Hacker News new | past | comments | ask | show | jobs | submit login
US Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs (krebsonsecurity.com)
676 points by elsewhen 12 months ago | hide | past | favorite | 619 comments

I am amazed at how well these criminals from another country know the details of the systems in the US when we in the US have probably a handful of people who understand the end-to-end line they do.

I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it. This is sort of thing that the federal government should do and provide a portal for each state to use so that they can track and do stuff across states to look for fraud. However i don’t know if states rights and separation of duties screws this up.

> I am amazed at how well these criminals from another country know the details of the systems in the US when we in the US have probably a handful of people who understand the end-to-end line they do.

It’s quite literally a criminals job to understand and abuse these systems, and there’s very clear link between their performance and their reward. Makes for a good motivator.

People frequently underestimate criminals because they don’t appreciate that these individuals are doing this work as full time job. I’m sure if you spent 8 hours a day for week, you’ll have an equally good understanding.

I always find it ironic that for all but the most lucrative criminal enterprises, if the criminal applied the same amount of effort towards pursuing legitimate employment, they would come out ahead (adjusted for risk of course).

Some people just enjoy "getting over" more, to the point that they will discount their labor used for such schemes.

I don't think that's true. The criminals you hear are the only ones who get caught.

In fact, I would say criminal activities have a higher risk-adjusted return than legitimate activities, simply because there's less "supply" in this labour market due to moral reasons and risk-aversion.

As an example, let's say you find a zero-day that gives you access to any FAMG account. Their responsible disclosure programs will pay you probably ~$31,337 (real example from Google).

If you sell that on the darkweb as a "hax any Google account as service", while it is more effort, you could absolutely clear multi-millions from it (charge $50k per account hijack; which itself can lead to millions in fraud profits or selling intellectual property; etc; can maybe pull this off 50 times before it gets patched = $2.5 million).

Not to mention you'd probably be able to sell it to Saudi Arabia and Israel for anywhere from six to eight digits too depending on their operational needs.

So that's a >80x increase in earnings if you go the criminal route. It's more work, but there are brokers who will happily do the heavy lifting for you in exchange for taking a cut of the profits.

And if you reside in a country where the government essentially encourage hacking Western companies as long as you don't hack properties of your own nation (e.g. China; Russia), then the risk to you is virtually zero (as long as you don't plan to travel to a western-extradition country).

  for all but the most lucrative criminal enterprises
What you described is top-notch hacking and super high risk (99,99% of such criminals probably never deal directly with governments).

Seems similar to claim that acting pays well and take the example of Tom Cruise to prove it.

The recent interview of Marcus Hutchins says something else: he's been working full time as black hat and realized afterwards that being a white hat pays better.

Marcus Hutchins simply didn’t understand the business side of things.

He had his fingers in his ears singing la la la

I work in preventing financial crime, so I have some useful context on this.

Unless your hitting the big leagues (stealing millions to tens of millions of dollars) then the odds of you actually getting caught and prosecuted are basically 0.

This sounds silly, but it’s mostly driven by the fact that most traditional law enforcement agency (i.e. the police) don’t understand or are interested in preventing financial crime. It’s too abstract, doesn’t have a physical component, and frequently the criminals will be completely different jurisdictions to victims.

Even when you provide the police with the home address and photo ID of a financial criminal to the police, they usually won’t do anything. Again they don’t understand the crime, they don’t have the training to investigate and they don’t know what evidence is needed to prosecute. Finally the police are usually rated by the public on the number of shootings and stabbing that didn’t happen, rather than dollars not stolen.

So the only agencies that actually pursue financial criminals are people like the secret service in the US, and the City of London fincrime team in the UK.

Both relatively small agencies compared to a national police force. The end result is they only pursue whales, people and organisations that have stolen millions from one person or organisation.

If you’re not a whale, then no ones gonna chase you. You can spend years ripping off grandma‘s at $10k a pop, and no law enforcement agency will care.

How do you know that to be true?

Social engineering, much hacking, scamming, etc. don't care about race or gender or connections or degrees, all of which are very real things limiting people's professional success. Many can be done without interacting with a team and without any kind of interview, both of which are skills.

I doubt these people are discounting their time or labor. They might be optimizing for the opportunities available to them. Willingness to do something illegal could reasonably be seen as an arbitrage opportunity—something seen in business all the time.

The case for crime is, in fact, pretty clear-cut you have a bright mind, an appetite for risk, and resist societal expectations about orderly conduct - i.e. it is another flavor of "startup founder".

You only need one big score where you get away clean and you're done, your criminal career is complete in one go and you can retire. Compare that to all the fuss of operating within society, the social signalling and bargaining and courting of gatekeepers - that's only worth it if you've been groomed for it in some way.

And computer crime is as clean as it comes, in terms of the kind of damage done. The ultimate purpose is simple - change some database rows! No bashing of heads or physical entry to property needed. With appropriate choice of targets, you pass the resulting crisis over to some figurehead executive who mumbles for a bailout from the government. Numbers are shifted around again after some delay and everyone is happy.

By contrast the SV startup dynamic is one of gaining overt power over others, not just getting a high score. The product and platform acts as a Trojan Horse for this subjugation, powered by a belief(oftentimes a sincere one) that this is a grand humanitarian project, which in turn inspires cult thinking. Then to even get in as a worker, you have to fit into the cultural mold. Your userbase is likewise fostered towards dependence and ushered to mega-scale, data-driven extraction, if not immediately, then later, after the company is acquired. It's all quite a long schlep if you just like working with technology to help people.

>You only need one big score where you get away clean and you're done

The laughable part is here. People bring their problems with them. The kind of person who would pull off a big score, such as a brilliant hack or a bank robbery, won't retire to the Oregon coast and drive at or below the speed limit for the rest of their lives. A lot of those traits are traits of antisocial personality disorder. People like that are magnets for trouble. They won't lie low and relax for the rest of their days.

It's a lie criminals are not professionals. It comes with a set of other rules, rituals and codes. The money is not a big score but an unlimited amount of cashflow. The antisocials are the ones blowing up a money printing machine just for the sake of their ego. Have you ever seen estimates of the grey economy? That world is running way more efficient than civilian life because of the stakes. Guys like Pablo get that famous because he had an antisocial personality and had to blow up an airplane while he was one of the most richest billionaires in the world.

Antisocial personality disorder is almost a prerequisite for career criminals. Disagreeable enough to commit crime and not feel bad about it, extroverted enough to enter or form a gang, and low enough in neuroticism to keep your cool under pressure. I'm not trying to paint all antisocial people as "bad". It's also a personality configuration that works well in certain military positions.

There's a famous bit of research done by the guy who wrote Freakonomics.

He tracked how much drug dealers were actually making and found that if they just got a job at McDonald's they'd have a higher income.

If I remember correctly, that was for low level weed dealers, not scamming financial systems. A successful identify theft of a middle or upper income family will reap a payout much greater than a fast food worker.

Dealing drugs can also offer a much higher degree of flexibility to conventional work

I can say, based on my own observations, that is absolutely nowhere near true. Many people selling drugs to their friend groups make profit in excess of $400 a day, tax free.

I can't speak for a larger group, of course. Perhaps the average is weighed down by more casual actors.

It's only tax free if you're stupid enough not to launder the money.

I don't think that an individual proprietor earning only 100k would have a motivation to do that. One can pay rent, buy vehicles, and purchase most everything else with cash. Why give 40% to the government? Social responsibility is great, but not if it's going to get you interdicted as a drug dealer.

You can do that, but at some point you might be asked to explain how you manage to rent a nice apartment and own a car without earning any income. Outright tax fraud isn't really any more of a sensible risk to take if you're a career criminal than it is if you work a regular job. After all, they got Capone for tax evasion.

It's more likely that they'll be caught up in enforcement of controlled substance trafficking laws, and those are the more severe charges the authorities tend to pursue.

Is it? It's quite difficult to prove that someone is involved in trafficking controlled substances, if they're careful. It's not difficult to show that someone is committing tax fraud if they have a big house and a car and zero declared income.

Most people involved in such activity have incriminating communications that are very easily used in court such as text messages. The bar for proving that various messages are evidence of illegal activity is surprisingly low. One individual not only has to be very careful, but also enforce the same level in everyone who communicates with them while providing customer service (e.g. making customers happy, feel good l, not offending them and so forth).

The issue of tax fraud is only an issue if they investigate you - someone in the tax department would have to find a reason to take notice. In the case of a narcotics trafficker it's more likely that activity would be observed by drug investigators than for the tax department would determine there's someone paying a mortgage or rent that isn't a significant income tax payer. That's not really how tax investigations work.

Freakonomics is an awful representation of economics. It's literally a collection of anecdotes and uncontrolled experiments.

When I was a teenager, I tried to work at McDonald's over one summer break.

They turned me down.

I think you overestimate the lucrative opportunities available to hard-working honest people especially in developing countries where a lot of these operations are based

Maybe. I don't have faith that the world is that meritocratic. I don't know many criminals, but I know people who are smart and competent, but who've fallen into careers with low pay and no room for advancement. Crime is something that doesn't require the resume or capital of legitimate options.

It’s very very easy in the modern world to end up in a situation where you’re not allowed to contribute positively and have very few options other than crime.

