
convenience store recently. "That's one of the most private pieces of
information you have. To get updated lottery results? That's a joke."

Most players, however, are like Louann Elwood, 29, who didn't know
about the VIP program even though she's a regular player and goes to
the Web site sometimes. Elwood said she had no problem giving the
information.

"I'm addicted to the lottery," Elwood said while buying $10 worth of
Pick 4, Pick 5 and Pick 6 tickets.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

