
Our entire credit bureau system is broken - LopRabbit
https://www.theverge.com/2017/9/8/16276584/equifax-breach-social-security-number-broken-system
======
colejohnson66
The fact that your SSN is still used as a national ID in today’s age of
tecgnology is what astounds me the most. Why is it my fault and my credit
ruined when my identity gets stolen? All it takes sometimes to steal an
identity is to convince a teller or whoever that you’re someone you’re not! If
that happens, that’s the business’ fault, not mine.

Here’s a scary fact: take your SSN and add 1 to it. That’s a valid SSN!
There are no checksums or any security features at all. If you were assigned
an SSN at birth, that new SSN has a high likelihood of even being someone
born in the same hospital as you.
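
The point above, as an added example that is not part of the original comment: an SSN has structural rules (which area, group and serial values are never issued) but no check digit, so the number one higher is nearly always another well-formed SSN. For contrast, the same script runs a Luhn mod-10 check, the kind payment card numbers carry, where a +1 change is always caught. The SSN-shaped and card-shaped numbers in it are constructed for the example, not real identifiers.

```python
# Added example (not from the thread): an SSN carries structure rules but no
# check digit, so SSN + 1 is almost always another well-formed SSN. A Luhn
# mod-10 number is shown for contrast: the same +1 change fails the check.
# All sample numbers below are constructed.
import re

SSN_RE = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})")


def is_well_formed_ssn(ssn: str) -> bool:
    """Structural rules only: area 001-899 but never 666, group 01-99,
    serial 0001-9999.  None of this is a checksum."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return 1 <= area <= 899 and area != 666 and group >= 1 and serial >= 1


def neighbor_ssn(ssn: str, delta: int = 1) -> str:
    """The number `delta` away from `ssn`, re-formatted as AAA-GG-SSSS."""
    n = int(ssn.replace("-", "")) + delta
    s = f"{n:09d}"
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"


def fraction_of_neighbors_well_formed(ssn: str, span: int = 100) -> float:
    """Share of the next `span` numbers after `ssn` that are well-formed SSNs.
    Only structural boundaries (serial 0000, group 00) ever break the run."""
    hits = sum(is_well_formed_ssn(neighbor_ssn(ssn, d)) for d in range(1, span + 1))
    return hits / span


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check as used by payment card numbers.  Any single-digit
    change, including +1 on the last digit, makes the check fail."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    ssn = "219-09-9998"                       # constructed, not a real SSN
    nxt = neighbor_ssn(ssn)
    print(ssn, is_well_formed_ssn(ssn))       # True
    print(nxt, is_well_formed_ssn(nxt))       # True: +1 is still well-formed
    print(fraction_of_neighbors_well_formed("219-09-9000"))   # 1.0
    card = "79927398713"                      # constructed Luhn-valid number
    print(luhn_valid(card), luhn_valid(str(int(card) + 1)))   # True False
```

Note the one exception the helper surfaces: when the serial part rolls over (219-09-9999 + 1 = 219-10-0000), the result is structurally invalid, because serial 0000 is never issued. That is a formatting boundary, not a checksum, and the very next number is well-formed again.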

~~~
stephengillie
What LOE (Level of Effort) would it take to replace our current SSN with a
public/private key system? More than just a massive bureaucratic shift and
public reeducation movement?

Could we have a memorizable public key and still have any meaningful level of
security?

~~~
AnthonyMouse
> What LOE (Level of Effort) would it take to replace our current SSN with a
> public/private key system? More than just a massive bureaucratic shift and
> public reeducation movement?

You are thinking about this from the wrong direction. The problem isn't that
the government hasn't provided a PKI, the problem is that social security
numbers are being used for identification.

This was a serious fear when social security was originally created. For many
years social security cards had the words "not for identification" printed on
them. They contain no biometric data, not even a picture. Their purpose _is
not identification_.

So the solution is obvious. Actually prohibit social security numbers from
being used for identification. Don't allow creditors to even ask for them.

Then people will figure something else out on their own. Instead of a credit
reporting agency existing at all, new credit applications could ask for your
account numbers at existing creditors and then the new creditor can get your
credit history directly from them. It would be straightforward to automate
this -- and even require you to prove that you're the account holder by
presenting your card from the other bank (or signing into its website if
online).

There is no need for a national identification system. Having a bad one was
the original problem. Replacing it with some differently bad one is no better.

~~~
cm2187
But it is used that way for the lack of a better alternative. In my opinion
the solution is a free federal ID card, where all the information on the card
(including the picture) is digitally signed, to make forgery nearly
impossible.

The only non-trivial element is how to sign the photo. I guess there must be a
way to sign a degraded version of the picture so that even an average scan of
the ID card would be verifiable. Or the card could contain a small, cheap,
water resistant memory chip which contains the picture in digital format. Then
you can have a high degree of confidence in this physical document.

And there could be other usage of that card. Like if you make it a chip & pin
so the card could become an unforgeable digital signature (physical signatures
are absurdly insecure too).

~~~
steventhedev
Many other countries have these exact cards. They are not new technology.

In fact, your US passport has that. Look for the biometric symbol on the
front. It means there's a chip inside (not sure how to read off it) that
includes your digitally signed identity details, including photo.

If you're willing to go the centralized route, then a minimalist ID card would
just be a QR code that anyone can open and compare the official photo to you.

~~~
masklinn
> If you're willing to go the centralized route, then a minimalist ID card
> would just be a QR code that anyone can open and compare the official photo
> to you.

"Just a QR code" would be a weird and inconvenient format.

Other countries (Estonia, Spain, Belgium) have smartcard IDs. You can add a
QR code to that, but the primary data store can be secured (and accessed and
updated) in much the same way a regular smartcard is, you can access it from
your home with a regular card reader and the relevant access application. And
of course the size is completely standard. And you can add contactless support
to it if desirable.

Plus the US already has experience with these types of IDs: DoD has issued 17
million Common Access Cards.

------
mindslight
Erm, what do you mean "our"? This system cannot even be justified via the
usual democratic collectivism - the commercial surveillance complex is a
purely independent adversary that has formed on its own!

It certainly has had help and encouragement from government mandates (SSN,
drivers license/plate, monetary surveillance, etc), but even if those were
eliminated it would continue just fine using its own primary keys.

As such, it can't really be top-down reformed much [0] except for correctly
assigning liability for the fallout from its negligence. For instance, having
to repudiate an incorrect debt from a libelous bank or surveillance company
should entitle one to easily claim reimbursement for the expenses incurred
(including time) to do so.

In the coming weeks we'll undoubtedly see calls to "reform" this system
through the technical strengthening of the identifiers it assigns onto us.
This is a recipe for rekindling belief in the authority of private
surveillance as well as an invitation for it to invade even more aspects of
our lives. This is not the direction we want to go!

[0] Of course we can all work on solving the problem from the bottom up by
cloaking ourselves. Spend cash when possible, rotate your grocery pseudonyms
often, etc.

~~~
duncan_bayne
> This is not the direction we want to go!

Erm, what do you mean "we"? ;)

While I agree with you on all other points you mentioned, it's pretty clear to
me that the voting public are _perfectly_ okay with the authority of both
private and public surveillance, so long as it satisfies one or more of the
following criteria:

* Reduces, or is thought to reduce, the cost of credit to the individual concerned. ("I'm okay with it, if it means I can trivially get access to credit because my credit score is good.")

* Prevents, or is thought to prevent, the risk of terrorist action or harm to children.

* Is limited to "others" (poor people, immigrants, other races, etc.).

------
drawkbox
Freezing credit needs to be free and one button until we have this fixed.
Freezing and unfreezing needs to happen quickly.

We also need to know every time our credit is accessed and updated, in real
time, not monthly like current reports.

This right should be in the digital Bill of Rights that also needs to happen:
you should be able to protect yourself in the case of a breach at no cost to
you.

Blockchain seems like the direction, but with how slow we move in everything
legislatively, we need something now that allows freezing to be free, fast and
easy.

The three credit bureaus, because they are in a fixed market with a privileged
position and not truly in a competitive, fair market, got lazy just like the
ratings agencies during the housing crash. Lack of focus on their core
missions due to no competitive threats.

~~~
Groxx
Freezing I can see being fast and easy. At best you can troll someone by
freezing their credit at an inopportune time - which might cause them to lose
money, but less likely in general, surely.

Unfreezing? The whole point is to delay access, it _can't_ be fast or it
defeats the purpose. "They" have everything they need to unfreeze (otherwise
why would freezing be necessary), so the only real protection you have is to
forcibly delay access until you can prevent it.

~~~
anarazel
It's not hard to come up with a scheme where it's fast to unfreeze when you
have a key generated while freezing.
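
The scheme anarazel sketches, as an added example that is not part of the original comments: freezing mints a random unfreeze key that is shown to the consumer once, and the bureau keeps only its hash, so a dump of the bureau's database yields nothing that unfreezes anyone. Presenting the key unfreezes instantly; anyone without it (Groxx's "they") gets only the slow path, which the key holder can cancel before it completes. The registry class, the three-day delay and the consumer IDs are assumptions made for the example; no real bureau API is modelled.

```python
# Added example (not from the thread): a credit freeze that issues an unfreeze
# key at freeze time.  Fast path = present the key; slow path = a forced delay
# that the key holder can cancel.  The delay value and data model are
# assumptions for the example, and the bureau stores only hashes of keys.
import hashlib
import hmac
import secrets

SLOW_PATH_DELAY = 3 * 24 * 3600   # seconds; assumed for the example


def _digest(key: str) -> bytes:
    return hashlib.sha256(key.encode()).digest()


class FreezeRegistry:
    def __init__(self):
        self._frozen = {}    # consumer id -> sha256(unfreeze key); key itself never stored
        self._pending = {}   # consumer id -> time at which a slow unfreeze completes

    def freeze(self, consumer_id: str) -> str:
        """Freeze and return the one-time-displayed unfreeze key."""
        key = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._frozen[consumer_id] = _digest(key)
        self._pending.pop(consumer_id, None)
        return key

    def _key_matches(self, consumer_id: str, key: str) -> bool:
        stored = self._frozen.get(consumer_id)
        # constant-time compare so a wrong key leaks nothing via timing
        return stored is not None and hmac.compare_digest(stored, _digest(key))

    def is_frozen(self, consumer_id: str, now: float) -> bool:
        """True while frozen; a slow unfreeze that has run its course lifts it."""
        if consumer_id not in self._frozen:
            return False
        done = self._pending.get(consumer_id)
        if done is not None and now >= done:
            del self._frozen[consumer_id]
            del self._pending[consumer_id]
            return False
        return True

    def unfreeze_with_key(self, consumer_id: str, key: str) -> bool:
        """Fast path: immediate unfreeze for whoever holds the key."""
        if not self._key_matches(consumer_id, key):
            return False
        del self._frozen[consumer_id]
        self._pending.pop(consumer_id, None)
        return True

    def request_slow_unfreeze(self, consumer_id: str, now: float):
        """Slow path without the key: start the delay (and, in a real system,
        notify the consumer).  Returns the completion time, or None if not frozen."""
        if consumer_id not in self._frozen:
            return None
        self._pending.setdefault(consumer_id, now + SLOW_PATH_DELAY)
        return self._pending[consumer_id]

    def cancel_pending(self, consumer_id: str, key: str) -> bool:
        """The key holder stops an unwanted slow unfreeze before it completes."""
        if not self._key_matches(consumer_id, key):
            return False
        return self._pending.pop(consumer_id, None) is not None


if __name__ == "__main__":
    reg = FreezeRegistry()
    key = reg.freeze("consumer-1")                   # constructed consumer id
    print(reg.unfreeze_with_key("consumer-1", "not-the-key"))   # False
    print(reg.request_slow_unfreeze("consumer-1", now=0))       # 259200
    print(reg.cancel_pending("consumer-1", key))                # True
    print(reg.unfreeze_with_key("consumer-1", key))             # True
```

The key is the only thing that makes unfreezing fast, so it has to be stored by the consumer the way a recovery code is (password manager, printed copy), not in the same account that a thief who already has the consumer's name, address and SSN could talk their way into.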

------
c3534l
I was intrigued by the idea of using a blockchain to anonymize and secure
lending, so I looked it up and a trial of such a thing was run a few months
ago. I found this gem:

> TransUnion and Equifax said they are always assessing new ways to secure
> consumer credit data, an area that is tightly regulated by governments
> around the world.

https://www.reuters.com/article/us-canada-blockchain-credit/u-s-credit-agencies-test-canadian-blockchain-identity-network-idUSKBN1802OR

The irony aside, it seems like the exact sort of thing a blockchain is good
for: verifying transactions with a high degree of anonymity among parties that
fundamentally do not trust each other. If I say I've had transactions that I
say I have, I should be able to send you a code for you to verify it. There's
no reason why I shouldn't have to consent for my private financial information
to be disclosed to strangers in the first place.
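
The idea in this comment and in AnthonyMouse's earlier one (a new creditor pulls history directly from an existing creditor, after the account holder proves they are the account holder and hands over "a code") does not need a blockchain; a consent code minted by the existing creditor does it. The following is an added example, not code from the thread or from any bureau or bank: after the account holder logs in, the existing creditor issues an HMAC-authenticated code bound to the requesting lender, with an expiry and a one-time nonce, and will release history only to that lender, only once, only before expiry. The creditor names, the history record and the key handling are constructed for the example.

```python
# Added example (not from the thread): a consumer-obtained consent code that
# lets a named new creditor pull history from an existing creditor.  The code
# is an HMAC over claims (issuer, account, audience, expiry, nonce); only the
# issuer holds the key, so only the issuer can verify and redeem it.  Names,
# accounts and histories are constructed for the example.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 32   # sha256 digest length


class ExistingCreditor:
    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)   # server-side secret, never leaves the issuer
        self._history = {}                    # account id -> history summary
        self._used_nonces = set()             # enforces one-time redemption

    def add_account(self, account_id: str, history: dict):
        self._history[account_id] = history

    def issue_consent_code(self, account_id: str, audience: str, ttl: int = 600, now=None) -> str:
        """Called only after the account holder has authenticated to this creditor
        (login or card-present check, out of scope here) and named the new lender."""
        now = time.time() if now is None else now
        claims = {"iss": self.name, "acct": account_id, "aud": audience,
                  "exp": int(now + ttl), "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def redeem(self, code: str, presented_by: str, now=None):
        """The new creditor presents the code; on success the history is released.
        Returns None for a bad tag, wrong audience, expiry, or replay."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(code.encode())
        except (binascii.Error, ValueError):
            return None
        if len(raw) <= TAG_LEN:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before parsing
            return None
        claims = json.loads(body)
        if claims["aud"] != presented_by or claims["exp"] < now:
            return None
        if claims["nonce"] in self._used_nonces:
            return None
        self._used_nonces.add(claims["nonce"])
        return self._history.get(claims["acct"])


if __name__ == "__main__":
    old_bank = ExistingCreditor("OldBank")
    old_bank.add_account("acct-1", {"opened": "2012-03", "on_time_payments": 36})
    code = old_bank.issue_consent_code("acct-1", audience="NewLender")   # consumer hands this over
    print(old_bank.redeem(code, presented_by="NewLender"))   # history dict
    print(old_bank.redeem(code, presented_by="NewLender"))   # None: already used
```

Binding the code to the audience is what answers the "disclosed to strangers" concern: a code the consumer obtained for NewLender is useless to anyone else who intercepts it, and it stops working after a few minutes in any case.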

~~~
harryh
I don't see how using an anonymous blockchain is useful for storing credit
data because it makes it trivial to walk away from a bad credit score and
start over from zero.

Also, FWIW you do have to consent for someone to run a credit check on you.

------
chaostheory
> This is a terrible way to manage identity. From afar, a Social Security
> number looks kind of like a password. But you can change a password, and you
> shouldn’t use the same one with every service.

Going on a tangent, Apple has made the same mistake with TouchID.

~~~
theshrike79
TouchID is better than no passcode, that's the purpose for it.

Joe/Jill Public won't use a passcode on their phone, because it's too much
hassle. But they WILL enable TouchID, thus raising the bar for random phone
thieves/hackers.

~~~
swiley
People didn't start picking my phone up and trying to get into it until I set
a pin. Back when I had an android there wasn't even a lock screen and no one
ever touched it.

------
beager
> I’m sure Facebook, Google, and PayPal would all love to take over from the
> credit bureaus, and there are real reasons to be wary of that. Some people
> will tell you we should put it all on a blockchain, decentralizing the
> system and querying discrete pieces of information as needed. New solutions
> bring new problems, and there’s no perfect answer to any of it.

This is what concerns me most as we move from this to implementing solutions.
We now have a glut of technology companies, some large and trusted, and many
that will be created specifically to address this, that will permute the risk
factors and pitfalls of such a business infinitely. One hundred companies doing
credit bureau things means 100 places you'll have to put your sensitive info,
100 places that will have some different vulnerability, and 100 more targets
on your attack surface.

Granted, one of these solutions may be sound, viable, secure, and advantageous
to consumers. But the extant bureaus and any company that comes in to compete
is a business, needs to make money, and will resist competition, will resist
security over profit, and will never capitulate to a better competing solution
until their last dollar is raised and spent.

------
perlgeek
Some government agency should publish a list of all SSNs, thereby ultimately
destroying the illusions that SSNs are secret.

If anybody still uses SSNs for authentication afterwards, they are grossly
negligent.

~~~
dfox
This is the case in many European countries. European VAT IDs are usually
recorded in some kind of publicly accessible registry and are usually built by
prefixing the taxpayer's ID with a country code.

For example, in the Czech Republic:

- everybody has a "birth number", which is more or less the equivalent of an
SSN, except that it clearly encodes gender and, for most people, also DOB.

- corporations and any entity licensed for trade (including sole
proprietorships) have an "ICO" (which somewhat funnily translates to "personal
identification number"); in essence it is the equivalent of the US EIN.

- any entity which directly deals with the tax office has a DIC (tax
identification number), which for natural persons is "CZ" + birth number and
for other entities is "CZ" + ICO; the same string is also the EU-wide VAT ID.

Once you start a business or even own part of a non-tradeable public company
(which includes things like a homeowners' association), all three of these
numbers are readily available in various open-access government registries,
together with first and last name and usually the registered address, and thus
nobody uses knowledge of one of these numbers as a serious authenticator
(though from time to time it is used as a kind of filter for who a given
business is willing to deal with).
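
To make the "clearly encodes gender and DOB" point concrete, here is an added example (not from the comment) that decodes a Czech birth number and derives the "CZ" + birth number tax ID from it. The format rules it applies are the published ones for the rodné číslo: YYMMDD followed by four digits (three for numbers issued before 1954), 50 added to the month for women, an extra 20 allowed on the month since 2004 when a day's serials run out, and, for ten-digit numbers, the whole number divisible by 11. The sample numbers are constructed to satisfy those rules and belong to nobody.

```python
# Added example (not from the thread): decode a Czech birth number (rodne
# cislo) into date of birth and sex, and build the "CZ" + number tax ID.
# Format rules as published for the identifier; sample values are constructed.
import re
from datetime import date

_SEPARATORS = re.compile(r"[/\s]")


def parse_birth_number(rc: str):
    """Return (date_of_birth, sex) or None if the number is malformed.
    sex is "M" or "F"; the month field carries +50 for women and, since 2004,
    may additionally carry +20; ten-digit numbers must be divisible by 11."""
    digits = _SEPARATORS.sub("", rc)
    if not re.fullmatch(r"\d{9,10}", digits):
        return None
    yy, mm, dd = int(digits[:2]), int(digits[2:4]), int(digits[4:6])
    if len(digits) == 10:
        if int(digits) % 11 != 0:        # the only integrity check the format has
            return None
        year = 1900 + yy if yy >= 54 else 2000 + yy   # ten digits only from 1954 on
    else:
        year = 1900 + yy                 # nine-digit numbers predate 1954
    sex = "F" if mm > 50 else "M"
    month = mm - 50 if mm > 50 else mm
    if month > 20:                       # 2004+ overflow rule
        month -= 20
    try:
        dob = date(year, month, dd)
    except ValueError:                   # e.g. month 0 or 13, day 31 in a 30-day month
        return None
    return dob, sex


def tax_id_from_birth_number(rc: str):
    """DIC / EU VAT ID for a natural person: the country code in front of the
    birth number.  Returns None if the birth number does not parse."""
    if parse_birth_number(rc) is None:
        return None
    return "CZ" + _SEPARATORS.sub("", rc)


def plus_one_is_valid(rc: str) -> bool:
    """Unlike an SSN, adding 1 to a post-1954 birth number breaks the mod-11 rule."""
    digits = _SEPARATORS.sub("", rc)
    bumped = str(int(digits) + 1).zfill(len(digits))
    return parse_birth_number(bumped) is not None


if __name__ == "__main__":
    for sample in ("850512/0008", "856012/0008", "850512/0009"):   # constructed
        print(sample, parse_birth_number(sample), tax_id_from_birth_number(sample))
    print(plus_one_is_valid("850512/0008"))   # False
```

Note what the check digit does and does not buy: it catches a typo or a +1, so the number cannot be sprayed across a range the way an SSN can, but it is still public, still derivable from DOB and sex with a handful of guesses, and therefore still no authenticator, which is exactly the conclusion the comment reaches.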

------
yosito
When the system begins causing big losses for creditors, they'll start to take
notice and develop a better system. Until then, the best thing you can do is
freeze your credit and only unfreeze it when you need it.

~~~
anigbrowl
Thanks, 'free market.'

~~~
Faaak
Free market does _not_ mean "no regulations".

~~~
anigbrowl
That's not what I'm suggesting. Rather, the feedback loop you identified sadly
lends itself towards marketing or financial stratagem as or more easily than
making substantive changes.

------
fogetti
Here we go again. A great new example of how neoliberal thinking and its
narrative simply fail on humans. You want to give your data to corporate
America and assume that they will be careful about protecting it? Then I am
laughing hard at you. SMH. The stupidity of free markets and the myth of
self-regulation. Ridiculous.

That's why it's more important than ever that we support and implement new
important initiatives like that of Tim Berners-Lee. He wants a platform that
gives users control of their data. Very good idea IMO.

~~~
ThomPete
I am pretty familiar with the idea and conceptually I am a proponent of it,
but the question becomes who pays for the hosting of your data, and what are
the incentives for me to store it and for others to use only the data that I
have?

I am also sceptical with regard to corporations having the data, but
government owning it doesn't make it much better.

In Denmark you mostly need to get access to one place in the system and you
potentially have access to the data across the different verticals; the Danish
system is also SSN-based.

The biggest problem though is what is the alternative to a credit bureau
system?

------
somberi
[https://washpost.bloomberg.com/Story?docId=1376-OV5NGV6JIJUQ...](https://washpost.bloomberg.com/Story?docId=1376-OV5NGV6JIJUQ01-6G4M3JT0SU7I3KID9LHOC0L246)

------
gandutraveler
I have friends who are twins and they both were issued same SSN number.
Apparently their primary key is first_name(first 6 chars)+last_name(first 6
chars)+DOB

~~~
swiley
I don't think that's quite right, the city you're born in is included as well.

~~~
PeterisP
Twins most likely have been born in the same city, unless the birth happened
e.g. on a high speed train and they decided to file different birth places
depending on the closest station.

------
noir_lord
We have an SSN equivalent in the UK called NIN (national insurance number).

I've never been asked for it as an authenticator though.

~~~
LeifCarrotson
> I've never been asked for it as an authenticator though.

What are you asked for as an authenticator? Do you have a driver's license
number, or a tax identification number, or a birth certificate number, or a
passport number, or some other national identification item?

A consistently formatted identifier that's unique to every person in the
country just seems like it would be too tempting for businesses not to use.

~~~
DanBC
We're asked for a complex hodgepodge of government issued ID ("who I am") and
utility bills, benefit letters, etc ("where I live").

Here's the Gov advice for online services:
https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual

Here's how they examine ID:
https://www.gov.uk/government/publications/recognising-fraudulent-identity-documents

------
rado
Damn you Russia

------
jonathankoren
Not only this, but the entire banking system is fucked up. I have an account
number and routing number, then I can do whatever I want to your account.
That's bizarre.

