Hacker News new | past | comments | ask | show | jobs | submit login

This class action will likely be settled in the same way the Ticketmaster case was settled ... with a coupon book good for 2 free credit reports.



To be fair, class action suits aren't really about recovering damages for the class members. Or at least, not entirely. That's almost incidental. Rather, they're most often about leveraging a large class of injured parties--whose injuries are usually relatively minor on an individual basis--to force a change of behavior by adding up all of those small injuries.

The cost of pursuing each claim individually would usually be sufficiently high as to make pursuing a claim unviable. The behavior would remain uncorrected, and the injured parties would receive neither compensation nor the knowledge that the behavior has been altered or eliminated. Nobody wins in that situation.

And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers fees, that's not really fair. Mass tort litigation is complex and involves significant investments of time and resources on the part of the attorneys involved. Especially if they actually make it to trial. It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not. They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.


To be fair, class action suits aren't really about recovering damages for the class members. Or at least, not entirely.

That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.

That's why everybody gets pissed about it.

There are other legal remedies to force a change of behavior. If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me. The class action is something that is supposed to be for the class members' advantage- working as a group for legal remedy. The tradeoff is you don't get as much legal remedy as you may have had you footed the entire bill and risk of a lawsuit yourself. But some of the negotiated remedies are, indeed, a joke.


>That was exactly what they were supposed to be about.

No, they really aren't, because as the parent says class actions are appropriate where the harm to each individual class member is small, but the small harm is spread out to many people. You as an individual were not harmed much, so you as an individual would not collect much even if you went it alone and recovered 100%. Litigation doesn't (generally) yield more than the harm you suffered.

Besides, if you want a lawyer to represent your interests alone, then you are free to not join the class and pursue your own individual case with the lawyer(s) of your choosing.


Believe it or not, they really are supposed to be about this. Here's a writeup [1] speaking about the Supreme Court's ruling on the matter:

"Purpose? According to the U.S. Supreme Court, the “principal purpose” of class actions is “the efficiency and economy of litigation.” [4]The Court has also noted other justifications for class actions, including:

    the protection of the defendant from inconsistent obligations;
    the protection of the interests of absentees;
    the provision of a convenient and economical means of disposing of similar lawsuits; and
    the facilitation of the spreading of litigation costs among numerous litigants with similar claims.[5]

In other words, people whose claims might be too insignificant to litigate alone can band together. The class action device can eliminate redundancy in the judicial system, streamline litigation, and in some cases, create significant institutional change. "

[1] https://apps.americanbar.org/litigation/litigationnews/pract...


>pursue your own individual case with the lawyer(s) of your choosing

Fewer people than most realize are actually able to do this. Good lawyers don't generally take contingency cases, and if the case is even remotely involved, fees quickly reach to six figures.

Perhaps worse is the stress. Once initiated, you have virtually no control over the process, and it can take over your life. The motions and counter-motions, delays and hearings will wear you down. If the adversary is much better-funded, then they can make it nearly unbearable.

The legal system is not what most people imagine, especially those who flippantly threaten to sue. You have to go through an action (or be close to someone who is) to really get that. Engaging is stressful and costly and, unless you're a combative type with deep pockets who just loves to fight, you'll likely feel like you lost, no matter the outcome.

This, as much as anything, is why class actions are so prevalent.


> If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me

If you're paying them they're representing you. If they spend a single client's or their own time building a case, they're not representing you. They are representing your class. If you want to be represented, opt out and hire a lawyer.


> That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.

The lawyers are getting their fees to pay for the service of causing class-action suits to happen. Even if the remedies for a class member are a joke, the amount the company pays is, supposedly, not a joke (and yes, a good amount of that is probably paying those lawyers), and that's supposed to be a deterrent for other companies who are thinking of making the same mistakes.

Whether this works out in practice is debatable, but the current system is coherent in theory.


> They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.

No, it isn't better than the alternative. The alternative is to have regulators selected and overseen by elected officials regulate the behavior of companies. We instead of a system of regulation by self appointed ad hoc lawyer-regulators negotiating settlements they think will get past the judge overseeing their case and allow them to collect a fee.

The latter is perhaps better than nothing, but it isn't better than the alternative which happens to be in place in the rest of the developed world.


Regulators selected and overseen by elected officials aren't a foolproof solution either. Sometimes you end up with Scott Pruitt [1] running the EPA, whose objectives are apparently a) denying that climate change exists, and b) dismantling any environmental protections that businesses find inconvenient.

The self-appointed lawyer regulators at least have an incentive to do their jobs: they get a bunch of money.

[1] https://en.wikipedia.org/wiki/Scott_Pruitt


He didn't say foolproof; he said better.


That was his point. Pruitt is not better.


Yes because regulation is working out really well

That is why I have plenty of competition for Internet Access and Net Neutrality is vigorously enforced

That is why the FTC routinely issues fines for False Advertisers for all the false claims that are made daily in ads

That is why there are plenty of bankers in jail for crashing the economy in 2007,

Government regulation is grand


So vote for people who actually want to competently regulate, and work to encourage others to do the same.

Paraphrasing, we are currently getting the regulation we deserve - good and hard.


If you believe democracy is for people. Then you are mistaken. Democracy simply means more than one entity fighting for power. Usually both of them have their own agendas and only give a shit when it’s time to vote. And we all know lying, backstabbing and spreading propaganda on Facebook and media channels is a much better way to win voters than doing what’s good for them.

The system was always a plutocracy and will always be.


>And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers fees, that's not really fair.

Of course it's fair. It's not like the members of the class get to shop around for cheaper lawyers. The class gets shit either way, they just have to decide if they hate the company more than the lawyers that charge the obscene percentages. And you can't make any kind of cost argument because a billion dollar case isn't anymore complex than a million dollar case. The whole point of it being a class is that it impacted everyone the same so the dollar figures don't change the complexity.


Attorneys' fees in a class action have to be approved by the court, and for large class actions the percentage fee tends to be lower than what a privately-retained lawyer would receive. The privately-retained lawyers in NTP's lawsuit against Blackberry got an approximately 1/3 payout of a $600 million settlement. 20-33% is quite typical in a pure contingency situation. Most court-approved fee awards in class actions that large ($100m+) tend to be a lot lower than that, in the 10-20% range. Courts usually will demand that attorneys submit their billing records (or summaries thereof) along with their fee petitions, and will regularly cut down any fee requests that exceed a certain multiple of what the attorneys invested in the case.

This case is typical: https://www.paymentcardsettlement.com/Content/Documents/Orde.... $5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.

> And you can't make any kind of cost argument because a billion dollar case isn't anymore complex than a million dollar case.

That's not true at all. Big dollar value cases involve either large harms to relatively fewer people, or relatively small harms to large numbers of people. The former kind of case often involves complex subject matter, such as financial transactions, medicines, etc. The latter kind of case often involves a very diverse class and complex issues of causation and damages. Consider the TicketMaster lawsuit: the basic theory of damages is that class members would not have purchased the tickets had they known that TicketMaster was marking up things like UPS charges. Well, clearly lots of class members would have purchased the tickets anyway. Coming up with a realistic damages model in that scenario is difficult. Furthermore, in big consumer class actions like that you've got class members in fifty states with fifty different sets of laws.


Is it weird to also observe that the opposition in a billion dollar case will be significantly more expensive to overcome than in a million dollar case? It seems obvious to me that billion-dollar cases would be more expensive to pursue.


Definitely. E.g. for a $1 million case, the defense likely won't even hire an expert. For a $1 billion case, you'll be responding to thousands of pages of expert reports prepared by half a dozen PhDs in various specialties (and deposing them, fighting over the admissibility of their opinions and the reliability of their methods, etc.). Not to mention that you'll get buried in discovery, etc.


Still, class attorneis will settle faster and for less. That often drives total comp and remedies a order of magnitude more than fees percents, like in the recent antipoaching litigation.


>Attorneys' fees in a class action have to be approved by the court, and for large class actions the percentage fee tends to be lower than what a privately-retained lawyer would receive.

>$5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.

How often to private retained attorneys get $320 million in pure profit. Additionally the 'time invested' already has income for all of the involved lawyers.


This is contingency work. The winning cases have to pay for the losing cases. When they lose, the lawyers invest $160MM worth of very real payroll and consulting fees and get nothing.


> It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not.

The fact that it requires so much expertise and money to "access the legal system" in this way is in itself incredibly unfair and unjust. It's a completely broken system.


Yeah, but how can that be solved? The law is very complex in any advanced country (I'd argue necessarily so), and requires specialists to navigate it.


Exactly. It's hard to measure the value of class actions without knowing how the behavior of companies would change without them. I expect we'll see that natural experiment play out now that arbitration clauses are commonplace.


Your first point is only sometimes valid as damages do depend on the severity of the injury, just as in any other case. See http://www.nytimes.com/1999/10/08/business/fen-phen-maker-to... for a class action suit involving serious injury.


Probably for good reason. $500 per class member is an insanely high damages estimate. 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.

As to the Ticket Master case, you can read the complaint yourself and see if $5 or so per class member settlement value was reasonable: http://www.ticketfeelitigation.com/docs/Fourth_Amended_Compl.... The theory was that TicketMaster didn't disclose that it was marking up fees for things like UPS delivery and order processing, and that if customers had known they wouldn't have ordered the tickets. That's a weak damages theory, because customers don't care about line items they care about the bottom line. Either they'll pay $X for the tickets or they won't. Unsurprisingly, that weak damages theory lead to a small per-class-member settlement.


> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?

There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.


What headache? Get with Capital One, Chase, Citi, or one of the other big names. They are very professional about replacement cards and zero hassle.


Replacement credit cards are not the issue. Whoever has this data has the complete dataset to open new credit cards in your name, buy a car in your name, get plastic surgery in your name, etc.

The hassle will be convincing all those companies that you do not in fact owe them thousands, and there is no automatic protections for these types of harms.


Even worse, is if you don't immediately notice a new account on your credit report, that then goes to collections. -_- 10 years later and I still get threatening calls from the shadiest of shady "collection agencies"


Do you know if there's any way to "notice" these new accounts without having to freeze your credit or otherwise mess with the normal process for getting new credit? I just want a notification, nothing else.


Credit Karma seems to do that OK. Their score is wildly different from their supposed source though.


Oh yeah I don't need the scores, I just want notifications for new accounts. Cool, thanks! I'll check it out.


must be terrifying. sorry about that. but free money is free money.


> Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?

It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to show it's fraudulent, then by law the credit card company has to investigate, and deal with it.

It also makes business sense. CC companies make a ton of money with legal transactions, and an anti-consumer, pro-fraud reputation would cost them customers.

> There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.

Why would the bank or credit card company send a check? Presumably they're not the one who committed the crime, so why should they cover the damages?

I've had my identity stolen, and it was a PITA to clear up, but the bank and credit companies were reasonable about it, IMO. In a case like this, where it's easy to point at the Equifax breach and say, "See? This is how they got my info.", it's probably even easier to clear up, though I'm sure it's still a hassle.


Time. I'm pretty old, retired, and have a few bucks. Time is my most precious commodity, and I prefer to give it to those who deserve it.

I'm not sure how much I'd want someone to pay me for an hour of my time. Clearing up identity theft can take many hours. Those are hours I can spend bugging the missus, or even bugging you folks.

I am clearly not to blame for their data exfiltration. Who is going to pay me for my time? What is my time worth to them?

This is all theoretical. My credit has been frozen for a long time. It has been that way since the OPM hack. However, for the sake of expression, I point out that my time is pretty valuable to me. Those who steal my time are worse than those who would steal my property. I can insure my property, I can not replace my time.


This has been hitting me hard lately. I'm pretty young at the tail end of my 20s, job is finally stable enough not to worry about money, and have really started to realize how few free hours I can find in a week. Work and its on call rotation, obligations to the girlfriend and social circles, maintenance on the house and cars, bills that don't have an auto pay option.

Last month my auto registration sticker didn't show up in the mail after renewing it. A trip to the county clerk, then the sheriff's office to file a report, then back to the clerk to get another sticker took almost two hours. Stopping by the local bank to change my address after the online system locked my account for two incorrect password attempts took 90 minutes. 6 phone calls after a cancelled auto insurance policy made an auto draft the next month. My coworker has a pile of kids, two with medical issues, it seems like his wife has a part time job dealing with medical billing issues.

Most of these rambling examples aren't the fault of the organizing institution (unlike the Equifax leak at hand), but in the end individuals are bound by those institutions' organizational practices in their pursuit of normalcy. I don't know how it could be implemented or enforced, but at a certain point it feels like individuals should be compensated for suffering organizational incompetence or negligence.


I got lucky and sold my business when I was just 49. However, I worked a minimum of 60 hours per week, for years.

Which gets me to my response:

Cherish that time. I don't care about longevity, I care about maximum value. I may be content to die today, but I'm not content wasting time on something that is forced on me.

I don't regret much, but I do regret my time that was wasted by others. As I look back, I see do many situations where I could have disallowed that while still getting the same eventual outcome.


They do it on purpose and have no intention of fixing their administrative inefficiencies. They know most people don't have the patience for this crap so that discourages people from creating a hassle for them with problem/things that they have to do.

For instance, in a past life I may call up to question a charge on my cable bill. Now that I have more money, I don't waste my time on such nonsense. If the cable company wants to charge me an extra $20 for no reason, they can do so, because it's not worth my time to call them up and get shuffled between departments for 2 hours.


Last time a cable company charged me wrongfully (I wasn't even their customer anymore), I called my bank and had them reverse the charge, as well as block any future ones. Took me like 5 minutes. Now the only time investment I have is throwing their monthly threat letter in the trash about how they will cut my internet access if I don't pay up.


> It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to prove they didn't make it, then by law the credit card company has to investigate, and deal with it.

But the time it takes on the phone to talk to an agent, review your records for legit vs illegit charges, etc. are not reimbursed, which is what they were on about.

> Why would the bank or credit card company send a check?

I think we're talking Target writing the check. Which they didn't exactly volunteer to do, but was covered in the class action at least: https://targetbreachsettlement.com/mainpage/CommonlyAskedQue...


"Even the ones who do have their identities stolen will likely be made whole by the credit card companies."

Fraudulent charges on a credit card are the least of my concerns. This opens us up to a lifetime of identity theft and insecure accounts of every sort. I'm not even sure how they can approach remedying the problem. Coordinate with the SSA to get 150 million people new SSNs at the least.


This is really the concern. With this level of detail, someone can open any kind of new account - not just credit card - dig into everyone's lives (or political opponents on social media for doxxing). And the threat remains in perpetuity.

There is mo way to even estimate the damage as some devious ways of it harming us may not even exist yet.


> There is mo way to even estimate the damage as some devious ways of it harming us may not even exist yet.

Scifi story idea:

Far future. Life extension possible. The government will provide it free (if you want it) - one time only though - when you are near the end of your first life. Upon extension, this technology also turns the clock back to renew you to 20 years old.

You're 78 years old, frail, ready to kick it, but decide to do the extension. You go into the clinic. Give them your information, etc.

Bzzt.

We're sorry, you've already been rejuvenated before. We can't help you, unless you want to pay $$$$$$ for us to go ahead with the procedure.

lolwhut

yep.


Why would people need new SSNs? It was the credit industry that misused them as combination of unique identifier and authenticator, and that is not the SSA's responsibility to fix. The government even tried to curb misuse of the SSN, but it was not binding on private entities, and they just ignored it.

The solution, whatever it is, does not include anyone continuing to pretend that the SSN is now or has ever been suitable for any purposes other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS.


> other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS

... and all of the other government benefits, programs, or mandated activities, many (all?) of which demand your SSN. Are you even sure that the credit industry, i.e. banks, originally misused SSNs? I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".

Some people also might be concerned with not receiving their SS benefits either, which isn't entirely far-fetched given that others might now be using it for nefarious purposes (like trying to collect their SS benefits).


> I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".

I read something somewhere else (maybe on a different HN thread, maybe here?) that this was changed in 2000 for something called "red flag laws", IIRC.

So yeah - it is required.


You're absolutely correct. We should move to a well designed identity system. However I'd SWAG the development and deployment of such a system around 10-15 years if all of the involved parties were on-board. Equifax could provide the SSA a pile of money and the victims could have a reasonably effective defense against identity theft within months.


wouldn't it be simpler to make ssn number last only five years? it's a partial workaround, but would immediately help by reducing the attack opportunity time massively, along with making it standard to have variable ssn thorough the system and making it easier for people to just renew their after breaches like this, since the current bar for obtaining a new one is quite high


honestly this is only really an issue because organizations are using SSN as authentication and not just as identification, caused probably by the lack of a federal id scheme, compound by the inability to easily change the SSN itself as you would with an id document (which is why here ids are relatively short lived and we can get away with ssn equivalents that are for life)


Bingo. In sweden as example our birth date plus 4 unique digits is your nation wide id/ssn. So obviously your ssn is not exactly a secret and instead you also have to proove that you are you with a photo id or online 2FA id.

There's no such thing as loosing your ssn because it is already public.


> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

No one will be paid for their time wasted over ID theft resulting from this breach. That's what "made whole" would mean to me.


> 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

The extent of the potential damages here isn't limited to credit card fraud. Having your SSN leaked along with your name, date of birth, every recent address you've had, etc. opens you up to a lot of other attack vectors.

Furthermore, credit reports can often inadvertently contain information that relates to one's medical history - you can request that this information be obscured or sealed in your report if you find it, but that means that certain medical information is also within the scope of the potential leak.


All of the identities have been stolen. It’s a matter of whether they’re used at this point.


True, but in the US you can not really sue for possible harms. You can only sue for actual harms which can be remedied by the court. Leaking your information isn't a harm the court can remedy. Abuse of the leaked information is a harm the court can remedy.


Fair point. I would argue that Equifax has breached one of the terms of the Fair Credit Reporting Act, and possibly other privacy regulations.


I don’t think that’s a generally accepted legal standard. It seems similar to saying that Edward Snowden and Chelsea Manning only released information, which the courts can’t remedy. If anything bad should happen due to that leak, then the courts can remedy that in the case of the people who committed those acts.

The government is clearly of the opinion that they can and should prosecute people for leaking information which could cause possible harms.

I’m clearly not a lawyer, but these scenarios seem pretty similar to my untrained eye.


The difference is that their intentional leaking of classified information as people with a security clearance is letter of the law illegal. The difference seems huge and obvious to my untrained eye.


To add to this, their acts were intentional. Yes, you're very right that they were very much illegal acts. However, it needn't be intentionally spilled classified information in order to be illegal. Under certain circumstances, even accidental 'spillage' is a felony. Negligent 'spillage' is also very much a felony.

I've been through quite a bit of training and held my clearance for years. I was a victim of the OPM hack. Well, I guess I still am a victim. Mens rea doesn't really apply when handling classified material/data. If it is accidental AND you report it properly, it's not jail - you are so losing your job, however. You also lose your clearance. It has been a while, but I'm pretty sure you lose it forever.


The State prosecuting someone for a crime is not the same thing as a private individual suing another individual for a tort. Basically everything is different: different rules of procedure, different rules of evidence, different standard of proof required, etc. etc.


> The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.

This is not true at all. They simply reverse the charges. Businesses who accepted the fraudulent transaction(s) are on the hook for it. Anyone who runs a business and handles credit card processing can confirm this.


A bank 'absorbing' a cost surely means passing on that cost to consumers in some way.


If there are 140 million members then any settlement will be individually quite modest (Equifax has annual income of ~600 million dollars, so multiple years of all of it to get to even $10).

It does seem like any penalty for something like this should severely impact the ability of the company to operate though.

I suppose a $0 way to penalize them severely would be to force Equifax to allow individuals to opt out of having Equifax store information about them. Lots of people would do so without understanding that it might impact their ability to get a loan, but so what.


But that would also make Equifax's product not that appealing to the companies that would purchase it. So organisations would have to use one of the other agencies as well.


$500 may be high, but $100 would be more reasonable even for those that didn't have their identity stolen, I've already spent an hour researching the hack to figure out what to look for and whether or not I was included in the set of stolen identities.


Do you think that the FCRA punitive damages ($100-$1000 per person) might apply here?


Unlikely since it doesn't appear credit report-related data was leaked, only PII.


The leaked PII makes it trivially easy to obtain the credit report data


There was a class action suit because a company was marking up the cost of the goods / services they were selling? Isn't this just called business?


Most businesses include their markup in their displayed price. Ticket Master was displaying one price and then sneaking in an extra fee later in the process.


You mean, with a coupon book good for 2 free credit reports... except with ridiculous fine print that will prevent 99% of people from using said coupons...


... 2 free credit reports with the purchase of 3 or more credit reports at the usual price


Is that what the lawyers received for taking the Ticketmaster case?


One scenario would be SSN being massively used by pirates, so companies would stop trusting SSN altogether. Let's hope a startup creates a "proof of identity" service with a photo ID with a chip, a code, and an online certificate for tax purpose.


ah lovely "papers please citizen" and what happen when friend computer with all this proof of identity gets hacked.

Maybe the USA needs everyone to have a new ssn and ban with very strict penalties is use by any one other than the state and then only for highly restricted usages as it is in the UK


Considering that Social Security numbers are not secure, and were never intended to be secure, I favor this approach. Unless you’re the federal government, you shouldn’t know or care about my social security number. Idiots are always going to think SSNs are a good UUID, and I’m always in favor of punishing idiots.


almost 20 years ago when working for british telecom we where read the riot act an where told any non permitted use on NI numbers would be considered gross misconduct and you would be sacked on the spot.


> ah lovely "papers please citizen" and what happen when friend computer with all this proof of identity gets hacked.

While it doesn't solve the "papers please" aspect:

1. Card holds biometric data of person, plus PIN. Card is the only thing that holds this.

2. All card does is output "yes or no" if you are you.

3. You have or use a reader for authenticating who you are. The reader takes you biometric data (fingerprint scan, face scan, or something else), and has you enter your pin. It takes this info, hashes it, compares to the stored info, and outputs the "yes" or "no" answer.

Very basic thing here. 3-factor, and the data about you is never stored anywhere, and the card/reader combo does the rest. The data about you never leaves the card (in fact, it can't - it would be write only for that data).

We have all the technology to do this today. What we don't have is the will. So it won't be implemented.

I'm not saying the above is perfect - but it is 3-factor (what you are, what you have, what you know), and that is what is needed most. The information stays with the owner on the card. All transactions can only be done with the card on-hand to prove you are you. You can change the PIN at will, maybe even the biometric data - but both are write-only, and can't leave the card. The card can read in data (an image for the biometric data, and the code for the PIN), but all it does is hash that together, compare it to the stored hash, and output a yes/no.

I'm not saying the above is perfect, and I am sure I have forgotten something. But it - or something like it - is what we ultimately need. But we won't get it. Ever.


If the card outputs "yes" or "no" you are creating new security incidents just waiting to happen - proxying, oracular attacks, faux cards that respond improperly to the binary question, etc. This means that your system is actually two factor, a pin and biometrics. A pin is extremely weak, and for sure biometrics need to be designed and implemented properly.

Also, notice the other subtle dependency that was introduced with the PIN only kept on the card - the PIN might as well not exist.

This is all known. The issue isn't how to design a security system. The issue is the fly by the seat of the pants lack of security with deadline driven products. Those products only appear to implement a feature set and really don't work, just appearing to work in order to achieve the release exit criteria of a minimum viable product. This gets compounded by products hardly ever revisiting their earlier phases, choosing in this case to add new web features instead of hiring a security team.


True only if the papers are issued by government. A private or non-profit scheme, if hacked, could be abandoned within hours and replaced. To post this comment i had to present some virtual ID to a private organization.


Where are the blockchain proponents? Oh, right, this kind of thing isn't a pyramid scheme. It would be a lot of grunt work and wouldn't be worth a VC investment.


I can hear it coming now... A VC backed military contrator is right now creating MilChain and DarpaCoins.


And after some time it'll become apparent it was a CIA front, and ultimately only achieved to fund the latest insurgency in $PLACE


It isn't paranoia if one is right. Sadly, we are both right.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: