Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> once someone knows the ins and outs of a system, sometimes there are very few barriers internally to check that an order/paperwork is legit.

It sounds to me like they are using security-by-obscurity, as well as easily forgeable proofs such as "signatures" or drivers licenses (they're only as secure as your ability to spot a forgery). Hence why anyone who is knowledgable and determined enough, can easily crack the system.

If you want to prevent such problems, you could either go really old-school. Require the person filing documents to show up in person, and be personally identified and recognized by someone in-house. Or go really new-school and only accept biometrics or digital paperwork that has been filed using a secure account accessible only by that person.

Using an in-between approach, like a signed paperwork that has been given to you by someone you don't recognize, is the worst possible solution.



The usual way to fix these sorts of things is to ensure there are multiple independent barriers to fraud. 2 factor authorization is an example. Double entry bookkeeping is another. Independent audits is another. Separate checks for unusual activity is another.


The latter two explicitly acknowledge that spotting fraud is a probabilistic activity.


If it was certain, one wouldn't need multiple layers of security.


Yes, definitely. It's just that much of the discussion about controls and checks is often framed in the language of certainty.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: