If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen? How many people have to be damaged before they stop watching Tom Brady throw touchdowns and get out there to make a difference?
It's allowed to happen for the same reason the US uses credit cards without PIN numbers - a lack of desire to spend money on security/upgrades (it's easier to pass on the cost of fraud via the transaction fees), a weak regulatory structure for protecting consumers, a glacial rate of technology adoption in banking systems, and ignorance/unwillingness to evolve by customers/businesses/executives etc.
Had the US implemented a proper citizen's registry it could be managed as that with all the security and personal details isolation that entails, including but not limited to biometric and chipped ID cards.
We've had public key infrastructure for a long time, we have also had legal attestation; the reason we don't use these things to secure this information is that nobody cares.
When the state does it, you get breaches, but nobody gets all that upset. Just look at what happened with the data breach and subsequent coverup in Sweden. One person had half a month's salary docked, and that was it.
The apathy is really more of a practical matter -- they don't feel like they understand the problem or know how to solve it, and they don't feel like they'd have the power to do something even if they did.
They correctly realize that we don't have a system where entities like Equifax are accountable to individuals that care. The only way you'd get that accountability is through some kind of collective action.
Same thing is true for widespread adopting of PKI-based schemes. Saying "nobody cares" is about as true as saying nobody cares if the oil in their car gets changed -- they don't want to have to pay attention, they don't want to invest in understanding/adopting, and maybe rightly so because there's so damn much that already requires attention. But you might get adoption among private institutions that matter by some kind of legal policy.
A state-run identity registry and authentication solution isn't the only way, to be sure, and I think it's a weird shibboleth in the context of democratic republic run by elected representatives, but since it's not the only solution, nobody needs to die on that hill.
But by the time you're talking about society-wide improvements that address the relevant problems, you're almost certainly going to be invoking government-like powers. The issue you've discovered here isn't about who/how many people care, it's about one of the limits of market-like institutions to transform some forms of concern into effective action. Something even for people who don't trust the state to think about.*
(Also: "people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state" deserves an eye roll so hard. It's manifestly true that there are people out there who enjoy trolling, but the idea that's the only possible motivation is a non-starter and not a good way to indicate you yourself are approaching a conversation in good faith.)
(* I also don't trust the state, just like I don't trust many forms of private power. But it turns out both can be situationally useful and beneficial if you can get the balance right.)
You can roll your eyes all you want, but there are valid historical reasons for being concerned about the extent and disposition of the data that a government collects on its citizens or subjects.
Corporations didn't intentionally kill 100 million of their own customers in the last century alone. It took governments to do that.
If you think Equifax's security is bad, wait until you see what it's like at any government agency that doesn't explicitly focus on security.
It's also pretty unlikely that a credit bureau decides to use vast stores of personal information to prosecute people, but governments have done this several times throughout history, perhaps most notably during WWII.
I'm sure the FBI is looking into the Equifax breach but not as hard as if someone breached the Social Security Administration.
This is interesting. I don't agree or disagree with it; I'm not informed enough to stake a position. But as a thought experiment, if we took it as given that any information a given entity tried to keep secure will eventually be revealed publicly, what kind of security infrastructure would we end up with?
In reality, we're in the world you hypothecate right now. Centralization is really convenient for a lot of uses, and security advocates are rarely in a position to impose the kind of privacy controls the rest of us might like. And the average people who buy services LOVE the convenience enabled by centralization - until there's a breach, and they disapprove for a few days.
That's the most politically significant opposing group, IMO.
What do you find odd about it?
Had the US implemented a proper citizen's registry
Thanks, but no thanks. We don't need to do even more to enhance the ability of the State to monitor and track out every activity.
And it's interesting to note that the use of an identifier like the SSN spread not because its wide use was mandated (in fact, it spread despite being discouraged) but because it turns out organizations both public and private have the same incentives that drive them to want increased legibility throughout their systems through such an identifier. And most individuals also have a motive to want them to be able to positively identify and authenticate them (and negatively rule out imposters).
It's almost like it'd make a good utility, though that's not the only possible solution.
And the anti-govt bend is odd for at least two reasons: in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile occupying power. And two, even among those that do, their opposition often seems to have a cargo-cult focus on certain lines as tokens of liberty (firearms, national id, taxes) rather than frequent demonstrations of insight about the balance between having a useful federal apparatus and different ways that it can be (and is!) limited and checked.
But that's exactly our ethos and, I think, our major problem. We believe the gov't doesn't work, so fight hard to make sure it doesn't work, then sure enough, when you need it to do its job, it can't, and so it reinforces the negative loop.
It's probably why we're at where we are now where a large percentage of the voting age population didn't vote on two candidates no one really wanted to run a gov't while ceding most of our representatives to the power of the corporate world, rather than the people actually being able to hold them accountable. But that gets even more off-topic.
Sorry. And thanks for the very cogent statement vs my ramble.
You don't explain why you think the sentiment "is weird". Maybe you have never been the target of repression so congratulations.
Government officials with lists are potentially very effective ashes-creators:
Read: IBM and the Holocaust
There is zero incremental security because of this. Why pick the lock on the door when the window is open?
I made a statement of fact. I'm making no normative claims, I'm describing reality. At this point in time, there is zero additional security provided by the implementation. Am I supposed to ignore reality and lie about it, because someday things will be better?
> protects against credit card cloning at a particular point of sale
A sieve stops water from streaming through at particular points in the mesh, too.
Your black and white reasoning is not how most humans think. What if the answer is "Bob graduates in a month."?
Which is great, as even some chip ATMs you put the card in far enough to have a magstripe skimmer work on most cases (presumably so that they work with the magstripe cards also)
Not the case for contactless!
(Of course here in Australia, Chip+Pin is Universal and Contactless is near-universal... I can use Apple Pay almost everywhere even small shops and have been able to for several years.. different story to much of the world)
Now the one thing that annoys me, is that currently shops here despite having separate payment terminals customer facing (largely for pin numbers) still operate sometimes on you handing your card to them - which is totally not necessary - especially in drive throughs. This is getting less common with tap to pay using mobile phones as people are (somewhat amusingly to me, given the value potential) hesistent to hand their phone to someone versus their actual card. I really wish merchants would enforce hard not letting the shop assistants handle cards (at least, prompt to handle it, if someone really wants help I'm not against that, but I don't like the default expectation).
But I also realise this kind of thing is much more common in some places so your mileage and feelings may vary.
As a warning before trying this for real: most ATMs annoyingly check both the chip and magstripe, so you won't be able to get cash out even in countries where chip & PIN are the widely used in payment terminals. Found out by carrying my cards in a phone case with a snap-close magnet.
Eventually banks are going to stop issuing cards with magstripes on them. But this will take years, until everyone has both on their cards and both readers in their terminals.
(Yes, really! I don't know what the delay is in the US.)
These terminals still have a mag stripe reader, and our cards have mag stripes as well. But they're just for compatibility: if you try to use the mag stripe of a chip-capable card on a chip-capable terminal, it beeps at your angrily and tells you to use the chip.
Do the terminals have an order of preference in terms of what's required for payment. For instance, try chip+pin first, then try chip+signature, then try mag stripe+signature? If that's the case, then I don't see why all stores that have chip readers won't start using chip+PIN as a first preference for payments with chip enabled cards.
Most countries have some form of universal photo ID, and a copy of it is usually required, along with a signature that matches. Not perfect but better than a simple number.
Some countries like Estonia include a cryptographic token in their ID, protected by a PIN. That's the 2 factor security you wanted.
But people in the US tend not to like the idea of government IDs. But when such a thing is needed, they use the closest thing they have, and that's the SSN.
And that's a Good Thing. Government should exist to protect property rights, provide rule of law, and maybe to enforce contracts. Managing everyone's identity is clearly not something that the State should be involved in.
In Denmark we have a government sponsored two-factor authentication system linked to the Central Person Register or CPR number which every citizen gets assigned at birth. The two factor authentication is used for all communication with state and municipal and for all banking. Works quite nicely from my point of view. Makes a lot of things a lot easier.
The US government actually does have a a convenient and reliable way of proving physical identity (a Green Card for example serves the purpose of identifying permanent residents), they've just declined to deploy it more widely.
