
The Equifax Breach Exposes America's Identity Crisis - prostoalex
https://www.wired.com/story/the-equifax-breach-exposes-americas-identity-crisis
======
tannhaeuser
I don't know. I found the argument convincing that even naming the breach
"identity theft" is beginning to push responsibility away from Equifax and
make it seem a personal problem of those affected, or a general societal
phenomenon. When in reality it's just Equifax's poor security practices.

As you probably know, the exploit basically is using Java's ability to
dynamically execute code from JVM bytecodes (supplied via XML in this case,
but that's just an implementation detail). Once you get remote code execution
ability, it's game over for most Java backend apps, because these are executed
in a single process/address space and thus lack basic process isolation. Even
if JAAS were used to propagate authorization contexts within the Java backend,
typically (almost always) Java apps operate in such a way that a single
database identity/credential set is used for any and all database access.

Dynamic bytecode execution is a core feature of Java and other JIT execution
environments, so you can't use straightforward NoExecute bits (provided by
hardware and supported by OS loaders to disallow calling into dynamically
allocated memory) to prevent this from happening, and can't contain/isolate
execution paths with authorization contexts either. For these reasons, I think
this breach should make banks and other financial institutions rethink their
Java strategies mid- to long-term.

~~~
dboreham
Ability to execute data as code is present in many languages. Almost all of
them these days. I think you are saying that banks should only use C or C++ ??

~~~
bunderbunder
I don't know Java well, but at least in .NET it's possible to set a flag that
disables execution of dynamically emitted code.

Obvs, you should do this on every box that accepts connections from the
outside world.

Obvs, it's no easier to get people to do this in practice than it is to get
people to quit using string formatting to get parameters into their SQL
queries.

~~~
tomrod
Make it opt out/default behavior.

------
Haul4ss
Something non-US folks don't always get about the US -- in a lot of ways, the
US is more analogous to the EU than it is to any one country of Europe. That
is to say, the US Government is the national entity, but quite a lot of power
is still held in the states. There is a 200+ year wariness of federal power
here.

One of the ways this manifests itself is that identity is established and
maintained largely by the states. Your driver's license is basically your
national ID here, even though there are 50 different kinds of driver's
licenses.

In the 1930s we had Great Depression, New Deal, etc. and Social Security. Once
Social Security Numbers became a thing, they became wildly popular as a stand-
in for a national identifier. And now they're crucial, and they get stolen all
the time, and we have nothing better to replace them with.

National IDs are a nonstarter politically in the US. One side thinks it is
undue encroachment on local rights, and the other side thinks requiring ID
disenfranchises the poor and undocumented. That's the tl;dr version of course
-- reality is more nuanced.

~~~
Veratyr
> National IDs are a nonstarter politically in the US. One side thinks it is
> undue encroachment on local rights, and the other side thinks requiring ID
> disenfranchises the poor and undocumented. That's the tl;dr version of
> course -- reality is more nuanced.

As a non-American, this doesn't really make much sense to me. There's already
a national ID, the Social Security card. It's just a really really terrible
form of national ID.

~~~
VonGuard
Social Security card is made of paper, has nothing but the number and your
name, and 99% of people in the US have lost, destroyed, or never carried it to
begin with. Stupid paper card even says "Do not laminate" but mine is
laminated and thus intact after 40 years.

SS#'s were never meant to be personal ID numbers or national ID numbers. This
was a big thing when they were introduced. Unfortunately, companies use them
ALL the time. There should be a law against companies asking for your SS#.

Anyway, nothing about American government or the American people makes sense.
We're probably the most irrational, stupidest electorate in the world. I mean,
look who we elected president!

~~~
zanny
Except if the SS number was not meant to identify people, _what was it for_?
It was meant to track people throughout their lives to set the amount they get
paid by the program based on what they made / what SS tax they paid.

It is terrible at that, it is terrible as a general id, and it's just another
example of doublethink in American politics - we want national welfare
programs that are restricted only to valid citizens, but we don't want to
actually know who the citizens are or keep track of them, or have any concrete
way to identify them.

~~~
maxsilver
> Except if the SS number was not meant to identify people, what was it for?
> It was meant to track people throughout their lives to set the amount they
> get paid by the program based on what they made / what SS tax they paid.

Sure, but there's a huge difference between identifying people's _accounts
with Social Security / IRS_ and being a National ID card used for everything
everywhere. It was designed for the first, and _intentionally forbidden_ for
use as the latter, despite everyone using it that way anyway.

Social Security cards _literally said_ "NOT FOR IDENTIFICATION" right on them,
for 30 years, to try to stop this from happening. It did anyway...

------
codeulike
I never realised till now that Americans' SSNs were supposed to be kept
secret. That's absolutely ridiculous. The idea of trying to keep the UK
equivalent (National Insurance Number) secret is laughable. How can anything
function when an important id number is also supposed to be known by very few
people?

~~~
throwanem
The scheme was designed in 1935 as a way of identifying people enrolled in the
then-new Social Security program (hence the name), and was gradually made a de
facto national ID number over the intervening decades as the increasing scale
of national population and economic activity prompted a desire for greater
legibility to facilitate management and taxation.

Greater legibility, management, and taxation are values not shared by a very
sizable section of the US citizenry. _Without digressing into a pointless and
stupid flamewar over Humean oughts around these points of fact,_ we can
acknowledge that every attempt thus far to implement a national ID scheme has
been, and no doubt any future such attempt will be, energetically and, thus
far at least, very effectively countered by those who so strongly prefer that
no national ID scheme exist. Unfortunately, the US federal bureaucracy being
what it is, we _will_ have a national ID scheme whether well-designed as such
or otherwise, and the wide adoption of Social Security and (generally) 1:1
mapping between SSNs and citizens made it the obvious candidate for a de facto
national ID. Businesses followed government in adopting it as such.

Now, instead of a proper, admitted national identification scheme which would
at least have a _chance_ of being marginally secure, we have a motley
collection of the world's most hilariously shitty zero-factor authentication
methods, making a wide variety of frauds so trivially simple to perform that
we've had to spin them off into a new category of their own, "identity theft",
which we regard as just one of those unfortunate things that happens
sometimes, like cancer. Even after the Equifax breach, it'll probably still be
cheaper to continue looking at the problem this way than to roll back the
eight decades of technical debt that have gone into creating it. So it goes.

~~~
codeulike
The UK is also heavily resistant to any sort of national ID scheme, and so
National Insurance numbers (our equiv of SSN) are also a sort of proxy ID for
people in work etc. But the difference is we don't pretend they are secret. In
other words: we use it as a primary key, but we don't assume it's a shared
secret.

~~~
umanwizard
So let's say you want to apply for a bank loan or credit card online, or look
up information about yourself on a government website - how do you prove
you're you?

Or is this simply not possible in the UK without visiting a bank branch etc.?

~~~
codeulike
You usually end up sending copies of your passport and proof of address (eg
utility bill) by post. Sometimes the copies have to be certified by a
lawyer/solicitor, to prove they are true copies of the original document

------
krzrak
"We need laws that limit the collection and use of SSNs."

The problem shouldn't be defined as "let's still keep SSN secret, but limit
its collection", because sooner or later your SSN will leak. The issue is that
SSN number shouldn't be considered as secret and some other measures should be
used to identify the person.

~~~
bsder
Anything collected will eventually leak.

The issue is that companies shouldn't be collecting _ANYTHING_ , and what they
do collect should get purged ASAP.

The problem is that every company got addicted to collecting information and
nobody made them pay the price for doing so.

~~~
scient
There are legitimate use cases where collecting and storing (in some manner at
least) is necessary. You cannot just stop companies from collecting
information, and furthermore stop them from storing any of it. That's just
naive.

~~~
thanksgiving
The private university I went to used to issue student emails that were first
three letters of last name followed by last four digits of social security
number. It always seemed odd to me. Years later, they've switched and we don't
have that problem any more.

Companies can generate a unique identifier without using SSN. Of course, the
main problem is that they can't do authentication based on that identifier. So
why can they do authentication based on SSN?

~~~
kevin_thibedeau
SSN is the only reliable way to disambiguate duplicate names. Differentiating
all the John Smiths by mailing address is too intractable, especially when you
have JS Jr. and JS III living together. It is used to construct a primary key
for the database.

~~~
WorldMaker
Except that's not always been the case, either. SSNs have always been a
terrible way to disambiguate people. There are weird, crazy edge cases in SSN
history. Cases exactly such as JS Jr getting the same SSN as JS III in a
podunk town because the local SSA administrator was feeling lazy that day and
JS III was already deceased. The federal SSA website claims that that never
happened, but if you have a big enough database (say, Equifax) you can spot
all kinds of simple dumb human errors like that. For many, many years the SSA
left local administrators in charge: the first 5 digits and the weird way they
are hyphenated were local district numbers. For people born before 2011 (!),
when the new randomization scheme was switched to, there is a 90% chance you
can guess their first five numbers if you know their birth date and birth city
(which is why it is so ridiculous that PII rules to keep SSNs safe ever
considered it fine to show only the last four, those are only meaningful
digits for still the majority of SSNs in the wild).

SSNs were never designed for what the credit bureaus and banks and insurance
companies (and everybody else) use them for, and there are too many cracks and
failure cases. Companies need to admit their failures and come up with a real
solution; but companies have so much sunk cost in SSN-keyed databases they
aren't likely to ever actually do that. (Maybe this Equifax breach pushes more
companies to try. Cynicism says companies remain cheap and invested in their
sunk costs.)

------
nmstoker
The article goes a bit off the rails at the end, with all the focus on using a
changeable identifier ("And if this new identifier were easy enough to change
(unlike SSNs), breaches, leaks, and other unintended exposures would be less
consequential.")

There's no reason not to keep SSN as an identifier. Just the same as I
wouldn't change my name if I suffered identity theft. Instead there needs to
be authentication (eg via a method such as a token, 2FA or whatever) - and
it's that which needs to be resettable.

Simply making use of SSN _alone_ illegal in certain industries would be a
reasonable approach: it would stop current problems whilst not incensing the
"mark of the beast" brigade.

~~~
tim333
The government could bring in an auth service adding a password to your SSN.
Problem solved. Kinda.

~~~
bga
or a digital signature, or a MAC. Something where we could verify against a
publicly-known value safely, and without giving that secret part away to
anyone else. The secret would be between the Federal Government and the
citizen.

~~~
Simon_says
Why should the government have it at all? Just let private citizens manage
their own private key.

~~~
nindalf
And what happens when people inevitably lose their private key? How will they
regain access to their SSN?

~~~
u801e
They would probably have to go through a similar procedure as they do to get a
replacement social security card. That is, they would have to present at least
a drivers license and US passport at one of the local social security
administration offices.

At that point, they can regenerate the key-pair and have the SSA official sign
the public key and keep that on file.

Now, presumably, it is possible to forge both documents, but I would think
that the government could check their records (federal and state) to verify
the authenticity of the provided documentation.

------
sagitariusrex
For everybody who isn't acquainted with how Social Security Cards work in the
US and how they came to be I highly recommend watching "Social Security Cards
Explained" by CGP Grey
[https://www.youtube.com/watch?v=Erp8IAUouus](https://www.youtube.com/watch?v=Erp8IAUouus)

He also explains why US citizens don't have an Identity Card as opposed to
many European countries.

~~~
sitharus
That’s quite crazy. Though here in NZ we don’t have a National ID number
either, we have several different numbers for different purposes. Most places
will work with a driver licence or passport number, but given there’s no need
to register a change of name it gets a little tricky.

If you don’t have any of those you can get a statutory declaration of identity
from a local court. You just have to swear you’re the person in front of a
justice of the peace and provide a passport photo.

------
thesumofall
Coming from another country I really have difficulties understanding why e.g.,
utilities would want to have your SSN. What do they get that they otherwise
won’t get? Isn’t a validated address and a credit card number enough for them?
What is the scenario that they try to protect against? That someone misses his
30 USD utility payment and has a CC that is not covered? That seems like a
rather weak argument

~~~
takeda
These databases are there essentially to punish you. If you don't pay your
utility bill, they report that to the credit agency, and reduces your chances
of getting credit elsewhere.

These credit information don't give much benefit to Americans, it gives
benefits to businesses[1]. It's essentially just a global black list where
business can communicate who not to do business with.

This business is there for other businesses and we are the product there. This
is why people generally have very shitty experience when they have to interact
with them, and this is why Equifax thinks the problem is solved when they
provide free one year credit monitoring service.

[1] note how Equifax thought it was important notice that the core database -
the one storing your credit records was not affected. None of Americans care
about this, but if the core database storing record was compromised Equifax
would disappear overnight without any help of the government, because none of
the businesses would want to use it.

~~~
JumpCrisscross
> _These [sic] credit information don't give much benefit to Americans,
> it gives benefits to businesses_

Americans own, work at and consume the products of businesses. If there is a
class American law generally holds above investors, in terms of protection,
it's consumers.

I would also argue consumers benefit from our credit rating agency system,
shitty as it is--it allows more people to get cheaper credit faster and more
easily than if we had to establish trust at every commercial interaction.

~~~
njarboe
I would suggest that getting credit faster and more easily is not a benefit
for consumers but a benefit to business also.

~~~
JumpCrisscross
> _I would suggest that getting credit faster and more easily is not a benefit
> for consumers but a benefit to business also_

Access to credit reduces poverty, internationally [1] and domestically [2]. It
is also critical to letting poor and middle class individuals start small
businesses [3]. Consumers and businesses benefit from financial systems that
efficiently allocate credit. That's why both consumers and businesses
voluntarily finance purchases with credit. (This is not a Panglossian claim
that our system is perfect. Credit is better than no credit for consumers. Our
current CRA system, while a complete mess, is still probably better than
forcing trust to be re-ascertained at every commercial interaction.)

[1] [https://www.microfinancegateway.org/sites/default/files/mfg-...](https://www.microfinancegateway.org/sites/default/files/mfg-en-paper-impact-of-microcredit-on-poverty-evidence-from-bangladesh-may-2002.pdf)

[2] [http://www.nytimes.com/2013/10/29/business/microcredit-for-a...](http://www.nytimes.com/2013/10/29/business/microcredit-for-americans.html)

[3]
[https://pdfs.semanticscholar.org/9b12/726539fadbcaaebcd7ea9d...](https://pdfs.semanticscholar.org/9b12/726539fadbcaaebcd7ea9da5760d61862fce.pdf)

~~~
mmirate
My prior expectation of almost any of the aspiring business-owners that you
describe, is that they do not have the knowledge necessary to successfully run
their business.

------
rampage101
The problem is that SSNs are treated like a private key. If somebody has that
private key, and some basic information about you, they can basically
impersonate you electronically.

Meanwhile countries like Estonia use an electronic card reader with a PIN to
verify digital identity, making it nearly impossible for somebody to
impersonate you. Using this Estonian system, you can tell anybody your
personal code ID.

~~~
bonzini
In Italy the personal id is computed from name(s), surname, date and place of
birth (state of birth if born abroad) and a check digit. Collisions are pretty
rare (one every few tens of thousands of people), so it's pretty much a public
piece of information.

Electronic identification is available on three levels: id+password,
id+password+OTP (the most common), id+password+smart card (everybody has one,
but in practice it is only used by officers nowadays). Getting a password is
free and takes about 15 minutes plus a trip to the post office. It works
pretty well, and underneath it's just SAML2 so everyone can use it.

------
mcherm
We HAVE a set of laws and regulations mandating that SSN numbers be kept
secret. It doesn't work. We have laws restricting the use of SSNs (it is
illegal for most situations to demand an SSN, except for the situations where
it is mandatory). They don't work either.

There is, however, one simple solution. Inform banks and others who need to
verify identity that they may not use knowledge-of-someone's-SSN as a means of
verifying identity. After a brief adjustment period for them to change their
processes, publish a public list of every citizen's SSN. (Note: the Equifax
breach already did half the job here... so that part isn't hard.)

There is no problem with having SSN numbers, and we MUST have something of the
sort if the government intends to keep track of its citizens. There is no
problem with SSN numbers being public, and history has demonstrated that it is
impossible to design a system that successfully keeps them secret. The only
problem lies in the fact that we treat knowledge of this number as some kind
of proof of identity.

------
mdekkers
The real crisis here is that Equifax isn't being held responsible for
providing meaningful fraud protection beyond one year. When I lived in the UK,
the banks were constantly trying to sell me "fraud protection" and "identity
protection" - trying to argue with the salesdrones about why you think it is
insane that they are trying to sell me protection against their own shoddy
information security practices was useless.

I'm not a big fan of over-regulating, but this is a specific issue that
requires a significantly heavier hand than "I'm going to another bank" as they
are all as bad as each other.

~~~
takeda
Instead of heavily regulating I say we should make this service obsolete by
passing similar to European laws where people can request what information
given company holds about them, request removal and not allowing data
collection without permission.

Neither of those companies provides anything valuable to ordinary citizens and
the data collection they do comes with great price to us as shown with
recent Equifax fiasco.

~~~
mdekkers
well, Equifax is big in the UK, mostly to keep track of your credit rating, to
allow individuals to borrow money.

I think you will find on closer inspection that EU data protection laws prove
to be surprisingly flexible when it comes to things relating to money. But
hey, at least we are protected from evil cookies tracking us! Talk about a
fucking sleight of hand....

------
animex
What we need is a system like a base key and derivatives keys that can be
revoked / issued via some central government system. If someone's SSN gets
compromised, revoke the base key and all keys are invalidated. If an individual
organization's use of your key gets compromised, revoke and reissue. Most
likely this all will have to happen transparently without the user really
knowing what's happening under the hood. Perhaps on the blockchain?!

------
fit2rule
I lived in the USA for long enough to get a SSN and a credit rating, but I
left some time ago.

I've now discovered that my details are in this leak.

Does anyone have any advice for how a non-US citizen, not currently living in
the USA, can secure their data and ensure that it's not being used nefariously?
I.e. is there a way to permanently retire a SSN and credit rating, remotely
(which doesn't involve dying, lol)?

~~~
harryh
You can "freeze" your credit with each of the 3 rating agencies (Equifax,
Experian, TransUnion) which will prevent anyone (including yourself) from
applying for credit using your information.

------
Lazare
Any rational system needs to be able to: 1) Identify someone and 2)
Authenticate someone. A moment's thought will suggest that the mechanism used
to identify someone has different and at least somewhat conflicting goals to
what the mechanism used to authenticate someone has, and these must be
different systems.

For example: The identification token should be shareable, globally unique,
and probably mostly immutable. The authentication token should be secret, not
globally unique, and resettable if compromised.

The US system currently tries to use SSNs as both a means of identity _and_
authentication: Telling someone your SSN both tells them who you are, and
proves that you really are that person. Obviously, this can't work.

Either we need an actual unique ID number, and then we treat SSNs as a secret
password, OR we need to treat SSNs as non-secret usernames, and add some form
of actual authentication. Either will work I suppose, although the second
seems more practical.

~~~
jacquesm
The only option is the second because SSNs are already widely distributed so
have lost their use for authentication.

~~~
Lazare
As a practical matter, yes. I mean, in principle we could declare a do-over,
and re-issue any compromised SSNs (which would be uh...all of them), but
uh...yeah.
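
Added example, not part of the original thread: the split described in this sub-thread (a public, fixed identifier and a secret, resettable authenticator), using the MAC-based challenge-response that bga suggested earlier. The `IdentityRegistry` class, the `respond` helper and the sample identifier are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityRegistry:
    """Hypothetical issuer: maps a public identifier to a resettable secret."""

    def __init__(self):
        self._keys = {}     # identifier -> current secret key
        self._pending = {}  # identifier -> outstanding one-time nonce

    def enroll(self, identifier):
        """Issue a fresh secret for the identifier and hand it to the holder."""
        key = secrets.token_bytes(32)
        self._keys[identifier] = key
        self._pending.pop(identifier, None)  # void challenges made under an old key
        return key

    def reset(self, identifier):
        """Replace a compromised secret; the identifier itself never changes."""
        if identifier not in self._keys:
            raise KeyError("unknown identifier")
        return self.enroll(identifier)

    def challenge(self, identifier):
        """Start an authentication attempt with a random single-use nonce."""
        nonce = secrets.token_bytes(16)
        self._pending[identifier] = nonce
        return nonce

    def verify(self, identifier, response):
        """Check the MAC over the nonce; the nonce is consumed either way."""
        nonce = self._pending.pop(identifier, None)
        key = self._keys.get(identifier)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + identifier.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key, identifier, nonce):
    """Holder side: prove possession of the secret without transmitting it."""
    return hmac.new(key, nonce + identifier.encode(), hashlib.sha256).digest()


def demo():
    registry = IdentityRegistry()
    ident = "000-12-3456"  # constructed sample; area number 000 is never issued
    key = registry.enroll(ident)
    results = {}

    # 1. The legitimate holder answers a challenge.
    nonce = registry.challenge(ident)
    good = respond(key, ident, nonce)
    results["holder"] = registry.verify(ident, good)

    # 2. A captured response is useless against a later challenge.
    registry.challenge(ident)
    results["replay"] = registry.verify(ident, good)

    # 3. Knowing only the identifier (the current SSN situation) is not enough.
    nonce = registry.challenge(ident)
    guess_key = hashlib.sha256(ident.encode()).digest()
    results["identifier_only"] = registry.verify(ident, respond(guess_key, ident, nonce))

    # 4. A leaked secret works only until the holder resets it.
    stolen = key
    nonce = registry.challenge(ident)
    results["stolen_before_reset"] = registry.verify(ident, respond(stolen, ident, nonce))
    new_key = registry.reset(ident)
    nonce = registry.challenge(ident)
    results["stolen_after_reset"] = registry.verify(ident, respond(stolen, ident, nonce))
    nonce = registry.challenge(ident)
    results["holder_after_reset"] = registry.verify(ident, respond(new_key, ident, nonce))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because this is a MAC, the issuer holds the same secret as the citizen; the signature variant raised in the thread would let the issuer store only a public key.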

------
cm2187
I think we're mixing two different purposes here.

Authentication through knowledge of a SSN is an absurd practice, and is a non
problem in countries which have a national ID card scheme. Introducing ID
cards would be my obvious response to this leak. Not re-issuing SSN until the
next major leak.

Having a universal unique identifier for every individual across systems is a
different matter and I am not convinced this is even desirable. In a world
where no organisation is able to protect its data (or even willing since most
organisations now are looking for ways to monetize it), this is making it too
easy to link an identity across breaches. I don't think your utility companies
have any need to know your SSN.

~~~
thirtyseven
For the purposes of fraud, it's fairly easy to link accounts across datasets
even without a unique key like SSN. You can just guess based on name and
address or something and if you're only right 90% of the time that's still a
pretty big win.

~~~
cm2187
People move home, particularly in the US which has a quite mobile population.
Many people have many variants of their names, including middle names or long
composed last names, and you have a huge number of homonyms. So while you may
get a 90% hit rate on two, perfectly current, and breached at the same time
datasets, I would expect that number to reduce greatly in a typical real world
breach.

------
imh
It makes me wonder why identity has to be a centralized government thing. For
most purposes, my google account is my primary identity. If I forget a
password, resets go there, so it's my foundational identity online. Per-
purpose identity seems like an okay thing. I could have a financial identity,
and gaming identity, a communication identity, etc. Just like the government
doesn't need to know what I own on steam, it doesn't need to know my credit
score. And just like steam doesn't need to know my drivers license/social,
maybe my bank shouldn't either?

Writing this, I'm realizing how closely identity and privacy are related. For
any transaction with memory (like games I buy on steam) there needs to be some
identity. Connecting that identity to my other identities is a privacy
question. We're probably at a tipping point where we could go either way next.
It scares the crap out of me to think about it that way.

------
Kiro
In Sweden your SSN is public information. I posted the same comment on another
Equifax thread and got some pretty interesting replies relevant to this
discussion:
[https://news.ycombinator.com/item?id=15208223](https://news.ycombinator.com/item?id=15208223)

~~~
jaclaz
I believe that all EU has a similar approach, it is just the US that _misuse_
the SSN.

The way it is done in Italy (it is called "Codice Fiscale") it is composed
through a public algorithm from name, surname, place and date of birth with a
final "control" character (derived by the preceding characters) so - with the
exception of the very few cases of total homonymy - it can be recreated "on
the spot".

Nowadays it is however printed on an electronic card, with both a magnetic
stripe and a chip and it is the actual card (together with an ID document[1])
that "authenticates" your identity (in person) while on some government sites
you can use the card (with a smart card reader) to authenticate.

[1] actually the main thing is the ID document, passport, ID card or - in some
cases - driving license, with that you can declare your Codice Fiscale even if
you don't have the actual card with you.

~~~
slau
Thanks for the great content and information.

Just a minor nitpick: your identity can't be authenticated. You, as an
individual, can be identified, but the only thing that can be authenticated is
the piece of plastic (ensuring it is not counterfeit).

I wrote down an analogy for the different lingo some months ago:
[https://news.ycombinator.com/item?id=13635820](https://news.ycombinator.com/item?id=13635820)

~~~
jaclaz
Yep, sure, you are correct, that's why I put it in double quotes, more
accurately the identity can be "verified" or "validated" by the ID card (of
course authentic) or even more strictly by comparing the photo (and other
description data) on the ID card to the looks of the bearer.

I just checked and also en.wikipedia has a good description of the algorithm
used, JFYI:

[https://en.wikipedia.org/wiki/Italian_fiscal_code_card](https://en.wikipedia.org/wiki/Italian_fiscal_code_card)

------
youdontknowtho
a federal id smart card would be a great solution, but people won't let it
happen because it might be "the mark of the beast".

I'm not joking. I have heard that more than once.

~~~
mindslight
Because it _is_ the "mark of the beast", just as SSNs or surveillance bureau's
primary keys are. And no, I'm not joking either.

It's entirely sophomoric to trash a book of generational wisdom by taking its
metaphors literally for use as strawmen. An actual "beast" was no more a part
of their daily routine than it is of yours.

If identifying and cataloging people were against people's immediate interest,
then it would actually not happen and it wouldn't be a concept worth
mentioning. So the apparent fact that the practice looks fine and dandy to you
is an indicator of exactly nothing! The problems manifest themselves on the
scope of many generations, and true wisdom is to heed warnings from past
failed societies rather than laughing them off.

(For the record, I'm an atheist).

~~~
youdontknowtho
so you are opposed to drivers licenses?

and for the record, they meant the antichrist as an actual person, not a
metaphor...even though there's plenty of evidence that the book is referring
to roman coinage and caesar.

i really don't know how to reply. you are saying identification is wrong?