You mean with some kind of criminal record, or just a dead end career? Because the latter is your starting point, not your end point, when it comes to deciding whether it pays better to put subsequent effort into figuring out how to profit via crime versus finding better legitimate ways to make money.

Adjusted for location as well. I'm very skeptical that these Nigerians can find anything this lucrative within their own country.

> we in the US have probably a handful of people who understand

When I moved to the US from Canada and HR was helping me setup my health insurance on the first day, I was overwhelmed trying to understand it and said "Sorry, I don't really understand how health insurance works here."

The HR person responded:

"That's ok. Most Americans don't understand how it works either."

> Most Americans don't understand how it works either.

When I dislocated my jaw and went to an in-network ER for treatment (it popped back in as I was sitting on the bed), I wasn't surprised to get a call from a collections agency regarding bills I never received from an "out of network" shell corporation for "consulting physicians" (never even saw a doctor, only a nurse), but I definitely didn't see it coming.

Count me an average American, I guess.

My hospital now had a very easy to use portal for bills.

And I’ve still been sent to collections for a bill that wasn’t on that portal.

Sorry, can't decide if it was a scamming attempt or it was a legit request?

That’s just a matter of perspective :)

I think a lot of US immigrants are more well versed in the workings of the US government than native born citizens.

This is because they have a source of comparison, and it is on the test! (if they go for citizenship)

Although some US citizens get how well some things work in the US compared to other countries, they have blind spots for some things that don't.

I got sick in Mexico once and went to a doctor there. I paid in cash and it was something like $2. If I wanted, I could get my medicine in pill or hypodermic form.

I know there's some controversial history adjacent to this idea, but I think everyone (native born included) should pass the test before they can vote. I also think we should throw out the voting age and the felony condition and ONLY have a voting test.

Who gets to decide what’s on the test? Also, what languages would it be available in? Seems hopelessly fraught (and likely illegal).


I have a long answer to this which I can dredge up and copy paste. Here's the short version.

1/3 random questions from the immigration test as it exists today (so that no one can disenfranchise others by changing the test).

2/3 questions chosen by each candidate on the ballot. Questions must have an objectively correct answer and must be pertinent to the powers of the office itself.

The long version of this answer just adds defining objective, correct, and pertinent in a legally unambiguous way and sketches out scenarios like trick questions to show that the only reliable way to gain favor in this system is to actually be knowledgeable.

Oh gosh. Why do candidates have any business filtering voters?

Why do people who don't even know what the candidates said have any business voting?

There is already plenty enough built-in momentum to not properly educate the public - "if we fuck up they don't get to vote" is some next level shit.

Just curve the test so that 80% pass.

At face value, that means 20% of the people (in a "democracy") will be unable to vote.

Basically you are saying that some people will not have the ability to decide who will govern them.

I just think it would be gamed somehow, like the games played with gerrymandering.

Are you ok with children not voting? That right there is ~20% of the population.

I assume that it works more like a filter - does the voter know the promises and policies of each candidate in his region? Or is the voter voting blindly?

There was an idea going around that instead of voting for candidate, you would answer a questionnaire about policies, and would be matched with best fit candidate.

The questions itself would be compiled from candidates' policies, and candidate would assign the weights to each of the answers.

That will play into the hands of certain parties, as it will serve to eliminate certain demographics.

And not having a test plays in the hands of others that have a large pool of people who don't understand the system and what they're voting for.

The problem is that this system will gradually mean that people who get to vote entrench their privilege and keep out others who do not get to vote. Gradually, you'll have a permanent underclass of people who have never known voting. The effects of unequal schooling etc will be even worse than they are today and politicians will have no incentive to even consider people who can't vote.

I really should dredge out my old comment because I already address this concern. Curve the test so that 80% pass. In this way it is impossible to get a feedback loop that miniaturizes the electorate.

This is so True, as an immigrant - I have changed jobs and every orientation when talking about benefits does not break down the cost to the employee - resulting in "just sign here" so we can be done with everything mentality

That HR representative appears quite talented. Nobody knows how it works, or there would/could not be significant "administrative" changes daily as insurance companies (and really any businesses) find new ways to take more of your money without any risk or possible recourse. They do whatever they want.. at least that they believe they can get away with long enough to make a profit.

> when we in the US have probably a handful of people who understand the end-to-end line they do.

Is it a hard thing to understand or is it just something that doesn't get done?

I work for a municipal government (not in social assistance though). Very little is documented, not because it would be hard to do so, but because first everything from budget to approved software for documentation to time allocation to 5 different approvals would be required to do it. We are terrible at sharing information internally, so every thing would require meeting after meeting to chase down who knows what as well.

Actually documenting the system I work on would take 1-2 days. But we initiated an overarching documentation plan in November and it is still being worked on (if it has not died from neglect).

Many of the US systems were/are very trust based. Unfortunately trust based systems are too vulnerable to fraud these days.

It will take time to redevelop the systems and thinking to be more fraud resistant.

However, many in the US equate validation or verification as too intrusive, too discriminatory, or both.

> However i don’t know if states rights and separation of duties screws this up.

The history of the US shows that such things matter only when there is no bipartisan support.

See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).

> See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).

If anyone is curious, this is due to Wickard v. Filburn (https://en.wikipedia.org/wiki/Wickard_v._Filburn), a very unfortunate Supreme Court decision made in 1942. This decision was cited as precedent in Gonzales v. Raich (https://en.wikipedia.org/wiki/Gonzales_v._Raich)

This seems to e a general cultural thing where rules are seen as malleable. See how well the lockdown is (not) being adhered to.

> I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it.

But trust us when we tell you that voter fraud isn't happening, that mail-in ballots offer no increased risks, and that non-citizens aren't voting.

[Citation Needed]

Not that it's either relevant or germane to a discussion regarding an organization using stolen identity to wire funds electronically.

Multiple states have been using mail-in ballots for literally decades. No widespread voter fraud has ever been reported.

Here's an anecdote for you: a few elections back, my signature didn't look quite right on the envelope of my ballot. Got a call from elections officials to verify that I had in fact filled out the ballot.

There's a lot more control involved in mail-in voting than there are in fraudulently filling-out an online form and receiving an electronic funds transfer.

> Not that it's either relevant or germane to a discussion regarding an organization using stolen identity to wire funds electronically.

It's absolutely relevant, particularly when the article discusses "mules" in the US (with US mailing addresses) being used in furtherance of the scheme on behalf of foreign individuals.

If it can be done to steal hundreds of millions of dollars by Nigerians using recipients' PII, it's difficult to imagine how it couldn't be done with mail-in ballots. If it isn't already, it's only a matter of time until it's worth doing to someone.

Every piece of mail must enter the system and be postmarked correctly. The US postal service certainly will not accept or deliver a piece of mail with a "Miami Beach, FL" postmark addressed to the "Sacramento Board of Elections" if it comes in with a batch of Par Avion mail off a plane from Nigeria.

You understand that the standard ML training data for OCR is from the US postal service, right? They've been routing mail electronically for decades.

The election system in the US is ridiculously decentralized, which makes it really hard to commit large-scale voter fraud at the ballot level.

people in business in the USA hire outsiders to do the dirty work, or afterwards such relationship leaks the details provided, to others who are just willing.. Why is USA federal IT work outsourced three times before it is done? What USA business owners, former owners, their accountants and others, are just in it for the money and tired of others winning while they work so hard and lose, etc.. SO .. there is some collusion across borders, most likely

What details?

> The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

This is the problem, a complete lack of security. Why doesn't the US use an electronic signature supported by a digital certificate as we do in Europe?

Has there been a real profitable incentive to implement the technology? Then why spend the money for a risk that may not have an impact tends to be the mindset.

Well you have an incentive when you read stuff like this:

- Hackers from China are believed to have stolen the social security number for every US federal employee in a cyber-attack much larger than it first seemed (2015)

- For the first time ever, data breaches compromised more Social Security numbers (35 percent) than credit card numbers (30 percent). The Equifax breach was largely responsible for that. (2017)

- If a cyberthief has your name, address and SSN, he is not far from being able to steal your identity. (2018)

It seems strange to me to fight corruption and fraud by creatiung an even larger institution with more cash to manage.

Quote: "The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year."

A perennial! problem, hundreds of millions each year. It blows my mind how 80+ years later SSN is still used as identity, far beyond its original purpose. I mean with only one year of those losses US gov. could easily adopt something better.

The Dutch system to this is pretty nice. Your BSN gets attached to a digital id (DigiD).

You might give your BSN out to a company (healthcare, doctor, etc) but that is used to create the link to your DigiD. From there if you want to login to something like your healthcare company it will then bring up a form where you copy four characters from your DigiD app on your phone. This makes sure the requests match, then you just scan a QR code and type in a pin.

So if you want to login to do something related to your taxes, or healthcare online you have very strong two factor auth.

Additionally banks work similarly for making payments or purchases online. I want to order a pizza for delivery online it redirects me to a payment page on my banks website. I then take out my bank app on my phone, type in a pin, scan a QR, and approve the payment.

> it will then bring up a form where you copy four characters from your DigiD app on your phone

What happens when you don't own a phone?

Can't chime in for Netherlands, but here in Denmark you can get an actual code card you use for 2FA. It has 100 codes on it.

