Hacker News new | past | comments | ask | show | jobs | submit login

"Identity Theft" is a marketing spin on "broken identification". An identity is unique by definition and can't be stolen. But if you use an inadequate identification technique, like my birthday that's on my facebook and everywhere else in combination with my social security number that I have to give out to just about everybody, anyone can aquire those two pieces of information and impersonate me.

The ways to fix it are numerous, but most of them would involve a widely used national identity card that's actually designed for identification (as opposed to social security numbers which were never meant to be used like this). Alternatively have the banks pay fines for each instance of "identity theft" they suffer, and watch how they figure out better ways to identify people (probably verifying them in person).

This is something that has always frustrated me when reading about identity theft in the US. It's a problem that can only be fixed through legislation, yet I haven't heard of any even remotely successful attempts at establishing an official form of identification. Smart cards would be ideal, but even a simple national ID card with a picture would prevent the vast majority of identity theft.

I've done some research around social engineering and the no. 1 thing that stopped us from getting into bank accounts etc. was that to do anything remotely dangerous, you had to present your ID card. Even if you got your hands on someone's IBAN, name, address, bday and national ID number - no card, no deal.

It's not impossible to get fake IDs, but it's a significant investment to do so, which stops the kind of drive-by identity theft I read about from the states.

Strengthening the technicals of verifying identity won't solve it. In fact, doing so will serve as justification to double down on the crutch rather than fixing the root problem of incorrect security assertions, causing the individual victims even more problems.

The real legislation that is needed is to statutorily shore up the banks' liability for the damage their negligence causes. A person that has to deal with fall out from a bank being defrauded (eg repudiating that bank's and surveillance bureaus' libel) should receive a decent hourly wage in liquidated damages.

That's a fair point - more accountability is definitely needed.

But while I agree that tech alone wouldn't fix much, using a single number (with no biometrics whatsoever) for identification is just asking for trouble. Even my bus pass has my picture on it!

Using a simple number for an identity makes sense. Using knowledge of that number to verify identity does not.

The real problem in the US is that for any newly proposed identity system, any protections that keep the private sector from hooking into it for their own commercial surveillance will get scrapped due to lobbying. At the present, even social security and license plates are just basic government mandates, but form a foundation for unrestrained commercial actors to implement totalitarian surveillance.

So given that, the sensible freedom-preserving USian position is to be against any new identity systems until some laws have actually been passed to prohibit abuses of the current ones.

> my birthday that's on my facebook and everywhere else in combination with my social security number that I have to give out to just about everybody

And that's generally the best case. Name, state, and birthday are considered unique in a terrifying number of settings, including traffic stops, DMV records, and voter registrations. It's baffling to me that a police officer can 'run a license' and act on the results without making use of the unique ID already provided on the license, but it apparently happens.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact