
Confessions of an ID Theft Kingpin - 1run9
https://krebsonsecurity.com/2020/08/confessions-of-an-id-theft-kingpin-part-i/
======
dang
[https://news.ycombinator.com/item?id=24295501](https://news.ycombinator.com/item?id=24295501)

------
nottorp
> (from TFA) stolen identity records that included a consumer’s name, date of
> birth, Social Security number and email and physical address.

Scary how little you need to steal an identity in some places...

~~~
ghostbrainalpha
Are there places that it would require more to steal an identity?

What countries and what type of information do they ask for?

~~~
colejohnson66
I’m gonna rant here, but a big problem is that SSNs were never designed to be
used as an identifier. They were simply used to allow someone to receive Social
Security, hence the name. They literally used to have the text “Not to be used
for verification.”

As for its problems, there are quite a few, but the two big ones IMO are (1) no
check digits and (2) (up until relatively recently) they’re sequential. I
don’t know when the change was, but if you take an SSN issued before 2000, you
could add _one_ to your whole SSN and it would be a valid one. They may even
have been born on the same day as you _in the same hospital_. Also, you could
find out a general area where someone was living when it was issued (usually
birth) using the first 3 digits.

~~~
maxerickson
The problem is that they get relied on for authentication.

(Name+SSN is likely to be unique, the issue is that knowing a name+SSN doesn't
prove you are the person with that name and SSN...)

------
Bnshsysjab
I regularly wonder why we don’t have some form of physical verification token
which signs things with our identity, the whole system is broken in that
regard.

~~~
rhexs
That would be quite nice, but I’m not sure I’d trust the government to not
store and then lose all the secret keys near instantly.

If they can overcome that, sign me up.

~~~
Bnshsysjab
The beauty of public key cryptography is they don’t need to hold your private
key, ever :)
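
As an added illustration of the point made in this subthread (not code from the article or from any commenter), the following Go program models the arrangement Bnshsysjab describes: a registry that enrolls only public keys and authenticates a holder by challenge-response, so the private key never leaves the holder's token and a breach of the registry leaks nothing that lets anyone sign as a citizen. It also makes maxerickson's distinction concrete: knowing the public identifier (the analogue of knowing a name+SSN) does not let an impostor pass. The identifier strings, the purpose labels and the `purpose:nonce` message layout are constructed for the example; the cryptography is Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry models the relying party (for example a government identity
// registry). It stores only public keys, indexed by an identifier. No private
// key is ever sent to it, so losing this table does not let an attacker
// impersonate anyone; it only tells them which keys to expect.
type Registry struct {
	pubkeys map[string]ed25519.PublicKey
}

func NewRegistry() *Registry {
	return &Registry{pubkeys: map[string]ed25519.PublicKey{}}
}

// Enroll records the public half of a holder's key pair under an identifier.
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) {
	r.pubkeys[id] = pub
}

// Challenge issues a fresh 32-byte random nonce. A signature over a nonce the
// registry just generated cannot be a replay of one captured earlier.
func (r *Registry) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts only if sig was produced by the private key matching the
// public key enrolled under id, over this exact purpose and nonce. Knowing
// the identifier alone gives an impostor nothing to work with.
func (r *Registry) Verify(id, purpose string, nonce, sig []byte) error {
	pub, ok := r.pubkeys[id]
	if !ok {
		return errors.New("unknown identifier")
	}
	if !ed25519.Verify(pub, challengeMessage(purpose, nonce), sig) {
		return errors.New("signature does not verify for this identifier, purpose and nonce")
	}
	return nil
}

// Holder models the citizen's token (smart card, phone secure element). The
// private key is generated inside and is never exported; only Pub is shared.
type Holder struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewHolder() (*Holder, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Holder{priv: priv, Pub: pub}, nil
}

// Respond signs the registry's challenge for the stated purpose.
func (h *Holder) Respond(purpose string, nonce []byte) []byte {
	return ed25519.Sign(h.priv, challengeMessage(purpose, nonce))
}

// challengeMessage is the constructed message format both sides agree on:
// a purpose label plus the hex nonce. Binding the purpose into the signed
// bytes stops a signature for one transaction being reused for another.
func challengeMessage(purpose string, nonce []byte) []byte {
	return []byte(purpose + ":" + hex.EncodeToString(nonce))
}

func main() {
	reg := NewRegistry()
	citizen, err := NewHolder()
	if err != nil {
		panic(err)
	}
	reg.Enroll("citizen-0001", citizen.Pub) // constructed sample identifier

	nonce, err := reg.Challenge()
	if err != nil {
		panic(err)
	}
	sig := citizen.Respond("open-account", nonce)
	fmt.Println("genuine holder:", reg.Verify("citizen-0001", "open-account", nonce, sig))

	// An impostor who knows only the public identifier cannot produce a valid response.
	impostor, _ := NewHolder()
	fmt.Println("impostor knowing only the id:",
		reg.Verify("citizen-0001", "open-account", nonce, impostor.Respond("open-account", nonce)))
}
```

The registry never sees `priv`; the only secret in the whole exchange lives on the holder's token. That is the property rhexs asks for: there is no central store of secret keys to lose.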

------
mlazos
The usual, credit agencies ARE JUST AS BAD AS WE THOUGHT. They exchange all of
our information with each other, and their security is so absolutely horrible
that a 20 something hacker in Vietnam who just learned English could stay in
their systems for years and build a business off of reading queries directly
from these databases. It’s actually insane.

~~~
vkou
The existence of these databases, especially given how insecure they are, is,
of course, a real national security threat, but the lack of reaction from the
government is telling.

~~~
adminprof
Yet everyone is freaking out and moralizing about nonfinancial data
voluntarily given to Facebook. If only the credit bureaus kept our financial
and identity data as Facebook kept your list of favorite movies and your
selfies.

~~~
grey-area
Facebook _sell_ your favourite movies, friends, political views and anything
else they know about you to advertisers. It's a very similar business model.

~~~
adminprof
They actually don't, unless you define selling as they allow advertisers to
select what demographics/attributes their ads target. But the actual data
stays on the Facebook servers. If you're referring to the apps having access
to user data, that was not selling at all, but instead a permission originally
granted by users but probably forgotten about. Basically, unless you contort
the definition of selling to a very different meaning, that's simply not true.

And if you do use that definition of selling, then everyone is selling your
data. All the politicians who decry tech companies are selling your data using
the same definition. Every advertiser, retail store, bank, basically every
large business offers other businesses a way to access a specific subset of
their users.

~~~
grey-area
Yes, that's how I define selling in the context of that sentence, as the only
other way to read 'they sell your favourite movies' is the wilful
misinterpretation that they actually sell movies, which would be a non-issue.

I think it's pretty clear they sell your preferences to advertisers and let
apps misuse your data (there have been plenty of scandals where people didn't
understand what apps would get).

This is emphatically not the business model of most businesses large or small.

~~~
adminprof
I think I see the confusion between us. You don't see the difference between
selling data to a company, and selling ad space where the advertiser can
choose which demographics it shows up for.

Let me try to make it more clear. Do you see the difference between "hey Chase
Bank, do you want to buy this file containing data about grey-area's
interests, age, political stance, credit score, purchasing habits, etc."
versus "hey Chase Bank, do you want to put an ad on my website that is only
shown to people with credit scores above 600 and are interested in savings
accounts"?

If they both seem the same to you, then I don't think your perspective is one
that a reasonable person would take. If you do see the difference, then
Facebook is doing the latter, but the word "selling data" conjures the former,
which you do recognize as a different matter.

I'm going to ignore the nonsensical definition you gave of selling data =
selling movies, being the only other definition of selling you could imagine,
in hopes that it was just an oversight.