If you're doing online shopping/purchases chances are you have a phone though.

My guess is they will send a code to your registered address, which is a must if you live in the Netherlands. I just lost my phone and retrieved my DigiID through this way.

To set up digid, you apply via official website (or app), receive one-time code in your paper mail, then proceed back to the same website/app to register your password and phone number. App registers itself if you're using one.

Once set up, you have 3 authentication methods, selectable on login page:

1) password only (low-trust authentication, not all places accept this, certainly not your doctor's office);

2) password + 2nd factor via SMS/text (high-trust);

3) password + 2nd factor via app (high-trust).

Bicycle down to the local Gemeente office and talk to someone?

I think it's possible to "assign" someone and grant permission for them to access information, a bit like power of attorney.

Are elderly Europeans just so much better at tech than elderly Americans? Smartphone apps. QR codes. 2FA pins.

I know folks in their 60s who positively would not be able to do any of this with any level of success.

You can always do things via mail, phone, or bicycling down to the local Gemeente office. I just don't know what the authorisation methods are for mail/phone because I use the DigiD methods.

You can make the digital side of things secure while still having accessible method for non-technical people.

It's crazy that we all walk around with some secret number that, if discovered, could wreak havoc on our lives.

This is especially true in this digital age of connectedness and breaches, wherein we're encouraged to use and share the number ourselves in some scenarios, but somehow expect it to not fall victim of a single error or act of malice.

It's crazy that people use it and think of it as secret number.

I wonder, like, how much of that (and legitimate tax revenue) could be recovered or prevented each year by properly funding the IRS and other departments.

Where is the outrage compared to that of welfare queens, which don't exist in high numbers?

In context of how much "personal identifiable information" (e.g. SSN) that is stolen through data breaches in the USA - it's hardly a surprise.

The list of breaches just goes on-and-on: https://krebsonsecurity.com/category/data-breaches/

I think it's time we just eliminated the concept of personally identifiable information (PII). Your SSN, birthdate, name, etc. are no longer secret. Operate with that assumption. Invest in a department in the government (e.g. digital service) to make this change once and for all. Heck, let's eliminate DST and move to the metric system while we're at it. Let's call this "moving to new standards" that will pay off in dividends in the future.

Why would a bank give someone a loan if they have no idea who the person really is?

How is any of this information supposed to secure anything? Name, birth date, address, etc are all public record or essentially public record. The only "secret" piece of information is the SSN, which is (a) public for almost all Americans and (b) specifically forbidden for being used as an identification number.

This is a very 'tech' response in a good way, it made me smile. I think they meant why would a bank give an anybody a loan? You have no way of knowing if an anybody already has a loan out with you and you have no ability to evaluate their risk. Why would you loan money to someone with no ability to review their credit health and financial situation? It's an impossible battle without inventing a user specific metric.

>It's an impossible battle without inventing a user specific metric.

And that's exactly what happens over here. There is no credit score, nor other such bullshit.

You get assessed for viability by proving your current income for last X months depending on the loan.

There also exists a national black list of debtors - but to get there you must really mess up and not even try to pay back your loan.

How do you price your current income with no identifying information is the point that was being made. If you can prove your income then you have identifiers.

you get a standardized form from your employer, or income transactions from the bank. They can use that data internally, but they cannot sell it nor give it to 3rd parties.

ID cards?

You had me until the whole “invest in government...”

> that is stolen

Or just straight up sold by the government: https://news.ycombinator.com/item?id=20438289.

... or collected by state prison call centers and misused (though admittedly this would be a minute fraction in comparison).


I wonder what the rate/total volume (or detected volume) of fraud is? How does it compare to baseline levels of fraud? The article says the amount of fraud has kept pace with dramatic increase in claims in Rhode Island. If it's just keeping pace, why are we surprised? Do we even need to worry that much? Is the current situation making it easier to commit fraud? Or is it just generating more volume and noise to hide fraud in?

My friend's desperately needed unemployment funds are frozen because they were requested using a Romanian IP address. My friend has never been to Romania nor spoofed their IP in such a manner. The New York state unemployment website seemingly allows no recourse for this incident. They are now unemployed and unable to receive any income.

The recourse as I understand it is to try and call the agency to speak to a person. Of course the call systems are overloaded so that's easier said than done.

edit: This is the general approach by US agencies, the IRS website barfed on my info and I had to call a local office to get a person to help me (the nation wide number was 100% automated and likewise barfed on my info).

Calling the unemployment office right now is virtually impossible.

Conventional wisdom these days is that if you want to collect unemployment, you need to make filing a claim your full-time job. You start calling at 7am when they open, and keep re-dialing until you get through -- hopefully before they close at 4pm, and you have to start again the next day.

Also, don't call before Wednesday, if you don't absolutely need to. Monday/Tuesday are unofficially reserved for people who really need the money.

Of course, even if you get through to a person and get the right bit flipped in their database, there's no guarantees. I also hear lots of stories of people whose claims were approved 4 or 6 weeks ago and still haven't gotten a dime.

Why are Monday/Tuesday unofficially reserved for people who really need the money?

Good luck: https://www.oregonlive.com/business/2020/04/oregon-insight-h...

> Laid-off workers are confused and confounded by the department’s faltering claims system, erroneous denials and stubborn silence on key policies and questions.

> The frustrations lead people to call the department again and again – some say they dial more than 700 times a day.

> The employment department is taking steps to address the call volume. It has added hundreds of staff to process claims in recent weeks – it has 520 now and has leased a facility in Wilsonville to expand claims staff to 800.

> With jobless claims up nearly seventeenfold, though, the staffing increases aren’t close to keeping up with demand. So it may be weeks – or months – before Oregon works through its backlog in claims questions.

Once upon a time our office IP in Helsinki was tagged as being in Spain by some geoip provider. For months parts of the internet were in Spanish. No way to fix this from our end. For example, googling for any php function automatically linked me to the spanish version of php.net.

After a few months, the issue disappeared as mysteriously as it had appeared. And we'd had that set of static IPs for about 5 years by that point.

It's a shame that such technical problems can become severe personal problems in times of crisis such as these.

Maybe they were using a VPN proxy?

They were using a VPN that was exiting in New York City and had never exited from Romania.

It does seem somewhat disingenuous to not mention the VPN usage in your first comment. Makes reasonable people wonder what other details you're leaving out, even if there are none.

I failed to make it clear by just mentioning spoofing in general, my apologies.

Are you sure the exit point was in NYC? VPN providers don't always put their servers in the same country that their IP claims to be from.

While I agree that it's unlikely that they would serve NY customers from Romania, you will definitely see weird results from Geolocation services when going through some VPN providers.

Wait, why were they using a vpn? Where were they physically at the time?

How did NYS figure out "Romania" (even if wrongly) and communicate that to your friend?

That's a bizarre capability for a system that is as incompetent as has been seen.

Browsers send tons of information to all sorts of in-page components. If the attacker is incompetent, it's not that difficult to narrow down their location.

I wonder if CDNs can be used as "standard candles" for in-page scripts to measure latencies to multiple known network locations and infer a position from there across multiple sessions with different exit points. How many exit-point/latency pairs would I need to figure out the actual origin of a request?

remember when SSNs were being implemented and the government promised it wouldn't be used as a personal identifier?

I've only been in the USA for less than a decade but when I landed here and got my SSN I got a pretty good lecture at the window from the Federal worker about never giving this out, keep it safe, yadda, yadda, yadda...

...and was then asked at every turn, by every website and application and whatnot, to provide four or more digits of this number to accomplish even the most benign things.

There's what the US government thought it would be and then there's what it's become because zero enforcement on use of it as a national person identity number was ever enacted.

The "don't give anyone your SSN" trope has become one of those household jokes. Right up there with "American's don't pay high taxes".

And those 4 numbers that they always ask for are the only part of the SSN that isn't procedurally generated from public information.

This isn't true anymore. (Although for most adults, it doesn't matter as they got their SSN before it changed.)

> On June 25, 2011, the SSA changed the SSN assignment process to "SSN randomization". SSN randomization affected the SSN assignment process in the following ways:

> 1. It eliminated the geographical significance of the first three digits of the SSN, referred to as the area number, by no longer allocating specific numbers by state for assignment to individuals.

> 2. It eliminated the significance of the highest group number assigned for each area number, and, as a result, the High Group List is frozen in time and can be used for validation of only those SSNs issued prior to the randomization implementation date (see section "Valid SSNs").

> 3. Previously unassigned area numbers have been introduced for assignment, excluding area numbers 000, 666 and 900–999. [1]

[1] https://en.wikipedia.org/wiki/Social_Security_number#Structu...

That's great for 9 year olds. But for the people it matters for now, these points don't apply.

OP already acknowledged this: "for most adults, it doesn't matter as they got their SSN before it changed"

Not personally, because I’m not 90 years old.

But you’re right that the original purpose wasn’t identifying people, however it was private banks that really latched onto it as a convenient way to identify people and associate debts to individuals.

When I worked on Wall Street way back in the 90s we knew SSNs were useless for any sort of id...

Too many 'shared' SSNs in, too many stolen SSNs. I highly doubt any financial instituation is using SSN as anything more then then 'corraborating' account access at this point.

