Three Years in Identity Theft Hell (bloomberg.com)
315 points by ColinWright on Sept 16, 2017 | 187 comments



Counterintuitively, this is evidence that the Equifax breach isn't necessarily going to cause massive harm. If someone wanted to impersonate you, they could already.

I remain hopeful that the full list of 140M SSNs will be posted in full. It's a rare opportunity: if that happens, the US will have no choice but to finally switch to a new system. One that doesn't rely on SSNs being private. That's the absurdity. It is easy to steal your identity because we have allowed it to be easy.

It's going to be difficult to switch to a new system, but the pain will be worth it. Imagine if the author could finally have peace of mind because nobody could impersonate him.

That is a fairytale, admittedly. It's always going to be possible to steal someone's identity if you're determined. But just look how trivial it is right now. Your driver's license plus the thief's photo is all they need. And it's possible to forge: they don't even need to swipe your physical one.

Those are “the keys to the kingdom,” said Bo Holland, CEO of AllClear ID, an identity-monitoring service. “Once you have somebody's name, social, birth date, and address, you can go and open new accounts.”

The SSN shouldn't be the critical key in that list.

https://youtube.com/watch?v=Erp8IAUouus


> the world

The United States. I assure you that even though other countries have credit reporting, they do not use SSNs.

> will have no choice but to finally switch to a new system.

Really? I think they will just carry on unless and until the financial downside (losses from extending bad credit, or lawsuits from identity theft victims, or penalties from the federal government intervening directly) is shown to be really huge.


I think the eagerness of US banks to offer credit is a big part of the problem. Having people indebted is an essential part of the system of wealth transfer and class control, and the system is set up to make this really easy. In the Netherlands, where I live, it might also be possible to obtain a fake ID if someone would go to the lengths this impersonator went to, but I think it would be much harder to open bank accounts and get meaningful credit without questions being asked.

What I do not understand is why victims of this have not sued their banks over this yet. Suing should be the US counterbalance to this. People are innocent victims of fraudulent behaviour of their banks, and those banks are being robbed by thieves. Banks are supposed to guard their customers' money, which in this case they are clearly not doing. Maybe they do it unknowingly, or they are incompetent, but in the end those banks are behaving fraudulently too.


While not a bank account, let's not be smug about our country: http://m.telegraaf.nl/binnenland/article/24095858/man-in-pro... . (For the non-Dutch speakers, an Amsterdam guy had several houses rented in his name, some of which were used for mj plantations, and various other expenses incurred in his name).

Identity theft is not just because of SSNs or other unique semi-secret numbers. It's part of it, yes, but the root cause is a combination of culture and lack of incentive (i.e., identity theft is just not a big enough problem for actors to care).


Or, they have relinquished their ability to seek legal redress in court AS A CONDITION of doing business with them, agreeing to arbitration.


This is a HUGE issue in the USA, one which, apparently, too few people know about, or take seriously.

More and more companies are insisting on customers signing binding arbitration clauses as a condition of doing business: car dealers, banks, airlines, you mention it. It's all very well to say, well, don't do business with them, when all the competition are doing the exact same thing. If you need, say, a new car, well, good luck getting one without signing most of your rights away, and this is no exaggeration.

Binding mandatory arbitration clauses mean that you cannot sue the company, and agree to accept the verdict of the arbitrator, for which there is no appeal, and who is generally hired by the company having the arbitration dispute and is therefore impartial /s.

I have read FTC field reports about vehicle warranty claims where one arbitration decision was so outlandish even the FTC wrote that it was irrational, and the vast majority were in favor of the dealer.


Other countries have the equivalent of SSNs, i.e., a number issued by the government tax collector. However, other countries don't use it as a form of ID. In my experience, they use passports, ID cards, driver's licenses, etc., which are supposedly "hard to forge".


More importantly, we can 2FA from my id number to my address because there is a db mapping from id to post address.

With a locked mailbox (which is the default) it becomes a hassle to steal an identity.

If I get a new credit card it's sent to the address I id'd for.


It's better than just trusting the SSN, but I'd still prefer a system that can't be beat with a stick and some chewing gum.

(Yes, I had an ID theft near-miss that involved a locked mailbox in a locked stairwell. To me, the more obvious perpetrator seemed to be someone with access to the mail delivery pipeline, but the investigator I spoke to certainly did not think terribly highly of the security of a locked mailbox.)


These systems don't work well remotely, of course. Sometimes an organisation will accept an upload of a scan or a mailing of a photocopy. They sometimes require it to be signed by somebody to verify that it's genuine (e.g., a Justice of the Peace). But by doing that, the "hard to forge" feature is lost entirely.


They do use a scan or a photocopy, but having that stored, it is easier to check the identity of the real person once they claim there was identity theft.


The "verified photocopies" can be a bit of a joke. I know somebody who was having trouble finding enough ID for something. They printed an online bank statement, photocopied it, and got a JP to verify the photocopy against the original printout.


Ukraine is experimenting with and slowly rolling out an OAuth-like system called BankID, where your bank can provide information to a third party.


At first I was surprised by you mentioning Ukraine and BankID, especially since it's developed by Swedish banks. But reading about it now makes it seem like they are branching out to other European countries as well.

Over here it's basically used for everything that needs authentication / signatures - taxes, banking etc.


You talking about Facebook?


It's not just hard to forge: they expire often and change code frequently, so the exploitable window is smaller than for the quasi-permanent SSN.


Perhaps true to some extent, but a passport can last 10 years, which is plenty of time for identity theft.


If your identity gets stolen, you get a new passport with a new number and put the old one into the stolen document database.

Cannot do this with SSN.


The question would then be how many organisations check the stolen document database when looking at a passport id.


If you want to legally lend money, why shouldn't you be required to do a lookup? If you didn't, you're liable...


However, that clearly puts the blame where it's due. SSN changes being exceptions makes it easy to shield the company from due process. IDs, OTOH, have specific procedures for handling.


> The United States. I assure you that even though other countries have credit reporting, they do not use SSNs.

They use ID cards with at least some features to make forging said ID cards more difficult, unlike the US SSN which is pretty much just a number on a piece of paper.

This is mainly an issue of authentication, and as long as your credentials remain crappy/easy to guess/easy to forge (like the US SSN system), it will stay easy to game the system.

IMHO this DEF CON talk about birthing and killing virtual babies might also be quite relevant to the issue, tho it's not entirely focused on the US: https://www.youtube.com/watch?v=9FdHq3WfJgs


> I assure you that even though other countries have credit reporting, they do not use SSNs.

No, but many use systems which are not appreciably better than SSNs from a security and identity theft perspective.


Fixed, thanks. What do you feel are some sensible systems used by the rest of the world? One that's hopefully hard enough to break but easy enough not to cause massive hassles.


In Belgium we have a national ID card which has a PIN-protected chip and is required for all government and bank interaction. It is very hard to forge, and through a USB card reader I can use it for digital authentication (like for filing my taxes on the web). Getting one issued in the case of loss requires interacting with the police, so the threshold for someone fraudulently obtaining a real card in someone else's name is high.

Identity theft isn't something I hear about often here.


In Germany, my ID might be a form of identification, but only in association with the person in question; the ID's number or data itself is not considered identifying by a few institutions (postal service, banks, etc.; you always need physical presence for identification or use post-ident).

The ID is government issued, cheap to obtain in case of loss (30€ and a bit of waiting until the new one arrives) and contains a photo of you so it's of no particular value to someone who doesn't look like you.

IIRC identity theft isn't a huge problem in Germany, but it exists. However, most credit agencies offer options to lock down or delete data concerning such theft; I haven't interacted with any of them yet though.


It's similar in France.

In addition, each government service uses a different ID number and is forbidden from sharing information or using another service's ID number. So you have a fiscal number for taxes, a social security number for health things, an identity card number that only has meaning with the card itself. Your private (non-healthcare) insurance, your bank, and other private institutions can issue you their own number as well (or another kind of ID key) but cannot share them between themselves and cannot ask you to give them numbers of unrelated services. Citizens are responsible for forwarding most information themselves between separate services when needed.

In practice it makes it sometimes tedious to auth at any of these services (you have to find your number in whatever mail you received or card you got issued) but it really makes it more difficult to impersonate another citizen, as you would at most gain access to one service, and it wouldn't help you access any other.


> or use post-ident

Or use the eID functionality, which is growing now that the old IDs are starting to expire.


TBH, I haven't seen many websites that offer eID functionality, so I haven't bothered setting it up.


It's certainly a weird process to witness in Germany.

A couple of weeks ago I had a friend over who used my WLAN to eID for some service (I think it was a pre-paid CC? Neither of us can remember at this point) over his Android phone using some "AusweisApp2".

He ended up in a video chat with a lady who asked him to show his face/ID and swivel the ID in the light so she could see the reflections of the security features.

I was sitting next to that whole process thinking about how difficult it would be to put on a convincing facemask and create a matching fake ID that would pass a video inspection.

Shouldn't be that difficult, most certainly less difficult than trying to convince a postman in person by showing them a fake ID at an address matching the fake ID.


It's not impossible to fake and I don't think that'll ever be the point.

Rather, it's just very difficult compared to faking an SSN number on the internet.

The address in this case would be difficult, since a lot of institutions pull your address from the local registry, so you can't convince them not to send stuff to the victim's address unless you manage to change their address in the registry too.


> A couple of weeks ago I had a friend over who used my WLAN to eID for some service (I think it was a pre-paid CC? Neither of us can remember at this point) over his Android phone using some "AusweisApp2".

Ah, that’s the system you use when you don’t have any of the new eIDs, but one of the old ones.

That should be phased out by 2021.


To confirm your identity: national ID card, passport or driver's license.

To confirm your income: Your yearly income tax sheet, a payslip or your contract of employment.

There is really no reason whatsoever for credit check and background check agencies to exist. All they do is ask for these papers anyway.


It's worth noting that the perpetrator in the bloomberg article had a fake driver's license in the name of the victim. So ID cards aren't a complete solution either.


But you get that ID card using an SSN card. Other countries have a photo attached to your national ID card and citizen identification number (and sometimes fingerprints too).

But think about America right now. Do you honestly think we could get national ID numbers? Could you imagine people being asked for a DNA swab or fingerprint to establish their identity? The blowback would be monstrous, and I don't think it'd be entirely unjustified. With 1% of our population incarcerated or on probation, with no national health care and being the largest state sponsor of terrorism in the world, there is good reason for Americans not to trust their government. Add in all the fundie religious people crying "sign of the beast" and Alex Jones followers yelling "national RFID chips" and you're stuck with a situation that cannot change.


> But you get that ID card using an SSN card.

Not necessarily. Not all states require an SSN in order to issue an ID.

> But think about America right now. Do you honestly think we could get national ID numbers?

Unfortunately (for all the reasons you mentioned and more), we're pretty close, as the REAL ID system is about to take effect.

That's going to be a huge problem for people living in the states that don't issue REAL IDs. It's also going to be a problem for legal immigrants and transgender people in every state.


Not all states require an SSN in order to issue an ID.

I was under the impression that every single state requires an SSN to issue a driver's license or ID card in order to track and enforce child support orders across state lines.

Which states don't require an SSN to issue an ID?

Legal immigrants have passports, and ID cards/driver's licenses from their home country. I'm not sure what will require two forms of REAL ID compliant identification.


> I was under the impression that every single state requires an SSN to issue a driver's license or ID card in order to track and enforce child support orders across state lines.

Nope. If they did, the impetus behind the REAL ID act wouldn't even be relevant, because illegal immigrants wouldn't be able to obtain a driver's license or state ID.

> Which states don't require an SSN to issue an ID?

California is the biggest one, and in fact, California makes it illegal to discriminate against anyone who has a driver's license but cannot show legal residency.

Some states mark licenses as "not valid for identification" if they don't show legal residency, but it's usually subtle and easily overlooked or ignored. And the SSN isn't the only way to show legal residency, either.

> Legal immigrants have passports, and ID cards/driver's licenses from their home country.

For foreigners, passports are the only acceptable form of identification from foreign governments. Driver's licenses and other government IDs are not allowed, with the exception of driver's licenses from Canada.


Missouri didn't want to implement RealID not because they didn't want to require an SSN, but rather because they did not want to store copies of the identification documents in a central database. We ended up with a two tier system where individuals may opt for a RealID license or a regular license. For RealID licenses, the documents will be stored in an air gapped system, with criminal penalties for anyone who uses the system for anything other than RealID. (whether or not that gets enforced is another issue...).

Missourians have good reason to distrust the DMV, as they have been caught red-handed illegally using their databases in the recent past.


I am pretty sure every US state attaches photos to driver's licenses, too. Also, most if not all states require a birth certificate, not just an SS card.


Couldn't they verify the authenticity of the drivers license by contacting the department of motor vehicles?

One shouldn't verify documents unless one is a member of the organization that issued them.


It was most likely a real license. Credit checks use the DL number. You need an SSN card to get a license or ID card and the SSN card is gained using security questions and has no photo, fingerprints or biometrics associated with it.

I remember needing to get a new SSN card once and it was creepy how easy it was.


Comparing the photo on the DL with the photo from the DMV might help.


Not to mention the other documents from the GP.


We have national id + complete index of people, but still have credit check agencies.

The difference is probably that here those agencies aren't somehow trying to guarantee my identity. They just answer what credit rating my identity has.


Credit has little to do with income. I have over $70k in various credit lines and have never shown any proof of income whatsoever. I just name a number and they accept it (after checking my all-important credit score).


Again, that's an American thing. They will distribute credit to whoever asks for it, as much as they can, just to make money out of people.

In non-insane countries, you are considered debt-free when you have no credit, not when you accumulate credits and pay them with one another.


> In non-insane countries, you are considered debt-free when you have no credit, not when you accumulate credits and pay them with one another.

I'm not sure how you think the American system works if you think that "debt-free" has any meaning other than "no balances or debts outstanding".


Giving people credit without seeing how much they already owe and how they're repaying it is insane. Rich people can go over their heads and default just as well as poor people. There is an obvious and valid need for credit reporting agencies to exist.


Usually multiple forms of ID. In Australia you have a "points" system (each form of ID is worth a certain number of points and they are additive) where you need 100 points to create a bank account. This translates to a driver's license and passport, or driver's license and existing debit card, etc.

In Estonia I believe the system is based on public key cryptography (every national ID has a private key that is used for signing things).


HSPD12 badges for everyone?


In Sweden I got an identity card with a chip that I can use with BankID (a system that uses a card reader + PIN for most transactions). There is a Tax ID number, but this is pretty much a public record (you can find out people's incomes very easily; in fact small local newspapers run "richest people in X" articles every year). In addition, every time a company runs a credit check on me, the credit reporting company must snail mail a copy of my credit report to my physical address. So it would be pretty easy for me to detect a fake account creation.


> In addition, every time a company runs a credit check on me, the credit reporting company must snail mail a copy of my credit report to my physical address.

Wow, that's really user-friendly, I wish it would be handled like that in Germany too.

Instead, German registration offices are selling citizen registration data in bulk to most interested parties and they couldn't even tell you to whom [0].

People can opt out of that process, by handing in a written objection with their initial registration, tho barely anybody actually does that because barely anybody is aware of their data being sold in the first place.

[0] https://www.golem.de/1010/78398.html


India is switching to biometric verification linked to the national identity card. The last lease agreement I registered and the last phone connection I obtained both went through the biometric verification process.

These are implemented as biometric two-factor auth. So you show your ID card, scan your fingerprint and validate via a code received on the registered mobile device via SMS.


What if you have no cell phone or computer?


At this point, cell phone is a necessity in India to get any services. Mobile subscriber base is about 1.1 billion (1) which means almost all adults have a cell phone connection. So the question is practically moot.

(1) https://www.google.com.sg/amp/m.timesofindia.com/business/in...


Practically moot is a varied distance from moot. I was just curious if there was an underclass that was unable to get any services. It's much the same in my country, really.


> At this point, cell phone is a necessity in India to get any services

And in a delightful catch-22, Aadhaar is essentially a requirement for obtaining a cell phone.

You can bypass this with some other documents and providing a landline that they verify within a week, but it's incredibly cumbersome.


In Canada you can't do anything meaningful without a photo driver's license or a passport. My wife got a passport just to have a quality ID. Before that she couldn't even open a chequing account.


That's not entirely true. The branch manager has discretion. I know because when I first moved to Canada I had no such ID and opened an account after asking for the branch manager.


How did you not have a passport when you first moved to Canada? How did you get into the country?


Until 2008, US citizens didn't need a passport to enter Canada. What initially changed in 2008 was actually that you needed the passport to return back to the US.

I don't know what the rules were back then for moving to Canada, but you could stay 180 days at a time back then.


Thanks for sharing. I didn't know that. I always assumed it was policy. I've spent my whole life needing a driver's license or passport when I do anything money or government related.

I'm glad they can make discretionary decisions like that for special circumstances, such as someone who clearly can't have an ID or passport yet.

Mind if I ask, did they ask for your passport?


Ditto NZ and Aus. Also means that no national ID card or number is necessary. Seems kind of obvious to me. The use of SSN as proof of identity in the US just seems like misuse to me.


> Ditto NZ and Aus. Also means that no national ID card or number is necessary. Seems kind of obvious to me. The use of SSN as proof of identity in the US just seems like misuse to me.

It's the same in the US too. The problem in the article is that the person had a legitimate driver's license issued in the stolen name with his own picture on it.

It's not just as simple as "he had the SSN".


There's a fantastic CGP Grey video on that. I'd search for a link but on phone.



Better checks by the banks, they need to take responsibility when opening accounts and not rely on the credit bureaus. This could mean slightly more expensive banking services.


I always look at Estonia when such questions arise. They are consistently on the frontend of public service innovation.


Five years on top of what you get for other crimes if you faked a government ID (in itself it can be as low as one year but combined with other crimes, it's five years). It's one good step among many.


Just make it impossible to get credit without any purpose.

+ Getting a mortgage as an identity thief? Fine. Easy to pay him a visit.

+ Getting a car? No. That's dumb. You can buy a car if you have the money.

+ Getting a bank account? Fine. Just force banks to disallow people to go below zero for several years (or forever). Replace all credit cards by debit cards.

That's basically the situation in the Netherlands for the most part. Identity still gets stolen, but the impact is minimal.


> Counterintuitively, this is evidence that the Equifax breach isn't necessarily going to cause massive harm. If someone wanted to impersonate you, they could already.

This argument doesn't follow logically. It's like saying you shouldn't lock your house because if somebody really wants to get in, they will do it.


The difference between breaking into a house and hacking into a machine is that a burglar can only break into so many houses and has a significant risk of getting caught. A hacker can get into an almost unlimited number of machines and is unlikely to risk any retaliation.

As a result you have the equivalent of dozens of people trying to pick the lock of your door every day, and the law can't do much to stop it. That requires you to pay f*ing attention to the quality of your lock.


It would be analogous to a security breach of a manufacturer's database of keycuts and corresponding locks, not outright refusing to lock your doors.


Right. That analogy is more correct, but it doesn't make it follow logically. It's like someone having the keys and the address for each key.


It does. Locking your house provides some security.

But it would no longer provide security if every person in the country had a copy of your key.


One of us missed the point.


It sounds like he's saying "don't worry about getting fucked by the Equifax breach; you were fucked already." Which certainly isn't reassuring, whether or not it's true.


It does follow. Not locking your house is not going to cause massive harm. If somebody really wants to get in, they will do it.


I guess you leave your front door open every morning before leaving for work?


I leave my house unlocked. If not, everyone around knows where the key is.

Of course, this isn't something I suggest you do. It's certainly not practical for most people. I mention it only to show that there are varied security needs. On this particular subject, my credit has been frozen since the OPM breach.


Yeah, that’s the problem when we start arguing with analogies. Things can get derailed easily. Mea culpa.


> I leave my house unlocked. If not, everyone around knows where the key is.

The day you get robbed, it will absolutely make a difference for whoever insures your house and its contents.


If someone around here takes something, they needed it more than I did. I live way out in an unincorporated township. People aren't inclined to steal when they know I'd just help them out if they need me to.

It's pretty great to live here. The only crime in my area is growing weed and that's now legal.


We are talking about leaving the door unlocked, not leaving the door open. I lock the door every morning out of habit, but I'm pretty sure it's unlikely that something will happen if I don't.


I don't know what you are trying to argue about, but somebody got hold of personal details, SSN and credit card details of 140 million people.

The argument that it is ok, because anyway if somebody wanted it really hard they would find a way to get my personal details, is illogical.


Yes as the parent poster said, it may lead to the improvement of the system.


Yes and no. At a certain point, if people keep breaking into our houses, it's a good idea to think about the locks we use.


That's a different argument than the one in the first line, and one with which I completely agree.


Start issuing everyone a FIPS 201-2 PIV card instead of those flimsy paper cards the SSNs are currently printed on.


The big problem is switch from SSN to what? Just another number that serves the same purpose?

SSN is fine, what we need is the right for our credit to always be frozen and anyone who grants credit outside of our approval is liable for the loss. We also just need to bite the bullet and make chip and pin mandatory everywhere.

We don't need to make identity theft impossible just reasonably hard. Other nations seem to have it figured out.


Don't switch from SSN. Just accept that they are public identifiers and ensure 1) everyone has access to photo ID with that SSN and 2) an authority can look up addresses from SSN to perform 2FA.

This means everyone in the US has to accept national ID.

(It could theoretically be done at state level but it would be a huge hassle compared to national, and your tax authority and others are already national and need to know every person that lives in the country).

Basically you need to trust the federal government to solve your ID problem. And if the answer to that is "Whoa that won't happen, people won't accept national anything" then the simple answer is you'll keep being subjected to ID theft.

Why is chip & pin a bullet to bite? Isn't that just better for all parties involved?


I think the excuse is always that small businesses can't afford to upgrade their POS. I think the reason is that a lot of money is made by processors, etc. on all the fraudulent transactions. The credit card companies make plenty on high interest rates to cover this loss. It is like retail stores factoring in 20% (e.g.) loss into their prices so the consumer pays for it. I think capping interest rates on credit cards would force them to push chip and pin more. It is weird that we don't have chip and pin at the pump but now most places require zipcode which is worse than chip and pin.


For a long time SSN cards carried a notice that they were to be used only for social security and taxation purposes and never for identification. Maybe the government should take steps to make the SSN unsuitable as an identifier outside of those two agencies.


A big question in making credit providers liable for incorrectly granting credit is the specific definition of 'correctly'.

Sadly, just 'issued without approval' is a bit too wide a definition. You need to deal with 'john' helping others fraudulently impersonating 'john'. In that case, the bank should not be liable.

In general, I see potential for a weird type of corporation. They verify identities for credit providers for a fee. In return, this corporation takes on the liability of wrongly verifying identities.

Question is, given the importance of such a corporation, how much regulation is needed? At what point is there so much regulation required that it is better left as a government-run service?


All they need is an ssn you can change if it gets stolen. To change it all that's needed is to go into a government office and do a biometric scan in person. That would be so ridiculously easy.

Of course the government will never let a good crisis go to waste. Instead, we will all get chips under our skin that can't be removed that will be passively scanned by the authorities everywhere we go.


SSN is a primary key, not a shared secret.

The entire problem is that people started using SSN as a shared secret, but it was classic password reuse. Use the same secret every fucking where.

No. If you want to establish trust, use a random secret for each new trust relationship.

If you want to establish identity ask the identity providers what kind of anti-forgery guarantees they provide. Oh, nothing, you say!? Then don't use that provider.

Banks are trying to use easy-to-forge things to make sure they won't lose money. Sounds like stupidity. So they limit their stupidity (hence you can't just register for a credit card online, otherwise bored Russian teenagers would have already bankrupted them).


What if, when you replaced your SSN, banks could use a system that would return "invalid SSN" on any new credit application. The existing accounts would be suspended unless you called them and updated your SSN. It would be about as much of a hassle as updating all of one's autopays when a credit card number gets stolen.


I don't want to call up all of my business address book because one of them fucked up and leaked something.

They shouldn't even ask for it.

Currently fraud is held back by law enforcement. Which is triggered by fraud detection. Which is triggered when the wrong person gets a call from a collections agency.

And this chain of events is too long, but since there's no global (national) system to check if someone is a professional scam artist or a regular bloke, that's what banks are left with.


One irony is that for my US visa I had to have an interview, supply a photograph, have my fingerprints taken and submit to an eyeball scan. Making the US visa inside my UK passport more reliable an identifier than the passport itself.


I recently had the brilliant idea that someone should create a site where we all enter our social security numbers and personal information (DOB, name, etc), with the promise that once the site collects, say, 100M verified records, all of them will be released.

Seems like an opportunity to force the hand. I, like you, imagine such an action would induce systemic change.

Maybe.


> if that happens, the US will have no choice but to finally switch to a new system.

Impossible. A large part of the American people is obsessed with "the government is going to oppress us all". National IDs or anything similarly working are therefore a big no-go.

If you could solve this problem, you could presumably also solve the gun debate to a large degree.


There's also a lot of people that object to a national ID number on religious grounds. These people vote and seem to be influential.


The hassles and inconvenience this problem causes victims is sort of an unpriced externality of the credit industry. If those extending credit had to compensate the victims for their negligence, maybe they'd stop being so negligent.

And it would help if the individual making the faulty decision to extend credit lost all their commissions for the week. It should be a blight on their record, with more than 5 instances causing them to lose their jobs. And the CEO of the worst offending company gets a hefty fine.

Maybe that would focus the industry on solving this problem.


The SSN shouldn't be the critical key in that list.

So it would be a "Credit ID," Passport Number, DL #, or something related. What's the difference? It will need to be stored next to all your stuff, waiting to be stolen. Now the banks eat the small % caused by fraud (cost of doing biz), your life is hell, but not theirs.

Scan your iris before getting the new loan isn't going to happen either, too costly and slow. If they ever do that online, they'll find a way to recreate that based on your existing scan, stored at the future Experian.


I haven't seen a passport ID or national ID card used as identification, ever. The way it works is that you bring it physically and they look into it. Or that you send a photo of the ID (yes, that is easier to forge, then again harder than forging a utility bill) - that is done only where it is impossible to do a physical check and never with loans and such.

Identity theft in Europe is extremely rare. It is possible to do something in your name, sure, but it does not happen anywhere near as often and the damage is limited compared to the SSN system.


>> The way it works is that you bring it physically and they look into it.

Not gonna happen, banks for now will rather swallow the relatively low losses due to fraud.

In the USA you sign a piece of paper (pre-approved loan), or log in online, and the loan money is deposited in your account within a few days. All automated. So far it works out for them; if fraud losses increase, the banks, not us, will choose the next method. And Congress will approve it within weeks.


The issue is that fraud causes more loss than just for the bank. Whoever got impersonated is also fucked. At the moment, they have very little recourse to recoup their costs from the bank that got fooled.


> So it would a "Credit ID," Passport Number, DL #, or something related. What's the difference, it will need to be stored next all your stuff, awaiting to be stolen.

It should not be a passport number or driver's license number. It should be the original, physical passport or driver's license that you present in person. The physical object is much harder to steal or copy, and can be revoked.

You should not be able to open credit lines or accounts with a business without appearing at least once in person first.


It doesn't even have to be in-person at that specific business. In Germany, the post office will authenticate your ID for any business that pays them for that service (either at a branch or during daily delivery). Alternatively, identification startups now allow you to authenticate yourself via video chat without leaving your home. Video enables them to check most security features on the ID.

The national ID also has an embedded smart card usable for authentication, but for some reason using that has never taken off.


> Video enables them to check most security features on the ID.

Video is just another form of photo copy, so how would that work?


You are required to respond to questions from them and verbally verify a) what you are applying for, b) read out the data written on the ID (passport or national ID), and c) move and wiggle the card around and occlude it with your finger so the agent can verify certain security features (holograms, picture, "shiny stripes" on the card). In my opinion, it would be quite hard to prerecord the whole process and/or reuse such recordings for multiple applications.

All in all, this process makes it much, much harder to steal an identity. Also, once you report your ID card stolen, its serial number will be blacklisted, preventing it from being used. Add to this that there is a snail mail address on your cards which will typically be used to send login information such as passwords and PINs.


Well, not yet, maybe? Given the state of the art in real-time video manipulation, including based in motion capture, I am not so sure that's gonna stay that way for long.

Also, please don't use terms like "steal an identity", that is how banks frame things in order to make it appear that they are not responsible. Banks don't employ reliable authentication, thus they get defrauded by imposters--nothing is ever stolen from those who the imposters pretend to be, it's only between the bank and the imposter, no one else is a party to that fraudulent transaction.


You make some valid points here. I'm "excited" to see the influence of real-time machine learning.

For now, it remains somewhat secure in practice and will hopefully be augmented by use of cryptography already available in many IDs (though, as other comments note, not widely used in some countries).


As for the cryptography available in many IDs: Those usually are a terrible idea, because it's a black box that decides who has rights and who has not. How would a court investigate the reliability of some smart card? Or does that effectively transform courts into institutions that sign orders from whoever actually controls the smart cards? If the card says you signed a contract, you signed it?


> “Once you have somebody's name, social, birth date, and address, you can go and open new accounts.”

>The SSN shouldn't be the critical key in that list.

Nothing in that list is secret.


Hate to break it to you, but with very minimal browsing and $4 in bitcoin, anyone can buy any SSN of a US person born after 2003.


anyone can buy any SSN of a US person born after 2003.

Why only 14-year-olds and younger?


Because the kids these days will enter their SSN and their parent's Credit Card into anything that looks like flappy bird to unlock the extra jump boost or something like that.


That wouldn't explain my sister's.


I haven't the base, and there are conflicting sources about where the base came from (only two persons have it that I know of)


How would a more secure system work? Biometrics? Smart cards?


> How would a more secure system work?

Just look what many other countries do.


I'm not sure that any country has really solved it convincingly. Sure, they do better than the US and its secret SSNs, but that doesn't say much.


I mean, countries may have national identity cards with chips and perhaps biometrics that make them hard to forge, but a) I believe there's opposition in the US to identity cards b) do they help establish identity remotely, e.g., online?


You can activate German ID cards to work as RFID smartcards for online identification. Practically, there aren't all that many places to do it, and not many people do so. You also need a smartcard reader, but those were available reasonably cheap (no idea if a smartphone with NFC can do it or not)

(You also can have a certificate on it, but they missed an opportunity and didn't make it default, you have to ask for and pay extra for that. Would have been a chance to widely roll out certificates of the standard necessary to legally replace signatures, instead of other crap that has been proposed as a replacement sigh)


Norway has a great system called BankID. To sign-up/login to all banks, government services and other places where you need to verify your identity you enter your SSN, personal password and code from your 2FA device (which banks give you freely)/phone app.

https://www.bankid.no/en/


In other words, you also have a system of password reuse (a personal password instead of a per-account password?!)?

Also, how is the reliability of the 2FA device established? If there were some claim before a court that you authorized some sort of transaction, what would they have to demonstrate to prove your liability? What will the court do if you question whether the numbers generated by the 2FA device are actually cryptographically random?


The Netherlands has an OAuth system for online identity verification, called DigiD, for anything government-related (taxes, healthcare, etc.) Other than that, occasionally a service asks for a copy of your passport, although that's not really allowed.


It should be noted that DigiD is a terrible system. The government acknowledges that and is currently working on a new system.

For illustration, when I'm logging in, I get the option to log in with my password, OR to log in with 2 factors. When the second factor is optional, it doesn't provide much defense. Some select services require the second factor, but it's very few. Until very recently, the second factor was SMS, which is rather easy to fool.

Also, as far as I know, DigiD isn't related at all to banking. Instead, you need to show ID (passport or ID card; a driver's license does not suffice in this case) to open an account with a bank. After that, each bank has their own system.


National ID cards with biometric information along with PIN plus private keys for document signing and 2FA for online interactions isn't convincing enough for you?


>the US will have no choice [but to switch to a better, non-SSN based system]

I absolutely hope this happens too...

... but I have a feeling all of the banks and agencies involved will find a way to plug their ears more and pretend nothing is wrong.

They will look at how costly and complex it is to create a halfway decent identity system (even though it's really not hard, other countries do it just fine with digital and physical keys/tokens).

And they will just continue to push the burden of ID theft onto consumers, rather than their businesses.


This logic is so impressively bad I don't know where to begin. Okay how about this, I'm going to pretend I lack morals for a second.

I would do this with the information:

1. Write a script to webscrape sites like LinkedIn to find out if a name/address/ssn key could be tied to people like doctors, engineers and whoever else might have sufficient disposable income.

2. I would take out loans in their name. If I have to be there in person, I would go from city to city and find people I could easily get dirt on, like people that might be here illegally. I would then cut them in for a piece of the loan and then move onto a random city in a 200 mile radius.

3. Move away after I get away with enough to live on for the rest of my life.

4. Hell I might just sell the rest of the information and scripts to other people who lack scruples.


The flaw in your logic lies with the bank. You will need a bank account/visit a branch/transfer the loaned money somewhere where you can cash it. Banks have cameras + the IRS will quickly find you and won't allow you to disappear or use that money.


The flaw in your logic is that you fail to realize I have access to 143 million bank accounts and can transfer any number of ways I want to. You also overestimate the competence of smaller banks.

Neglecting all of that you do realize that International wire transfers do exist right?


It takes 1-3 business days for a US bank to transfer any amount and I am sure it will be even higher if the transaction is not matching a usual pattern of your victim. So 144 million bank accounts mean nothing with such long processing delays


One of the few instances where American Banking still being in the 1990s is a benefit[1] .. but not really.

Australia, NZ, Singapore, most EU countries all have instant person-to-person transfers with little to no fees and supported via the government. 500 euro can be gone like that. Poof. But it's all within the same country. And when it's within the same country, it's traceable, reversible and enforceable by law.

So the 1-3 business days isn't where the protection is at. It's the way we mark and track transactions. The real danger, is SWIFT transfers. Once that money leaves the country, it's very unlikely you'll ever see it again.

[1]: http://penguindreams.org/blog/the-american-banking-system-is...


Payments are immediate between countries too. On my vacation in Armenia (you know, former USSR and a pretty poor country) I paid in the supermarket with my Dutch debit card (chip with PIN), I immediately popped my phone and opened the banking app for my (small, Dutch local) bank, and it showed the withdrawal.


Tell that to all the banks that had been sued for millions for losses due to phishing attacks. My mom's bank was one of them. The criminals got the money out successfully somehow.


It does not mean they were not caught later by bank insurance company


And you'd end up in prison pretty quickly. The point is, it'd be worth the pain. We'd come out of it with a better system.


> “We demand convenience over security,” Velasquez said.

Banks send a constant stream of credit card offers through the mail and pay people to use credit cards (with rewards). Stores are always trying to get you to sign up for their credit cards and offering big discounts if you do, and car dealerships offer special deals - but only if you agree to finance your car. People might want more credit, but let's be honest - the financial industry is doing everything it can to shovel debt onto the American public.

Imagine if a loan shark went door to door in a neighborhood paying residents $500 to take one of his loans. That seems almost cartoonishly evil, but that's more or less what the financial industry does. And it's not hard to see why - the average credit card has an annual interest rate of 15%. Even after you factor in things like rewards and people who don't pay, you're still looking at a very nice rate of return.

It's hard to see how identity theft isn't directly linked to financial institutions trying to make credit as easily available and as widespread as possible. Instead of viewing identity theft as a high price to pay for the convenience we want, it should be viewed as yet another terrible consequence of the financial industry's efforts to push as much debt onto Americans as they can.


> In an economic system where U.S. consumers carry $12.73 trillion in household debt, you shouldn’t be able to just call up, say “it wasn't me,” and leave thousands of dollars in obligations by the wayside.

Yes, you should, and the banks should be the ones left holding the bag. The author did nothing wrong, and was victimized by the banks' incompetence at adequate fraud checks.


I've been a victim of identity theft in Europe. Took many letters to several police departments in the UK and various states in Germany over the course of five years...

I've not been stopped at EU airports for a while, but I am still not 100% sure if my name is on the Interpol blacklist still. The process of clearing your name is totally opaque. A helpful officer at the London Met assured me he would undertake the work to do it.

The number of times I've had to explain the very concept of "identity theft" to enforcement is just crazy. And sadly I don't think they fully understand it most of the time.

I'm a little afraid to travel to eastern Europe, since this "advance fee" for a VW fraud in my name is particularly common there and I am tired of receiving threats. Sigh....


My solution is make a site called credit.gov

This would be the final say in any credit accounts, accounts not listed here are not legal debt (ie they cannot be collected or sued for)

You can still use SSN for identification but authorization would require more. I imagine maybe a few different levels of security:

1. Password (or list of passwords) you can set/change in person at any post office. The company adding the credit account would need this password to register the debt.

2. Yubikey or other auth token you can register at the post office to create one time passwords for companies creating credit accounts.

3. Every new credit account requires physical confirmation at the post office.

Then just set up really good cameras (maybe a face scanner or biometric scanner) at every post office and make it like a 10 year felony to impersonate someone at the post office. The scammers will be out of the system very quickly.


In my country, its the bank that has the responsibility to ensure that they are talking with the right person. If not, then its the bank who will pay, not the customer.

So, the banks here are pretty annoying; opening an account is a lengthy process.


^^^ This. Why is this not in fact the case?


Because banks think that if they inconvenience people, they'll lose customers.

Convenience trumps security in the US.


> There’s a logic to the maze you have to run to expose fraudulent financial accounts. In an economic system where U.S. consumers carry $12.73 trillion in household debt, you shouldn’t be able to just call up, say “it wasn't me,” and leave thousands of dollars in obligations by the wayside.

Perhaps if it was easier to do that, there would be less of the predatory lending that created such a crippling burden of debt.


Why is this only a problem in the US?

I think that one of the reasons is that the US does not have a central government registry of all the people.

In Austria, we have the „Melderegister“. Every person that stays in Austria is required to register the address of their current residence. Your name and address is always in this registry, from the day you are born until you die (foreigners residing in Austria are also required to register).

Everything relies on this registry — voting rights, taxes, etc.

I think that banks can check this register to verify your address. So even if an identity thief is successful in applying for a credit card, that credit card would be mailed to the victim's actual address, so the identity thief would have to intercept postal mail as well.

So many problems that I read about in the US (using utility bills to prove you are a resident, registering to vote) just sound like a clumsy workaround to the fact that there is no „Melderegister“.


Countries like Australia do not have a central government registry of all people, unlike most countries, including those in Europe. Each State does have a register of all births and deaths. There is no national ID. It surprises many that one is free to carry NO identification.

One can decide to not work (get a tax number), not drive (get a driver's license), not travel (get a passport), not get free healthcare (get a Medicare card), not vote (evade the census). Unlike most countries, one doesn't need to register or let anyone know where you live, and there is no national service (conscription).

It also has very little identity fraud.


Why does the US not have a central registry? Is it for historical/cultural reasons, i.e. the dislike of "(big) government" by certain groups?

Also, how would one get around the problem for homeless people or people without a permanent residence?


Okay, blocked off time to freeze my credit on Monday.


The pin code they will give you to unlock it is the date/time stamp of when you locked it.

And, if you happen to forget it, they will unlock it if you can cough up the very information supposedly compromised in the equifax leak anyway.


> And, if you happen to forget it, they will unlock it if you can cough up the very information supposedly compromised in the equifax leak anyway.

Wait, what? Any more reading on this?


Here's the link to "obtain your forgotten or misplaced PIN". https://www.experian.com/ncaconline/freezepin And it says, "provide your e-mail address for faster delivery of your results."


Wow. This whole thing looks like a massive joke. Thanks for the link!


FYI the latest Equifax press release (where it was announced 2 executives were being dismissed) had a small bulletpoint towards the end which said that pins would be randomly generated.

Don't know if that change is live, however.


It is live. I froze mine last night after learning that equifax was waiving the fees (i.e., free) and the pin they returned was no longer the date/time of the freeze. It 'looked' reasonably random-ish, but looks can be deceiving in regards to randomness (http://dilbert.com/strip/2001-10-25).


You can do it online now.


As of Friday, all three credit services online freeze processes were "broken" due to demand (and/or other crappiness).


I completed all three yesterday. Late in the day, but it worked.


https://en.wikipedia.org/wiki/Estonian_ID_card - everyone gets their own cryptographic certificate. I don't know why banks aren't pushing for a legit national ID; if anything it would make it easier to lend and eliminate a lot of expensive fraud.


So how does one protect against this if freezing is useless because all that information was leaked anyway?


Freezing doesn't protect the information, but it does protect your credit account from being added to. Once frozen, you are almost in a 2FA scenario where creditors are required to request any new accounts or credit hits, and the credit agency is required to then obtain your approval using the private information only you (should) know.


Freezing doesn't protect the information, but it does protect your credit account from being added to.

Going to take the liberty of adding to this because the imprecision might cause some people to develop a poor model of how financial institutions work: you don't have a "credit account." You have a few firms which have partial views of your "credit history", sourced by reports from some firms you've previously done business with before. What a freeze does is that those firms (CRAs) who could disclose your credit history to a bank will, instead, report to the bank "That file is frozen."

How is this different from your mental model? Because credit decision is between a financial institution and a bank -- they don't have to ask anyone else's permission, including the CRA, to lend you money. They also don't have to "respect" a freeze on your file; it's purely advisory. It may deter _some_ banks from issuing you _some_ credit but it will likely not deter _all_ banks from issuing you _all_ credit products.


I'm curious: say you freeze your credit and then take an action that should negatively affect your credit, e.g. skip out on paying a doctor. What happens? That's nearly identical to what a fraudster might do, except there is no fraudster.

How does the system differentiate between someone showing up and doing something in your name vs you actually showing up and doing something negative?


It works because nearly every institution that would "extend credit" relies on the reports from these agencies to decide to do so. So when they try to pull a report (for you or a fraudster) they get back "sorry, frozen" and that causes them to actually stop and try to actually verify the true identity of the person requesting the loan. If that is you (the proper owner) then you can 'unfreeze' for the purpose of obtaining the loan. If that is a fraudster, they will likely not have your pin's to do the unfreeze, so the bank/business says "no" to the request for money.

[edit: spelling]


I suppose a doctor's office and the dentist are two of the rare exceptions. I can't think of any others.

(They generally don't ask for payments till the end.)


Freezing credit is not a write lock. It is a read pseudolock. Writes against the CRA succeed as normal.
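A toy model of the freeze semantics described in the last few comments (advisory read block, PIN-gated lift, writes always succeed). This is an added example, not the thread's or any bureau's code; the bureau, lender and consumer names are constructed, and the 10-digit random PIN is an assumption about the format, not a description of any real bureau's PIN.

```python
"""Toy model of a credit-bureau (CRA) security freeze.

Added example (not from the thread or any bureau). It models the behaviour
described in the comments above:
  * a freeze blocks *reads* (inquiries) of the file,
  * the consumer lifts it with a bureau-specific PIN,
  * *writes* (tradelines reported by creditors) always succeed,
  * the freeze is advisory: a lender that never pulls a report is unaffected.
All names, balances and the PIN format are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hmac
import secrets


@dataclass
class CreditFile:
    consumer: str
    tradelines: List[Tuple[str, int]] = field(default_factory=list)
    frozen: bool = False
    pin: Optional[str] = None


class Bureau:
    def __init__(self) -> None:
        self._files: Dict[str, CreditFile] = {}

    def file_for(self, consumer: str) -> CreditFile:
        return self._files.setdefault(consumer, CreditFile(consumer))

    def freeze(self, consumer: str) -> str:
        """Freeze the file and hand back a random PIN (assumed 10 digits)."""
        f = self.file_for(consumer)
        f.frozen = True
        # Random, not a timestamp: a date/time PIN has far fewer than 10^10 states.
        f.pin = f"{secrets.randbelow(10 ** 10):010d}"
        return f.pin

    def lift(self, consumer: str, pin: str) -> bool:
        """Lift the freeze only with the correct PIN (constant-time compare)."""
        f = self.file_for(consumer)
        if f.pin is None or not hmac.compare_digest(f.pin, pin):
            return False
        f.frozen = False
        return True

    def report(self, consumer: str, creditor: str, balance: int) -> None:
        """Write path: creditors can always add tradelines, frozen or not."""
        self.file_for(consumer).tradelines.append((creditor, balance))

    def inquiry(self, consumer: str) -> dict:
        """Read path: a frozen file returns no history, only 'frozen'."""
        f = self.file_for(consumer)
        if f.frozen:
            return {"status": "frozen"}
        return {"status": "ok", "tradelines": list(f.tradelines)}


def lender_decision(bureau: Bureau, applicant: str, pulls_report: bool = True) -> str:
    """Toy underwriting: 'approve', 'decline' or 'manual_review'.

    A lender that never pulls a report (pulls_report=False) never sees the
    freeze, which is the 'account opened without any credit check' case.
    """
    if not pulls_report:
        return "approve"
    resp = bureau.inquiry(applicant)
    if resp["status"] == "frozen":
        return "manual_review"  # must verify identity out of band / ask for lift
    return "decline" if len(resp["tradelines"]) > 5 else "approve"


if __name__ == "__main__":
    cra = Bureau()
    pin = cra.freeze("alice")
    print("fraudster, lender pulls report:", lender_decision(cra, "alice"))
    print("fraudster, lender skips report:", lender_decision(cra, "alice", pulls_report=False))
    cra.report("alice", "ACME Card", 1200)  # write succeeds while frozen
    print("lift with wrong PIN:", cra.lift("alice", "0" * 10))
    print("lift with right PIN:", cra.lift("alice", pin))
```

Running it shows the two escape hatches the thread mentions: a lender that does pull a report gets "frozen" and has to fall back to manual verification, while a lender that skips the report entirely is unaffected, and a creditor can still append a tradeline to the frozen file.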


That the credit agencies are allowed to charge you $10 (each - that's 3 + 1 smaller one) both for freezing and unfreezing your credit makes me wonder if this leak had an, ahem, unintended side effect of increasing revenues due to this activity.

143M accounts - let's just say 2% are rich/active enough to consider freezes. That's almost $3M over the course of, say, a week - for each such agency.


Which is why you (if you are a US citizen) should look up your congress critter's contact info and send all three of them a message that given this breach, they need to make freezes/unfreezes 100% free for everyone, for ever.

If enough folks write their congress critters asking for "make freezing/unfreezing free of charge to everyone", maybe they will do something useful for once.


Using the information leaked from Equifax, hackers can lift your freeze. All they need to know is your address, SSN and Date of Birth. See: https://www.experian.com/ncaconline/freezepin


So how should I protect myself other than monitoring my credit using Credit Karma? What do people do who have millions of dollars? Is there nothing else other than just praying?


You freeze. It sucks that it's the only option, but it's the only option right now.

The only way someone can open a new bank account, credit card or loan in your name under the freeze is if they A) have the credit-bureau-specific PIN to lift the freeze, or B) the account was somehow opened without doing any kind of credit check.


I had my "identity" stolen by someone who tried to open accounts at local banks after somehow managing to swipe a copy of my drivers license (from our mail box, as far as we know) and seemingly only was able to rent a Uhaul in my name (unbeknownst to me until I tried to rent one to move).

The banks kicked him back and he tried forging checks from others (not me).

I filed the reports with the police. And checked my credit. Nothing serious happened as he seems to have been pretty much thwarted by most places he went.

But then he got caught when he was pulled over for having a brake light out.

All in all I suffered no real harm from this guy. Seems like for the most part the system works...


My old flatmate was the victim of identity theft around 2010. After tons of paperwork, calling banks, closing accounts, working with the police .. he still lost about $3k that he didn't feel it was worth to try to recover.

You just got lucky and caught it early.


How did he lose $3k?

I've been curious about the real-world impacts of identity theft for quite some time. In the article linked, the author's only obvious losses were a) on the home mortgage (couldn't cosign; worse rate) and b) at the airport, with TSA (which I don't get; how did his credit rating have an impact on the secondary security screening?).

It's unclear to me why I should care that much about identity theft, or what a thief can do. I'm not saying it wouldn't be a huge hassle to get calls from scammed creditors or be unable to obtain consumer credit, but I am fortunate enough not to need credit and I already have the credit cards and bank accounts I need.

There is the whole IRS fraudulent return thing, which could be quite tedious to sort out and meantime would take real money. But that's about all I can think of unless you need consumer credit.


You've never lived in a state where your car insurance premium depends on your credit score, have you. I think you understand perfectly well the problems identity theft can cause, but you're just being intentionally obtuse.

> It's unclear to me... what a thief can do.

Um... well... how about anything you can do with your identity, except it's someone else? Do you really not understand why that's a bad thing?


> You've never lived in a state where your car insurance premium depends on your credit score, have you.

Hmm, I don't know, to be honest. That hadn't occurred to me.

> I think you understand perfectly well the problems identity theft can cause, but you're just being intentionally obtuse.

Huh? No, I was asking a question. Why would someone be intentionally obtuse about something like this? I can't figure out how my comment was misinterpreted, but it certainly was. I apologize for my lack of clarity in the original post.

> Um... well... how about anything you can do with your identity, except it's someone else? Do you really not understand why that's a bad thing?

"Anything you can do" isn't very clear, hence my desire to understand the threat better. Assuming I have no need for consumer credit (like, actual loans), it's just not clear to me in which cases a bad credit score can be a problem. Auto insurance had not occurred to me, so thanks for that example.

Once again, I think you may have misinterpreted my comment in some manner. Do people really troll each other over, like, identity theft? Weird. But I wasn't. :)


In every discussion about some social ill or technical issue, there's always the person that says, "it works for me."

That person is never helpful to the discussion.

A single anecdote of good fortune carries exactly as much weight as a single anecdote of misfortune.


I submitted this like 2 days ago :D https://news.ycombinator.com/item?id=15247810


Sometimes things get attention and sometimes they don't. Also sometimes it's a slow news weekend and other times there's a ton happening. Don't ever stress about whether your submission gets traction.


No worries man, I'm just sayin'.


It might be worth reading Dang's comment history discussing reposts: https://hn.algolia.com/?query=dang%20porous&sort=byPopularit...

It feels shitty when someone else gets the points for something you submitted earlier, but life isn't always fair, and as long as you keep submitting good content and making good comments, things even out in the end.


Plus karma ain't worth jack.


Paul Graham, is that you?

