[HN Gopher] Confessions of an ID Theft Kingpin
Author : 1run9
Score : 49 points
Date : 2020-09-09 19:59 UTC (3 hours ago)
Web link: krebsonsecurity.com

| Bnshsysjab wrote:
| I regularly wonder why we don't have some form of physical
| verification token which signs things with our identity; the
| whole system is broken in that regard.
|
| edouard-harris wrote:
| The closest thing to this are probably the seals or "chops"
| used in East Asian countries to authenticate contracts,
| invoices, and financials. Of course it's the seal's _imprint_
| you need to authenticate a document, but in practice physical
| control over the seal tends to be what confers decision-making
| power.
|
| rhexs wrote:
| That would be quite nice, but I'm not sure I'd trust the
| government to not store and then lose all the secret keys near
| instantly.
|
| If they can overcome that, sign me up.
|
| mlazos wrote:
| The usual, credit agencies ARE JUST AS BAD AS WE THOUGHT. They
| exchange all of our information with each other, and their
| security is so absolutely horrible that a 20-something hacker in
| Vietnam who just learned English could stay in their systems for
| years and build a business off of reading queries directly from
| these databases. It's actually insane.
|
| vkou wrote:
| The existence of these databases, especially given how insecure
| they are, is, of course, a real national security threat, but
| the lack of reaction from the government is telling.
|
| adminprof wrote:
| Yet everyone is freaking out and moralizing about
| nonfinancial data voluntarily given to Facebook. If only the
| credit bureaus kept our financial and identity data as
| Facebook kept your list of favorite movies and your selfies.
| grey-area wrote:
| Facebook _sell_ your favourite movies, friends, political
| views and anything else they know about you to advertisers.
| It's a very similar business model.
|
| adminprof wrote:
| They actually don't, unless you define selling as they
| allow advertisers to select what demographics/attributes
| their ads target. But the actual data stays on the
| Facebook servers. If you're referring to the apps having
| access to user data, that was not selling at all, but
| instead a permission originally granted by users but
| probably forgotten about. Basically, unless you contort
| the definition of selling to a very different meaning,
| that's simply not true.
|
| And if you do use that definition of selling, then
| everyone is selling your data. All the politicians who
| decry tech companies are selling your data using the same
| definition. Every advertiser, retail store, bank,
| basically every large business offers other businesses a
| way to access a specific subset of their users.
|
| cm2012 wrote:
| Yeah, no. They sell the ability to target groups of
| people based on these characteristics. They don't sell
| data on individuals.
|
| boogies wrote:
| (Please don't use uppercase for emphasis. If you want to
| emphasize a word or phrase, put asterisks around it and it will
| get _italicized_.
| https://news.ycombinator.com/newsguidelines.html)
|
| nottorp wrote:
| > (from TFA) stolen identity records that included a consumer's
| name, date of birth, Social Security number and email and
| physical address.
|
| Scary how little you need to steal an identity in some places...
|
| ghostbrainalpha wrote:
| Are there places where it would require more to steal an
| identity?
|
| What countries and what type of information do they ask for?
|
| colejohnson66 wrote:
| I'm gonna rant here, but a big problem is that SSNs were
| never designed to be used as an identifier. They were simply
| used to allow someone to receive Social Security, hence the
| name.
| They literally used to have the text "Not to be used
| for verification."
|
| As for its problems, there are quite a few, but the two big
| ones IMO are (1) no check digits and (2) (up until relatively
| recently) they're sequential. I don't know when the change
| was, but if you take an SSN issued before 2000, you could add
| _one_ to your whole SSN and it would be a valid one. They may
| even have been born on the same day as you _in the same
| hospital_. Also, you could find out a general area where
| someone was living when it was issued (usually birth) using
| the first 3 digits.
|
| 9HZZRfNlpR wrote:
| Well, the modern countries use documents such as an ID card or
| passport; you can't just walk into a bank and start opening
| accounts from that little data. It's actually insane
| Americans have that archaic system.
|
| vageli wrote:
| > Well, the modern countries use documents such as an ID card
| or passport; you can't just walk into a bank and start
| opening accounts from that little data. It's actually
| insane Americans have that archaic system.
|
| It's archaic to allow opening bank accounts completely
| online with no physical presence/authentication required?
|
| wmf wrote:
| Some companies are starting to use "knowledge based
| authentication" like "which of these streets have you lived
| on?" but of course they get that information from the data
| brokers, so anyone who can access data brokers can still
| "steal" identities.
|
| outworlder wrote:
| Brazil would require a "CPF", which is a unique number
| assigned to individuals. If you are doing something simple
| such as an online purchase or monetary transfers (to someone
| else's account), the number alone could be sufficient,
| coupled with other information like full name and address.
|
| Many places will not be happy with just the number and will
| require at minimum a scan of the actual document - if you are
| lucky. Most likely, if you need to send in a copy, that copy
| has to be notarized.
| Which means that you have appeared in
| person with the actual document and got it notarized. You'll
| then send it by mail or drop it off in person.
|
| Sometimes this is not an option and you need to be present
| with the actual document - like if you were selling property
| or opening bank accounts, or even starting a business (which
| requires trips to many governmental agencies).
|
| If you are filing taxes, then the CPF is required, as well as the
| ID card and voter registration card (voting is mandatory). They
| have started to combine documents, but even then the actual
| hard copy is required in most cases.
|
| Medical care... well, that's free so there's no fraud needed.
| If it's for private insurance, you'll have to have your
| insurance-issued card, plus your ID card. Unless it's an
| emergency, but even then you'll have to provide these sooner
| rather than later.
|
| Financial institutions like banks: you'll either use internet
| banking, in which case any credentials or devices needed will
| have been issued in person by a branch, or you'll have to go
| to a branch.
|
| If your physical documents get stolen or lost, you need to
| report to the police and get issued new ones. In that case,
| ID theft can happen if they were indeed stolen, but it's
| unlikely to have long-lasting implications if you have made
| the police report. This usually requires some corruption, as
| some of those documents have photo ID. In that scenario, you
| may have to do some work to clear your name, and it is not
| very different from US ID theft.
|
| The bureaucracy is ridiculous, so often you can have issues
| doing things _even if you are who you say you are_. But
| actual ID theft is not that prevalent. If you search for
| 'identity theft' most of the results are about getting
| website credentials compromised.
|
| The main issue in the US is the use of a 'unique ID' which
| was never meant as an ID, can't be changed and has no built-in
| security measures.
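An added illustration of two points raised in this thread (colejohnson66's remark that the SSN has no check digits, and the CPF discussion above): Brazil's CPF ends in two mod-11 verification digits computed from the preceding digits, so a one-digit typo or a guessed number fails validation, whereas the most a verifier can do with an SSN is reject structurally impossible values. This code is added here and is not from the Krebs article or from any commenter; the sample numbers are constructed for the example, and the SSN rules used are the SSA's published structural constraints (area 000, 666 or 900-999, group 00 and serial 0000 are never issued).

```python
"""
Added example (not from the article or any commenter): check digits
make a CPF self-verifying, while an SSN can only be sanity-checked.
Sample numbers below are constructed for illustration.
"""


def cpf_check_digits(base9):
    """Compute the two CPF verification digits for a 9-digit base string."""
    digits = [int(c) for c in base9]

    def dv(nums, start_weight):
        # Weighted sum with weights start_weight, start_weight-1, ..., 2
        total = sum(d * w for d, w in zip(nums, range(start_weight, 1, -1)))
        rem = total % 11
        return 0 if rem < 2 else 11 - rem

    d1 = dv(digits, 10)            # first digit: weights 10..2 over 9 digits
    d2 = dv(digits + [d1], 11)     # second digit: weights 11..2 over 10 digits
    return f"{d1}{d2}"


def cpf_valid(cpf):
    """True if cpf (11 digits, punctuation allowed) has correct check digits."""
    s = "".join(c for c in cpf if c.isdigit())
    if len(s) != 11 or len(set(s)) == 1:   # reject e.g. 111.111.111-11
        return False
    return s[9:] == cpf_check_digits(s[:9])


def ssn_plausible(ssn):
    """Structural check only: an SSN carries no check digit to verify."""
    s = "".join(c for c in ssn if c.isdigit())
    if len(s) != 9:
        return False
    area, group, serial = s[:3], s[3:5], s[5:]
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def single_digit_variants(number):
    """All strings differing from `number` in exactly one digit position."""
    out = []
    for i, orig in enumerate(number):
        for d in "0123456789":
            if d != orig:
                out.append(number[:i] + d + number[i + 1:])
    return out


def accepted_variants(number, validator):
    """How many one-digit typos or guesses of `number` still pass `validator`."""
    return sum(1 for v in single_digit_variants(number) if validator(v))


if __name__ == "__main__":
    cpf = "11144477735"   # constructed: base 111444777 -> check digits 35
    ssn = "123456789"     # constructed sample SSN
    print(cpf_valid(cpf), cpf_valid("11144477835"))         # True False
    print(ssn_plausible(ssn), ssn_plausible("123456780"))   # True True
    # Of 99 one-digit variants, none pass for the CPF; 80 pass for the SSN.
    print(accepted_variants(cpf, cpf_valid), accepted_variants(ssn, ssn_plausible))
```

The last line is the point of the exercise: because 11 is prime and every weight and digit difference is smaller than 11, no single-digit change can preserve the CPF's first check digit, so every one-off typo or neighbouring number is rejected. The SSN structural filter, by contrast, accepts 80 of the 99 one-digit neighbours of the sample number, which is exactly why "add one to your SSN" yields another plausible identifier.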
| vageli wrote:
| > Brazil would require a "CPF", which is a unique number
| assigned to individuals. If you are doing something simple
| such as an online purchase or monetary transfers (to someone
| else's account), the number alone could be sufficient,
| coupled with other information like full name and address.
|
| > The main issue in the US is the use of a 'unique ID'
| which was never meant as an ID, can't be changed and has no
| built-in security measures.
|
| As someone with no knowledge of how Brazil does things, how
| is the CPF any different than an SSN? Is it the requirement
| to present a notarized copy of the document the difference?
| Or something else?
|
| forinti wrote:
| CPF and SSN are just numbers that uniquely identify a
| person.
|
| The difference is that in Brazil, because of bureaucracy
| and fraud, it is a lot harder to use somebody else's data
| to your benefit. Which is just as well, because most
| Brazilians are not careful at all and will readily give
| out their data.
|
| I will give an example of how insane the bureaucracy can
| be: I once had to show my personal documents to an
| authority (ID, work card, driver's licence, certificate
| of birth, and so on). Because I was not born in Brazil, I
| was asked to show proof that I was Brazilian, to which I
| replied: how could I possibly have all this documentation
| and not be Brazilian?
|
| But it is getting better, and government offices speak to
| each other (through databases and web services), and so they can
| more easily identify a person and not require so much
| paperwork. Still, some older folks can't shake their
| mentality.

(page generated 2020-09-09 23:00 UTC)