[HN Gopher] Confessions of an ID Theft Kingpin
       ___________________________________________________________________
        
       Confessions of an ID Theft Kingpin
        
       Author : 1run9
       Score  : 49 points
       Date   : 2020-09-09 19:59 UTC (3 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | Bnshsysjab wrote:
       | I regularly wonder why we don't have some form of physical
       | verification token which signs things with our identity, the
       | whole system is broken in that regard.
        
         | edouard-harris wrote:
         | The closest thing to this are probably the seals or "chops"
         | used in East Asian countries to authenticate contracts,
         | invoices, and financials. Of course it's the seal's _imprint_
         | you need to authenticate a document, but in practice physical
         | control over the seal tends to be what confers decision-making
         | power.
        
         | rhexs wrote:
         | That would be quite nice, but I'm not sure I'd trust the
         | government to not store and then lose all the secret keys near
         | instantly.
         | 
         | If they can overcome that, sign me up.
        
       | mlazos wrote:
       | The usual, credit agencies ARE JUST AS BAD AS WE THOUGHT. They
       | exchange all of our information with each other, and their
       | security is so absolutely horrible that a 20 something hacker in
       | Vietnam who just learned English could stay in their systems for
       | years and build a business off of reading queries directly from
       | these databases. It's actually insane.
        
         | vkou wrote:
         | The existence of these databases, especially given how insecure
         | they are is, of course, a real national security threat, but
         | the lack of reaction from the government is telling.
        
           | adminprof wrote:
           | Yet everyone is freaking out and moralizing about
           | nonfinancial data voluntarily given to Facebook. If only the
           | credit bureaus kept our financial and identity data as
           | Facebook kept your list of favorite movies and your selfies.
        
             | grey-area wrote:
             | Facebook _sell_ your favourite movies, friends, political
             | views and anything else they know about you to advertisers.
              | It's a very similar business model.
        
               | adminprof wrote:
               | They actually don't, unless you define selling as they
               | allow advertisers to select what demographics/attributes
               | their ads target. But the actual data stays on the
               | Facebook servers. If you're referring to the apps having
               | access to user data, that was not selling at all, but
                | instead a permission originally granted by users but
                | probably forgotten about. Basically, unless you contort
               | the definition of selling to a very different meaning,
               | that's simply not true.
               | 
               | And if you do use that definition of selling, then
               | everyone is selling your data. All the politicians who
               | decry tech companies are selling your data using the same
               | definition. Every advertiser, retail store, bank,
               | basically every large business offers other businesses a
               | way to access a specific subset of their users.
        
               | cm2012 wrote:
               | Yeah, no. They sell the ability to target groups of
               | people based on these characteristics. They don't sell
               | data on individuals.
        
         | boogies wrote:
         | (Please don't use uppercase for emphasis. If you want to
         | emphasize a word or phrase, put asterisks around it and it will
         | get _italicized_.
         | https://news.ycombinator.com/newsguidelines.html)
        
       | nottorp wrote:
       | > (from TFA) stolen identity records that included a consumer's
       | name, date of birth, Social Security number and email and
       | physical address.
       | 
       | Scary how little you need to steal an identity in some places...
        
         | ghostbrainalpha wrote:
         | Are there places that it would require more to steal an
         | identity?
         | 
         | What countries and what type of information do they ask for?
        
           | colejohnson66 wrote:
           | I'm gonna rant here, but a big problem is that SSNs were
           | never designed to be used as an identifier. It was simply
           | used to allow someone to receive Social Security, hence the
           | name. They literally used to have the text "Not to be used
           | for verification."
           | 
           | As for its problems, there's quite a few, but the two big
           | ones IMO are (1) no check digits and (2) (up until relatively
           | recently) they're sequential. I don't know when the change
            | was, but if you take an SSN issued before 2000, you could add
           | _one_ to your whole SSN and it would be a valid one. They may
           | even have been born on the same day as you _in the same
           | hospital_. Also, you could find out a general area where
           | someone was living when it was issued (usually birth) using
           | the first 3 digits.
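The check-digit point above, worked through as an added example that is not part of the thread: a plain nine-digit counter (SSN-like, no check digit) is contrasted with the same body protected by a Luhn check digit (ISO/IEC 7812, a real scheme). The sample numbers are constructed, not real identifiers.

```python
"""Added example: what a check digit buys an identifier.

Without a check digit, incrementing a valid number always yields another
syntactically valid number. With a Luhn check digit, exactly one check digit
fits a given body, so most neighbours of a valid number are rejected.
"""


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk the body from the right; the rightmost body digit sits next to the
    # check-digit position, so it is the first one to be doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the final digit is the correct Luhn check digit for the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def ssn_like_valid(number: str) -> bool:
    """SSN-style syntax check: nine digits and nothing else to verify."""
    return number.isdigit() and len(number) == 9


def neighbours_valid(number: str, validator, span: int = 10) -> int:
    """Count how many of the next `span` consecutive numbers pass `validator`."""
    width = len(number)
    start = int(number) + 1
    return sum(validator(str(start + k).zfill(width)) for k in range(span))


if __name__ == "__main__":
    body = "12345678"                      # constructed sample body
    with_check = body + luhn_check_digit(body)
    print(with_check, luhn_valid(with_check))
    # The "add one" trick: every neighbour of a checkless nine-digit number is
    # valid; at most one of ten neighbours of a Luhn-protected number is.
    print(neighbours_valid(with_check, ssn_like_valid))
    print(neighbours_valid(with_check, luhn_valid))
```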
        
           | 9HZZRfNlpR wrote:
            | Well, modern countries use documents such as an ID card or
            | passport; you can't just walk into a bank and start opening
            | accounts from that little data. It's actually insane
            | Americans have that archaic system.
        
             | vageli wrote:
              | > Well, modern countries use documents such as an ID card
              | or passport; you can't just walk into a bank and start
              | opening accounts from that little data. It's actually
              | insane Americans have that archaic system.
             | 
             | It's archaic to allow opening bank accounts completely
             | online with no physical presence/authentication required?
        
           | wmf wrote:
           | Some companies are starting to use "knowledge based
           | authentication" like "which of these streets have you lived
           | on?" but of course they get that information from the data
           | brokers so anyone who can access data brokers can still
           | "steal" identities.
        
           | outworlder wrote:
           | Brazil would require a "CPF", which is a unique number
           | assigned to individuals. If you are doing something simple
            | such as an online purchase or monetary transfers (to someone
           | else's account), the number alone could be sufficient,
           | coupled with other information like full name and address.
           | 
           | Many places will not be happy with just the number and will
           | require at minimum a scan of the actual document - if you are
           | lucky. Most likely, if you need to send in a copy, that copy
           | has to be notarized. Which means that you have appeared in
           | person with the actual document and got it notarized. You'll
           | then send it by mail or drop off in person.
           | 
           | Sometimes this is not an option and you need to be present
           | with the actual document - like if you were selling property
           | or opening bank accounts, or even starting a business (which
           | requires trips to many governmental agencies).
           | 
           | If you are filing taxes, then CPF is required, as well as the
            | ID card, voter registration card (voting is mandatory). They
           | have started to combine documents, but even then the actual
           | hardcopy is required in most cases.
           | 
           | Medical care... well that's free so there's no fraud needed.
           | If it's for private insurance, you'll have to have your
           | insurance-issued card, plus your ID card. Unless it's an
           | emergency, but even then you'll have to provide these sooner
           | rather than later.
           | 
           | Financial institutions like banks: you'll either use internet
           | banking, in which case any credentials or devices needed will
           | have been issued in person by a branch, or you'll have to go
           | to a branch.
           | 
           | If your physical documents get stolen or lost, you need to
           | report to the police and get issued new ones. In that case,
           | ID theft can happen if they were indeed stolen, but it's
           | unlikely to have long-lasting implications if you have made
           | the police report. This usually requires some corruption as
           | some of those documents have photo ID. In that scenario, you
           | may have to do some work to clear your name and it is not
           | very different from US ID theft.
           | 
           | The bureaucracy is ridiculous so often you can have issues
            | doing things _even if you are who you say you are_. But
           | actual ID theft is not that prevalent. If you search for
           | 'identity theft' most of the results are about getting
           | website credentials compromised.
           | 
           | The main issue in the US is the use of a 'unique ID' which
           | was never meant as ID, can't be changed and has no built-in
           | security measures.
        
             | vageli wrote:
             | > Brazil would require a "CPF", which is a unique number
             | assigned to individuals. If you are doing something simple
              | such as an online purchase or monetary transfers (to someone
             | else's account), the number alone could be sufficient,
             | coupled with other information like full name and address.
             | 
             | > The main issue in the US is the use of a 'unique ID'
             | which was never meant as ID, can't be changed and has no
             | built-in security measures.
             | 
             | As someone with no knowledge of how Brazil does things, how
             | is the CPF any different than an SSN? Is it the requirement
             | to present a notarized copy of the document the difference?
             | Or something else?
        
               | forinti wrote:
               | CPF and SSN are just numbers that uniquely identify a
               | person.
               | 
               | The difference is that in Brazil, because of bureaucracy
               | and fraud, it is a lot harder to use somebody else's data
               | to your benefit. Which is just as well, because most
               | Brazilians are not careful at all and will readily give
               | out their data.
               | 
               | I will give an example of how insane the bureaucracy can
               | be: I once had to show my personal documents to an
               | authority (ID, work card, driver's licence, certificate
               | of birth, and so on). Because I was not born in Brazil, I
               | was asked to show proof that I was Brazilian, to which I
               | replied: how could I possibly have all this documentation
               | and not be Brazilian?
               | 
                | But it is getting better and government offices speak to
                | each other (through databases and web services), so they
                | can more easily identify a person and not require so much
                | paperwork. Still, some older folks can't shake their
                | mentality.
        
       | [deleted]
        
       ___________________________________________________________________
       (page generated 2020-09-09 23:00 UTC)