It deals with them the way the government dealt with such cases before government identification ever existed - who do you say you are, and who do other people say you are? Where do you and other people say you live?
In your example, in the modern age, "John Smith" would have an arrest mugshot to aid with identification. Whatever criminal records are kept would probably just have the missing information blank. It's not as if there's a big database of citizens with Felon? Y/N as one of the fields, making you run the risk of marking the wrong John Smith as a felon.
The world is a very messy place - the US system does an okay job of treating it as one.
I still have a paper driving certificate, and it is still legal (https://www.gov.uk/exchange-paper-driving-licence). I used it 2 days ago in Germany to hire a car. I have resisted "upgrading" to a photo drviers license because my address is still valid, and the photo driving license isn't (at least wasn't) valid without the paper extra anyway. If it ain't broke...
In reality I carry my passport in my briefcase because I both travel overseas fairly often, and visit customers where it is necessary to show a photo id and that is all I have.
As I recall, you may be required to report to a police station and show an ID or proof of identity if necessary - within a few days. But without evidence to the contrary (and subject to powers listed above for police), you are believed when you identify yourself.
Unfortunately, most companies aren't worth their salt.
Until Equifax and the like get sued out of business, Equifax and its shareholders won't feel the heat.
It would be better if we could get the monitoring from one of their competitors on Equifax's dime.
They've already built out the infrastructure necessary for the monitoring product. The marginal cost of every additional person they add to it is probably quite low.
Equifax's breach might be deserving of it being sold to the government for pennies and having leadership reorganized (read: fired), but I don't think we can nuke it out of existence immediately. Primarily due to it being relied on by so many other banks and services.
Ultimately a major cause is that America doesn't have a national ID, PKI or 2FA systems. And, as such, there is the de-facto, cargo-cult tradition of ultimate reliance on inadequate systems designed for retirement pensions and drivers' licenses. People must give up the "states rights," delusions of privacy and other similar fallacies already and demand proper authenticated and authorized identity, banking and credit systems that require positive, possibly-interactive authorization to use details or complete transactions. Such tokens/documents could be physically enrolled/administered just like passports at USPS.
A government provided security token of some sort, backed by a government database? A lot of people have all kinds of problems with those, from trusting government's intent, to their competency, to their security.
A private party identity provider? Go start it.
A true public key system opens up each individual user to malicious spam. Given the current prevalence of phone, mail, and email spammers, such a system would create more problems than solve.
SSNs could technically be passwords. The problem then is that data servers need to not store SSNs in plaintext, but rather store hashes of them, just like passwords should not be stored in plaintext.
At scale $50K still adds up to a lot, and we'd probably have to cap it some other way too because at-scale breaches don't add up that far, because the system does in fact react to them. This particular breach would be a seven trillion dollar payout if we don't cap it, and the simple reality is that this breach, no matter how much pain it may eventually cause us, is not going to cause anywhere near seven trillion dollar's worth of damage to consumers, or the economy, or anything else. But $50K makes sense for isolated cases that don't get a coordinated response.
If you get it to work, we can then proceed to get rid of police departments.
I mean, really, once you get past the amount of assets that Apple holds, it's all the same penalty anyhow: Instant corporate bankruptcy. Arguing about whether we penalize a company trillions of dollars or quadrillions of dollars is not really an argument.
Too bad the current party in power has only one mandate: tear down everything the last guy accomplished.
I can imagine at least some companies would stop worrying about security since they are insured if something goes wrong.
Summarize what you think this law is preventing in your words and we can compare it to what the law actually says.
: But unfortunately they may be constrained by the aforementioned Privacy Act of 1974.
However, on the blockchain...well that might just happen, but it won't be a government running the identity system.
wouldn't disclosure of hacks (by Equifax) be strongly disincentivized with this scheme?
wouldn't Equifax just lie to the public if they discovered a hack so that their insurance premiums stayed low?
worse yet, would Equifax just eliminate security audits and stop looking for hacks altogether so they could plausibly claim their data was secure?