BTW - you might find this interesting: https://www.ssa.gov/history/ssn/misused.html People thought they were getting an SSN when they bought the wallet...

Just goes to show how much of a net negative the parasitic banking system is on society.

Your lifestyle must be pretty ascetic then? A society that only contains business bootstrapped by independently wealthy owners is pretty small. Almost everything we have required somebody else's capital to build. There was a reason unemployment spiked when lending stopped in 2008.

Lock up all capital with a small group of individuals and you will then need to acquire that capital in order to create large projects, that's pretty truistic.

A system where you instead has to convince a "capital" assignment group (really a work+resources assignment)- who would only profit if your project benefitted society - could also work.

You'd get different assignment of resources too as ability to extract maximum value from the system and lodge it with a small group of capital holders wouldn't be the principle aim.

This only works with systems where everyone is on board and there are no greedy people, ...

It may come as a surprise to people, but there have been societies which banned interest/usury, yet got things done just fine (e.g. Islam bans usury, but the Islamic Golden Age speaks for itself). Even until relatively recently, when Western colonialists forced their usurious banking system onto Islamic nations post WWII, things were done interest-free.

Coming from a jewish background (Judaism also "bans interest/usury"), I advise you to take these rules with a grain of salt. In the case of Judaism, there were (sometimes still are) many tricks to the system, for example: you could lend with interest to non-jews, you could have and trade slaves, etc.

I'd assume Islam, being similar to Judaism, uses the same kind of tricks. For example, after a quick search, I found this:

"The common view of riba (usury) among classical jurists of Islamic law and economics during the Islamic Golden Age was that it is only riba and therefore unlawful to apply interest to money exnatura sua— exclusively gold and silver currencies—but that it is not riba and is therefore acceptable to apply interest to fiat money—currencies made up of other materials such as paper or base metals—to an extent."

Source: https://books.google.cl/books?id=1MKrCQAAQBAJ&pg=PA23&lpg=PA...

Thank you for chiming in. I'm aware that Judaism bans interest, but you're also correct that thier Rabbis made loopholes such that only Jews don't lend money with interest to other Jews, but they're allowed to lend money with interest to non-Jews. Christianity bans it as well, but people don't practice what they preach so to speak.

With Islam, there are no such tricks, because it explicitly calls out tricks like what you're mentioning and warns people who engage in them. Of course, it doesn't prevent some people from claiming certain things, but you'd have to look at the overall consensus. If you ask scholars today, they will tell you that you cannot deal with interest with fiat money, the consensus is that you cannot take an interest-based loan or mortgage from a bank.

I can't find the author of the book you cited, but it seems he's misguided and conflating two things. There was no paper money back during the Islamic Golden Age, so I'm not sure why he mentions it. Secondly, he seems to be conflating Riba that applies to certain materials (explicitly mentioned in [0][1]) with Riba due to loans. The Islamic notion of Riba encomposses more than simply usury and interest. For example, exchanging 5gm of 22 karat gold for 8gm of 18 karat gold falls under Riba, and is prohibited.

What is permissible is to have exchanges of different types, as mentioned in those Hadiths. For a modern manifestation of this: I can exchange a certain amount of USD to a different amount of Euros. However, I cannot lend out $100 and ask them to be returned $105.

[0] https://sunnah.com/nasai/44/112

[1] https://sunnah.com/abudawud/23

The profit and loss sharing instruments used by Islamic banks are structured in such a way to be almost identical to charging interest.

Yes, and if you look up the opinion of present-day scholars, you'll find that many of them call said banks out on it (if it walks like a duck and quacks like a duck). While I'm not a scholar, I completely agree that it's jumping around the issue and it is almost certainly interest. It doesn't mean Islam allows it. This in my opinion, is a manifestation of what I mentioned how the West pushed their usurious banking system onto Islamic nations, and because many of those governments were installed by Western nations, now the people are having a difficult time breaking out of it.

There are other ways of bootstrapping businesses: people pitch in money in exchange for owning a percentage of said business. That's exactly using someone else's capital to build, but without the parasitic and immoral practice of lending with usury (aka interest).

That's not bootstrapping, just investment funding. We have that, though many still prefer debt financing instead for whatever reason. For example you can often get money "cheaper" via debt versus giving up too much ownership.

Preferring something doesn't automatically make it good or acceptable. Just like how some people prefer to smoke or prefer to gamble or prefer to drink.

Regarding your point, debt today is only cheaper because it is available and widely pushed by the government through banks. If lending money on interest were hypothetically banned, then everything would have to change, and we'd have a fair equilibrium.

What exactly is the moral framework that makes equity financing okay but debt financing not? The financier is still getting a consideration in exchange for his capital.

Postal banking!

In 1936? Sorry, I don’t remember that.

yeah. My college id number was my social and that was in the 90s. License numbers typically were too.

Try telling a Doctor's office you don't want to give them your SSN. I personally make it a point to NOT give them my SSN and they always give me hell for it. Sometimes I give up but whenever I can, I try to fight it.

It’s been easy in my experience. I say the magic words “will pay up front.”

What do they want it for?

Identification for billing. The more information you have about someone the easier it is to collect debt from them.

Credit checks. They need to know how much of a risk you are of not being able to pay.

You were alive in the 30s? No, I don't think most of HN's audience remembers that time.

Direct payments are better for this very reason. They also become bonuses for those working. Banks and broken state systems have really caused problems getting stimulus out as expected.

Lots of people calling for temp UBI like Cuban [1]. It was obvious from the beginning we needed this.

With everything we learned from the Great Recession 'bailouts/stimulus' we should have expected this and just not gone the bank route or unemployment alone. Direct payments takes pressure off everything, unemployment, state budgets, individuals, mortgage/rent, small business, demand from purchasing power etc.

[1] https://www.marketwatch.com/story/mark-cuban-says-families-s...

how would a buggy implementation of payment dispersal relate in any way to any perceived need for UBI?

I didn't say buggy, I said broken, sometimes on purpose.

In "Study finds 44% of U.S. unemployment applicants have been denied or are still waiting" it shows the systems don't work [1]. This is one article, study or example in many, many reports on this.

Direct payments, at least during the crisis and maybe auto UBI during recessions, would make it to everyone, not prevent people from weighing going back to work, not overload state budgets, reduce unemployment, and more. Some systems like Floridas were meant to not really work at all to minimize usage.

Basically anyone in a state with a bad unemployment state system suffered. Direct payments gets around all that by using identity and tax system information.

Direct payments to everyone also get past the whole idea of selective stimulus. Money to everyone gets to where it needs to be that no central planning could ever predict from food, gas, housing, insurance, health, etc [2].

Direct payments during recessions would make the floor higher and bring back purchasing power demand sooner, or keep it with some semblance of consistency in times like this.

[1] https://www.cnbc.com/2020/05/15/44percent-of-us-unemployment...

[2] https://www.cnbc.com/2020/04/15/coronavirus-stimulus-checks-...

If only we saw this coming.... oh wait... Equifax's data breach of 143M records.

People have been calling for social security number system to be updated. In what world does it make sense to prove your identity with just a username (ss #) and not a password as well?

. . . a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.

Seems like this should have generated some red flags, as public sector employees haven't been subject to layoffs.

Makes you wonder if the infamous OPM breach (https://en.wikipedia.org/wiki/Office_of_Personnel_Management...) has been distributed beyond China.

No wondering, I just assume that's the case. Like, whatever the Chinese equivalents of 4chan and pastebin are would be in constant discussion over the best ways to exploit that information. OPM is a big umbrella over the US Federal Govt. They even got biometric data in the form of fingerprints.

There are certainly worse things to breach but it's basically HR for the US gov't. Imagine your company's HR dept getting totally owned, then people using the CFO's data to get large loans, make harmful business deals or blackwash someone high-profile.

That’s funny because my dad has been struggling to get unemployment due to state bureaucracy (he was working remotely for a company in another state, which complicates the filing). I guess the same bureaucracy is probably what enables the fraud.

If you pay taxes in the state, shouldn’t it be enough?

Yes he is entitled to it. The problem was that it was unclear which state he was supposed to file in (because he works remotely out of state), and one state's department just said to go to the other state.

Well, if I am employed in one state, that means I am unemployed in almost 49 others, doesn't it? Time to fill out some paperwork!

For certain things, this perhaps one of them, there are benefits if handled on a federal level with more oversight.

Is that all it takes to get unemployment now? Just an application and they take your word for it? I thought you needed to get legitimately laid off (i.e. not quit or be fired for cause) by an employer in the state who notifies the state of this fact for you, and perhaps who has to pay part of your benefits.

And there's always both upsides as well as downsides to handling things federally versus state.

You wouldn't need to handle it centrally, you could do something like log all "single-state" transactions against a name, SSN, & bank account, and publish to reach of the other states your data -- preferably through a federal data store, but it could still work otherwise?

I’m surprised banks literally don’t have the ability check for suspicious behavior like blatantly having the same account receive multiple unemployment benefit dollars from a state that the person doesn’t reside in...

That’s not the bank’s responsibility. This is no different than the issues IRS faced with fraudulent refund activity. Unemployment systems should’ve invested in KYC-like systems, knowledge authentication, etc.

