

Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records - dthal
http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/#more-25125

======
spacehome
The focus of a lot of the coverage of this recent string of high-profile ID
thefts has been the security of the companies in question, but I think the
real fundamental problem of our system is that in order to prove your identity
to someone you have to give them enough information that they can impersonate
you to a third party. Information like SSN, address, mother's maiden name,
driver's license number, etc. is simultaneously proof of identity and
"private".

Credit card numbers and checking accounts have basically the same flaw. All a
merchant needs to pull money out of your account is the account number and
some pretty basic additional information. If you write someone a check for a
penny, you've given them enough info to drain the account.

What we really need is a complete overhaul of how we prove identity.
Identities should be linked to public-key/private-key pairs so you can prove
you are who you say you are by signing a nonce, and thus others won't be able
to impersonate you just by hacking a third party. Similarly, monetary
transactions should be signed by both the sender and the recipient and include
amount, date, memo, etc. (Seriously, who initially thought that recipient-initiated
transactions with no sender involvement weren't going to be abused?)

~~~
icebraining
Well, here in Portugal - and I know there are other European countries doing
the same - our national ID cards already include a public/private key pair and
can encode and sign stuff using standard APIs. You can already login on some
governmental websites (e.g. IRS) using it.

That said, I worry about having a single, State-granted identity; there's a
reason why assigning a single number to each citizen that links all their
records (health, criminal, etc) is unconstitutional here.

I wish we could have a vouching system instead, where people and organizations
could certify they do business with identity X. Something like Convergence[1]
but for people instead of websites.

[1] http://en.wikipedia.org/wiki/Convergence_(SSL)

~~~
Spearchucker
This problem has been solved. The idea is to use identity federation, claims-
based authorisation, and a privacy-enhancing technology that lets the subject
determine which claims to share with a resource provider.

Such a system can verify identity without divulging that identity. For
instance, when you buy beer you need to prove you're over 18. The barman
doesn't need to know your name, address, what vehicle classes you're licensed
to drive, or age. All the barman _needs_ is to know that you're over 18.

The reason nobody uses it is that it's unpalatable to identity and resource
providers alike.

Imagine a world where you could buy anything without the seller ever knowing
who you are. Or your bank not knowing what you bought. Or your identity
provider (government) not knowing where you're using your authN credential.

The tech community doesn't like it because even though it's open source, it's
from Microsoft. And that it uses XML. So we keep on using broken identity
systems like Persona and OAuth.

http://research.microsoft.com/en-us/projects/u-prove/
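
The two mechanisms argued for in this subthread, spacehome's "prove you are who you say you are by signing a nonce" and the over-18 check that reveals nothing else, as one added worked example in Go. This is not code from the original thread, from Experian, or from the U-Prove project: U-Prove's own tokens use blinded issuance so that presentations cannot be linked to one another, whereas this example uses a much simpler salted-hash construction (the issuer signs only per-claim digests; the subject reveals the salt and value of the claims it chooses). All names here (`IssueToken`, `Present`, `VerifyPresentation`, the `bank.example` verifier id, the sample claims) are assumed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// challengeBytes binds the nonce to the verifier's name so a signature
// obtained by one relying party cannot be replayed to another.
func challengeBytes(verifierID string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte("id-challenge-v1\x00"+verifierID+"\x00"), nonce...))
	return h[:]
}

// The subject runs ProveIdentity; the relying party runs VerifyIdentity and
// learns only a public key plus a signature that is useless anywhere else.
func ProveIdentity(priv ed25519.PrivateKey, verifierID string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeBytes(verifierID, nonce))
}
func VerifyIdentity(pub ed25519.PublicKey, verifierID string, nonce, sig []byte) bool {
	return ed25519.Verify(pub, challengeBytes(verifierID, nonce), sig)
}

type secret struct {
	Value string
	Salt  []byte // random per claim, so a digest cannot be brute-forced
}

// Token as issued carries every claim; Present returns a copy carrying only the
// claims the subject chooses to reveal. Digests are sorted so order leaks nothing.
type Token struct {
	Digests   [][]byte
	Signature []byte // IdP signature over the digests only, never over values
	Claims    map[string]secret
}

func claimDigest(name string, s secret) []byte {
	h := sha256.Sum256(append(append([]byte{}, s.Salt...), []byte(name+"\x00"+s.Value)...))
	return h[:]
}
func digestsMessage(digests [][]byte) []byte {
	h := sha256.Sum256(bytes.Join(digests, nil))
	return h[:]
}

// IssueToken is run by the identity provider (IdP); constructed claims go in, a signed token comes out.
func IssueToken(idpPriv ed25519.PrivateKey, claims map[string]string) (*Token, error) {
	t := &Token{Claims: map[string]secret{}}
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
		t.Claims[name] = secret{Value: value, Salt: salt}
		t.Digests = append(t.Digests, claimDigest(name, t.Claims[name]))
	}
	sort.Slice(t.Digests, func(i, j int) bool { return bytes.Compare(t.Digests[i], t.Digests[j]) < 0 })
	t.Signature = ed25519.Sign(idpPriv, digestsMessage(t.Digests))
	return t, nil
}

// Present is run by the subject: reveal only the named claims, e.g. "over_18".
func (t *Token) Present(names ...string) (*Token, error) {
	p := &Token{Digests: t.Digests, Signature: t.Signature, Claims: map[string]secret{}}
	for _, n := range names {
		s, ok := t.Claims[n]
		if !ok {
			return nil, fmt.Errorf("no claim %q in token", n)
		}
		p.Claims[n] = s
	}
	return p, nil
}

// VerifyPresentation is run by the relying party without contacting the IdP:
// check the IdP signature, then that each revealed claim recomputes to a signed digest.
func VerifyPresentation(idpPub ed25519.PublicKey, p *Token) (map[string]string, error) {
	if !ed25519.Verify(idpPub, digestsMessage(p.Digests), p.Signature) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	out := map[string]string{}
	for name, s := range p.Claims {
		d := claimDigest(name, s)
		i := sort.Search(len(p.Digests), func(k int) bool { return bytes.Compare(p.Digests[k], d) >= 0 })
		if i == len(p.Digests) || !bytes.Equal(p.Digests[i], d) {
			return nil, fmt.Errorf("claim %q is not covered by the issuer signature", name)
		}
		out[name] = s.Value
	}
	return out, nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	// The IdP derives over_18 itself, so the bar never needs the date of birth (constructed sample claims).
	tok, _ := IssueToken(idpPriv, map[string]string{"name": "Ana Silva", "dob": "1990-04-02", "over_18": "true"})
	pres, _ := tok.Present("over_18")
	fmt.Println(VerifyPresentation(idpPub, pres)) // map[over_18:true] <nil>
}
```

Two things the example shows that the comment only asserts. The relying party verifies against the IdP's public key alone, so, as icebraining says of the Portuguese card, the IdP never learns where the credential was used. And `over_18` has to be a claim the issuer derives: if the token only carried `dob`, the bar would have to be shown the date of birth, which is exactly what minimal disclosure is meant to avoid. The caveat is linkability: the signed digest list is identical in every presentation, so two relying parties that compare notes can tell they saw the same token. Closing that gap is what U-Prove's blinded tokens are for, which is why this construction is a simplification rather than a substitute.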

~~~
icebraining
U-Prove is interesting, but it doesn't solve the problem I posed.

With our current ID cards, the identity provider is already ignorant of where I
use it. All they did was sign the certificate in my card, and now third
parties can check the chain without informing the IdP about me.

The problem with U-Prove is that it still relies on a single identity
provider. What happens when, by incompetence or malice, the State revokes your
identity? And assuming that you can voluntarily revoke identities (e.g. if
they're stolen) and not lose your bank accounts and so on, there must be some way
of proving that your new identity is just a new version of the old one. So,
what prevents the IdP from creating fake identities that allow them to pass as
you?

The idea of applying Convergence would be to decouple the identity from that
single provider, and I don't see how U-Prove helps with that.

~~~
Spearchucker
U-Prove can use any number of identity providers. It can even create a single
new token assembled from pieces (claims, or inferred claims like age) of
multiple identity providers.

Decoupling an identity from a provider invalidates the identity. Identities
have value _because_ of the providers' relationships with subjects. It's up to
the resource provider to establish trust relationships with other identity
providers.

~~~
icebraining
Fair enough, it seems I have to do some reading on that proposal.

Still, what happens when a single IdP invalidates their claims? Is the whole
token invalidated?

~~~
Spearchucker
The token is invalidated, as with any identity system. That's how it should
work. Think certificate revocation lists, for example. The identity provider
_has_ to be able to revoke certs, or the entire trust model would fall apart.

------
PeterisP
Perhaps it's time to finally attack the source of USA's ID theft problem
instead of trying to hide the unhideable?

This is a problem mostly limited to USA and just a few other countries. In
most places worldwide such an information leak could be used at best for
marketing/spam targeting, not for stealing money through ID theft. The
differences are mainly in legislation and liability, which then get reflected
in policies of credit institutions that make it much less viable and thus much
less widespread.

To put it simply, the information that, say, your spouse or mother would know
should not be enough to get credit in your name, bill expensive services to
you or gain access to your accounts. If some lender gets duped by their
negligence to check who you are, then _they_ got defrauded and it should stay
as their problem - mostly to motivate them to put actual effort into
preventing this.

~~~
mmcnickle
Ross Anderson sums this up nicely in "Security Engineering":

"I write ‘identity theft’ in quotes as it’s a propaganda term for the old-
fashioned offence of impersonation. In the old days, if someone went to a
bank, pretended to be me, borrowed money from them and vanished, then that was
the bank’s problem, not mine. In the USA and the UK, banks have recently taken
to claiming that it’s my identity that’s been stolen rather than their money,
and that this somehow makes me liable. So I also parenthesise ‘victims’ — the
banks are the real victims, except insofar as they commit secondary fraud
against the customer."

------
kyboren
Some day, people will wake up and realize that _all_ aggregation of data on
citizens and consumers–including implicit aggregation, where information is
only transiently collected–by governments, data brokers, retailers, or anyone
else only makes the inevitable compromise that much more damaging.

Today’s highly connected world has ushered in an era with new hidden risks
along with the obvious new opportunities. We’re woefully unprepared for these
risks when policymakers don’t even know what an ISP is. Time and time again we
see appalling breaches of massive repositories of private information, and
time and time again we see our politicians and corporate leaders stick their
heads in the sand and ignore the root cause.

What’s needed is a new paradigm, where data aggregation is outlawed, and where
decentralization and previously-fantastic cypherpunk ideas for cryptographic
identity verification, blinded signatures, provably-anonymous digital cash
systems, and the like become standard.

PCI or HIPAA compliance will simply never be enough. Where cryptography can be
used to protect individual privacy while providing strong authentication, it
must. Where it (yet) cannot, information decentralization is the only way to
mitigate the inherent privacy risks. Unfortunately, I worry that a combination
of policymakers’ lack of insight, corporate leaders’ pursuit of cost
reduction, and “Big Data’s” (or, more aptly, “digital anal rapists’”) penchant
for massive warehouses of private information will prevail and ensure the
fundamental reforms we need will never see the light of day.

------
BIair
"Ngo’s ID theft business attracted more than 1,300 customers who paid at least
$1.9 million between 2007 and Feb. 2013 to look up Social Security numbers,
dates of birth, addresses, previous addresses, phone numbers, email addresses
and other sensitive data"

------
mschuster91
"Ngo was arrested last year in Guam by U.S. Secret Service agents after he was
lured into visiting the U.S. territory to consummate a business deal with a
man he believed could deliver huge volumes of consumers’ personal and
financial data for resale."

And now the poor schmuck is being tried in the US for crimes committed on
Vietnamese soil.

Not that I would dislike grilling that guy in court, but that is just plain
wrong. He did not do anything wrong on US soil so he should not be tried in
the US, but Vietnam instead.

Funny how Americans always believe they're the world police.

~~~
lostcolony
This is a crime that explicitly takes place across country borders. You're
saying that the trial should take place in the perpetrator's country, rather
than the victims' country. Why do you assume that is somehow more just?

Note that I'm not saying it should be, just that it's a sufficiently complex
issue that to just be dismissive, "Oh, there America goes again, being the
world police" seems to miss the fact that the millions of victims of this
person's actions are all in the US.

~~~
mschuster91
If I murder someone while traveling in the US, I can expect to be tried
there (because I committed the crime on US soil). If I murder someone in
Germany, I can expect to be tried by a German jury, under German laws and
standards.

Same goes for every crime. Trying people in foreign jurisdictions deprives
them of their basic rights which a "resident" would get - like the right to be
tried by a jury of local people, for example. Not to mention language
barriers and the exorbitant costs of legal defense in the US compared to
Vietnam!

~~~
aestra
Well maybe...

I know he wasn't arrested by the FBI, however, for example, the FBI claims
full jurisdiction to arrest as long as the person is on US soil.

[http://www.fbi.gov/about-us/faqs](http://www.fbi.gov/about-us/faqs)

>What authority do FBI special agents have to make arrests in the United
States, its territories, or on foreign soil?

>In the U.S. and its territories, FBI special agents may make arrests for any
federal offense committed in their presence or when they have reasonable
grounds to believe that the person to be arrested has committed, or is
committing, a felony violation of U.S. laws. On foreign soil, FBI special
agents generally do not have authority to make arrests except in certain cases
where, with the consent of the host country, Congress has granted the FBI
extraterritorial jurisdiction.

[http://en.wikipedia.org/wiki/Extraterritorial_jurisdiction](http://en.wikipedia.org/wiki/Extraterritorial_jurisdiction)

>Criminal codes in certain countries assert jurisdiction over crimes committed
outside the country:

>in France, the Code pénal asserts general jurisdiction over crimes by, or
against, the country's citizens, no matter where they may have occurred.[1]

>in Japan, the Penal Code specifies certain cases and applicable lists of
crimes over which jurisdiction will be asserted.[2]

>The ability of Parliaments of Commonwealth countries to legislate
extraterritorially was confirmed by s. 3 of the Statute of Westminster
1931.[12]

>In Australia, extraterritorial jurisdiction of the State Parliaments was
authorized by s.2 of the Australia Act 1986.[13]

>The Criminal Code of Canada asserts jurisdiction over the following offences
outside Canada:[14]

>on a Canadian aircraft in flight, or on any other flight which terminates in
Canada, for any indictable offence

>on any aircraft or in any airport in the world, for endangering such
facilities

>by a Canadian citizen, permanent resident, or stateless person resident in
Canada, for offences relating to cultural property protected by the Hague
Convention for the Protection of Cultural Property in the Event of Armed
Conflict

>against or on board a Canadian ship on the high seas or a fixed platform
attached to the continental shelf of Canada, or by or against a Canadian
citizen on any ship or fixed platform, or by any person who is found in Canada
after such offence

>on a Canadian ship or aircraft, relating to hostage taking, offences against
internationally protected persons or United Nations personnel, or terrorism
financing

>on the International Space Station

>involving nuclear material

>involving terrorism

>terrorist activity against Canadian citizens or Canadian government
missions, or intended to compel the Canadian government, or any provincial
government, to do or not do a particular act

>relating to sexual offences against children

>In the U.S., many states have laws or even constitutional provisions which
permit cities to make certain decisions about the land beyond the town's
incorporated limits.

>The US Criminal Code asserts the following items to fall within the special
maritime and territorial jurisdiction of the United States, much of which is
extraterritorial in nature:[19]

>The high seas and any other waters within the admiralty and maritime
jurisdiction of the United States and out of the jurisdiction of any
particular State, including any vessels owned by US persons that are
travelling on them[20]

>Any US vessel travelling on the Great Lakes, connecting waters or the Saint
Lawrence River (where that river forms part of the Canada–United States
border)

>Any lands reserved or acquired for the use of the United States, and under
the exclusive or concurrent jurisdiction thereof

>Any island claimed under the Guano Islands Act

>Any US aircraft flying over waters in the same manner as US vessels

>Any US spacecraft when in flight

>Any place outside the jurisdiction of any nation with respect to an offense
by or against a national of the United States

>Any foreign vessel during a voyage having a scheduled departure from or
arrival in the United States with respect to an offense committed by or
against a national of the United States

>Offenses committed by or against a national of the United States in
diplomatic missions, consulates, military and other missions, together with
related residences, outside the US

As you can see, most countries claim jurisdiction over offenses against their
citizens, including the US. This is hardly rare. The moment he entered US
soil, he was fair game for arrest as generally arrests on US soil are legal
(with reason of course - probable cause and all).

For example, if a US citizen was murdered, usually the host country would try
to prosecute. Murder is generally looked down upon. If they did not, you bet
the US would try to prosecute.

When Somali pirates took US citizens hostage, you bet the US was going to get
involved and not ask the Somali government politely to help. They wanted to
make sure the rescue got done. Would you suggest they ignore it in that case
too?

------
viraptor
I'm not surprised it's Experian. Maybe it wasn't their fault, but the only
interaction I had with them was: "how do I provide my documents in a secure
way?", "here's a pre-paid standard class envelope, just stick a copy of your
utility bills, passport, driving licence inside and send it to us".

They're absolutely irresponsible with people's documents and data, at least
here in the UK.

