I think the entire credit system needs to be changed. If credit bureaus can't be responsible then citizens should get a choice in the matter. These companies have us by the balls and we have no recourse. It's a monopoly complete with price fixing and everything, except the price is privacy and you don't get any options.
It reminds me of an episode of Hotel Hell I saw where the front desk stored all guest credit card numbers, expiration date, and security code in a white lined notebook unlocked behind the counter. Gordon Ramsay walks up to an unstaffed counter, grabs the book, and walks off with it.
Now imagine that the hotel blatantly admits to not giving a shit about your credit card details, and you don't have the option of checking out and taking your business elsewhere.
The congresswoman asked the Equifax CEO to provide his birthday and social security number publicly for the record. He of course refused and when asked why, he said because that is sensitive information.
All the while, Equifax attorneys are arguing in court that there is no harm in leaking private data like SSNs and thus they shouldn't be held liable for any damages.
So where are the inquiries? Where are the task forces? Where are the subpoenas? Where are the subcommittees? It's been over a year. Are you confident with "changes will come at a later date"? Seems to me like changes will happen never.
My point is one shouldn't expect immediate effects from a congressional hearing. They are merely the start of a long process that can get derailed at many points along the way.
Some politicians got an opportunity to issue strong statements that they can later leverage during reelection?
Some examples either me or my husband have gotten:
-What month was [person] born? [person] was my mom and one option was "I don't know [person]." Luckily they didn't ask the date, because I don't know that, but I do know the month.
-Which of the following people are/were you associated with?, my ex-roommate as one of the answers. Makes sense to connect us if we had the same address at the same time.
-Which of the following people are/were you associated with?, my ex as one of the answers. This one baffled me because we never lived together and never had a bank account or loan together.
-Which town did/does [person] live in? Where [person] was my husband's brother. Of course, useless if everyone still lives in their hometown.
I've also been asked about the previous cars I've owned, which are from DMV and insurance databases, not credit reports.
The entire concept of KBA is flawed and pretty shitty all around.
I literally have no way to know which one of these they think is correct. At least 2 of them were correct at some point, depending on how up-to-date the data was, and the last three were indistinguishable, even when looking at my actual statements for my loan... So I failed out of my KBAs 4 straight times because they kept giving different variants of the same question, just with different sets of answers, until I could Venn diagram out which one must be right because it was the only one that came up in all 4.
Then, of course, what if you get a question about your sister when she's toxic and you've cut her out of your life. Or even just naturally lost touch with her over the years.
When I was a kid I was briefly a ward of the court. During that time, I had an official address that was not where I actually lived, and somehow the credit bureaus got ahold of that information.
So whenever I need to answer the suite of questions for identity verification, if I get the "which of these places have you lived", there's a good chance I won't know the answer, because I was a kid and never actually lived there.
So when that happens, I guess at one of the addresses, inevitably get it wrong, fail my own identity verification process, and need to jump through a ton of hoops to either re-try the process and hope I don't get that question, or verify my identity another way.
It should be free (apart from postage).
I've had online car insurance instant-quote systems show me a list including both my current and previously owned cars with just a name and address, so that's encouraging that it's being used as a critical authentication measure.
Yikes. Where did they get that from? I wonder if they also collected tons of info from FaceBook like it seems everyone else has.
We never had an insurance policy together or anything else like that either.
What's weird is that they get this information from random sources and use it for verification without verifying it's actually accurate first. That's just bonkers.
Beneficiary, certainly not, I was in college, broke as fuck, and living on student loans, didn't have any sort of assets to speak of (besides a $900 car), no retirement accounts or insurance policies (besides the minimum liability insurance required by the state).
That's aside from the fact that Equifax's site has never worked right for me anyway, and doesn't accept my information. Never been able to pull my report online from them. The other two major agencies work fine.
Yesterday, when opening a savings account with a major US financial institution, one of the KBA questions asked for my Zodiac sign. The other two were about a mortgage and the year I was born (±1 year). I do not understand why any competent institution would find these secure and it appalls me that is all the information needed to open an account in my name.
Edit: Here is the screenshot https://i.imgur.com/Mr8gOOA.jpg
They won't open a joint savings account for my wife and I because my wife doesn't have a phone bill in her own name "for verification." (We've been on the same Southwestern Bell/Cingular/AT&T, recently T-Mobile, family plan for the past, oh, fifteen years, and it's under solely my name because of employer discounts.)
When I mentioned this to the rep, she told both of us--we were all on speakerphone--that my wife could send in a copy of her driver license. Except Washington doesn't require us to get new licenses when moving and the address on both of our licenses is both the same...and four years out of date.
I get the need for ID verification but funny how we never run into this problem when my wife wants to borrow money in her own name. No one has ever cared about her license or a phone bill when she's taken out credit cards.
When I pointed out that a) he called me and b) this is, quite literally, exactly how scam calls trying to steal money go, he got upset at how I wouldn't "believe him." I told him that's exactly what a scammer would say and hung up.
My "private" information has been leaked to other governments and various malicious actors at least six times, just in 2018, so I'm a little more wary than I used to be and that pissed me off.
I then called Chase and asked if it really was them that called, and they confirmed it was actually them. But then they also apologized and resumed the previous call from where I hung up.
It was just nice to not be judged for being cautious.
I have multiple Chase accounts in multiple tiers (business, etc...), so my guess is what kind of contact you get depends on the nature of the account.
I see it less as CYA and more as "we can make money off of you so the requirements are relaxed because we're making money"--that is, lending money that she'll presumably pay interest to borrow--versus "oh shit you want to put $1,000 in an account and our bank pay you better do the fifteenth degree."
One day these requirements are going to get out of hand. :D
It says it does here: https://www.dol.wa.gov/driverslicense/moving.html
The "security questions" you choose your answers, in "knowledge-based authentication" the questions and answers are generated based on the information on your credit reports and other databases, such as insurance databases. You don't make up answers, they already know the answers.
Wikipedia refers to "security questions" as "Static KBA".
So, for example, if you always went by "Ron Weasley", having your driver's license, your utility bills, your apartment lease, your animagus registration, and so on all under that name, but your name in their records was "Ronald Weasley", you would be out of luck.
Correct is too easy to guess.
Obviously wrong will be recognised by the customer service representative, who is a kind person, and will help you out by just disabling the question (anecdotes galore for this, to the point we can call it data).
Lie, in a believable way. Put the answer in a password manager. Open your password manager up before calling any CS rep. Be a star in the security theatre. :)
I look forward to password managers including generators for your birth date, family tree, childhood friends, favorite color and maybe also social security number, name and address if those aren't actually required for anything. Then you can have a value for your mother's maiden name that isn't incredibly common, but nonetheless looks like an actual person's name.
Q: Where were you on New Year's Eve in 1999?
Depending on the sources I scanned on the first two pages of results, the cutoff is somewhere between November 2 and November 21.
The thing is, the cost of identity theft of consumers to credit reporting companies is less than the cost to actually adopt secure methods to judge one's credit.
Apparently my bank checks cheques.
I once had to deposit cash in my own account but in a different city in India. It was free if I deposited it, but fees for anybody third party. Cashier told me my signature doesn't match with what's on file and thus either I need to re-sign or need to pay fees.
Here in US I have seen policies in Stores saying we accept check, but we will one-time use the account & routing number on check to pull the amount. I am so confused if by merely giving someone a cheque they are able to "pull" money from just two numbers, and can do it for any amount & any number of times.
That is exactly how checks work. It's optimized for happy-path, with a big mess of a process to handle fraud. The cash equivalent would be to carry a bucket with all your money and when you pay, you present your bucket so that the shop can pull out the amount you and them agreed on.
"Default trust" actually works in our economy. And because of that, friction can be low and things Just Work.
Default trust / happy-path optimization in turn works because of the backstop of a strong legal system, fairly clear precedent, and reasonably well defined property rights. Think: UCC across states; standardized Delaware Chancery precedent; etc.
One reason I'm not a cryptocurrency or smart contracts believer is that the robust exception-handling backstop we have in the US is a mostly-invisible but super-valuable resource.
I find the cryptocurrency "space" fascinating for reasons like this. Because cryptocurrency gets rid of so many of societies long-evolved backstops, it is a perfect demonstration of why our society is structured the way it is and shows exactly what happens when we remove many of its features (eg: removing "trust" is very expensive).
Does it though? I think there's a reason we've stopped accepting cheques - cheques were the best "easy" way to transfer relatively large sums of money at once, now that we're past that and have more secure credit and debit cards cheques are becoming banned. I don't think it was optimized for "happy path" per se, but just for convenience and was the only technology we could manage at the time.
> Does it though? I think there's a reason we've stopped accepting cheques
That's a very specific issue but this is a pretty general fact. With respect to checks, people still write and accept checks, we just have more convenient payment methods. Also checks are still the easy way to transfer large sums of money at many banks. More generally though, just look at how much can be done with a signature under penalty of perjury, and how relatively rarely these are forged. The trust-based system really works decently well in the US.
Humans are great at rallying and pushing and making change when they identify something as wrong in their direct lives. We work as hard as possible, and develop solutions (vaccines, a strong legal backstop). Then, all is well, and the problems we solved are no longer part of our lives because the system works.
Years later a vocal minority becomes very suspicious (they're inflating away my wealth!, autism!) and tries to overhaul the system. Then they learn why we do things the way we do (scams/manipulation/etc, measles) the hard way.
One of mine, too; though only sporadically, it seems.
Now those people at the Board of Elections are hard-core about signatures. I've been hassled twice when trying to vote because my signature on their pad didn't match what is in their records.
I have a "good" signature, and one that looks like a doctor writing a prescription. I have no idea which one they're looking for.
I can tell you that I’ve faked a signature in harmless situations a number of times and nobody was the wiser.
You're technically supposed to sign and endorse the back of every check you electronically deposit; I have never done this since my bank offered mobile deposit and have never had a check rejected. It honestly just makes me sad.
Things like "What's your favorite flavor of ice cream?" Well, I dunno. It depends on my mood.
Or "What if your favorite vacation destination?" Another bad question because my favorite today may not be my favorite when I get back from the next place.
Unfortunately they were all mandatory — there wasn't an option to pick only the sane ones; all ten had to be answered.
Most of them felt more like marketing trying to build a profile on me rather than IT trying to keep my data secure.
Can't do that with United.
The answers are drop-downs.
Whenever I'm confronted with surveillance-based "identification" and I'm unable to just choose a better option like receiving a letter in the mail, I make sure to only answer questions that can be directly deduced from the basic information I've already entered, or otherwise researched online (like the ones about what street is in what city). When confronted with questions about past addresses and whatnot, I make sure to answer "don't know" lest I confirm something they actually aren't so sure of.
I haven't had any problems as a result of doing this. I wouldn't be surprised if there is some "confidence" score based on how much the surveillance databases have actually recorded about you, and even if they aren't super confident will still supply a pass result to keep the client from losing customers.
I would rather be asked my Zodiac sign, although that is definitely weird.
You shouldn't have to spend time doing research on different versions of road names to prove my identity. That's absurd. I can imagine some dystopian future where I'm strapped to a chair and my kidnapper is demanding I answer to obscure names of highways as my only reprieve from torture.
* Decreases the number of bots able to get into your account
* Makes it harder for a foreign agent with limited knowledge of English to do the same.
No, I did not write that question for you to answer.
For my view, that's ideal: people should put real, explicit thought into obtaining new credit or debt products. It's too easy right now, especially with products like Credit Karma trivializing getting new credit cards.
This is why we need to legislate these companies now, and re-incentivize them to do the right thing.
It'd make the CRAs, various other financial institutions (credit card companies, banks), and the tech giants all stop doing a bunch of the most harmful crap they're getting up to. Or else actually pay what it takes to keep everything really secure, while ditching any data they don't absolutely have to have to operate.
A better way to start this conversation (imo) would be to make reference to the many mistakes Equifax has made over the years and ask what is preventing Equifax from facing real consequences, such as being shutdown?
It's the effort that people place into having genuine conversations that keeps me coming back here and not just hanging around Twitter and Reddit. If someone wants to be lazy and still get online validation, there are communities for that and if you want to have a real conversation here, but don't have the time/energy to start it properly then all you have to do is wait a few minutes and someone who does, will.
Either take the time to contribute meaningfully or don't comment at all.
Anything else is pollution.
In contrast to a low-effort farting of "break 'em up!" for karma. That doesn't bring anything new to the conversation.
The consequences of shutting down just Equifax are relatively mundane: lenders and other customers of Equifax take their business elsewhere, and Equifax's competitors have some motivation to be a bit better lest they suffer the same fate. The industry as a whole would get along just fine. The less realistic and more extreme hypothetical that you want to debate is irrelevant here.
My argument was in my last sentence, in response to the defense of pithy comments that millions already beat to death six months ago. I'm arguing neither for nor against the shutdown of Equifax.
Equifax is the worst. You can call them and ask to buy lists of names, addresses and phone numbers of people matching certain financial criteria. Facebook would look dull in comparison if people knew the extent of the Equifax abuse of privacy.
Don't be silly. The long arm of Equifax has a finite length. We know where they get their data from and you have to at least pretend to "consent" to provide it to them by initiating a financial transaction. The Breach aside, there are federal laws (FCRA, etc.) governing willful dissemination of the data they have on you, and the scope of the data they collect is entirely financial.
None of this applies to Facebook/Google. There is no "consent" or opting-in to their lifestyle intelligence pool. You start building a dossier a few seconds after venturing onto the internet for the first time.
Your name ending up on a list of middle-to-upper-class sales leads is not a crime against humanity. There are many other ways to get the same data, starting with public records.
They provide safety for lenders, which allows those lenders to offer you cheaper prices. Is that worth it? Not sure personally, but I don't think it's fair to say that they are totally without benefit.
I'm afraid I don't understand your logic.
Again, I find that this only reinforces the fact that SSNs are not a useful identification system because there's nothing secure about them. Can someone explain where attackers obtain SSN/DOB data with such a widespread success rate?
Any good replacement should start with a set of APIs specifically targeting financial institutions/credit. Give the consumer a random, easily rotatable, numeric key (e.g. "14830-29928-8921-29"). The key + API can return a unique ID, but a unique ID cannot return its corresponding key (i.e. single directional flow).
The unique ID never changes for a given individual. If the consumer's key is lost, stolen, or breached the key can be re-issued and old one expired.
Make it illegal to store the numeric key itself in a database for long periods. Only the resultant Unique ID can be held. You'd never request from the consumer the Unique ID itself (otherwise it itself would become the new SSN); only their key for API verification.
Why is this a secure system? The information companies would store (Unique ID) is not the same information they need to process a new credit requests (Key).
Meaning the piece of information that identity thieves need to steal is short lived, and the long lived info cannot convert back to the short lived.
EDIT: Thinking about this more, it seems like a much harder problem than this quipped solution gives credit for. The agency wishing to validate a generated key would need to have enough identifying information to isolate a single row in the centralized database to validate the token. Because we don't want every token assigned to John Smith to validate every John Smith. So now this centralized database needs to have something that's unique to every single row... Or, in other words, the same problem as SSNs have to start with.
It replaces cardboard cards with a SSN on them, with a cardboard card with a longer randomly generated key on it. There's no electronics involved from the consumer's perspective at all.
The key is provided on your e.g. loan application. The financial institution sends that key to the government via API, and receives back a Unique ID assigned to you as an individual that never changes. The financial institution should then dispose of the key you provided them.
The Unique ID is essentially used like an SSN; but the major differences are:
- The consumer never provides it directly
- The consumer's version of it (key) can be rotated freely
- If the Unique ID itself leaks it has no value, since the API Cycle (i.e. Key -> Unique ID) is part of the system that financial institutions would use, supplying the Unique ID would just throw an error (since it isn't a valid key).
So it is completely different from SecurID, and is more akin to SSNs with most of the core issues resolved. Issuing cardboard cards with numbers on them isn't inherently complex, and is what we're already doing.
The most challenging part is getting financial institutions to implement the API calls and update application forms. You'd also have to remain vigilant that they aren't storing the Keys themselves longer than absolutely necessary.
1. Client holds key.
2. Client exchanges key with central agency for token. Token expires after a short time period, making long-term storage and leaks useless.
3. Client gives token to company.
4. Company validates token with central agency.
And now we've reinvented OpenID. And SecurID is nothing but a piece of hardware that can perform (2) in a decentralized manner. We could maybe modify (4) to potentially be more useful for this specific use-case:
4. Company exchanges client identity token with central agency for a validation token that can be stored long-term. Validation token signifies that an identity token was received and exchanged, for legal purposes.
What I don't know is how to protect this validation token from becoming valuable beyond the above use-case. If it's proof of something, then it becomes valuable for that proof... So it would have to be scope-limited in ways that make it useless for proving anything other than that exact exchange. Off the top of my head, obvious scope limitations are: client, company, and timestamp.
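The rotatable key / Unique ID scheme proposed earlier in the thread and the token exchange sketched in the comment above, simulated in one place as an added example (this is not code from any commenter). It assumes a hypothetical central agency with an HMAC secret of its own, a constructed key format modelled on the "14830-29928-8921-29" style, and a validation token scoped to (client, company, timestamp); the identity token is single-use and short-lived, and presenting a Unique ID where a key is expected is rejected.

```python
import hashlib
import hmac
import secrets
import time


def _format_key(raw: int) -> str:
    # Constructed format, modelled on the thread's "14830-29928-8921-29" example.
    d = f"{raw:018d}"
    return f"{d[:5]}-{d[5:10]}-{d[10:14]}-{d[14:]}"


class CentralAuthority:
    """Hypothetical central agency: the only place the key <-> Unique ID map lives."""

    def __init__(self, identity_token_lifetime: int = 300):
        self._key_for_uid = {}      # uid -> currently valid consumer key
        self._uid_for_key = {}      # key -> uid, active keys only
        self._pending = {}          # identity-token nonce -> (uid, expiry)
        self._secret = secrets.token_bytes(32)   # never leaves the agency
        self.identity_token_lifetime = identity_token_lifetime

    # --- enrolment and rotation (the "cardboard card" part) ---
    def enroll(self):
        uid = "UID-" + secrets.token_hex(8)      # permanent, not a secret
        return uid, self._issue_key(uid)

    def _issue_key(self, uid):
        key = _format_key(secrets.randbelow(10 ** 18))
        self._key_for_uid[uid] = key
        self._uid_for_key[key] = uid
        return key

    def rotate_key(self, uid):
        """Expire the current key (e.g. at licence renewal) and issue a new one."""
        del self._uid_for_key[self._key_for_uid[uid]]
        return self._issue_key(uid)

    # --- step 2: key -> Unique ID is one-way; a UID is not a valid key ---
    def exchange_key(self, key):
        if key not in self._uid_for_key:
            raise PermissionError("not a valid consumer key")
        return self._uid_for_key[key]

    def issue_identity_token(self, key, now=None):
        """Short-lived, single-use value the client hands to the company instead of the key."""
        uid = self.exchange_key(key)
        now = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (uid, now + self.identity_token_lifetime)
        return nonce

    # --- step 4: company swaps the identity token for a scoped validation token ---
    def _tag(self, uid, company, ts):
        msg = f"{uid}|{company}|{ts}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def exchange_identity_token(self, nonce, company, now=None):
        now = int(time.time() if now is None else now)
        uid, expiry = self._pending.pop(nonce, (None, 0))   # pop => single use
        if uid is None or now > expiry:
            raise PermissionError("identity token unknown, expired or already used")
        return {"uid": uid, "company": company, "ts": now,
                "tag": self._tag(uid, company, now)}

    def verify_validation_token(self, token, company):
        """Long-term proof, but only for the (client, company, timestamp) it names."""
        if token["company"] != company:
            return False
        expected = self._tag(token["uid"], token["company"], token["ts"])
        return hmac.compare_digest(expected, token["tag"])


def accepts_key(agency, value) -> bool:
    """True if the agency treats `value` as a currently valid consumer key."""
    try:
        agency.exchange_key(value)
        return True
    except PermissionError:
        return False


def try_exchange(agency, nonce, company, now=None):
    """Company-side helper: validation token on success, None if the agency refuses."""
    try:
        return agency.exchange_identity_token(nonce, company, now)
    except PermissionError:
        return None


if __name__ == "__main__":
    agency = CentralAuthority()
    uid, key = agency.enroll()
    nonce = agency.issue_identity_token(key)
    proof = try_exchange(agency, nonce, "ExampleBank")
    print("bank holds:", proof)
    print("uid usable as key:", accepts_key(agency, uid))
    print("old key after rotation:", agency.rotate_key(uid) != key and not accepts_key(agency, key))
```

The tests below are the properties the thread argues about: the Unique ID is useless as a key, the identity token cannot be replayed or used after expiry, a proof for one company fails for another, and rotation kills the old key.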
Bonus points: have tokens issued in XXX-XX-XXXX format so that existing systems don’t have to change anything- it’s still a SSN of sorts, just one time use.
In the first post I said quite the opposite:
> Make it illegal to store the numeric key itself in a database for long periods.
Using actual electronic tokens is impractical due to the costs. Even assuming just $1/each we're talking conservatively almost half a billion dollars (inc. shipping), and the upkeep would be similarly high.
The proposal above 1:1 replaces the system we have and are already paying for while solving most of the major weaknesses.
Multiple smartcard-like systems have failed spectacularly in other countries, a SecurID-like token would suffer from many of the same issues.
The only thing that makes SSNs bad static secrets is that you should basically assume yours has been leaked at this point. Like others have said in this thread, they're not bad identifiers, but they're a terrible choice for confirming identity.
Your system is just another static piece of data to keep secret. Which is where SSNs started when this crazy train kicked off. And no, "rotation" is not the secret sauce, because SSNs can already be rotated under certain circumstances.
I also don't understand how the "unique ID" doesn't have value. OK, you can't confirm an identity with it on the centralized system. But as far as I can tell, it basically serves as proof that you did confirm the identity. There's no way to distinguish between "obtained unique ID via the key and thereby proved identity" and "obtained unique ID via any other method and thereby did not prove identity".
I just described a system that is neither fully static nor fully dynamic. It has a static part (Unique ID) and a semi-dynamic part (numerical key) that can rotate as needed.
> Your system is just another static piece of data to keep secret.
Keys can be rotated as needed. For example with driver's license renewals. The Unique ID is static but it isn't security sensitive.
> I also don't understand how the "unique ID" doesn't have value.
Because having it doesn't give you the ability to open a bank account, take out a loan, or receive a benefit. It is used by the financial institutions to tie actions to an identity, nothing more.
The actual validation of identity occurs with the key and API, the Unique ID is simply the result.
> There's no way to distinguish between "obtained unique ID via the key and thereby proved identity" and "obtained unique ID via any other method and thereby did not prove identity".
The action of retrieving the Unique ID is more important for verifying identity than the actual Unique ID itself. You could steal a Unique ID but that isn't useful, and there wouldn't be another way of obtaining one.
If the secret sauce is key rotation, then the best strategy is to rotate for every use. Building that strategy into the system basically results in OpenID. Take OpenID and allow the client to generate tokens offline, and that's SecurID.
And I still see value in the unique IDs, because they serve as a type of proof that key exchange has taken place. How does the bank go to court and demonstrate that the individual has validated their identity? The best way is to retain the key. Oh, but we're supposing that's illegal. So instead they'll show the unique ID and say, well then how did I get this unique ID?
I don't think you're applying enough hacker mentality to this. If we're going to approach this problem, let's approach it with the full capabilities that modern cryptography gives us. There's no reason to share a secret with the company and extend trust to them; we already know how to securely share a secret between two endpoints (client and central authority) through untrusted middle men (company).
How are you paying for giving out half a billion SecurID-like tokens?
I'm talking about a code that can be printed on your driver's license, you're talking about a piece of electronics that has to be shipped to every person in the US, the logical differences are stark.
Also, soft tokens are a thing and are basically free to generate. I've got several loaded on my phone right now, and have the code backed up in my password vault.
Also also, printing secret codes on drivers licenses seems like an amazingly bad idea... Every bar bouncer I interact with sees that thing!
Which negates the whole benefit of having short lived secrets, which was the whole crux of why you were suggesting it.
> Also, soft tokens are a thing and are basically free to generate.
So now instead of buying every citizen in the US a token we're buying every citizen a smartphone or legally requiring them to have one? Seems problematic.
> Also also, printing secret codes on drivers licenses seems like an amazingly bad idea...
Then print them on a separate sheet of cardboard. Still a massive order of magnitude cheaper than what you're suggesting which could range from $0.5-20B+ depending on implementation.
I'm suggesting a more flexible SSN that solves the major issues we are already facing. You're suggesting a token based system without actual tokens, smartphone apps without actual smartphones, and printed lists of codes.
There's nothing about the former system that requires the things you are stuck on. (And I honestly think you're just being stubborn for some reason, because I'm pretty sure you understand the idea I'm conveying.) You could do it over the phone using a touch-tone system. You could do it through a website. You could do it with an app. You could do it with a hard or soft token. You could do it with a smartcard. The only requirement is that you are capable of telling your secret to the central authority in exchange for a token, in a way that it is very difficult for others to observe. Or, alternatively, to have come to an agreement about how to generate such tokens offline.
But the important part is that in the system I'm talking about, you get a secret value from a central authority. And then you don't tell anyone that secret except that same central authority. Everyone else sees temporary values that are useless if saved -- no pinky promises and laws required.
Indeed I do, it is logistically absurd. I'm talking about replacing one piece of cardboard with a different, more secure, piece of cardboard that resolves actual problems we have today. You're talking about smartphones, tokens, calling in, and a million other complex workarounds all in the name of hypothetical security.
I'd love to see you try to explain your system to an elderly or disabled person. I can explain mine: "Instead of giving them your SSN card, give them this card instead." Done. One sentence. That's literally all they have to know.
Plus your scheme has a huge hole. The second you moved away from physical tokens (which you now seem to acknowledge is unaffordable) to smartphones and now regular phones, you need a way to authenticate who you are. Which means you'll be giving people credentials, which can then be lost, stolen, or requested from vendors creating exactly the same issues we started with.
In other words you've managed to create an expensive logistical nightmare that the general public will hate all in the name of hypothetical security benefits that won't even work in practice. Neat.
And you're talking about zero improvement in security stance. You could literally implement your idea by just making it illegal to store SSNs, because that's the only salient point where you've improved over current state.
> I'd love to see you try to explain your system to an elderly or disabled person. I can explain mine: "Instead of giving them your SSN card, give them this card instead." Done. One sentence. That's literally all they have to know.
Print card with secret. Give them card. Card has phone number on it. Call the number. It asks for what's on the card. You enter it. You get another number. Give that to the person asking.
Also print on the card to not give the card or the number on it to anyone.
> Plus your scheme has a huge hole. The second you moved away from physical tokens (which you now seem to acknowledge is unaffordable) to smartphones and now regular phones, you need a way to authenticate who you are. Which means you'll be giving people credentials, which can then be lost, stolen, or requested from vendors creating exactly the same issues we started with.
Physical tokens are a "something you have". So is a piece of cardboard. If there's no need to authenticate a hardware token, there's also no need to authenticate a number on a piece of cardboard. And there's no reduction in security stance by doing so.
Also, I make no acknowledgement of the in-/affordability of tokens. Rather, I assert that you can simultaneously support multi-modal methods of exchanging a secret for a token.
> In other words you've managed to create an expensive logistical nightmare that the general public will hate all in the name of hypothetical security benefits that won't even work in practice. Neat.
Really? My proposal is literally the same mechanism by which OpenID and web tokens work... And I'm done because I don't know how to work with someone whose idea of a good security posture is to give away secrets to people who ask for them.
Rotatable consumer keys. Mitigating the danger of vendor hacks/leaks. Both are the main problems with SSNs today.
> You could literally implement your idea by just making it illegal to store SSNs, because that's the only salient point where you've improved over current state.
SSNs cannot be rotated. SSNs have already leaked. Stealing an SSN allows you to open accounts/credit/etc neither of which my proposal allows.
I'm wondering if you've even read my proposal. Either you haven't or you're pretending you haven't, in either case it seems bad faith.
> It asks for what's on the card. Also print on the card to not give the card or the number on it to anyone.
So this card of yours is identical to existing SSNs. SSN cards even contain that exact text. You need to go back to the drawing board (or just read my proposal and think about it a little).
> Physical tokens are a "something you have".
So now we're back to spending billions on physical tokens? How are you funding it?
> My proposal is literally the same mechanism by which OpenID and web tokens work...
OpenID won't scale to half a billion people, it isn't affordable or practical. Something you've already conceded, that's why you're talking about calling a phone number using your SSN-v2 secret.
> And I'm done because I don't know how to work with someone whose idea of a good security posture is give away secrets to people who ask for them.
We're on the tenth post and you still haven't even read my proposal, that isn't something in it, and you'd know that if you had taken the time to read it.
You really aren't discussing in good faith here.
This statement seems to be about the only thing we agree on. You keep shifting your goalposts or simply repeating "but rotation!" when I've already addressed exactly that.
If that was all it (SSN) was used for, a "unique-id", it would work ok for that usage.
The problem is that far too many companies also make use of the SSN as a "secret only you know" to authenticate that you are in fact the individual identified by the SSN. I.e., your "login name" is identical to your "password". It is this misuse that leads to the problems around SSNs.
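The two ideas above (the "print a secret on a card, trade it for a number you hand to the vendor" scheme from the earlier exchange, and the "login name is identical to password" point in this comment) can be shown side by side in code. What follows is an added example, not code posted by anyone in the thread: first the anti-pattern where knowing the record is the whole check, then a small token issuer where the identifier stays public, the secret stays between user and issuer, and a vendor only ever receives a single-use, vendor-bound, short-lived token it must redeem with the issuer. The class name, the record format, the 300-second lifetime and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# --- Anti-pattern: the identifier doubles as the secret.
# Constructed sample of a vendor's customer table. Anyone holding a copy of
# this table (a breach, a data-broker purchase) passes the check below.
VENDOR_RECORDS = {"123-45-6789": {"name": "A. Example", "dob": "1980-01-01"}}


def authenticate_with_ssn(ssn, dob):
    """True if the caller can recite the SSN and DOB on file. Knowledge of the
    record *is* the credential, so every leaked record is a working login."""
    rec = VENDOR_RECORDS.get(ssn)
    return rec is not None and hmac.compare_digest(rec["dob"], dob)


# --- Derived, rotatable tokens (hypothetical issuer; names are assumptions).
class TokenIssuer:
    TOKEN_TTL = 300  # seconds a token stays redeemable (assumed value)

    def __init__(self):
        self._secret_hash = {}  # identifier -> sha256(secret); never the secret
        self._tokens = {}       # token -> {identifier, vendor, expires, used}

    def enroll(self, identifier):
        """Issue the user's secret (the thing printed on the card). Only a
        hash is kept server-side, so an issuer breach does not leak secrets."""
        secret = secrets.token_hex(16)
        self._secret_hash[identifier] = hashlib.sha256(secret.encode()).digest()
        return secret

    rotate = enroll  # rotation is re-enrolment: the old secret stops working

    def issue_token(self, identifier, secret, vendor, now=None):
        """User step: exchange the secret for a token that works once, for one
        named vendor, for TOKEN_TTL seconds. The vendor never sees the secret."""
        now = time.time() if now is None else now
        expected = self._secret_hash.get(identifier)
        given = hashlib.sha256(secret.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            raise PermissionError("bad identifier or secret")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"identifier": identifier, "vendor": vendor,
                               "expires": now + self.TOKEN_TTL, "used": False}
        return token

    def redeem(self, token, vendor, now=None):
        """Vendor step: returns the identifier the token vouches for, or None
        if the token is unknown, meant for another vendor, expired or already
        used. A vendor database full of redeemed tokens is worthless to a thief."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if (rec is None or rec["used"] or rec["vendor"] != vendor
                or now > rec["expires"]):
            return None
        rec["used"] = True
        return rec["identifier"]


if __name__ == "__main__":
    issuer = TokenIssuer()
    card_secret = issuer.enroll("123-45-6789")          # printed on the card
    tok = issuer.issue_token("123-45-6789", card_secret, "acme-credit")
    print("vendor sees:", tok)
    print("first redeem:", issuer.redeem(tok, "acme-credit"))   # identifier
    print("replay:", issuer.redeem(tok, "acme-credit"))         # None
```

The identifier (here still an SSN-shaped string) is deliberately public in the second half; it only says who the token is about. What the thread calls "rotation" is the `rotate` call: the card is reprinted, the old secret dies, and nothing a vendor ever stored becomes reusable, which is exactly the property a static SSN cannot have.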
OK, fine, whatever, except this is the same even for controlled substances. Which is quite weird considering all the other regulations around controlled substances. One time I had to get rid of some excess oxycodone after a surgery, I ended up having to go into a little booth at the sheriff's department where they had a drop box and a sheriff's deputy sitting at a desk behind a window watching me. But all my wife needed to pick it up in the first place was my name and DOB.
 - https://www.pcworld.com/article/3004654/a-tale-of-two-women-...
No. It's sufficient for identifying someone, but not at all sufficient (not even close) for verifying someone is who they say they are.
SSN as a user identifier - to uniquely describe an entity
Actual PKI including a secure public/private key with a signature from a trusted agent (like a government ID authority), and maybe also web-of-trust signatures? THAT is what is required to securely sign things.
I'd imagine it's trivial to pretend to be a cop and just purchase access to this stuff, not that it's going to be hard to hack most police departments either.
On the non-trivial side: I was doing a startup where we sublet from a law firm. We had an on-site audit by someone who came in and we were cautioned that we had to have an independently locking door on our office. We also had to give a reasonably thorough explanation of what we wanted to do with the data and certify, as well as convince the auditor, that we would be using it for GLBA (anti-fraud in financial transactions) purposes.
We actually failed one of the audits the first time because some paperwork wasn't in place (I think we had changed the Delaware company name and not re-filed something, like our local jurisdiction foreign corporate registration, in the new name).
On the not comforting side: the sales reps for these products have full access and will let you do lookups and surf through on whatever. 100% unmasked details on any numbers you want. DMV, aircraft, SSN, judgments, etc., all linked and at the ready.
Also, GLBA is a giant Sherman-tank sized loophole that means that essentially anybody can fully legally use these databases as long as there's some cognizable financial transaction that you're protecting from fraud (even proactively / research wise).
So no, you can't just "pretend to be a cop" but if you actually go to the trouble of being some sort of fraud-prevention business, you can just go wild.
>An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.
>An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.
>Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.
>Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.
>In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.
So, yeah. I bet you could obtain tons of SSNs from fucking Lenscrafters if you wanted to.
So there must be a workaround that relies on verifying identity, based on non-random information (e.g. no PINs, no passwords).
They've made it too easy, but until we can request that a credit agency blacklist an SSN and forget all associated information, this will keep happening.
She tosses around the word security, but really what she is saying is that Equifax decided to make the experience as simple as possible because having people create accounts with them without the need for boosting CSR headcount is more important than securing those accounts.
>Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.
>“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.
I complained about this to my old bank (Wells Fargo) and they told me not to worry about it because I'm protected from fraud.
Usually anyplace that has a limit less than 512 characters (often 1024, but some string buffers are small) or on the characters you can use, at all, isn't doing it right.
I don't for a second believe that's why my.equifax.com is doing it. It's certainly not why there's a 20 character limit. (I personally use 64 char passwords wherever such long ones are allowed.)
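To make the point about length and character limits concrete: a password that is hashed properly never needs a 20-character cap or a restricted alphabet, because the hash consumes arbitrary bytes and the only limit worth having is a generous byte cap that bounds CPU cost per attempt. The following is an added example (not code from Equifax or from anyone in the thread) using only the Python standard library; the 1024-byte cap, the iteration count and the stored-string format are assumptions chosen for illustration. PBKDF2-SHA256 is used here because it is always available in `hashlib`; a deployment would more likely pick scrypt or Argon2.

```python
import hashlib
import os
import secrets
import unicodedata

# DoS bound only: nothing about the hash needs a shorter limit (assumed value).
MAX_PASSWORD_BYTES = 1024
# Work factor for new hashes (assumed value; tune to hardware).
ITERATIONS = 600_000


def normalize(password: str) -> bytes:
    """NFKC-normalise so visually identical Unicode spellings hash the same,
    then UTF-8 encode. No character is rejected; only the byte length is
    checked, and only to keep a single verification cheap."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return data


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing stored string: algorithm, work factor, salt,
    derived key. The salt is random per password; the work factor is stored
    so it can be raised later without breaking existing records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant
    time. Any length and any character the user typed round-trips exactly."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample: 64+ characters, spaces, quotes, angle brackets, emoji.
    pw = "correct horse battery staple, twice as long as 20 chars: \"<>'; 🔑"
    record = hash_password(pw, iterations=50_000)
    print(record)
    print("verify ok:", verify_password(pw, record))
    print("wrong pw:", verify_password(pw + "!", record))
```

Anything that stores the password (rather than a hash) is the only plausible reason to cap it at 20 characters, which is the commenter's suspicion above; a hash-based store has no such constraint, and a low cap or a forbidden-character list is a reasonable signal to ask how the password is actually kept.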