Simply look at the talent running unemployment departments though. No engineering mindset, no accountability, hence financial fraud with no repercussions for government or perpetrators.

For the love of Vint Cerf, please get involved in local government if you’re a technologist. It is the only way this gets better.

Most technologists likely have an aversion to anything as backwater bureaucratic as government “tech” programs. Couple that with pay that wildly trails the market and the outcome is fairly easy to predict I think.

What if the resulting code was open source and someone paid for the effort out of their own pocket. Non profit 18F style. Might even be able to distill requirements from existing code if that code can be retrieved with a FOIA request.

I can empathize with not wanting to work directly for the bureaucracy. There are alternate paths to success.


Interesting idea! I don’t know how to think about the threat model of “pay for it yourself, and then the government will run your code for essential services”. I suspect there’s a juicy target there, but it’s something I hadn’t considered so thanks for giving me something to mull about.

An independent application security assessment would need to be performed prior to handoff of the code base (with follow ups each time you cut a new release), but if you can meet the requirements of all 50 states (not trivial, but also likely not overly onerous), that’s a huge reduction in duplicated effort.

Glad I could provide something to ponder!

I don't know about the US, but I had the same misconception in Brazil until I ended up training government employees. What I encountered was an extremely motivated and intelligent crowd that, even though they were underpaid, were motivated by a desire to make things work. It stuck with me that, while some companies had the best talent money could buy, these agencies had the best people no money would ever buy.

Besides, even a small government deals with amounts of data that rival larger enterprises.

Why is it so hard to enforce banks to report such transactions? Doesn't the US force foreign banks to report balances of US citizens residing overseas? Oh the double standards.

FATCA is an injustice of epic proportions. You can thank the US government of 2010 for that hypocrisy. It was used by the left as a way to “get” “fat cats” — it’s literally in the name: FATCA(ts.) Chuck Schumer was a highly vocal proponent. Instead it harms everyone overseas while for actual fat cats, it has been business mostly as usual.

I suspect you're being downvoted by US citizens who have never lived abroad and are blind to the difficulties FATCA causes for non-"Fat Cat" American expats.

Your comment is entirely on-point.

Could you expand on that: how does it is cause harm, why aren't overseas "fat cats" affected?

It causes harm to American expats because FATCA's terms are horrible for banks. Basically, they have a whole host of new reporting obligations for their US citizen customers, wherever they are in the world. If their compliance fails, their US operations will be subject to a 30% withholding tax on all transactions. American citizens are the rare exception for banks outside the US and the compliance costs and huge operational risks make it very unattractive to accept US citizen clients. It is very difficult to find a bank willing to take them on as a customer, and those that do often put restrictions on their accounts.

Fat cat expats are relatively unaffected because they can afford to set up all kinds of complicated legal structures, companies, trusts, etc. to skirt the law and anyway have enough money that even with increased compliance costs they are still worth keeping as customers.

Finally, in general, US tax law regarding foreign earned income is completely absurd and nearly unique in the world, and direct compliance costs on expat Americans--for example, FBAR requirements--are equally absurd. I believe this is a result of the structural disenfranchisement of expats in the American political system. Expats vote where they last resided, so lots of places might have 0.5% expat voters, but no one place has 100% expat voters. So no politician has any incentive to represent expat interests.

One reason is that it causes the cost to be borne by those overseas bank, just to address the incompetencies of the US government and the bizarre law to tax its citizens living overseas, which I think only one or two countries do.

Well, no. I wish that was the case but no. You would be surprised how invasive BSA law is. The main reason banks basically gave in on SARs was the legal protection they have for it. This coupled with little average teller is trained results with suspicious activity report stemming from customer saying 'none of your business' to a teller.

And I assure you that when auditors ask an officer question why SAR was not filed ( most recent Moneygram case ), BSA officer is sweating bullet.

So based on current setup in US, it is banks' responsibilty. And just to add to this, this scheme is being actively copied across the world.

FinCEN case link: https://www.fincen.gov/news/news-releases/fincen-assesses-1-...

I think we might be taking past each other. A bank and money transmitters are required to meet AML and KYC requirements (in this case, making sure the illicitly obtained funds aren’t laundered with mules or other means), but I propose that it’s the state unemployment insurance department’s responsibility to put benefits into the right deposit accounts in the first place.

My bad. I completely misread your post. I never thought of that to be honest.

My first reaction is hesitation, but it is mostly, because I am not sure how that would work in practice.

My Citibank credit card pulls in my Chase deposit account details using my Chase login and password (I assume using Plaid under the hood). Perhaps something similar between unemployment systems and your bank, as the bank has already done all of the hard KYC work. They’ve got your PII (including SSN), and your account numbers. Use SSN as the key (I know, I know, we need to get away from the SSN as a citizen ID, baby steps) between the two. You also get to piggyback on 2FA/MFA systems banks have in place.

Doesn't it kind of become the bank's responsibility once they become aware they're holding onto criminal proceeds? Or is that why banks prefer not to pay attention, so they don't become aware of such things?

Banks already have responsibility to prevent money laundering by submitting a form when you deposit over $10k in cash, it’s called a currency transaction report and sent to the IRS.


So how to do fix this and make people want responsibility?

The only answer people seem to have is that children must be brought up better/parents must be better at raising their children, but this seems to require people who already want responsibility-first-power-second to be effective.

This was the naive communism idea, that you can mold people into any shape you desire with enough education, propaganda and other forms of societal pressure.

There is science that tells us otherwise. If you're a midget, you cannot ever be successful in the NBA.

People's brain regions vary up to 10x in size and some people have regions that are completely absent in others, oops. Some people can see 10x more colors than others. Some people can do mathematics, most can't. Sorry.

Ok so we have people with vastly different abilities, people are not equal. What do we do with this information? We need to figure out who has which abilities. How do you do that? You scan their brains :) Now what happens when we find out half the billionaires have tiny worthless brains and got lucky (every Russian billionaire as one simple example)? What happens when rich people have idiot children who are only good for serving coffee?

There lies the rub - you have to want power-responsibility ratio to match ability, more than you want your offspring to have power regardless of their ability to handle responsibility. You have to fix corruption on the level of enabling idiot family members because they're yours. You have to fix enabling your friends because they're your friends. You have to understand that an idiot would be better off serving coffee more than going to a top university, cheating their way through it and being a worthless manager with a high paycheque.

You have to not be an idiot to understand these things. How do we have more non-idiots? One easy way is to monitor who has children. Ohh but freedom I can do what I want with my body?! That's your selfish idiot brain talking that doesn't take responsibility into account. See how deep this goes? Every facet of modern society ignores responsibility. The fix starts with people like me talking about it and being treated with downvotes from the idiot masses :)

ps. If you want a more thorough treatment of responsibility and how important it is, I've heard good things about Jordan Peterson.

thats an intersting way of thinking about it, but one has to be careful not to attribute eveything to genetics lest we fall into biological determinist thinkimg about eveything


I'd put it as much on the state. From the bank's perspective it's just an ACH transfer. The state knows what it's for and is arguably in a better position to detect anomalies. And the state should be doing better due diligence to verify identities and eligibility.

States are processing claims in cobol on mainframes from the 1970s. I think you overestimate their data science ops.

They were wiring large amounts of money to people in Oklahoma rather than their own state. That there is no effort put into preventing fraud, which was guaranteed to happen, is down to negligence of the state government. Part of that is on the voters who allocate tax dollars in an idiotic fashion whenever given the chance.

There are plenty of cases where someone would be paid unemployment insurance out of state. The most common one is moving back to be closer to a family support network after losing a job since many people don't have much in the way of savings, at least not enough for a few months rent while they look for work. In most states, unemployment insurance is paid for by employers per worker and after paying in for a certain time, the UI program essentially owes the unemployment benefits to the worker once they lose their job. Where that worker chooses to go with their checks is up to them.

Banks already have fraud protection on credit cards and are responsible for reporting suspicious amounts of depositing (above a certain amount). Thus is the basis of my shock that something similarly obvious isn’t covered.

Why aren't all public transaction public?

Money paid from central government should all be publicly viewable, shouldn't it? Then anyone who wishes could look to see if an account had more than $X or more than $Y transactions, or more than one stimulus cheque, etc?

This is a good question that I’d like answered.

Banks absolutely do have this ability and I would guess SARs from banks are what led to the Secret Service eventually uncovering this elaborate scheme. Though I imagine more SARs would have come from the outgoing transfers (from the mules’ accounts to the criminals) than from the suspicious unemployment deposits. Generally government money is considered “clean” but if a mule suddenly started receiving more money than usual it would be investigated regardless of the source.

I agree, but I hope such analysis requires a warrant or just cause - instead of having banks check their customers activity, it should come from the other side, institutions that send the money out perform a cross-reference for the same person (whether defined by name, account, etc). Then the issue is some people are working, but under the table, and collecting benefits. That’s a bit harder to detect

Same thing is happening with the UK furlough scheme. Government is paying 80% of people's salaries while they're off work but some employers are actively defrauding the scheme and telling those people to work...

The true scope of the fraud will come clear when IRS starts coming after the named beneficiaries of the fraudulent disbursements.

In WA state (not sure about other states), the unemployment insurance agency does not automatically withhold taxes from disbursement checks. (It is an option the beneficiary can choose).

The IRS will come looking for those taxes.

I got a letter yesterday informing me I made an unemployment claim. Bummer.

Not surprising given the creaky state un-employment systems. I would not be surprised if bank account numbers are compromised as well.

> I would not be surprised if bank account numbers are compromised as well.

I don't that works too well for this kind of scam. What do you do with the money? ACH it to a totally traceable other account? This scam relies on a network of trust, that the mules will draw out the cash and take their cut (and only their cut) and walk the funds to another location for tender.

That’s what I don’t understand about this kind of scam. It seems like an awful lot of work. Juggling all of your fake internet significant others or employees and then building up enough trust to make the ask. I can’t imagine the payout is that substantial given how much effort would be required.

Think about the mule more like a drug mule. Someone who doesn’t have much to lose, is recruited by gangsters, work is ok as long as they do what they’re supposed to do, and they are beaten or killed if they go off script.

The bank account numbers on a personal check or the one you give your employer for direct deposit?

Aren't those the same?


Heh welp pardon me for having more than one bank account

It amazes me that there is no authentication provided by governments in the US to citizens. They just accept a social security number as if it was some sort of password, when it was never intended for that purpose. Other countries give citizens an electronic ID to authenticate themselves. It seems this would prevent hundreds of millions of dollars in fraud and identity theft.

UI is a program geared toward optimizing payment speed, with fraud looked at as something that is addressed via audit. Historically most fraud or bad reporting can be addressed by capturing future benefits.

With the unprecedented load being placed in these systems, you’re going to see things like email and sms used more, which enables new paths for fraud. Pandemic unemployment is also geared towards gig economy workers, which again is a new frontier of fraud.

It removes a lot of friction if you police transactions after the fact. The only trick is to make transactions un-doable if they turn out to be fraudulent.

> It amazes me that there is no authentication provided by governments in the US to citizens.

Vast numbers of Americans would view that as a big step towards totalitarianism and taking their guns away.

After 9/11 there was an attempt at a national ID card, but it never pans out. https://www.aclu.org/other/5-problems-national-id-cards does a decent job laying out the rationale why it never gets that far.

What we got instead is Real ID, https://en.wikipedia.org/wiki/Real_ID_Act?wprov=sfti1, which is a set of guidelines that States and federal agencies must follow to authenticate people for the issue of their ID and anti-counterfeit features that the ID should have. In other words, the issue was put onto the states.

Reason #4: ID cards would function as "internal passports" that monitor citizens' movements

I don't understand this one. This was never a thing in the EU, even though IDs are mandatory in just about every member state.

I spent on-and-off four years in Italy and while I initially had to present and ID to my landlord there, who then needed to pass this data to the police, nobody bothered me after that or checked if I'm still there.

Hell, even after a law was passed that initially basically forbade anyone who was in the country more than half of the year from driving a car with foreign plates I still wasn't bothered by anyone, because as I was a citizen of a Schengen area state, there was no reliable way to determine when and where was I lately.

That's interesting. When I changed jobs and moved from NY to Indiana, so my wife could pursue a graduate degree, I had every intention of maintaining my ID and permanent residence in NY, (since I could always still receive mail there via my parents, who allowed me to maintain my permanent residence there whenever I rented or was resident in student housing.)

It quickly came to my attention by communicating with car insurance that I could not do this legally (they sought me out, I have no idea what caused this, perhaps a National Change of Address record triggered?) my car insurance would be terminated because my car was no longer "garaged" in NY, and a lack of insurance on my vehicle registered in NY would trigger a suspension of my license, (and eventually a bench warrant could be issued potentially leading to my arrest, if I did not take action before 30-60 day window passed.)

I wonder if you got lucky, or if this scenario doesn't play out the same way in EU? FWIW, it turned out that everything about being an Indiana state resident is cheaper than living in New York, and it really was to my benefit to get my home permanent residence changed to the new state.

(It was very surprising that I had to do this, though, as a student you are allowed to maintain your primary residence in a different state, I guess this justification works for undergraduate but not for a spouse's PhD study...)

Car insurance and registration is one of those "interesting" areas if one bothers to peek below the surface. I've got a couple stories about it, but how about this (details removed to avoid personal information) one.

A few years ago, my girlfriend moved overseas for about a year, nearing the end of her time overseas I went over and we got married as we had planned. A short while later she returned and moved in with me, having mostly gotten rid of her car/apartment rental/etc (and moved the remainder of her personal items she didn't take overseas to my place) before she left the US. Within a couple weeks of her return, I received a letter in the mail from my automobile insurance stating that they had reason to believe that additional adults of driving age and related to me were living in my house but weren't on my insurance. I either had to notify them of said persons and sign some paperwork indicating that they would never drive my vehicle, or I had to add them to my insurance (for an additional $$$ a year of course).

Now when I got married overseas we did some some paperwork local to that country. But the state I was living in, there was additional paperwork that needed to be completed stating that I had been married overseas/etc. As far as I'm aware that paperwork had not yet been filed before the insurance company contacted me. Nor had my wife changed her address from her foreign one.

So, somehow, not only did the insurance company discover that we were married, they somehow found out when my wife had flown back to the US as well (she returned a bit after me for various reasons). Its not hard to come up with ideas for how they might have put these details together, but I've never managed to find any evidence of the existence of the kind of channels/databases that must have existed for them to pull this off, considering it was a low key event.

And all that for a couple hundred $$$ annually you would probably have to pay had you added your wife to your insurance?

How is that even legal?

In Oct 2020 a passport or state-issued Enhanced ID [0] will be required to board a domestic flight in USA. It's about as close as they could get since no one wants a "national ID card".

[0] https://www.dhs.gov/enhanced-drivers-licenses-what-are-they

That requirement has now been delayed until Oct 2021.

Re: #2 and #3, we already have the shadow national databases, just none of the civil benefits.



How about making the id voluntary to get, but required to get benefits. Want to get the guvmint out of your life? Sure, then don't ask for unemployment benefits.

As an American: see the classic "Get your government hands off my Medicare" line. I don't know how many of us actually paid attention in Civics or bothered actually trying to understand how our government is supposed to work.

How about you get evicted and cannot get food stamps for your family, because your non-driver ID expired three months ago and you have a hard time getting a day off to take a bus downtown to DMV?

That’s reality for millions of people.

There are clearly other ways to solve this that don't involve depriving people of food stamps. Most every other developed country has figured out some solution.

First of all, in most countries an expired proof of citizenship is accepted for many purposes because it's assumed that people didn't go out of their way to coincidentally lose their citizenship or permanent residence when the ID expired. If it proves residence or driving qualifications, then there are certainly other reasons why it should expire.

Suppose we have an administration, decentralized or otherwise, that stores the records of the people concerned. They can then be contacted and details can be verified.

This informal verification already occurs on many levels, particularly in the US due to the lack of consistent ID. Try flying on a flight without photo ID, entering the US as a US citizen without proof of citizenship, etc. You will be permitted to do so with a bit of extra hassle while you're identified to a reasonable degree of confidence.

I've found that HN and other online communities have a disproportionate number of users who have no idea of rural life in America. As such they cannot fathom a poor, rural person without a birth certificate or a photo ID or the ability to get either.

Go get your ID situation fixed.

edit: To get an EBT card in NYC you can do it all online if you have a valid (ie, not expired, ID card.) If you do not have a valid (ie, expired, ID card), then you have to go to the DMV so they can take your picture and you sign a few forms. The forms are available in 22 languages. At the same time they may work to get you a new, valid, ID card.

How is this unreasonable?

How are the DMV opening hours/wait times? Now imagine that impact on a person with some minimum wage job. You have a valid point but the marginal cost of bureaucracy to a poor/disabled person is often a lot higher than to someone for whom life is going smoothly. Also, it's easier to fall off the smooth track than to get back on.

What is the alternative to get a valid ID card and an EBT card? I understand there's a hardship for someone that can't get away for a few hours to travel to the DMV office. But it's the same hardship for everyone. There are basic requirements:

1) You have to go to the DMV office

2) You have to agree to have your picture taken

3) You have to fill out 3 forms (offered in your native language -- 22 languages are offered)

4) You have to provide a mailing address for where the EBT card will be sent

And then you have to be on the other end of that mailing address to receive and activate your EBT card.

This all seems like very easy procedures to follow to get food stamps.

I understand there's a hardship for someone that can't get away for a few hours to travel to the DMV office. But it's the same hardship for everyone.

No it isn't. The marginal costs are different. If you earn $2000 a week and through some mischance have to give up a day's earnings to go the DMV your $400 loss is an annoyance. If you earn $500/week your loss as a percentage of income is the same but the economic impact of losing $100 is probably much bigger.

I think you have to factor in the other side of the equation as well.

SNAP benefits are worth, let’s say $400/mo. Giving up $100 to add a recurring $400 payment doesn’t seem so bad.

"Voluntary to get, required for some benefits" is another way to say "involuntary". What is citizenship but a collection of benefits?

> "Voluntary to get, required for some benefits" is another way to say "involuntary". What is citizenship but a collection of benefits?

This is pretty clearly a poor extrapolation. For example, Global Entry. Is signing up for Global Entry involuntary? It is voluntary to get, required for some benefits.

You're not getting any intrinsic benefits. If you are a US citizen, you are allowed to return to the US after international travel. Global Entry doesn't change any of that.

On average, it does make returning easier, which is nice... but the machines could be out of order, or you could be flagged for questioning in the usual manner, etc.

If “making something easier” doesn’t count as a “benefit”, I think that maybe there’s a fundamental disagreement about what it means for something to be beneficial.

Global Entry is pretty clearly beneficial for the user, as part of the border control experience. Whether having things like Global Entry is beneficial to society is, as `tptacek points on parallel to your comment, a very different question.

Global Entry is deeply problematic for exactly this reason, and all it does is speed you through a line at an airport!

The main purpose of government is providing infrastructure like roads and bridges, as well as enforcement of property rights and security through police and courts, as well as through healthcare and armed forces.

You get all of that without this hyothetical ID. Unemployment benefits is somewhere much further down the list. It could be argued to be a security measure both to keep the crime rate lower and to prevent an uprising from disenfranchised poor people, but it serves this purpose just fine even if a few people voluntarily opt out.

The main purpose of government is providing infrastructure like roads and bridges

Roads and bridges being a government function is a somewhat recent notion that we've grown accustomed to.

Historically in the United States, roads and bridges were privately owned, and users paid a toll to a private person or company to use them. This was one of the many disagreements between the states that led to the Civil War.

There are plenty of private roads and bridges still in existence in the Untied States, mostly in the older states.

One example: http://www.dcdbc.com

> The main purpose of government is providing infrastructure like roads and bridges

> Roads and bridges being a government function is a somewhat recent notion that we've grown accustomed to.

> Historically in the United States, roads and bridges were privately owned, and users paid a toll to a private person or company to use them. This was one of the many disagreements between the states that led to the Civil War.

> There are plenty of private roads and bridges still in existence in the Untied States, mostly in the older states.

> One example: http://www.dcdbc.com

I've always wondered about the bridge at Dingman's Ferry. Reading through the website, I wonder how they could possibly enforce the penalty for overages in terms of tonnage. Since they are a private entity would law enforcement issue a citation or would the bridge corporation be forced to litigate?

Wouldn’t anyone who did that be subject to a civil suit for damages? Also the bridge owners would have insurance.

In addition to standard economic devices like tort and insurance, the bridge owners could have a part of the road before the bridge that is designed to buckle or alarm if a weight is exceeded. That would save them a lot of money and frustration.

I figured as much with regards to civil suit, was just curious about public enforcement of private regulations when the lines appear blurred. Further, I wonder by what authority they can even set monetary fines? Like, why stop at $X for a fine? I ask because their site lists specific penalties which seem somewhat arbitrary [0]. I can't arbitrarily "fine" someone $1000 for stepping on my lawn. I can certainly take them to court for trespassing and possibly collect some damages, but those damages are not a fixed value in a fee schedule. So I wonder how this corporation has the authority to impose fines.

[0]: https://dcdbc.com/ratesandrestr.php

It looks like it's not a fine in the sense that refusal to pay can result in suspension of your driving license and possible wage garnishment. They don't even call it a fine but a "penalty". Basically they ask you for $50 or $100 depending on which limit you exceed, and refusal to pay risks a court case. I'm guessing the bridge needs to be inspected after the weight limit is exceeded or if a taller vehicle strikes the structure. The cost of inspection likely exceeds the penalty. They could easily ask for thousands of dollars in compensation. And even if you win the case, you have to pay for a lawyer and spend time in court. It's easier for both parties if the driver just pays the penalty.

I don't think it's a particularly recent notion. Ancient cities are the archetypical government, providing defense, some sort of justice system, and (often paved) roads. We see evidence of that from as far ago as the nearly 6000 year old city of Ur. Where larger empires existed, they often built larger road networks between cities to facilitate commerce and troop movements. The Inca road system and the Roman roads are well known examples of road networks built by their respecive empires. The Romans are also kind of famous for their bridges (viaducts and aquaducts).

Of course the less important roads were and still are often private, and the early US had an atypical lack of government that made this more common. But I don't think that proves that governments providing roads and bridges is a recent phenomenon, it's in fact rather ancient.

I don't think it's a particularly recent notion.

That's why I specified in the United States.

The US government exists to collect taxes, pay debts, prove for common defense and provide for the general welfare.

Roads were historically a local and state priority, so be careful with your modern conservative principles, as they probably are not compatible with your lifestyle.

How is that different from requiring vaccines for public school, a license to drive a car or fly a plane, or even a safety course and hunting license to hunt? Most of the things that are benefits of citizenship that don’t require any voluntary steps are true “public goods”, like national defense or the societal benefits of education, etc.

It seems more like the whole "Raise your drinking age to 21, or the federal government will withhold road improvement money from your state." It's coercion.

Employment is also voluntary yet we are somehow okay with it being necessary to not become homeless and will often accept terms which are very biased towards the benefit of our employer.

We have those. They're called Passports. But the rub is that some states and local municipalities will not accept a US Passport as ID. Which makes no sense what-so-ever.

> Sure, then don't ask for unemployment benefits.

Does that mean they would get to not pay taxes that pay into unemployment funds too then?

This line of thinking sounds consistent but actually isn’t: even if you’re against the government interfering in your life, you’re still entitled to the benefits that you paid for. Your line would only be consistent if the individuals could opt out of paying. This is the source of the “coercion” claim that libertarians make.

There is a non-trivial portion of citizen minorities who cannot get IDs because they do not have birth certificates.

First of all, an ID doesn't need to have anything to do with citizenship. It can also be a claim of residence like a driver's license in the US.

Second, if people are eligible for benefits, they are clearly being recorded in some fashion. If the benefit requires permanent residence in the US, I would presume most states are attempting to verify this as well.

In either case, this can be used for either a residence ID or a stronger ID that proves citizenship or immigration status, the latter resembling the national ID cards that many EU countries (among other places) have.

USA is set to require a passport or state-issued Enhanced ID [0] for domestic airline travel this year. It's about as close to a "national ID card" as it can get.

[0] https://www.dhs.gov/enhanced-drivers-licenses-what-are-they

Here is your comment:

>First of all, an ID doesn't need to have anything to do with citizenship

Here is the comment further up that this comment is in the context of:

>It amazes me that there is no authentication provided by governments in the US to citizens.

Do you see why we are talking about citizenship now? Especially when much of the discussion is revolving around voting as well, which does require a certain citizenship status.

The discussion was about unemployment benefits, which in most every case is not limited to US citizens. I believe that when the person who you quoted used the term "citizens," they meant it in a looser sense to refer to people eligible for unemployment benefits, which is what I responded to. Citizenship is also not sufficient proof to receive benefits, so I'm unclear why we're trying to add another confounding factor when states already have a (less than comprehensive) system for tracking residency that can be adapted.

You can get an ID without a birth certificate, many people do. And it has nothing to do with minorities; a large percentage of people without birth certificates are white.

Or social security numbers. Or tax returns. Or proof of address. Or... basically anything that can reasonably indicate that they are who they say they are.

Except if its about voting and then any amount of intrusion is fine.

And on the flip side, any amount of intrusion is fine, unless it's about voting.

Voting is a much more important right than the other rights, because voting is fundamental to the existence of a republic. One could argue that the right to bear arms exists for the primary purpose of protecting the right to vote.

Voter ID fraud is exactly the kind of thing that infringes on right to vote. Stronger protections on voting is what protects this right, not the other way around.

As someone who not only lives in a country with a widespread voting fraud (done by government officials), but also have been an observer on number of elections and have seen this taking place first-hand, I can't understand how relaxed are Americans about this issue.

> Voter ID fraud is exactly the kind of thing that infringes on right to vote.

There's a difference between "infringing on the right to vote," which is where you're literally preventing from someone from voting, and "diluting a legitimate vote", which is where your vote doesn't weigh what it ought to. Mathematically, it's the difference between scoring a zero and scoring some fraction less than one.

It turns out that, at least in the USA, advocates of voter ID requirements and other unnecessary impediments to voting in fact desire the opposite effect - that their votes be worth more than they would be if widespread voting by qualified citizens were easier than it is.

> I can't understand how relaxed are Americans about this issue

We're relaxed about it because the data (and we have measured and investigated, many times) says that voter fraud here is so rare that it falls well beneath the noise floor of statistical significance.

Many of them quite literally want voting licenses.

They are just loud and there aren’t many of them.

The bigger issue is that people who need services like unemployment and food stamps most have low penetration rates for things like valid government IDs.

> Vast numbers of Americans...

Very vocal (and provocative) minority

Better identification requirements is actually a right wing view in the US. Requiring it is now considered discriminatory.

You're forgetting the other half of the story which is insisting on requirements without providing the means to get it.


I don't understand why you're being hostile. I'm pointing out a very important point which you're missing.

Parts of the right.

The more libertarian parts are terrified at the idea of a database of Americans.

That's not really true. The Right is generally united on the point of wanting universal ID. Nothing totalitarian about a nation being able to reliably identify and distinguish its citizens.

Unfortunately the political Left believes that such ID, specifically when used as a means of election security, would lead to discrimination.

You are conflating two things: a national/"universal" form of ID, and voter ID.

Voter ID is the requirement to show ID at polling stations in order to vote. That's what the left is generally concerned about. It's a separate concern from whether a national ID card ought to exist.

On the other hand, the existence of a national ID card is generally opposed by people on the right, which is the opposite of how they feel about voter ID.

The right at this point has long been pretty in favor of the surveillance state. Both sides have frankly.

If it were assigned for free when you were born and there was no effort associated with getting it or working with it, then there would be no issue. The current problem is that a driver’s license takes a long time to obtain (because the DMV wait time sucks as we all know), and because it’s not free. This means that it’s a lot harder for someone holding down 3 jobs or working during DMV hours to get one. You are basically making it more difficult for an already under-represented group of people to vote. It’s not that it’s impossibly hard or totally preventative, it’s just another obstacle.

The problem is that if the ID is not free, it could constitute a Poll Tax:


Which is against the constitution. It also disenfranchises voters who do not have a permanent address.

Those are both pretty simple issues to address. Many Democracies around the world use some form of voter ID and we could easily just follow their implementations with some adjustments.

Right but every proposition suggesting those elements gets struck down. It isn’t about voter ID, it’s about not letting poor people vote

> Unfortunately the political Left believes that such ID, specifically when used as a means of election security, would lead to discrimination.

I'm not an US citizen but this is the first time ever I've heard this extraordinary claim.

Do you have any source to substantiate your assertion?

If you are a citizen of the united states, you get a vote if you're 18, according to the constitution. No tests, IDs, or other things are required. To add any additional burden is counter to the constitution, and as a result any additional burden could be seen to prevent people from voting that have the right to vote.

Nevermind that when you add additional barriers, discrimination occurs against anyone that cannot meet the barrier, or does not want to meet the barrier.

Example: - "tests" in the South during civil rights to prevent african americans from voting

- Requiring any sort of payment or money to create a Voter ID in a state. If the person does not have money or time this is discrimination and against their rights as citizens (you are not required to prove you are a citizen. your ballot can be provisional)

- Requiring someone be able to read. It's not a requirement to vote. Any forms requiring reading are a no-go.

- Requiring them to have a permanent address (again, leads to discrimination for those without addresses.

- Requiring someone take a lot of time they cannot afford to get an ID (again, some folks are working too many jobs to go to the DMV for a day)

the list goes on...

Some places have tried to institute voter id laws that require ids that are difficult/expensive/time consuming to get, sometimes specifically making it harder for the most downtrodden segments of society to vote. That's really bad and so there's an outcry. Sometimes the nuance of "discriminatory ID requirements are bad" gets lost in the zeitgeist and circulates as "ID requirements are discriminatory and bad."

You might just be surprised at how many US citizens do not have a state issued ID card. There are just a lot of poor people who can't afford to pay for the ID or their parents never kept their birth certificate and they just don't have the slightest clue what to do to get another birth certificate. It perplexes me, but some people are just that broke or just can't get it together enough.

Maybe the commenter above is thinking of a different point, or coming at it from an oddly phrased perspective.

The Democratic party relies on a certain segment of immigrant or immigrant-related citizens to vote in support of them. And if licensing / IDs are perceived to target and identify who is not a citizen (your relatives, friends), then they could lose support. I suppose it could be seen as a kind of "discrimination". And if some social services, policing, etc were to be able to use such ID, then illegal aliens would certainly be more at risk of being discovered or face more stringent (less porous) treatment in the law enforcement system.

I personally think this is a ridiculous situation from every angle, and unfortunately it's all tied up in our immigration and economic policies, so it's hard to disentangle or fix.

> so it's hard to disentangle or fix

Give the Id to everybody who wants it for free. If someone cannot prove citizenship, but they can prove having worked or lived in the US for more than 5 years (checks, bank receipts, etc.), give them citizenship.

There, problem solved. That way, you only discriminate against those who are either in the US illegally and are not working, or are working but have been illegally living in the US for less than 5 years, and both situations are fixable by the individuals themselves (work for 5 years and "earn" your citizenship).

Of course, what many want is an Id that can actually be used to prevent poor people from voting, while also being able to employ those same poor people at very low rates using the fear of "reporting them".

This is quite a common claim from the Left in the US. If you do a quick search in Left leaning publications on the issue of voter ID you'll see that stance dominates their discussion of the issue. I agree it's an extraordinary claim, but it's a conspiracy they've latched onto.

You can in fact see a child comment below where someone is commenting that the purpose of such ID is to disenfranchise the poor.

> This is quite a common claim from the Left in the US.

What about the source? Are you able to find anything that corroborates your extraordinary claim? Because I asked for a source, and you just reiterated your baseless assertion.

I dunno, this claim isn't extraordinary. MSNBC/CNN/Nytimes/WashPost say stuff like this all the time. It's a very common talking point. Certainly (in my opninion), the reason why some people are so interested in voter ID is to make voting harder.

There are many sources, if you don't trust me you should search yourself.

Here's one, representative of the general attitude. Voter ID's are discriminatory or pushed with discriminatory intent: https://www.huffpost.com/entry/heres-what-you-need-to-kn_b_9...

> Voter ID's are discriminatory or pushed with discriminatory intent:

Your own link does not support your baseless assertion. The only claim is that so far voter ID laws have been crafted to exclude non-white US citizens from the electoral process.

Taken from your article:

> New studies suggest that the motivation of these laws is suppressing non-white voters, and worryingly, that they will be successful at doing so.

Do notice that the remarks refer to voters (thus, citizens with the right to vote) who, due to their race, are being excluded from casting their vote.

If that's the best source you managed to produce then I'm afraid that you were either lying or very confused, because your original claim has zero basis.

> crafted to exclude non-white US citizens from the electoral process.

Reads a lot like

>> pushed with discriminatory intent.

You seem to be confused about what the point of disagreement is

If it were harder to scam the social safety net republicans would lose another piece of their argument against making it more comprehensive.

One of the reasons they are happy to cripple it.


I am as conceptually socialist and communitarian as they come but there are many reasons for the federal government not to be the identity provider.

It should set the rules (the GOVERNance) by which identity providers provide that service, but it should not itself be in that business.

My favorite way of thinking about it is- the US federal government is a singleton. In any system, you want your singletons to operationalize as little as possible, because they are hardest to change.

Another way- the US federal government is an immortal entity. It represents a perpetual accumulation of all kinds of debt- legal, administrative, technical, financial, whatever. Building and scaling new operational systems within an infrastructure consumed by debt is doomed.

The thing it can do is creating the rules and policies by which a federation of private entities can operationalize a particular need. These entities have limited lifespans, can fail, and have profit and efficiency motives, can compete for business, and are overseen and supervised.

This structure exists in lots of areas, and is more successful in some- banking- less in others- military contracting. But it's vastly preferable to that work being done in the singleton itself.


If governments are singletons, what are individuals? Maybe individuals are other objects? And now the individuals don't need to hold a reference to a government service object if they want to authenticate a message they get from another object. They just ask an identity provider object. But which one? Do individuals have a list of identity provider objects? But what if the sender is using another identity provider object they don't have? Ah! The message could contain a reference to an identity provider. But why should the receiving object trust it? Wouldn't it have to ask a government service whether the identity provider is to be trusted? No silly, we don't want a government reference! It could ask other individual objects whether they trust that identity provider object! Then cache the response? Help me out here, how does reputation work?

Seriously though, you're just moving the problem around. Adding complexity. I mean, does an identity provider object still respond to messages when it's entered bankruptcy proceedings? If you're going to use an analogy, find one that informs.

Snark aside, agree that identity is a complex problem- and compartmentalizing it into components with well-known lifecycles that have known failure modes is the right solution.

The alternative- a single monolithic identity system? No, thanks.

Note- large governmental IT systems underlying programs like Medicare and Medicaid are not operated by government employees, they are operated on a contractual basis by large IT shops. You just don't know who the operator is. That's arguably suboptimal- but a different conversation.

To the specific question- what happens in this model when an identity provider goes into bankruptcy- the same thing that happens when any entity providing critical services goes into bankruptcy.

When a consumer-facing bank fails (for instance), the bank's customers

a) don't lose their money b) don't lose access to banking services

Their accounts are taken over by a comparable entity operating in the same geographical area.

When a critical insurance provider fails, the other entities providing comparable insurance in the operating areas have to take those contracts (even if they are terrible contracts, which they likely are, because they caused the provider to fail).

It doesn't always seem like it, but this kind of market partitioning and supervision is something that in the US both federal and most states do quite well. We should have more of it.


...debt- legal, administrative, technical, financial...

If you're right, then you can institute devolution of any of those things and the issues you cite are going to build up over time. It will just happen at different levels in because it's spread around some many different systems.

The unemployment issue is an excellent example of this. You want to know the reason why Congress gave a flat $600 to all UI recipients even if it would be more than they were making before? Because there isn't a single unemployment system, there are 50 systems each unique, each with their own "debt", and trying to implement appropriate strictures in all of those systems would have delayed that part of the stimulus for months, if not longer.

The way you deal with those issues is by having infrastructure that is built to deal with the issue. Call it societal/social/legal "garbage collection". Whether or not we have such infrastructure, you don't get rid of the problem by shuffling it around.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact