Hacker News new | past | comments | ask | show | jobs | submit login

For the same reason when some fellow citizen acts against you, you may need to sue them yourself - Google provides a platform with some set of rules, but they can't proactively ensure nobody is doing something malicious to other parties (especially if the malicious act is allowed by the rules), nor they can codify and enforce "don't be an asshole" rule.

Your analogy doesn't really hold up. This isn't another person coming after you directly, it's the other person manipulating a third party to cause the third party to come after you, and the third party saying "not my problem that I'm easy to manipulate like that".

For a criminal-justice-system analogy, it's similar in concept (though not in extremity) to SWATting. And I don't think we want governments to wash their hands of that and say "not our fault our system is abusable that way, it's all on you to do something about it after the fact".

Identity theft is a perfectly reasonable analogy. If someone steals my identity and ruins my credit rating, the onus is on me to inform the credit reference agency. It'd be nice if Equifax could telepathically divine whether a credit transaction was legitimate or not, but it simply isn't possible. Google are similarly unable to distinguish between a blackhat SEO scheme and this sort of weird SEO DDoS.

>but it simply isn't possible

The credit rating agencies could establish reasonably secure channels directly to consumers (passwords would be a start, dedicated tokens would be best), and require explicit authorization through the secure channel for new lines of credit. No account system is perfect, but it'd be a hell of a lot harder to break than "prove your knowledge of full name, address, DOB, and SSN" which are shared and stored all over the place, and bound to leak.

The financial industry or the government (probably at the financial industry's behest) could sign/distribute cryptographic identities along with plastic ones. Opening a new account could require a signature from a signed certificate.

Banks could send prompts to your smartphone asking you to approve/reject ACH and even credit card transactions, ala Venmo. Or you could sign them from a device you control, as with Bitcoin. (Instead, when we get cryptographic signing for payments at all, we get cards which sign all transactions presented to them by devices the consumer doesn't control, without verifying the cardholder's intent except through the merchant's terminal, whose UI could be lying. And we're still stuck with shared secrets for online payments).

A lot is possible, the financial industry has simply chosen to put consumers (and itself) through the hassle and expense of cleaning up after fraud because it's cheaper than a serious attempt at an authentication system.

Except there are a lot of people (myself included) who see the handling of "identity theft" as banks and credit agencies trying to pass the buck for their own poor approaches to security and verification.

Exactly - In my opinion there is no "identity theft". There is criminal fraud, which the banks are a victim of. However, instead of dealing with that fraud they just pass the costs on to an unrelated individual and then shrug and say "you deal with it".

Google does something much like this - but without regulation or clear appeal process.

"Swatting is the act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into sending a police and 9-1-1 response team to another person's address, based on the false reporting of a serious law enforcement emergency, such as a bomb threat, murder, hostage-taking or other alleged incident."



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact