
Criminal networks do benefit from bread-and-butter businesses like drug distribution. These innovations likely wouldn't be taking place at all if altering one's own consciousness with substances hadn't been criminalized - when the law is made to be at odds with society, society adapts to being at odds with the law.

But unlike say murder, "identity theft" isn't some serious crime - it's in the same basket as "war on drugs" in that they both attempt to fortify a nonsensical top-down design at odds with the underlying reality. It's arbitrage against a broken authorization paradigm, and will continue as long as banks (et al) choose to just bear the cost rather than actually fix their systems.

How could identity theft need fixed?

"Identity Theft" is a marketing spin on "broken identification". An identity is unique by definition and can't be stolen. But if you use an inadequate identification technique, like my birthday that's on my facebook and everywhere else in combination with my social security number that I have to give out to just about everybody, anyone can acquire those two pieces of information and impersonate me.

The ways to fix it are numerous, but most of them would involve a widely used national identity card that's actually designed for identification (as opposed to social security numbers which were never meant to be used like this). Alternatively have the banks pay fines for each instance of "identity theft" they suffer, and watch how they figure out better ways to identify people (probably verifying them in person).

This is something that has always frustrated me when reading about identity theft in the US. It's a problem that can only be fixed through legislation, yet I haven't heard of any even remotely successful attempts at establishing an official form of identification. Smart cards would be ideal, but even a simple national ID card with a picture would prevent the vast majority of identity theft.

I've done some research around social engineering and the no. 1 thing that stopped us from getting into bank accounts etc. was that to do anything remotely dangerous, you had to present your ID card. Even if you got your hands on someone's IBAN, name, address, bday and national ID number - no card, no deal.

It's not impossible to get fake IDs, but it's a significant investment to do so, which stops the kind of drive-by identity theft I read about from the states.

Strengthening the technicals of verifying identity won't solve it. In fact, doing so will serve as justification to double down on the crutch rather than fixing the root problem of incorrect security assertions, causing the individual victims even more problems.

The real legislation that is needed is to statutorily shore up the banks' liability for the damage their negligence causes. A person that has to deal with fallout from a bank being defrauded (eg repudiating that bank's and surveillance bureaus' libel) should receive a decent hourly wage in liquidated damages.

That's a fair point - more accountability is definitely needed.

But while I agree that tech alone wouldn't fix much, using a single number (with no biometrics whatsoever) for identification is just asking for trouble. Even my bus pass has my picture on it!

Using a simple number for an identity makes sense. Using knowledge of that number to verify identity does not.

The real problem in the US is that for any newly proposed identity system, any protections that keep the private sector from hooking into it for their own commercial surveillance will get scrapped due to lobbying. At present, even social security and license plates are just basic government mandates, but form a foundation for unrestrained commercial actors to implement totalitarian surveillance.

So given that, the sensible freedom-preserving USian position is to be against any new identity systems until some laws have actually been passed to prohibit abuses of the current ones.

> my birthday that's on my facebook and everywhere else in combination with my social security number that I have to give out to just about everybody

And that's generally the best case. Name, state, and birthday are considered unique in a terrifying number of settings, including traffic stops, DMV records, and voter registrations. It's baffling to me that a police officer can 'run a license' and act on the results without making use of the unique ID already provided on the license, but it apparently happens.


One "extreme" way would be for debts to require better documentation in order to be collectible. E.g. the credit card company would have to have an authenticated video of the debtor stating "I am Jane Doe and as of this date, January 14 2019, I owe "Capital One" five hundred dollars." Stealing social security numbers wouldn't be enough to accomplish "identity theft", if that were the requirement.

(Re)design systems so that they rightfully treat eg SSN as a mere database key rather than negligently imagining it some kind of shared secret. How this gets applied and the implications differ for each trust relationship.

For example, if you have a bank account at a brick-and-mortar bank (and haven't set up online access), anybody can obtain online access to that account by going to the bank's website and entering your name, social security number, and maybe the recent account balance. This is in fact the exact process a bank rep does when you open a new account if they set up that access for you, or sometimes they even tell you to go home and do this yourself! Similarly, if you forget your online banking password, you can reset it entirely online with access to your email account, making your email account more trusted than the bank account!

In actuality, your being in the bank in person is the primary trust relationship, and that needs to be leveraged for the above scenarios. So online access should only ever be set up in a branch, and perhaps password resets should even require going down there as well.

(Obviously this is just an example and does not also apply to online-only banks. As I said, the key is to stop treating quasi-public information as a shared secret.)
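
The identifier-versus-secret distinction from the comment above, as an added example that is not part of the thread or any bank's code: the weak flow accepts knowledge of name and SSN as proof, while the other uses the SSN only to locate the record and requires a one-time code issued in person at a branch. The `Bank` class, its method names, the 7-day validity window and the sample SSN are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

ENROLL_TTL = 7 * 24 * 3600  # assumed validity window for a branch-issued code

class Bank:
    def __init__(self):
        self.accounts = {}  # ssn -> record; the SSN is only a lookup key

    def open_account(self, ssn, name):
        self.accounts[ssn] = {"name": name, "enroll": None, "online": False}

    def enroll_online_weak(self, ssn, name):
        """Flow criticized in the comment: quasi-public data acts as the secret."""
        acct = self.accounts.get(ssn)
        ok = acct is not None and acct["name"] == name
        if ok:
            acct["online"] = True
        return ok

    def issue_enrollment_code(self, ssn, now=None):
        """Hypothetical teller action, after checking the customer in person."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Store only the hash and expiry; the code itself goes to the customer.
        self.accounts[ssn]["enroll"] = (digest, now + ENROLL_TTL)
        return code

    def enroll_online(self, ssn, code, now=None):
        """SSN finds the record; only the branch-issued code authenticates."""
        now = time.time() if now is None else now
        acct = self.accounts.get(ssn)
        if acct is None or acct["enroll"] is None:
            return False
        digest, expires = acct["enroll"]
        given = hashlib.sha256(code.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(digest, given):
            return False
        acct["enroll"] = None  # single use: a replayed code is rejected
        acct["online"] = True
        return True
```
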
