
Senators push to ditch social security numbers in light of Equifax hack

1126 points| Varcht | 8 years ago |techcrunch.com

464 comments

[+] njarboe|8 years ago|reply
The main problem trying to be fixed here is "identity theft". What that crime is, I think, is not clearly understood. This is when a criminal defrauds a bank or other company by getting credit using your identifying information and then defaults. The bank then misinforms the credit bureaus that you defaulted on your loan and this lie by the bank hurts you when you want to get any type of loan. This crime would be better called "bank slander" and the banks that do it should be fined heavily with some money going to the person slandered.

Banks should have to know who they are loaning money to and if they make a mistake, that needs to be solely their problem. Then banks will figure out ways to confirm your identity better and people won't get into the hell that is trying to get the "bank slander" removed from their credit report.

[+] djsumdog|8 years ago|reply
You said it in your comment and I've seen it in other posts here on HN. It shouldn't be called identity theft. It should be called fraud. That's what it is.

The idea of an identity, especially a permanent one that travels with you throughout your life, is a relatively recent one. 200 years ago, you could escape your past sins, so long as you didn't have an identifiable face and could speak the language at your destination. (If you couldn't you ran the very real risk of becoming a slave, which is caused by removing a person from their context; e.g. family, language and community).

There is a deeper question of "What is an identity?" and we also have to realize that the digital identities have never existed throughout history. Not in the way they do today. It's hard for us to imagine a world before passports, before real borders and before permanent numbers and documents that follow citizens throughout their lives.

And the principal reason we have digital identities today? Debt. It is solely to trace debt. It has nothing to do with proving you went to x university or worked at y job. There are other ways to track that, which are terribly inaccurate when you really start to look at them. The principal reason for your SSN, your digital identity, is to track credit and debt. I highly recommend the book _Debt: The First 5,000 Years_. It really goes into depth on this concept.

[+] hoosieree|8 years ago|reply
Thief: Hi, I'd like to withdraw $100 from Joe's account.

Bank: Here is $100 from your account, Joe.

Joe: Hi bank, where's my $100?

Bank: Already gave it to you.

Joe: Wasn't me.

Bank: Well, Joe, you screwed up big time. You let someone steal your identity. Sucks to be (the real) you!

[+] Terr_|8 years ago|reply
Exactly, "identity theft" is usually just weasel-wording for "someone broke our lazy authentication system".

Followed by "and we compounded our failure by falsely telling lots of other institutions that it was your fault."

https://www.youtube.com/watch?v=-c57WKxeELY

There won't be any improvement until the legal system creates a stronger incentive for institutions to be more secure.

[+] Lazare|8 years ago|reply
Yes.

It's easy to understand why the victim of this type of fraud (the banks) would like to shift the damages onto an unrelated third party (the person whom the original perpetrator is purporting to be); it makes life much easier for them.

What's not clear is why anyone else would go along with it. If someone breaks into my home and steals my microwave, I cannot then break into my neighbor's home, steal their microwave, and then claim that my neighbor was the true victim of the burglar. I am the victim of theft, and now that I've stolen my neighbor's microwave, he is also the victim of theft. It doesn't cancel out!

I think it's important to be clear about what's going on here, who the victims are, and who they are being victimized by.

[+] StavrosK|8 years ago|reply
This reminds me of the recurring Onion title:

‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens.

I don't understand why the US has identity theft. Is it because there's no national ID? Here in Europe we don't have any "secret" number that someone can just use to open a bank account in your name.

[+] vostok|8 years ago|reply
If you want to live in such a "free market" world then if I'm a bank and someone fraudulently used your information to obtain a loan then I don't want to issue any more loans to anyone who uses your information.

If one person used it fraudulently then there's a much higher probability that any subsequent loan application with the same information is also fraudulent.

[+] harryh|8 years ago|reply
It already is a crime if you tell the bank that they have made a mistake and they don't correct it. It's not hell to fix it. You just have to send a few letters.

It also already is almost all the bank's problem. After all, they are the ones that lose the money in the scenario you describe.

[+] dalbasal|8 years ago|reply
I think there are underlying issues beyond slander or misinformation.

In many ways, credit scores are an early example of data related problems that will become more common. Some will become serious issues in the next few years.

Credit scores are basically an estimate of credit-worthiness. The system is designed to solve the banks' problems, not consumers'. For banks, some number of false positives (creditworthy person with a bad score) is acceptable. It may narrow the market slightly, but it improves the quality of the remaining majority of customers.

This is true of a lot of statistical/algorithmic decision making. Paypal flagged me as "high risk" when I moved countries, so I can't use paypal now. For paypal, losing 1 of me to avoid 2 malicious users is an acceptable trade-off. For me, it's annoying but not a big deal because paypal is rarely the only option.

If paypal's "danger" flag were shared across the financial system, this would become a serious problem for me. It could freeze me out of online transactions entirely, maybe other things. If landlords had access to paypal's "high risk" filter, would it be worth using to filter out bad tenants? Seems possible.

The false positive problem goes from an annoyance to a fundamental rights violation quickly, if data is shared.

Insurance is acquiring similar issues, though with very different mechanisms. As statistical inference improves, insurance ceases to be insurance... Risk gets pooled across ever smaller groups. The whole purpose of insurance is to pool risk widely. IMO, this is the problem the US' health policy architects underestimated. Insurance companies know too much to be insurance companies.

More such issues are coming soon. China seems to want a credit score system, with alarmingly ambitious and political breadth... The Social Credit System.

Adtech companies and conglomerates (especially FB) are really hitting their stride. I wouldn't be surprised if they can score credit worthiness, insurance risk and other things using their web browser and app datasets.

Should adtech be allowed to service banks, insurance companies, real estate agencies and employers? If not, we should probably decide this now.

I don't know what the answers are, but credit score may be the place to start. I think approaching the problem from an identity/data protection perspective is fundamentally flawed.

[+] unabst|8 years ago|reply
The banks should definitely be made responsible and made to pay for all the fraud they sign off on at all of their desks.

We already know what happens when the banks run out of money. They get bailed out. That means they will NEVER be the victim.

That means we can make them pay for bailing out fraud victims and taking the hit on their behalf. It should be a service, a duty, and an honor.

But that will never happen, because this is America.

[+] tomasien|8 years ago|reply
"this should be solely their problem" - from a legal standpoint, it is. The only reason it "isn't" is because the credit bureaus suck and don't move fast enough. I'm generally not in favor of using regulation as a blunt hammer, but I think a regulation that makes total sense is to strongly punish anything resembling a credit reporting agency (credit bureau or otherwise) that can't demonstrate RESULTS (not effort) in remediating errors related to ID theft.

The FCRA put a lot of measures in place to RESPOND to consumer complaints, but they don't work well and only matter when the consumer decides to complain and is willing to put the time in to do so. That's not enough - if a CRA can't demonstrate success, they should either not be allowed to exist or they should be de-certified. CRA's that can't meet that standard could still exist as businesses, but they shouldn't get the government protected oligopolistic designation they get now.

[+] cratermoon|8 years ago|reply
Notice how the solutions proposed to solve "identity theft" tend to be things that make it harder for the individual to engage in financial activity. Not make the credit agencies or financial institutions get their act together, but force the individuals to jump through more hoops to manage their own money.
[+] mightybyte|8 years ago|reply
I agree with your assessment here. But the first thing I thought of when I saw this headline was fixing the fact that SSNs are massively bad as authentication. Instead of giving people a number to authenticate, we should be using public key crypto and digital signatures. If the Equifax hack is the catalyst that pushes us to public key crypto instead of SSNs, then I'm all for it.
[+] rs999gti|8 years ago|reply
> This is when a criminal defrauds a bank or other company by getting credit using your identifying information and then defaults.

ID Theft isn't just this. Illegal aliens use ID purchased on the black market to get jobs and pass ID verification. While they have those jobs, they have payroll taxes withheld, but don't file taxes leading to some Americans being hounded by the IRS.

https://www.ice.gov/news/releases/15-illegal-aliens-arrested...

https://www.usatoday.com/story/opinion/columnists/2017/07/03...

Additionally, some American babies are assigned SSN's already associated with illegal aliens:

> Illegal aliens generally prefer SSNs that have not yet been legally issued or, failing that, the SSNs that belong to American children since these numbers can be used for years without anyone knowing it – except the IRS and the Social Security Administration.

> However, the Social Security Administration does not remove unassigned SSNs used by illegal immigrants from its database. That means the numbers are eventually assigned to newborn, American infants. Neither the Social Security Administration nor the IRS notifies American citizens when their or their children’s SSNs are used by others. In other words, the federal government has facilitated identity theft and protected the identity thieves.

http://thehill.com/blogs/pundits-blog/immigration/327049-pre...

[+] npsimons|8 years ago|reply
> The main problem trying to be fixed here is "identity theft".

It wasn't a problem, at least it wasn't up until the point that creditors reframed it as "identity theft." It's fraud, plain and simple, and if it were treated as such, the burden would be on entities that have the resources to handle it (and who are also responsible for enabling it) instead of ruining the lives of normal people just going about their business. Oh, you loaned money to someone claiming to be me? I don't see how that's my problem. Sucks to be you. Maybe rethink mailing out pre-approved credit cards in the future.

> Banks should have to know who they are loaning money to and if they make a mistake, that needs to be solely their problem.

Agreed.

[+] Shivetya|8 years ago|reply
Just like any retailer who makes and delivers a sale over the internet without physical verification the issuers of credit should be held liable. This will mean getting instant credit for purchases and such will be very difficult but that is the price the lenders need to pay for the risk of having, not the consumer.

Perhaps they will need to partner with local banks and such. I don't care. By default they should not be able to issue credit where the liability is on the consumer until physical verification is complete.

[+] paulsutter|8 years ago|reply
You’re onto something with “bank slander”:

https://bootheglobalperspectives.com/article/1398476643WBG20...

“Bank Presidents and Officers must exercise great care in protecting the privacy of information they gather on people, because there are legal liabilities if a bank intentionally defames a person or invades the privacy of an individual”

[+] manishsharan|8 years ago|reply
This. I once applied to my bank to take out a loan for my business and the questioning I faced was very vigorous and the process took almost a month. Contrast this with getting a Visa/Mastercard for almost equivalent amount-- the sales rep fills out the information in a minute in a big box store and the card is mailed to you within a few weeks.
[+] tlrobinson|8 years ago|reply
I wonder if anyone has tried to sue a bank for this?
[+] undersuit|8 years ago|reply
Why can't I upvote this comment?
[+] godzilla82|8 years ago|reply
Sorry you are wrong. SSNs and other identity mechanisms are an infrastructure provided by the government to facilitate business. It should never be the responsibility of individuals/businesses to validate identity. If there are flaws in the existing system that lends itself to be manipulated, then the solution should be that the government should fix it.

Edit: In my country we didn't have a unique id till a couple of years back. So everywhere you had to submit photocopies of your id proof and another of your address proof. Imagine giving copies of your id to the lowest ranking person of the business you are dealing with. You have extra challenges if you have moved recently.

[+] beager|8 years ago|reply
> Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia and both the current and former CEOs of Equifax on how to protect consumers against major data breaches.

So, ask the person who lost 3 billion accounts, the person who is stuck with the mess from losing 3 billion accounts, the person who lost 145 million SSNs, and the person who is stuck with the mess from losing 145 million SSNs how to protect against data breaches?

I appreciate the relevance of those individuals to data security, but they're clearly not subject matter experts. If I wanted to secure my home against burglars, burglary victims probably wouldn't be my first consultation.

That said, the mostly fixed nature of SSNs and their intrinsic potential for introspection is a huge liability and we should move away from them.

[edit: Karen Zacharia may well be a subject matter expert here, it's a little unfair to group her in with my rant.]

[+] burkaman|8 years ago|reply
Burglary victims should be your first consultation, because most people who weren't burgled were probably just lucky, or were burgled but haven't realized it yet.

If there are 10 houses, a burglar tries to get into all 10 but only succeeds on 2, then you should talk to the 8 owners who successfully protected their houses. If there are 1000 houses, a burglar tries to get into 10 but doesn't tell you which 10, and succeeds on 2, you should talk to those 2 owners because they know for a fact what can fail. 990 owners will just say "do what I do" without having any evidence that their strategy is actually safe.

[+] djsumdog|8 years ago|reply
It's 2008 all over again. The US/International shit show we call a media tried to make Occupy seem like lost-goalless hippies. It was the ghost of Nixon. You know why people were mad? All those executives at the highest levels committed fraud, perpetuated fraud, created a culture from top to bottom of fraud where people who issued loans were encouraged to forge documents, make up incomes and sell people on terrible mortgages. Then the media blamed those people instead of the people who put that system into place.

None of those executives went to jail. None of them faced any real fines. None of them faced any real consequences. Many of them walked away with millions. PNC bought National City Bank for $5 billion and got a $5b tax credit (National City wasn't allowed any TARP funding). Big banks knew 2008 would happen, and when it did, they used it to buy all their competition at the expense of millions of Americans who lost their homes, retirement savings, etc.

It doesn't matter if it was Bush or Obama or Hillary or Trump, because no matter which puppet is on stage, no one in the 1% who either allowed such terrible things to happen or made them intentionally happen or profited from things that happened to have fallen into their laps; none of them face any real consequences. The executives who sold off Equifax shares getting off without any wrongdoing is a perfect example. It's obvious they knew. They made money and they will never and can never be held accountable in today's world because they control, to various levels, all the world leaders and banks.

[+] PakG1|8 years ago|reply
Is there a transcript of what kind of questions were asked? I can imagine useful information being gleaned by questions like, "what was the nature of the attack, how were people able to get in, what exactly happened here, how did you store the data, why were you confident it was secure, etc?" That gives you a starting point of what the facts are, what was really experienced. When you are working from a ground zero of zero knowledge (and I bet most of these committee members have zero knowledge, if not all of them), it's good to establish facts of what happened before figuring out solutions.
[+] bagacrap|8 years ago|reply
I was burglarized by someone who kicked my front door down. Everyone who hasn't experienced that thinks it's important to fully gate off your back yard. My first-hand experience tells me that that advice wouldn't be sufficient to secure my home. Why would you prefer speculation over experience?
[+] ProAm|8 years ago|reply
Politicians need to look like they are doing something. It doesn't matter if they actually do anything. If they look busy, they are busy and are obviously working hard and should be kept in that position.
[+] ams6110|8 years ago|reply
> So, ask [the people who lost billions of accounts and SSNs] how to protect against data breaches?

It's worse than that. These are the very people who profit on trading in data linked to identity information. It's like asking the fox how to secure the henhouse, after he ate all the hens.

Any new identity scheme has to be something that does not rely on security practices of any third parties. The public component of the identifier must be useless as an identifier without the private part held only by the individual.

[+] eggpy|8 years ago|reply
> Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward. In this model, a certificate lasts for three years at maximum and can be used to issue a digital signature much like written signatures are used now. Unlike its counterpart in the U.S., these identity accounts can be revoked and reissued easily through an established national protocol.

I believe most Americans are opposed to a national ID, so SSNs have been used as an (utterly terrible) workaround. Some reasoning for this, to quote an ACLU article on the subject[0], 'Former Senator Alan Cranston has described the national I.D. card as "a primary tool of totalitarian governments to restrict the freedom of their citizens." '

The Brazil solution mentioned seems pretty reasonable though. I like the built in expiration and ease of reissue. Anyone have experience with or thoughts about this sort of system?

[0] https://www.aclu.org/other/national-identification-cards-why...

[+] yason|8 years ago|reply
The problem is if social security number is used not only for identification but authentication. Knowing someone's SSN shouldn't ever get you anything: SSN could as well be public information, ideally. I don't know about the US but where I live, bank account numbers are effectively public: you could publish yours on the internet and all people could do is put money on your account. The bank will then require official authentication if you wish to use the account number to withdraw money.

Using a unique identification number for authentication is authentication by proxy. Yes, it's highly likely that only the right person knows his own number but never guarantees anything.

Make authentication easy and solid and the bar for frauding through stolen identity goes up.

[+] cesarb|8 years ago|reply
> Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward.

That made it sound as if every Brazilian had one of these, and it were the main citizen ID. That's not the case.

Here in Brazil, the main ID is the RG (Registro Geral), which is an identity card made of paper, issued by any of the 26 states (plus the Federal District). Since it's issued by the states, a single person can have more than one RG.

We also have the equivalent of USA's SSN, here called the CPF. Like the SSN, it's used as the person's tax ID, and is a national number. It's also issued as a card made of paper, but unlike the RG, it cannot be used for identification, since it has no picture or fingerprint. For simplicity, if you already have a CPF number when your RG is issued (or re-issued), you can have the CPF number printed on the RG card.

It's with the CPF that the "Infraestrutura de Chaves Públicas" (ICP) comes into view: you can get a certificate associated with your CPF, and use it for instance to sign your taxes. But it's not required, and most people don't have that certificate, or even know that it exists.

In my opinion, the reason we don't have the same problem as the USA is not some fancy digital certificate stuff, but the simple fact that the CPF number by itself does nothing: everybody also wants to see the RG card. And for income taxes, the electronic form also requires a number found in the previous year's income tax receipt. The income tax return will be deposited into a bank account of your choice, but AFAIK it only accepts a bank account where the account owner has the same CPF, and to open a bank account you need the RG (plus other documents).

[+] matt_wulfeck|8 years ago|reply
What I want is control. I want to know who is accessing my credit history and for what purpose. And I want control of what accounts and business are able to access it.

The government can accomplish this by providing your identity in a way that provides this control and transparently, and requiring that businesses/third-parties come through this gateway for identification.

[+] matt_wulfeck|8 years ago|reply
Recently my grandmother passed away. We found her social security card (from 1932) and it says very clearly "NOT FOR IDENTIFICATION". It seems some lessons are lost.
[+] coleca|8 years ago|reply
How many million lines of mainframe COBOL would need to be updated if the SSN were to go away?
[+] tomschlick|8 years ago|reply
To me, a good solution would be a chip-based smart card with a private key on it for physical proof of identity, and an oauth api for web based stuff. The api would also power the back-end of the in person transactions and issue the vendor a token which they would use from that point forward.

In this system, everything would be logged in terms of who/what accessed your data and it could be de-authorized at any point.

The cards themselves could just be each state's ID/Drivers License to avoid the scare of the national id that many are opposed to for one reason or another. Replacing an ID would be as easy as visiting your DMV (shudder) and them invalidating your old private key.

[+] alkonaut|8 years ago|reply
On a related note: have many in the US switched to locked mailboxes?

Without locked mailboxes, you can't even use the slow address/snail-mail 2FA that should be used for certain transactions when you don't have

E.g. if I want to take a loan, I'd say who I am and the bank would send the papers to sign to my mail address. Only after I sign the papers will I get the money. Someone pretending to be me would have to stalk my mail box (time consuming and hard because it's locked), or first change identity records to associate my name with his mail address. This greatly increases the difficulty of this kind of fraud. From just needing a fake ID, to either having to commit a long stalk of my mailbox and commit physical mail theft OR having to do a multiple phase fraud where authority address records are first changed.

Obviously this all hinges on a) id required to open bank account, b) central registry that maps id to mail address, separate from the bank.

[+] DonHopkins|8 years ago|reply
I worry that they'll figure out that the easiest way to ditch social security numbers is to ditch social security.
[+] ActsJuvenile|8 years ago|reply
It is quite straightforward to upgrade SSN system. Social Security Administration can generate deterministic Private+Public key pairs for all citizens.

Public key is your new SSN. If it gets stolen, simply generate a new public key, and give it out as a new number. All public keys are easily verified since SSA knows the private keys.

[+] tabtab|8 years ago|reply
SSN is FINE as a simple identifier. The problem is that organizations try to use it like a PIN code or password. It should NEVER be used as proof of identity per transaction requests. Software Engineering 101: Use the right tool for the job. If an org needs a PIN code or password, make one.
[+] nthj|8 years ago|reply
My first inclinations are that Apple and Google should be in these committee meetings. 77% of Americans own smartphones [1]. 99.6% of new smartphones run Android or iOS [2]. I would love for my iPhone to generate a private/public key pair, with the private key stored on the Secure Enclave.

To register my public key, I fill out, on my phone, a bit of basic public information: full legal name, place & date of birth, and my current address and submit it. My phone suggests a nearby SSA office and proposes several appointment times, reminding me the day of.

At the appointed time, I take my phone, passport, birth certificate, SSN card, driver's license and recent electric bill with my address on it to the local SSA office. [3] There, the administration manually inspects and verifies my documentation. Their systems then sign the authentication along with the current location, the time, the official's ID number, and a sha256 hash of a photo of me and the official holding up today's paper.

My phone chirps, I use my passcode/Touch ID/Face ID/Dance ID to digitally counter-sign their authentication. This assures me that when the SSA's private keys are rotated because of inevitable compromise or on a routine schedule, my public key was not overwritten by the attackers.

The SSA administration publishes my public key in their online directory. Private companies can download the public key directories and cache them, or pay Stripe-like vendors for just-in-time lookups. When I want to apply for a credit card, my phone chirps and I sign the credit request, just like Apple Pay. When I lose my phone, I run by the SSA office again before I apply for another credit card.

Empowered by this new security layer, Congress passes a law establishing that no one can be held liable for—and credit decisions may not be made against—accounts that have not been digitally signed for any citizen who has a verified public key.

And then I remember healthcare.gov and I wonder if I should even press submit.

[1] http://www.pewinternet.org/fact-sheet/mobile/

[2] https://www.theverge.com/2017/2/16/14634656/android-ios-mark...

[3] I wouldn't necessarily need to have all of these kinds of documentation, but the public directory system would be able to indicate which forms of identification I did have at time of authentication, for third parties to weigh the risk of identity theft.
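
Several comments in this thread (mightybyte, yason, tabtab and nthj above) draw the same line: an identifier may be public, but authentication should be a signature over a fresh request, checked against a registered public key. The following Go sketch is an added example, not part of any comment or of a real system; Ed25519, the type names, `id-0001` and `bank-a` are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Directory is a hypothetical public-key directory: identifier -> current key.
// Assigning a new key for an identifier (lost phone) replaces and so revokes the old one.
type Directory map[string]ed25519.PublicKey

// Device holds the private key; only the public half ever leaves it.
type Device struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, Pub: pub, priv: priv}, nil
}

// CreditRequest is the message the applicant's device signs.
type CreditRequest struct{ ID, Creditor, Nonce string }

// bytes quotes each field so field boundaries cannot be shifted between fields.
func (r CreditRequest) bytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q", r.ID, r.Creditor, r.Nonce))
}

func (d *Device) Sign(r CreditRequest) []byte { return ed25519.Sign(d.priv, r.bytes()) }

var (
	ErrUnknownID = errors.New("identifier has no registered key")
	ErrBadNonce  = errors.New("nonce not issued here or already used")
	ErrBadSig    = errors.New("signature does not verify under the registered key")
)

// Creditor issues one-time nonces and verifies signed requests.
type Creditor struct {
	Name   string
	dir    Directory
	issued map[string]bool
}

func NewCreditor(name string, dir Directory) *Creditor {
	return &Creditor{Name: name, dir: dir, issued: map[string]bool{}}
}

// Challenge returns a fresh random nonce for one application.
func (c *Creditor) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	c.issued[n] = true
	return n, nil
}

// Verify accepts a request only if the identifier has a registered key, the
// nonce was issued by this creditor and is unused, and the signature checks out.
func (c *Creditor) Verify(r CreditRequest, sig []byte) error {
	pub, ok := c.dir[r.ID]
	if !ok {
		return ErrUnknownID
	}
	if r.Creditor != c.Name || !c.issued[r.Nonce] {
		return ErrBadNonce
	}
	if !ed25519.Verify(pub, r.bytes(), sig) {
		return ErrBadSig
	}
	delete(c.issued, r.Nonce) // single use: a captured request cannot be replayed
	return nil
}

func main() {
	dir := Directory{}
	alice, _ := NewDevice("id-0001") // constructed identifier
	dir[alice.ID] = alice.Pub
	bank := NewCreditor("bank-a", dir)
	n, _ := bank.Challenge()
	req := CreditRequest{ID: alice.ID, Creditor: bank.Name, Nonce: n}
	sig := alice.Sign(req)
	fmt.Println("first use:", bank.Verify(req, sig), "| replay:", bank.Verify(req, sig))
}
```

Knowing `id-0001` alone gets an applicant nothing here: a request signed with any other key fails with `ErrBadSig`, and re-registering the identifier invalidates signatures from the old device.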

[+] ykler|8 years ago|reply
Obviously it is a problem that social security numbers are often accepted as proof of identity, but the article seems to be saying that permanent id numbers are bad even apart from this. I don't understand what the argument is though.
[+] njharman|8 years ago|reply
The problem isn't that we have numbers. It's that corporations have little incentive to protect them.

Right now it's cheaper (i.e. more profitable) to do as little as possible and when/if they get hacked just pay extra on PR/lobbying for a couple weeks/month until someone else gets the public's attention.

Enact Huge (like $1000 per person exposed) fines, corporate death penalty, jail time for people in charge. And, I can guarantee you, companies will start actually protecting their data.

[+] gumby|8 years ago|reply
How does it work in countries where the opposite is true (e.g. Sweden, where the "personnummer" is public info)? Why is there not massive identity fraud there?
[+] rrggrr|8 years ago|reply
Keybase.io has this problem solved in a way creditors, etc. could make good use of. Let the proofs be user/use driven.
[+] nnq|8 years ago|reply
Isn't it obvious that this scandal was either provoked or amplified in order to make Americans get themselves mandatory government IDs with chips and biometrics?

...not that that would be a bad thing. Just getting in line with EU and the rest of the world, finally. Mass monitoring would at least become a few orders of magnitude cheaper hopefully spending those funds on more socially useful things. Offer a chip-less option for more privacy paranoid people, so that at least they can't be tracked remotely when they don't carry their phones (yeah, some countries have this option system). And it's all nice and dandy.

As a European, I find it mind boggling when I see people without adequately secured and mandatory IDs in the US...

[+] itissid|8 years ago|reply
I think one more thing that needs to be understood is how can one dynamically establish identity. I have never built a cryptographic system, but I thought maybe the following could be better:

Let's say Alice is a person wanting to establish Bob's identity. 1. Bob must be the only person who retains control over his identity. 2. Bob can verify he is who he says by a distributed system and Alice gets only a Yes/No answer. 3. All verification can be done using a distributed fashion, something like bitcoin/blockchain.

The most important thing here would be an implementation of the distributed nodes and how Bob's information is authenticated. But I think all these parts already exist. Political and Business will is needed.