Maybe this would lead to a rise in secure storage firms that actually do their job with this so small outfits like employers could continue to identify employees without having to actually have a SSN in the database.
is the government going to do those? it doesn't seem to be able to do that sort of thing now. how will the government gain the resources, the capability?
i don't see the government doing a good job of regulation enforcement.
sometimes it's corrupt (e.g. building inspection approvals in Los Angeles, where I live, have sometimes required side payments to the inspectors).
sometimes it's underfunded. one source estimates that only 2% of imported food is inspected: http://www.nbcnews.com/id/44701433/ns/health-food_safety/t/f...
In fact, it's the best case scenario for the company, to make even more money by selling insurance for protecting the data you just gave them.
I thought it was a good comment, but I wonder if it matters.
How much would you get? I have been a member of these class action lawsuits before, and I get, like, $3 for my troubles at the end of the day, so I never claim the prize because it's another database where my SSN would be stored and stolen from.
I think the best is to freeze your credit report and deal with the troubles of having to unfreeze it when you need a loan.
If there are expert people from the Fin Svc industry here, is the above correct? Is freeze pretty much the only reasonable action now to protect ourselves?
Not to shamelessly promote, but as soon as this broke yesterday I brought this to the attention of my firm and we filed I believe this morning.
Better yet, lets do away with credit reporting agencies. Why should any oligopoly or, indeed any non-government entity be allow to have the power to cause so much harm to is with effectively no accountability?
That's right, billion with a B.
Maybe it was a different Target data breach?
This isn't Equifax's first data breach and the others are pretty recent too.
But I'm also not sure what the benefit of enrolling in their ID protection scheme is, given that the whole reason they're offering it is because they already gave it out to some rando on the internet.
It's rather like paying the schoolyard bully to stop taking your lunch money.
This meme is part of the problem. The lawyers take maybe a third of the settlement, after bearing most of the costs of litigation themselves, which they would still bear if they lost. It's high risk/high reward. Lowering the reward just means no lawyer will take the case.
There is a real issue where the incentives for the lawyers don't line up well with the interests of the class. The lawyers likely do pretty well if they settle a huge case for tens of millions and the main thing that happens for the class is they can't file a lawsuit anymore.
The financial penalty for the company is better than nothing, but it often isn't all that much and often doesn't do the class any real good either.
In practice it seems it basically just winds up being a big payout for whoever actually filed.
I'm not entirely certain that a class action settlement is a sufficient deterrent; do the payouts typically hurt the company enough to not take some given risk again?
A credit freeze is only effective if the entity using your information actually checks your credit/talks to the bureaus.
Tax fraud, healthcare fraud, shady car dealerships that don't care about your credit, buying a house where the seller 'holds the papers', etc, are all attack vectors that can be used with this sort of information.
A question that came up among my coworkers and I was: given the nature of the data that was accessed, don't the thieves already have all the info needed to unfreeze your credit?
What do you want to bet it uses stuff like your SSN to verify?
> Please provide proof of identification, such as a copy of your driver's license, passport, birth certificate or other proper identification forms.
Given that the hack included name, SSN, date of birth, and address, a fake copy of one of these should be incredibly easy to generate.
edit: Driver's license numbers were also leaked in some cases. Fun.
"If you lose the PIN that was issued to you when you added the Security Freeze to your credit file, you may request a new one in writing. Please provide proof of identification, such as a copy of your driver's license, passport, birth certificate or other proper identification forms."
Good luck to them trying to get that to hold in a court of law. Remember that it's ultimately a judge's decision on whether or not legalize like that has any real power.
We need a new word, "chutzpah" isn't strong enough in this case.
The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential.
The system is dumb and works poorly, but worked will enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care.
Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore.
OK, the odds of this actually coming to pass are not great. But I can hope.
I say this as someone who would strongly support a federal mandatory national ID system (and the ACLU, generally)
Oh, I doubt it's a left-right thing. I'm pretty lefty these days, and I oppose a national ID. Some minority groups, like say Jewish folks, might carry bad connotations about putting everybody in a big database so we can keep track of (and categorize) them.
But, of course, there's not much preventing the local government from sharing the info with the Feds.
It's something so unlikely to come up in day-to-day interactions that it's not really that important. I'm sure if I got stopped in, say, France, and had no passport to show, they wouldn't exactly lock me up on the spot, they'd find a way to accommodate me.
I still only have a really vague understanding of what happens if a cop in the US wants me to identify myself and I refuse. If I'm not suspected of a crime, obviously, I can just walk away. I'm not really sure what I'd do if I was arrested for cause and refused to identify myself.
For amusement's sake, I really enjoy his videos on geography, such as (his first video ever) this one on the UK (which I guess might need updating soon?):
or this one on Scotland:
or my favorite geographical video, on the Vatican:
That said, they're all pretty great, so I'd just start with this list of all his videos in ascending order:
Somewhat different, is the Hello Internet  podcast, which is by Grey and Brady Haran who you might know from the Numberphile youtube channel . It's basically the 2 of them chatting about random stuff, but I find it very entertaining.
Later on, I did a brief stint working for the federal gov't. In that setting, they used the SSN as our employee IDs. It was on all the personnel forms, and often seen on "list of people in the department" spreadsheets. Of course in order to comply with some law, these forms would also have a footnote explaining why they needed the SSN.
From these experiences, I have a very hard time actually thinking of the SSN as the sort of "secure password" everyone else wants to insist that it is. Unfortunately, I'm not aware of an alternative.
If my SSN & other personal details get out, it's my problem. If the SSN & personal details of half the country leak out, it's somebody else's problem.
Whose I'm not sure, but it would seem like banks. At this point, virtually all potential credit applicant's details have been leaked, and I believe it's the banks that ultimately lose when they issue credit to a fraud. So if you're the bank, hopefully right about now you're starting to think you need a much better method to authenticate credit applicants.
But... in this case, the overall cost may be high enough that there's a competitive advantage in not needing to charge this particular fee, and that will force the industry to do something about it. Maybe.
I'm not from the US. The first time i had an american friend explain me the SSN thing, I thought they were crazy, for the exact same reasons.
It is idiotic, as you say.
Here in my third-world country there isn't any number or code that I need to keep secret and I need to hand over to other companies at the same time.
We do have an specific identifier. Each person has an ID card, with an ID number. The ID number is not secret at all and used for many things everywhere. By the way, we don't have anything like a "social security card". Even kids have this ID card, their parents can (and ought to) request one for each kid.
This ID number has nothing in common with your birthday or anything. It is mostly a sequential number.
All aggregations are done using this (unique) ID number. So financial companies submit payment data associated to your ID number. So later credit scores can be computed as well.
The difference with this ID number versus the SSN is that our ID number is not used as a password of any sort.
How do companies or government institutions check out if you are who you say you are? They can take a look at your ID card. And usually they do have fingerprint scanners and signature scanners to check against the government's central ID registry.
By the way, last year we issued the Electronic Id Card, this one has a security certificate (public-private key cryptography) associated with it, and each person chooses (and keeps secret) a password. This password never needs to be revealed to anyone. With this password one can do digital signatures of any document, etc.
Nowadays SSNs are generally issued at birth, particularly since the IRS wants one for each dependent listed on the tax return. I believe this has been the case for at least twenty or thirty years; certainly my card dates from when I was born.
> This ID number has nothing in common with your birthday or anything. It is mostly a sequential number.
If it's a sequential number requested near birth that would mean that most people with the same birthday have similar numbers, doesn't it?
In practice it is not requested near birth. It is sequential to the time you asked for an ID card, so people who asked for one in the same timeframe get a close number
That ID number is public and allows government & any companies/organisations you show it to immediately verify that they are dealing with a specific person, instead of having to spend time figuring out which specific person named "John Smith" they are dealing with.
Having this number simply makes life more quicker and convinient. It also allows to remove any pointless duplications for cards.
For some examples: separate medical insurance card was discontinued, you can verify medical coverage by a simple number query. Same with drivers licences, they still exist in a separate physical forms for foreign trips, but but not inside the country.
There is no separate libary cards, I don´t have to carry a separate card for my gym or various retailers.
I can verify myself online quickly and securely. I can digitally sign documents and contracts and email them.
Honestly, I´m having hard time imagining my life without it.
I´m aware that all proposals for national identification methods in the US have failed thanks to fears of "mark of the beast" and big brother, but it seems pretty silly to me. All that data already exists and can be cross referenced. Making average person waste more time and money by having such massive inefficiencies in the system seems rather silly in these times.
There is a big difference: that ID is being used as a username whereas our SSNs are (usually) used as passwords.
For online verification(banking, contracts, taxes, voting etc) you need both physical card and PIN at the same time.
Otherwise it works just as any other normal ID.
Some even have federated systems where you can later ask the financial institution to hand out a 2FA crypto token that you can use to identify yourself to other institutions over the Internet without ever showing up in person.
If you switch to dozens up separate IDs, the entire system will get bogged down as everyone forgets all their ID #s
How about using something like an ID card with attached chip that can be used to digitally sign things? Works great in Belgium.
I get it, most people aren't always rational about these things.
The sentiment goes something like this:
- Conservatives gave up on minorities, historically stated that the less they vote, the better
- Conservatives push the narrative that voting fraud is a big problem, and that the liberals are doing it (many high profile member's of Trump's family/cabinet are registered to vote in many states simultaneously)
- They push for Voter ID laws and push back against weekend voting days, as it makes it harder for hourly/poor/minority voters to show up and vote.
So it would probably be a great idea, but since conservatives consider non-white franchising is an existential threat to their cause, they'll probably scream "state's rights" and block it from happening.
Secrecy (and privacy) aren't sustainable, and relying on them will just end up hurting people.
Identity must be solved, not through secrecy, but through transparency.
If AI overcomes us, it will be (in part) because we failed to adapt to this reality.
Remember, any legalize like this is worthless unless a judge says it's valid.
The entirety of federal government SF-86s being dumped to a foreign government has diplomatic and economic repercussions that will last for decades.
OPM: Office of Personnel Management, where all the 'blackmail' files for cleared gov employees and contractors are stored, in addition to many other more mundane functions.
DoD: Department of Defense, but this also refers to contractors in places like Lockheed and other smaller contrating firms.
SF-86: Standard Form #86, the form that must be completed to gain any kind of clearance with the gov. These clearance processes can run into the $20k+ range, though not usually, as they have to send agents out to talk to people to verify the applicant.
The 2015 data breach of the OPM was a BIG deal in the security clearance world, as it seems all the blackmail files were stolen. The a large issue was that the OPM worked on an entirely separate internet that the gov built, as in they had totally different wires and cables and everything, very expensive. How this happened is yet to be released AFAIK. Also, many people were trusting the gov with their darkest secrets, so as to be un-blackmail-able by others. Now, the gov is not so trustworthy and this then throws a huge wrench into all of the processes, including retention of employees and recruitment of new ones.
.. And I could go on. Yes, we love our acronyms.
Worst? For whom?
By strange coincidence, the missus was saying that she needed another drive to backup more photos. I told her she didn't need to, the NSA already has them archived. She did not see the humor.
It seems like it's sort of in Equifax's interest for a breach to happen and have 144 million people freak out and then buy their $20/month service
Wells Fargo is the biggest mortgage servicer in the United States and you don't have a choice over who services your mortgage- mine was sold to Wells Fargo without my say. I could refinance but that comes with significant fees (>$1,000), I'd lose my amazing interest rate, and there is no guarantee it won't end up back in Wells Fargo's hands again.
The bank that held my parents mortgage was acquired no less than four times between 1996-2012. In 2007 I got a credit card from my local credit union - right now it's being transitioned into a Bank of America credit card. The credit union still exists though, they sold their credit card division to another company which then was acquired by BoA. Funny thing is a several years after they sold their credit cards they decided to offer them again and create new ones.
Beyond that, this question is an imponderable for me because who can say what the future brings vs. the present. I guess one can refinance with some other credit union were this to happen in the future in a manner that was not desirable for one's mortgage.
I'm asking because the hubby is I'm the military and he's the primary on our mortgage.
Still, my point is. Equifax has the same conflict of interest as Wells Fargo. It feels scammy to me.
How hard is it to opt-out of whatever class action settlement is offered, and take this to small claims court?
Anyone want to setup a website to automate the paperwork? I'd love to see a not-for-profit do this moving forward when things like this happen.