Claimed AT&T hack of 70M customer records including SSN, name, address (9to5mac.com)
246 points by kingnothing on Aug 20, 2021 | 160 comments



As I've said before, it's time to wipe the slate on SSNs. They are de facto public anyway. A date should be announced when the entire database will be published. After that date all liability for fraud perpetrated using an SSN as a shared "secret" will be assigned to the party who accepted the SSN as "authentication". That would solve the problem.

As an aside: When it comes to an authentication source to take the place of silly shared public "secrets" I think it would be great if the United States Postal Service "pivoted" into issuing digital certificates to individuals. They already have infrastructure and procedures in place for identity verification and physical delivery. I suppose that's too much like a federally-issued ID to ever fly, though our "REAL ID" drivers licenses are, in effect, a federal ID anyway. I'd rather have a digital certificate out of the deal too.


I think that we need to somehow make it harder for companies to request an SSN if it continues to be a "secret". I cannot tell you how many times a doctor's office casually asks for an SSN on a sheet of paper in plain text and I am like "Why?" I always fight that and found out that in a lot of cases, they just have it there and they didn't care when I didn't fill it in. Some of them do force me (probably for credit/billing reasons) but I always try not to fill it out.

Also, why are these phone companies persisting SSNs in a database? Why can't they run the credit check initially and discard the SSN? There should be laws around this, and they should be enforced. It is time to hold these companies accountable. We are so tired of being worried that our ID may get stolen.


The solution to not being "worried that our ID may get stolen" is to penalize companies who report false information to credit bureaus and penalize credit bureaus that give out false information. You don't care if someone impersonates you to a lender and a bank or mattress store loses money to a fraudster. You care that the company that lost the money can erroneously report that you defaulted on a loan to the credit bureaus and then the credit bureaus mark down your credit worthiness. This affects your cost on loans, ability to rent an apartment, get a job, etc. The "Fair Credit Act of 1970" gave credit bureaus immunity from liability for reporting false information as long as they don't do it on purpose, and in exchange they have to give people access to the reports and fix errors (very hard to do in practice).

People were rightfully worried in the recently emerging computer age that these credit agencies would have secret dossiers on everyone. At least this law let people look at them and in theory correct them.

It's probably time to revisit that 50-year-old act. I'm not sure how much lenders even use the standard scores anymore. Many calculate their own scores and probably include all sorts of info that we would be mad about them using if we knew what it was.


Ironically, having it in plain text on a piece of paper in some random doctor’s office is much more secure than having it hashed in some website’s database.

Possibly even more secure than that same doctor having it in their system.


Good point. But realize it's only on that paper for a few mins before being typed into their system.

Doctor's offices are so archaic at times. Only a handful let me do the forms online in advance. And even those have more paper for me to waste when I arrive.


A public system to enter data into, probably some sort of SaaS or COTS for most practices, has got to introduce far more insecurities than having the clerical staff enter it into the same backend the public system has to interact with.


Dumpster diving is a thing.

In almost all cases, someone is entering what you hand wrote into a system; and then they discard the paper copy.

If they shred it that's great, but dumpster diving at medical offices has made the news many many times.


Blame the insurance companies: most major insurance companies use your SSN as a mechanism for identifying the patient. The member ID #s can be used, but it's quicker to just input the SSN.


But they already get a copy of our insurance cards. Shouldn't that be enough?


When I got my Covid shot at Safeway they asked for it. I just didn't fill it out and no one even asked for it. I still had the record show up in Washington's vaccination DB, so it wasn't for that either.

I hope them asking for it didn't discourage someone without an SSN from getting their shot, since immigration status isn't relevant to eligibility.


I always leave it blank on the forms at doctor's offices and other medical facilities, no one has ever brought it up and asked for it.


Cable and phone and electric seem trained to ask for SSN. I politely say no, and we move on.

People volunteered the leaked info. Just say no.


I agree, but I am afraid that with our two-party system, which is incentivized to 'politicize' (I dislike that broad term) everything, it would be quite hard. One party proposes it, the other party will find "reasons" why it's either government overreach, or discriminatory, or something something something depending on the ideology. Purported ideology. Most likely it's another horse that gets debated in debates about a package of other things.

But yes, I wish we could be as modern as some European countries. I haven't heard of these identity theft issues in France, where everyone has a national identity card.


In Germany the postal service does what GP described by validating someone's identity for various purposes.

> Deutsche Post offers a secure identity check service – to millions of users every year.

> On behalf of your contracting party

> To ensure that only identified persons have access to sensitive services

> To sensitive services including those from the financial services sector (such as opening an online bank account), telecommunications (activating a prepaid SIM card), health care (access to health information) or the mobility industry (including car sharing).

https://www.deutschepost.de/en/p/postident.html


Let me point out that this service should not be necessary: every German ID has a physical key infrastructure necessary for any shop or vendor to do this with a local terminal, yet the enabling legislation deliberately didn't instruct the government to build out any ecosystem.

Compare this with, say, Estonia where practically everything can be handled through the keys in the ID card.


Stories about foreign countries and their societal infrastructure, as an American, make me really envious and sad for my country's state of affairs.

It's kind of like the feeling I get looking at somebody with a very nice car or house: "Oh, it would be neat to have such a thing but there's no way I'd ever splurge and get that." It's difficult for me to conceive of some things other countries have as just being "normal".


The only issue with Postident is that they are annoying and weren't accepting certain passports for foreign nationals for a time. Also, they have an online system you can sort of use now but also not really, and you cannot use a valid permanent residence card even though it's issued by the German government... it _is_ pretty alright though.


It is selection bias: the people with miserable and oppressive systems do not report it in detail, in English, on YNews, right?

Second, many systems of law treat individuals quite differently. Many systems that are not reported in detail on YNews do not give much choice to an individual by design.


I'm not suggesting that the United States is particularly bad. There are definitely many places in the world that are much worse off from so many perspectives (lack of rule of law, system of governance, economy, social safety net, class mobility, corruption, etc).

It could be better in so many ways, though, too. It would be nice if younger people (say, sub-70) would (and could be permitted to) take up the mantles of leadership.


It would be nice if younger people (say, sub-70) would (and could be permitted to) take up the mantles of leadership.

I'd really like to read a speculative fiction/scifi where every generation operates under its own system of laws, and you can opt in to a neighboring generation's laws instead once every N years or something.


Why is activating a pre-paid sim card a "sensitive service"?


To mitigate criminal activity ranging from stolen phones, to cellphone-activated bombs to evading wiretaps. I’m not arguing this is a good reason, but likely the reason this exists as a requirement.


There's still some identity theft issues, because "everyone asks your SSN for no reason" becomes "everyone asks for a scan of your id for no reason".

For instance, when I was looking for an apartment, the State had a service to both authenticate and watermark some documents (ID and proof of income, among others).

The watermark was a bunch of big bars with "this is intended for rental search" written on them. Kinda low-tech, and it feels like a creative attacker could use software to strip them out, but it's cool they did that.

In theory, we have some very good APIs for securely authenticating someone (France Connect in particular), in practice administrations are slow to adopt them.


This is the problem with having the public and private key be the same. Anyone should be able to access your public key, and anyone you deal with should be able to ask you to use your private key to verify your identity. The problem is when that entire process is reduced to "give us the number the government uses to ensure you're you. Don't worry, we won't use it to convince anyone else we're you ;) Or leak it so anyone else can do the same ;) ;) ;)"


> Anyone should be able to access your public key, and anyone you deal with should be able to ask you to use your private key to verify your identity.

First, let's assume the identity would be backed by a somewhat decentralized system; e.g. the identity could be backed by any state/territory's existing ID cards.

The problem is making the request signing step secure and accessible to... well, anyone, tech-savvy folks included. Software for installation to a computer is an obvious no-go. A mobile app is probably a good idea, but in any case I think we can assume a website will be a necessity. You've got to be able to give that website your private key. Guess what, you've already lost: as soon as you tell people to type their key into this website, people will type their private key into any old website now. (I remember when my mom, with the best of intentions but without my prior knowledge, filled out my FAFSA info, SSN and all, on a scam .com site despite how many times we were told "fafsa.gov" or whatever.)

But let's pretend that's a solvable problem, just for the sake of argument. Let's assume it's a federal government provided site which you can provide with your private key on demand to do signing on your behalf, and it's relatively secure, actually keeping the key in your browser. And there's a mobile app option which can store the key locally with better security and do signing in memory which can actually be wiped after. Fine. Now convince the public that this site/app does not constitute a Federal database of identities. You and I know it wouldn't, as described, but I would not blame anyone who objected on those grounds one bit, because without the necessary knowledge it absolutely would seem like a Federal ID, and folks are right to be wary of a single source of identity information. After all, all that does is take the SSN problem and add to it civil liberties problems. The distinction between SSNs and a [somewhat] decentralized PKI scheme with a centralized signing app for security/anti-phishing reasons is a distinction essentially impossible to convey to any but the most tech-savvy.


How much would it cost to give everyone a device from which the private key could not be removed?

Worried about "mark of the beast" based objections? Make it optional. Those who wish can retire their SSN and receive their public / private keys and then the government publishes their SSN as a trashed SSN. Everyone who still wants just a SSN can take their chances.


An SSN already is optional. Nobody forced your parents to register you, but your parents wanted to claim you on the IRS tax form each year, so they sold you out.

USA passport for my children didn't require SSN. And a passport complies with TSA id checks.


In the long run, they'll hopefully solve these problems with SSO.


It's infuriating, because with the proper messaging, this is a bipartisan issue. Right, left and everyone in between have had identities stolen. Stolen identities cost businesses money; I'd wager millions, maybe billions collectively every year. There's literally no reason why a more secure form of identity verification needs to be a partisan issue.

Which is exactly why it will be :(


Third world country here. Even we have ID cards and no identity theft issues. I don't get why the US doesn't get on with the times. Same for the metric system.


It seems like someone could do us all a public service by combining a few of these lists and making a very public and hard to take down website with them all listed. Create a forcing function for a replacement.

Not recommending anyone do this as it's obviously illegal, but..


What laws make it illegal for a regular person to republish a list of SSNs and corresponding names?


I still doubt much would come of it until someone began to target lawmakers with it.


I'm not sure if it is illegal, since the US expends a lot of energy keeping privacy rights out of its civil rights. But it would be a chore to process GDPR requests from dual citizens, etc.


Yes! SSNs are already not private given the number of hacks that have occurred. Today, the real damage comes from the fact that people/businesses still believe they are private. Publishing a list of all SSNs would eliminate the misperception once and for all and force people to verify identity in a better way. SSNs should only ever be used so your employer knows how to report who paid what taxes to the IRS. If someone else wants to use my SSN to claim that they paid my taxes, fine with me!


Not sure if it's a problem of perception or just the lack of legal responsibility. As long as the legal and financial risk isn't owned by the party using the SSN for a purpose they shouldn't (identification), nothing will change.


100%. The very concept of "identity theft" feels like corporate newspeak to shift the onus of remediation from the party that actually got defrauded (the company) to someone uninvolved in the transaction.


How is the financial risk not owned by the party using the SSN for identification?

Guess who ends up footing the bill when a bank gives a loan to someone pretending to be you? Hint: It’s not you, and it’s not the fraudster either.


> SSNs should only ever be used for your employer knows how to report who paid what taxes to the IRS. If someone else wants to use my SSN to claim that they paid my taxes, fine with me!

That could go the other way, with someone else filing their income under your SSN without any corresponding withholding. This, too, needs better authentication than a mere SSN can provide.


Proposed alternative: you get your own private key as an identifier. Nobody can ever ask for the private key; they can only ask for a signed message that proves identity. Thus a lot of categories of fraud are no longer possible, because there is no shared reusable number in the event of a leak.
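The flow this comment proposes, as an added example that is not part of the thread and not anyone's production system: the relying party stores only a public key, issues a fresh challenge bound to itself and to the purpose of the request, and accepts a signature over that challenge exactly once. It is written in Go with only the standard library (Ed25519). The person ID, the relying-party name and the purpose string are constructed placeholders. The scenario at the end checks the three properties the comment relies on: the genuine holder's proof is accepted, a captured proof cannot be replayed, and a party that holds nothing but the leaked public key cannot produce an acceptable proof.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for what a relying party (bank, carrier, clinic) stores about
// a person: the public key only. If this table leaks, nothing reusable leaks with it.
type Registry struct {
	pubKeys map[string]ed25519.PublicKey // keyed by a constructed person ID
	pending map[string]string            // outstanding challenge per person ID
}

func NewRegistry() *Registry {
	return &Registry{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

// Enroll records the public half; the holder keeps the private half and never sends it.
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) { r.pubKeys[id] = pub }

// Challenge issues a fresh random nonce bound to the relying party and purpose, so a
// signature cannot be replayed to another party or reused for another request.
func (r *Registry) Challenge(id, relyingParty, purpose string) (string, error) {
	if _, ok := r.pubKeys[id]; !ok {
		return "", errors.New("unknown id")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	msg := fmt.Sprintf("%s|%s|%s", relyingParty, purpose, hex.EncodeToString(nonce))
	r.pending[id] = msg
	return msg, nil
}

// Verify accepts a signature only for the currently outstanding challenge, checks it
// against the enrolled public key, and spends the challenge either way.
func (r *Registry) Verify(id, msg string, sig []byte) bool {
	if msg == "" || r.pending[id] != msg {
		return false // no outstanding challenge, or a stale/replayed one
	}
	delete(r.pending, id) // single use: a captured (msg, sig) pair is worthless afterwards
	return ed25519.Verify(r.pubKeys[id], []byte(msg), sig)
}

// Holder is the person's side: a private key that only ever produces signatures.
type Holder struct{ priv ed25519.PrivateKey }

func NewHolder() (*Holder, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Holder{priv: priv}, pub, nil
}

func (h *Holder) Sign(msg string) []byte { return ed25519.Sign(h.priv, []byte(msg)) }

// RunScenario plays the flow through and reports the three outcomes worth checking:
// the genuine holder's proof is accepted, replaying that same proof is rejected, and
// someone holding only the leaked public key cannot produce an acceptable proof.
func RunScenario() (genuine, replay, forged bool, err error) {
	reg := NewRegistry()
	alice, alicePub, err := NewHolder()
	if err != nil {
		return
	}
	reg.Enroll("person-0001", alicePub) // constructed ID, not a real identifier

	msg, err := reg.Challenge("person-0001", "example-bank", "open-account")
	if err != nil {
		return
	}
	sig := alice.Sign(msg)
	genuine = reg.Verify("person-0001", msg, sig)
	replay = reg.Verify("person-0001", msg, sig) // someone who captured (msg, sig) retries

	// Someone with only the leaked public key obtains a fresh challenge but has to
	// sign with a key of their own; the registry rejects it.
	mallory, _, err := NewHolder()
	if err != nil {
		return
	}
	msg2, err := reg.Challenge("person-0001", "example-bank", "open-account")
	if err != nil {
		return
	}
	forged = reg.Verify("person-0001", msg2, mallory.Sign(msg2))
	return
}

func main() {
	g, r, f, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v replay=%v forged=%v\n", g, r, f)
}
```

`go run` on this file prints `genuine=true replay=false forged=false`. The design choice worth noticing is that the challenge string names the relying party and the purpose: a signature obtained by a phishing site for "example-bank|open-account" cannot be presented to a different party, and the registry's own copy of the challenge is what gets compared, so the holder's device need not trust the requester's text.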


In Denmark, you are issued a one-time pad. You get a new one with some frequency. If you lose it, you are issued a new one.

In that case, third parties could use a government website to get a row/col and ask you to verify, and the website could say yes/no. Yes, there is a risk of your one-time pad being stolen, but it is no greater than the current risk that any US citizen's tax documents or SS card can be stolen.


How do they bootstrap the verification when you say you lost your key?



That's an annoying denial of service attack; and you would typically do this by making the burn require very little authentication and the recovery a visit to a local government office, such as the police or a court.


What do you do when you lose your private key?

Who issues the private key? "get" implies it comes from somewhere, i.e. a CA system.

If the government is the CA system, and your private key is your identity, how do you establish your identity in the event that you lost your key?

The nice thing about SSNs being immutable is that none of these are concerns. (It's also the bad thing about SSNs being immutable.)


That and I can memorize my SSN.

We do have one thing in the US that’s physical proof, and that’s your birth certificate. But I’m sure people lose them and they can be pretty easily fabricated.


I would say that most identity theft issues will be resolved if you are forced to do a 5 min video verification call. I can show my ID (DL, Real ID etc.) just like I can do in person. It may add a little bit of hassle, but I would trade that for peace of mind that some random person cannot steal my identity that easily just because they know my DOB, SSN etc. and can fill out an online form. The video call can easily weed out the scammers, especially because a lot of ID thefts happen where a young person is stealing an older person's identity or vice versa, or it is a different gender etc.


Should have it where your social security is a public key and the government has your private key. You're given a device that has your private key to confirm things, but you don't know it directly. The public key is used in place of a social security number. If your public key gets compromised the government blacklists it and gives you a new one.

This is just a knee-jerk thought and I'm sure it can be improved, but I believe asymmetric keys are the solution.


You have it totally backwards. Public keys are called public keys because they are intended to be public. You should be able to freely advertise a public key on a billboard.

On the other hand, you can't really expect the average citizen to properly curate a private key, and a private key also doesn't work for verification purposes.

I think the problem would be easily solved without encryption or keys by using the social security number in combination with a user-selected PIN number.

Any time you apply for credit somewhere, you should have to provide the social and a PIN. There should also be an easy way to generate single-use PIN numbers that can be used when applying for credit.

They already have a lot of the infrastructure for doing this. You can already put a credit freeze on your social security number and protect the credit freeze with a PIN, for example.

Whenever I am applying for credit, I simply "thaw" out my social security number for a couple of days. This works pretty well, but it's a hassle because you have to do it for all three agencies. It also suffers from the problem that my credit could get compromised if I left it thawed out too long.
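The Danish-style card of single-use codes described earlier in the thread (the issuer picks a position, the third party asks the holder for that code, and the issuer answers yes/no) and this comment's single-use PINs for credit applications are the same mechanism, so one added example covers both. This is illustrative Go using only the standard library, not anyone's real system; the person ID is a constructed placeholder and the card length and six-digit code format are assumptions. The relying party never sees the card, only the issuer's yes/no, and each position is spent on any attempt, so a wrong guess costs a code rather than giving a free try; the thread's observation that this invites a denial-of-service tradeoff is why `Revoke` plus re-identification exists.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// Card is the paper card the holder keeps: numbered single-use codes. Only the one
// code the issuer asks about is ever read out, never the whole card.
type Card struct{ Codes []string }

// Issuer stands in for the government service. It keeps a copy of each card and
// marks positions as spent; relying parties only ever receive a yes/no from it.
type Issuer struct {
	cards map[string]*Card
	spent map[string][]bool
}

func NewIssuer() *Issuer {
	return &Issuer{cards: map[string]*Card{}, spent: map[string][]bool{}}
}

// Issue creates a card of n random six-digit codes (an assumed format), replacing any earlier card.
func (iss *Issuer) Issue(id string, n int) (*Card, error) {
	codes := make([]string, n)
	for i := range codes {
		v, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
		if err != nil {
			return nil, err
		}
		codes[i] = fmt.Sprintf("%06d", v.Int64())
	}
	iss.cards[id] = &Card{Codes: codes}
	iss.spent[id] = make([]bool, n)
	return iss.cards[id], nil
}

// Revoke discards a lost card; the holder is re-identified (a visit to a local
// office, as the thread suggests) before Issue hands out a new one.
func (iss *Issuer) Revoke(id string) {
	delete(iss.cards, id)
	delete(iss.spent, id)
}

// Challenge picks a random unspent position for the relying party to ask the holder for.
func (iss *Issuer) Challenge(id string) (int, error) {
	spent, ok := iss.spent[id]
	if !ok {
		return 0, errors.New("no active card for id")
	}
	var unspent []int
	for i, s := range spent {
		if !s {
			unspent = append(unspent, i)
		}
	}
	if len(unspent) == 0 {
		return 0, errors.New("card exhausted; reissue")
	}
	k, err := rand.Int(rand.Reader, big.NewInt(int64(len(unspent))))
	if err != nil {
		return 0, err
	}
	return unspent[k.Int64()], nil
}

// Verify answers yes/no for (position, code). The position is spent on any attempt,
// right or wrong, so each guess costs a code rather than a free try.
func (iss *Issuer) Verify(id string, pos int, code string) bool {
	card, ok := iss.cards[id]
	if !ok || pos < 0 || pos >= len(card.Codes) || iss.spent[id][pos] {
		return false
	}
	iss.spent[id][pos] = true
	return subtle.ConstantTimeCompare([]byte(card.Codes[pos]), []byte(code)) == 1
}

// RunScenario reports: a genuine answer is accepted, the same answer replayed is not,
// a wrong guess burns the position so the right code no longer works there, and a
// revoked card can no longer be challenged at all.
func RunScenario() (genuine, replay, burnedByGuess, revoked bool, err error) {
	iss := NewIssuer()
	const id = "person-0001" // constructed ID, not a real identifier
	card, err := iss.Issue(id, 20)
	if err != nil {
		return
	}
	pos, err := iss.Challenge(id)
	if err != nil {
		return
	}
	genuine = iss.Verify(id, pos, card.Codes[pos]) // holder reads the code off the card
	replay = iss.Verify(id, pos, card.Codes[pos])  // same (pos, code) again: already spent

	pos2, err := iss.Challenge(id)
	if err != nil {
		return
	}
	iss.Verify(id, pos2, "not-a-code")                      // a wrong guess burns pos2
	burnedByGuess = !iss.Verify(id, pos2, card.Codes[pos2]) // the right code is now refused

	iss.Revoke(id) // card reported lost
	_, errAfter := iss.Challenge(id)
	revoked = errAfter != nil
	return
}
```

Calling `RunScenario()` yields `genuine=true`, `replay=false`, `burnedByGuess=true`, `revoked=true`. Compared with the SSN-plus-PIN idea as usually deployed, the part that matters is that the relying party never learns a reusable value: the creditor submits what the applicant said and gets back a single bit, so a breach of the creditor's database reveals nothing that opens credit elsewhere.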


If your public key gets compromised...

Do you mean private key? Or am I about to have a TIL moment? Because your public key is, well, public so I wonder what a compromise of that would look like.


Nah, one-time pad with government verification for third parties. Keep it rolling.


> After that date all liability for fraud perpetrated using an SSN as a shared "secret" will be assigned to the party who accepted the SSN as "authentication".

lol. How do you think it works right now?

The party who accepted the SSN (or their insurance) is liable for footing the bill for the fraud, except in the ridiculously unlikely scenario where they’d manage to collect money from the fraudster.


> After that date all liability for fraud perpetrated using an SSN as a shared "secret" will be assigned to the party who accepted the SSN as "authentication". That would solve the problem.

Except that the problem isn't which party is legally liable. The problem is that the legal system is almost entirely inaccessible to the vast majority of people.


In Sweden the personnumber is public info and there is no value to keeping it secret. Everything works fine there.


Interesting point of view. Maybe the SSN should be used for authentication purposes.

Give SSN. Get an email, text or notification to verify. The SSN service replies back with a real ID number. The real ID number is used for banking.


It's really simple to those of us who do any work at all with authentication. If you share it with anyone, it's not a secret.


What are we gonna use instead? Hardware keys, like Ledger but for ID?


That's basically what some countries have: IDs with a smartcard built in which functions like an HSM.


I'm strongly partial to a wearable token. The NFC Ring is one highly attractive option.

- It's unobtrusive enough to wear all, or very nearly all, of the time. Contrast cards or similar carried-but-not-worn tokens.

- It can be readily used to tap a sensor for identification purposes. Contrast cards or similar tokens (e.g., USB keys), which are far less immediate.

- It is replaceable. That is, if it's compromised, stolen, or lost, it can be replaced. If it becomes unadvisable to possess, it's readily discarded and reasonably easily destroyed. This contrasts with biometrics or permanently embedded sensors.

- Its absence is reasonably immediately determinable. Again, contrast carried-but-not-worn tokens.

- The existing prevalence of ring-wearing makes use of an NFC ring less obvious or evident (mostly a concern in early-adoption periods), or the opting-out of wearing one (which ring is the NFC ring?), without directly querying each individual, which ... might not work regardless (depending on implementations).

- There are relatively few people who would be entirely unable to use such a device. Ready alternatives for most such cases exist: wrist bands.

- Unintentional validation (e.g., surveillance) is relatively easily avoided, if devices require immediate contact with a sensor/receiver. That is, a surveillance entity couldn't mass scan a crowd or region quickly, but would have to individually query rings in close proximity. (This might be achieved through high-volume transit points already, but this already raises the ante.)

- It's possible with a query/response system that multiple identities with the same root, but not immediately correlated, could be supported. (Deanonymisation or identity linking remains a significant problem, however.) Ideally, such a system could be limited to only satisfying minimum qualifying criteria (e.g., "I've paid a fare for this trip"), rather than transmitting either a full personal dossier or an absolute identity.

Key (so to speak) challenges are in agreeing on a single standard, ensuring cryptographic robustness, and protecting privacy, surveillance, and other concerns, as well as distributing the detector infrastructure for desired uses.


This all sounds very reasonable, albeit I'm partial to chip-and-PIN for preventing unintentional validation and to render the token useless if lost or stolen. The ring form factor doesn't lend itself to PIN entry, but otherwise it sounds reasonably compelling. (Granted I can't make myself wear a ring without taking it off, fidgeting with it, and ultimately losing it. I've tried, failed, and lost three as a result.)


An NFC ring can still require secondary authentication (e.g., PIN) in some contexts. That would be application-dependent.

There are cases (e.g., mass-transit turnstiles) where this isn't desirable --- the intent is to maximise throughput. (The question of whether or not validating fares is a net benefit is also open.)

For a more secure facility, or payment system, tag + PIN (and potentially other identifiers) would be preferred.


I'm at the point where I just want a tattoo or chip embedded in me. Like I'm integrated in the system at this point. I can't exactly go off grid.


"How come no tattoo?!"


For those wondering, this is a reference to Idiocracy: https://www.youtube.com/watch?v=BdPmNM0IF7Y

I believe the direct quote is "Why come you got no tattoo?"


I am Not Sure.


Maybe we need to tell each individual company that our SSN is public when they ask for it and why they rely on it to identify me... another form of ID that they like to use when you apply for credit is previous addresses/cars/etc... as if that isn't public.


It would certainly be a nice time to stop using SSNs as keys, SMS as 2FA, and more importantly having next to zero consequences for this kind of stuff.

At this point we just expect this to keep happening over and over again with nothing changing, it's a very strange thing to observe...


SMS as 2FA is so stupid. So many banks and financial institutions are doing it in America and it amazes me. I mean, what are they spending millions of dollars in compliance/security/SOC etc. on if they can't get basic 2FA done correctly? And don't get me started on stupid password requirements where a more secure password generated in KeePass etc. won't be valid. Who builds this stuff today?


It provides good security for most people and is a big ease-of-use trade-off. Hardware can be lost; software is difficult for most people to install and use. You need solutions that account for 95% of people. Ideally there's non-SMS for the other 5%, but unless Apple/Google/telcos come out with something better that's built in, integrated, and dead simple, we're stuck with SMS for a long time. Security is a spectrum.


SMS as 2FA raises the bar significantly for non-organized attackers. You'd be amazed how much of the meth crowd that encompasses.


The challenge I’ve found is that I end up with a lot of different MFA options which makes it hard to track where my exposure is. In some places I have two methods because I set up SMS when it was available and switched to an authenticator app and forgot to turn down SMS. It’s a shame there’s no SSO for personal accounts that established dominance so that I could just have 1 account I need to secure (although SSO solutions never put you in control of being able to minimize data leakage and let providers force you to disclose certain information for using their service).


Compliance is about liability, not security.


Just this week, I had to sign into a service for a very large transaction I'm privy to. My password? The last 4 of my social. It's unbelievable how dumb so many of our systems are.


On a similar note, I set up my utility account this week. It was suggested by the representative that I use the last 4 digits of my SSN as a PIN for my account. Pretty disappointing how short-sighted many companies are when it comes to security practices.


That's because if somebody gets in, it's not their problem for having lax authorization, it's your problem for being "victim of identity theft" and all the burden of proving it wasn't you rests on you. It costs them nothing to give out horrible advice, so they do it.


I'm in Ireland at the moment, where the health system, and vaccination process, appears to use mother's maiden name as a de facto password. There is no option to change it. It is often asked in person, and so can't be used as a placeholder.

For business reasons, my mother has her parents' last name, I have hers, and this fact is easily discovered online with a few minutes research...


+1.

And orgs (gov and private) will continue to just ask for completely unnecessary information because, why not? Throw it in some database with root:root as the pw and shrug when it gets breached. It really needs to stop. The only person that loses is the person that now has to potentially deal with identity theft or getting doxxed for the rest of their life...


I guess that website admins don't really care, as it is a sufficiently good measure to reduce spam/spam accounts/new registrations.

Yes, I am a pessimist and I believe that. Why should website X care that there is a probability that the ISP is going to be hacked?


When does this end? When do our useless governments put a stop, once and for all, to these ridiculous lax security practices in corporations?

I feel like I'm being forced to become a luddite, not because I don't love technology but because it's being used for such evil and potentially life-destroying purposes.


Our government is run by a gerontocracy born decades prior to PCs and the internet. They have no idea what the root problem is or how to fix it. How many of them even know the absolute basics? What a for loop is? Or Postgres? Or http vs https? Anything they actually do will be written by lobbyists on behalf of tech giants and other multinational corporations and big donors.

Between that and the increasingly fundamentalist, censorious, puritan, social justice takeover of tech companies, I also feel like I'm being forced to become a luddite despite my life long love for technology.


Of course they understand. The issue is that they don't care. They don't care about you or me. They don't care about whether you have Internet access and if you do whether it is slow or fast. They don't care whether you are homeless or rich or if you are high on drugs or a personal trainer to the stars.

If you make a big enough issue about how they apparently don't understand, they will create a committee to study the issue then ignore the findings. They don't care about you or your problems.


I think the takeaway is that government represents too many people and you can't satisfy everyone, so leaders listen to citizen action groups and lobbyists who are able to aggregate all these different viewpoints into more broadly popular legislation and show with their supporters that these ideas would be popular among a given electorate.


After having interacted with politicians, I am firm in my belief that most of them don't care about their constituents.


At the federal level I think the care is chiefly about re-election. At the state level I see a mix of people who are involved out of a sense of civic duty, and people who have designs on moving up and acquiring more power.

If politicians represented fewer constituents I think they'd be forced to care more about their constituents, if only because each individual voter wields more power. I certainly think that I have more power to influence my local politicians than I do my state representatives (let alone my federal representatives). My local politicians also live more proximate to me, and share more in the physical problems of the region. My US Senators live in my state, and that's about all they have in common with me.


This is what we get as a society when we aren't collectively involved. Why should our politicians care when we don't? How many of your neighbors have done the work to change politicians' votes or to raise their own politicians up?

I agree with you, but I also think there are many disparate problems we can point at. Ultimately, it all boils down to this: we get the results of our efforts.


There's a both-sidesism here: one party that's demanding censorship (because misinformation, danger, etc.) when they used to fight it, the other party seemingly defenders of classic big corporate entities. Yes, it does seem hopeless.

I think it has to get worse before it gets better. If almost everyone's personal information, SS and so forth, even IMEIs, addresses, mother's maiden name, you name it, is available on the dark web, then that'll basically mean the corporate world will have to create a new mechanism. For example, the most obvious is the entire system in which credit worthiness is determined.

I know two people with identity theft issues, and in both cases people opened up accounts that impacted credit worthiness. That's really lousy if you spend a long time searching for a home to buy, and when you're in contract something like this happens and your credit gets dinged. Blame the banks and the credit industry as much as the hackers. They made this impossible-to-contain information literally the key determinant of your ability to get a loan in order to purchase a home.


I am becoming less luddite, but way more partial to older technology.


This situation could be greatly improved if these companies didn't have or need to have this data in the first place.

Prepaid mobile plans carry a lot of stigma with them - perceived to be "low-class", or even criminal by many. But at least your SSN and address won't be in their database.


I don't know about the US, but here in the UK prepaid mobile isn't necessarily looked down upon, but it's significantly more expensive than a contract. It's the main reason why people just go with a contract despite being locked in for 2 or more years. Even sim-only contracts are considerably cheaper.


In the US, prepaid is a much cheaper option for all but the highest volume users. The drawback is that you get deprioritized on the cell towers making mobile data nearly unusable in many cities or at large gatherings like sporting events.


I've been using Liberty for a while now and it's been fine. It's 2G but I'm like 90% of the time always around wifi I trust so not a major deal. No reason to blow tons on data I don't use.


With AT&T at least, if you want the highest priority on their towers you have to be on their Elite plan (QCI 7, I believe), which is post-paid only.


Yikes. Is that something that AT&T is openly advertising?


What does the “priority on the towers” do?


If you want to use your mobile data, you get sent to the back of the queue. Higher priority users might get 50 Mbps. You will be lucky to get 1 Mbps, and in some cases less than that.

I don't know if there is an impact on call availability as well.


A conversation earlier this week pointed out the EU system: eIDAS [0]. It looks pretty interesting how it's decentralized.

I could see something like this running from each state's DMV (or the postal service if you didn't want to use your local state DMV) to help ensure you are you.

It would be interesting to hear what people that use it say, because I'm sadly stuck in a very US world :)

[0] https://en.wikipedia.org/wiki/EIDAS


We already have systems for notarization, perhaps we could try to leverage that, updating it for more modern purposes. I could see them issuing things like smart cards. Then again we have some pretty hardcore religious zealots who refuse to do anything even remotely resembling a national ID system, so it will continue to be fragmented and subject to each state's implementation.


If the cost of identity theft, I mean bank fraud, was put on the banks, this would be less of an issue.

All companies do not need better security. Banks need better processes so my SSN and address can't be used to mess up my life.

The banks have the money to fix this.


Interestingly, I stopped being an AT&T customer 4 years ago but just this morning I received a phishing SMS containing my real name and a mention of AT&T overpayment or some-such.

Could be a coincidence, or it could be the data is already out and being used.


I know this doesn’t add much to the conversation, but I got the same text this morning and I am currently still with AT&T.


I received the exact same thing. I was also a customer of AT&T around 4 or so years ago.

The odd thing to me was the phishing text said to CALL ATT's very own number. No links or anything.


Mine included a link. I already removed it so can't look at it now, but it definitely included one of those minified links that immediately scream "phishing".


I received the same thing yesterday.


An SMS can be crafted to attack your phone if you view the message.


The seller hasn't sold the data yet. Unless it has already been available behind the scenes and changed hands, I don't think the breach is related.


Why is it so much harder and costlier for companies to be able to store credit card numbers, but not SSNs? I mean there is a whole certification process that costs hundreds of thousands of dollars to get PCI certified, but you could say an SSN has the same if not larger risk profile. You can cancel credit cards; you can’t get a new SSN. What is stopping government from implementing the same requirements? No one asks for your card number that is not certified, and certainly you would not give it if asked, even if they said it’s mandatory. So why the SSN leniency?


A globally unique id is incredibly useful to many businesses, particularly since half of America changes their names. Often repeatedly. So there will be incredible back pressure at implementing this.


Then make it both unique and worthless. Every other country has national IDs, and you gain nothing by stealing one; you actually present it almost everywhere, same value as a driver's license. In fact, when pulled over, you are asked for the license and the card, to make sure the license is really yours. What you definitely cannot do is transact with only your national ID; that's silly. It's identification, not authentication. Your PINs, passwords, signatures, presence are required in addition to your ID number to do anything. While in the US, I always thought it was weird the importance that such a document was given, to the point that even laminating it is taboo, complete with a notice written on it. They tell you to not walk around with it. Never understood how it got to this point.


I’ve been wanting the government to roll out a zero proof ID mechanism so that businesses don’t need any info. Just have a unique ID that’s a representation of that one unique representation. Visit a new Dr’s office? Instead of an SSN generate a new ID they can use to contact you with the government as the intermediary. The business never gets your PII and the government already has your PII and needs to keep it secure (and is politically culpable to breaches). Some care needs to be taken to ensure that the government is actually blinded to the identity of the entity you connect with so that they can’t connect the dots about activity, but I think this is tractable.

Same thing with medical records. The current design is abhorrent. Every medical provider has an independent copy of your records. You should be the only one with a copy (or with a storage provider you designate) with strict timely access controls (eg doctor gets the records for 30 days for review or something). That I have to fill out a form to get my own medical records is retarded.

This stuff isn’t hard, but it’s hard to make money on so there’s perverse incentives to keep the status quo.
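The two comments above (the eIDAS pointer and the "government as intermediary" proposal) describe a scheme that can be shown concretely: the identity provider hands each business a sector-specific pseudonym, so breached databases cannot be joined on the identifier, and the pseudonym alone authenticates nothing; acting as the holder requires a possession-based challenge response checked through the provider. The following is an added example, not code from any participant, from eIDAS, or from any national eID implementation. All names, keys and the `clinic.example` / `telco.example` relying parties are constructed, and the provider is not blinded to which business is asking (the caveat the comment raises is left unsolved here).

```python
"""Pairwise pseudonymous identifiers brokered by an identity provider.

Added example, not from the thread. The IdP derives a per-business pseudonym
with an HMAC over (citizen, sector); without the IdP master key the clinic's
and the carrier's identifiers are unlinkable and reveal nothing. A relying
party only ever stores the pseudonym, and a login is a fresh nonce answered
with a key provisioned to the citizen's device, verified via the IdP.
All identities, sectors and keys below are constructed.
"""
import hashlib
import hmac
import secrets


def _respond(device_key: bytes, sector: str, pseudonym: str, nonce: bytes) -> bytes:
    """Citizen-side response, bound to this relying party and this nonce."""
    msg = sector.encode() + b"\x00" + pseudonym.encode() + b"\x00" + nonce
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class IdentityProvider:
    """Constructed stand-in for the government identity provider."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)                  # never leaves the IdP
        self._device_keys: dict[str, bytes] = {}                # real_id -> device key
        self._pseudonyms: dict[tuple[str, str], str] = {}      # (sector, pid) -> real_id

    def enrol(self, real_id: str) -> bytes:
        """Provision a per-citizen key, as onto a smart card or phone."""
        key = secrets.token_bytes(32)
        self._device_keys[real_id] = key
        return key

    def pseudonym_for(self, real_id: str, sector: str) -> str:
        """Sector-specific identifier: HMAC(master, real_id || sector), deterministic per pair."""
        pid = hmac.new(self._master, real_id.encode() + b"\x00" + sector.encode(),
                       hashlib.sha256).hexdigest()
        self._pseudonyms[(sector, pid)] = real_id
        return pid

    def verify(self, sector: str, pseudonym: str, nonce: bytes, tag: bytes) -> bool:
        """Does the responder hold the device key behind this sector's pseudonym?"""
        real_id = self._pseudonyms.get((sector, pseudonym))
        if real_id is None:
            return False
        expected = _respond(self._device_keys[real_id], sector, pseudonym, nonce)
        return hmac.compare_digest(expected, tag)


class RelyingParty:
    """A business (clinic, carrier) that never sees an SSN, only its own pseudonym."""

    def __init__(self, sector: str, idp: IdentityProvider) -> None:
        self.sector, self.idp = sector, idp
        self.records: dict[str, str] = {}   # pseudonym -> business data

    def onboard(self, pseudonym: str, note: str) -> None:
        self.records[pseudonym] = note

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, pseudonym: str, nonce: bytes, tag: bytes) -> bool:
        return pseudonym in self.records and self.idp.verify(self.sector, pseudonym, nonce, tag)


def run_demo() -> dict[str, bool]:
    idp = IdentityProvider()
    alice_key = idp.enrol("alice-real-id")                     # constructed citizen
    clinic = RelyingParty("clinic.example", idp)
    telco = RelyingParty("telco.example", idp)
    p_clinic = idp.pseudonym_for("alice-real-id", "clinic.example")
    p_telco = idp.pseudonym_for("alice-real-id", "telco.example")
    clinic.onboard(p_clinic, "patient file")
    telco.onboard(p_telco, "postpaid line")

    # 1. Two breached databases cannot be joined on the identifier.
    unlinkable = p_clinic != p_telco and not (set(clinic.records) & set(telco.records))
    # 2. The holder answers a fresh nonce with the device key.
    n1 = clinic.challenge()
    holder_ok = clinic.authenticate(p_clinic, n1, _respond(alice_key, "clinic.example", p_clinic, n1))
    # 3. A thief with the leaked pseudonym but no device key forges nothing...
    n2 = clinic.challenge()
    thief_blocked = not clinic.authenticate(p_clinic, n2, b"\x00" * 32)
    # ...and cannot replay the earlier response against a new nonce.
    replay_blocked = not clinic.authenticate(
        p_clinic, n2, _respond(alice_key, "clinic.example", p_clinic, n1))
    # 4. The clinic's pseudonym is meaningless at the telco, even with a valid response.
    cross_rp_blocked = not telco.authenticate(
        p_clinic, n2, _respond(alice_key, "clinic.example", p_clinic, n2))

    return {"unlinkable": unlinkable, "holder_ok": holder_ok, "thief_blocked": thief_blocked,
            "replay_blocked": replay_blocked, "cross_rp_blocked": cross_rp_blocked}


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The point the example makes explicit is the separation the thread keeps circling back to: the identifier a business holds is a lookup key for that business only, and the thing that lets someone act as you (the device key and a fresh challenge) is never stored in the business's database at all, so a breach like this one leaks nothing an attacker can use elsewhere.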


I bought a new iPhone with cash, signed up for a Verizon MVNO using an assumed name and used an impersonal email address (and assumed name) for my Apple ID (which I seldom use).

Nobody in this chain has my real name or any significant PII. I don't care if any of them get "hacked".

Further, if my phone is lost I just recreate the chain and point my (twilio) number to the new SIM card. I can temporarily forward SMS to email for a day or three. Yes, of course twilio has an assumed name.

None of this was difficult nor illegal nor expensive.

The enabling factor is that Visa/MC do not actually verify cardholder name (even though everyone thinks they do).

So my bank sort of knows who all the providers are, but they'd need to collude with (MVNO or twilio or Apple) to have any real PII which could then be stolen ...

My threat model is PII theft via hacks (like this one) and wayward employees at each provider. My threat model is not state actors or LEAs.


Interesting - I've always wondered if something like this is possible.

Even just if privacy.com or someone would let me signup with a fake identity to t-mobile. Then who cares if these folks get hacked?


Can you elaborate on "The enabling factor is that Visa/MC do not actually verify cardholder name"? Are you saying that you've got a credit card under an assumed name?


No, of course not.

I am saying that merchants do not have the ability to verify card holder name.

Your transaction will process properly with Mickey Mouse as first/last name.

Only Amex verifies cardholder name.

EDIT: relevant stackexchange is here: https://security.stackexchange.com/questions/220724/i-can-pa...


I appreciate the response and the link to the Stack Exchange question. I wasn't "getting" what you were saying, but now it makes sense. That's probably something I'll start doing too. Thanks for the idea.


> None of this was difficult nor illegal nor expensive.

Is giving a false name to the CC companies not illegal in some way? At the very least I'm certain it is a breach of contract.


I think OP is saying that they give a fake name to the vendor, not the CC card company. Walmart (maybe?) isn't checking that the billing name you give them matches the name on the card. I don't know how true this is across all vendors.


This is correct.

I have the same, real-name relationship with my bank and card issuers that you or anyone else has.

Rando-web-merchant, on the other hand, never gets my real name.

"I don't know how true this is across all vendors."

Almost 100%.

There is a rarely used program called "verified by visa" that takes you through an additional verification step and encourages you to create some sort of account linked to your issuing bank (or something) but I have only run into that once in the years I have adopted this practice.


Slightly mitigating:

Merchants can request Address Verification (AVS) from the network, but the result is purely advisory: the merchant can ignore a mismatch if they choose. In my experience, most do ignore it.

This is also true of the CVV/CVV2/CSC/etc. Most web vendors require it, but it is not required to complete a transaction. Theoretically the provision of a correct CVV indicates that the consumer has the card in-hand. Chargeback appeals are somewhat more likely to succeed if the transaction included the CVV.


When I use a privacy.com virtual card, I can use any name/address and the transaction is approved.


My hero!


T-Mobile: 100M

AT&T: 70M

Suffice to say, nearly all adults of the USA.

I am surprised how come not a single high profile person faces ID Theft and related troubles from these many data leaks !


T-Mobile was 40M.

It is all small pickles anyway compared to Sep 2017's Experian leak of 147M people's records:

https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breac...

A credit reporting agency's information is all the important information you would need about someone to do something fraudulent with their identity.


> Here is the data that is available in this leak:
>
>    Name
>    Phone number
>    Physical address
>    Email address
>    Social security number
>    Date of birth

Not only the phone number but the physical address?

If this is true, absolutely outrageous.

> The hacker has said he is willing to reach “an agreement” with AT&T to remove the data from sale.

Might as well pay the hacker's ransom, AT&T, to remove the data from sale; otherwise, if it leaks, a massive fine (probably larger than the hacker's ransom) awaits you.

First T-Mobile and now (if true) AT&T. Let's see who is next to unveil another hidden breach... maybe Verizon has something to hide?


> a massive fine (probably larger than the hacker's ransom) awaits you.

If you mean, massive executive bonuses, and zero policy response by the government, then yes.


>a massive fine (probably larger than the hacker's ransom) awaits you. ... maybe Verizon has something to hide?

If we're just making stuff up, then maybe Verizon is the hacker trying to take down the competition? It's as likely as ATT being fined anything significant


>a massive fine (probably larger than the hacker's ransom) awaits you.

Based on past experience, unlikely.


https://krebsonsecurity.com/2015/11/fcc-fines-cox-595k-over-...

Cox had to pay up over a few social engineering calls.


Interestingly it looks like T-Mobile US also had a very similar data breach a couple days ago.

> We have determined that the types of impacted information include: names, drivers’ licenses, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs (which have already been reset to protect you), addresses and phone number(s).

https://www.t-mobile.com/brand/data-breach-2021


If I worked at Verizon, I'd have trouble sleeping for a while.


I'm usually skeptical about denials, like AT&T is doing here. But in this case, there would be some incentive for the hackers to misrepresent the source/freshness/etc of the data.

Given the recent T-Mobile hack, if they can tag the data as coming from AT&T and being fresh, it might fetch a higher price either from AT&T, or data buyers. In other words, it could be a re-label of some older exposed data.


The hackers selling the info are well known for providing fresh data, to the point that they’ve given away old data for free. I doubt they’d risk their reputation on reselling a different leak.


Ah, thanks...not mentioned in the linked article. There's more info in the source article: https://restoreprivacy.com/att-data-breach-70-million-custom...

The hacker group is "ShinyHunters".


I wonder if the price of leaked data dropped after Experian's data leak from Sep 2017 that included basically everyone in the US that uses credit.

I imagine the difference in data since the Experian leak are for people that became adults since Sep 2017 or immigrants or some information about new addresses/names from moves/marriages, etc.


Someone posts eight SSNs on a hacking forum and some wild claims, and reporters run it as a legitimate 70 million hack. And people wonder why the term fake news exists.


Knowing what we know about these companies and their security practices, I would give benefit of doubt to this "someone" who posted on a hacking forum.


Except these companies are crap at security and the folks posting have a relatively good reputation? That said, yeah, maybe post 500? This could just be trash as you say.


Anybody who has ever worked in finance or any number of finance-adjacent industries realizes how easily accessible Social Security numbers actually are. Anyone can sign up for a skip tracing service or an identity validation service and reverse search a name and city to find your Social Security number if they want to.

It's probably time to replace the old social security number system.


Given that legislation will realistically never keep pace with technology, would it be crazy to implement whitelist data collection law, i.e., no data can be collected unless explicitly allowed? Hypothetically, of course — congress actually putting something like this into law is a different story.


I wonder what the settlement for my data being stolen will be?

1. $10 off a new AT&T phone. When you sign a 5 year contract. Excludes all other offers.

2. A free month of AT&T limited service. When you sign a 5 year contract. Excludes all other offers.

3. Or absolutely nothing, like the last bazillion times.

The suspense is killing me. I hope it lasts.


The only difference between what the cell carriers consider business as usual and a “hack” is getting paid for your data.

EDIT: And who knows, maybe after insurance payouts and tax write offs and the usual corporate B.S., it’s still as profitable if they just sold it directly


First T-Mobile, then AT&T (except that AT&T is denying it, which is hopeful). All eyes on Verizon...


The nice thing about using an MVNO (aside from cost reduction) is that the carrier never receives any of that PII.

I like the Red Pocket plans on Ebay, and they never asked for an SSN.


How are MVNOs able to offer a lower price than the carriers? I was interested but didn't switch because I was worried they are selling my info or something.


They usually spend less on advertising/store presence/... (e.g. around here the large mobile networks have branded shops and such, the MVNOs almost never have and either sell only online or a supermarket brand and piggybacking on that store network), their plans might have restrictions the main network ones don't have, ...

And in reverse, better brand recognition/(impression of) service quality allows the network operators to charge more and still get customers, the MVNOs need to be cheaper to compete with that.


The process of porting numbers between MVNOs is more difficult than using a main carrier with brick-and-mortar locations.

I ported my landline to Page Plus in the late 2000s (which took over a week). I still have that number, and I have never spoken to a person when porting it between MVNOs (always over chat or email). My last port to Red Pocket took two days to get right. This can be a frustrating procedure, and many people prefer the major carriers for in-presence customer service for issues like this.

I have repeatedly switched between Verizon and AT&T when necessary due to phone hardware or coverage, and MVNOs usually allow this to be done (a limited number of times) through automated SIM card changes with no customer service interaction.

The one surprising thing about my recent move to Red Pocket is the lack of voicemail in the included plan (it's available with a surcharge). I'm not certain if I miss it.


I'm sure it varies from MVNO to MVNO, but most of them are deprioritized before the carriers' direct customers during congestion.


>which is hopeful

That’s like saying “the house is on fire but there’s little smoke which is hopeful.” Of course they’re denying it!


At this point, I'm leaning to believe it's willful on the company side. This is nuts.


My ATT pin may have been changed without my knowledge. I tried to pay for my pre-pay wifi today and was told I gave the wrong pin. I'm worried, but there doesn't seem to be anything to do about it now.


Everyone should put a lock on their credit.

Also since it takes a few days to remove the lock, you can't impulse buy a car ( or another big ticket item).

At this point the only thing I'll ever need to do a credit check for is a new apartment.


What AT&T service compels consumer SSN disclosure to begin with?


If you take out credit, or don't want to pay a security deposit, they ask for it.


Thanks for the clarification.


I think it's any contract with a carrier. They want the ability to go after you and hurt your credit if you refuse to pay, is my guess. It's disgusting.


How is it disgusting for a lender to be able to look up someone's credit history and determine if they are an appropriate credit risk for them?

The alternative is everyone gets (or does not get at all) credit on the same terms without regards to personal behavior or risk profiles, which is a valid option, but I would still think "disgusting" is a strong word to describe the prior scenario.


You're asking this question in the following context: getting a cell mobile provider contract requires a social security number. Social security number is used to pin a score on someone's credit worthiness. Mobile provider gets hacked, exposing clients to bad actors using social security number and associated data to open credit lines fraudulently and hurting users' credit worthiness scores.

The disgusting part is the whole reason the providers demanded SS # is to defend their own interests, to threaten clients with collection agencies and credit score dips. The neglect of these same now causes clients to risk getting credit score dips through no fault of their own.

Which part of this sits well with you?


The only disgusting part is the one where vendors get to claim someone owes them without adequate proof and makes it a random person’s obligation to prove they do not owe the vendor rather than a vendor having to prove they did their due diligence in confirming someone’s identity.

> The disgusting part is the whole reason the providers demanded SS # is to defend their own interests to threaten clients with collection agencies and credit score dips. The neglect of these same now cause clients to risk getting credit score dips through no fault of their own.

I do not expect un-hackable systems and organizations to exist, so I would not find this “disgusting” without knowing how the leak happened. It might be disgusting if there was a complete disregard for handling of the data, which might be true in this case, but I was responding to your comment as if the very idea that a mobile carrier can lend to a customer was disgusting.


In the US many companies publicly share their EIN (the equivalent of SSN for companies), and somehow the laws are set up that this isn't a source of identity theft.


You cannot get a loan with a company's EIN, nor can you (easily?) get money from the government by filing tax returns with a company's EIN.

Therefore there is not much value in fraudulent use of EINs.


If only we could *change* our SSN just like we can name, address, and bank accounts



