Interesting.

So, the IRS issues everyone a unique identifier at an unknown point in time. Separately, a federation of businesses decides it needs to share records to estimate a customer's likelihood of conducting business in good faith. This federation needs a globally unique identifier that can be used to collate these records into a single profile. It decides to use the IRS's unique ID, which means a whole host of companies require you to provide this identifier in order to do business with them. The credit profile also establishes a system whereby someone else's identity can be more useful than your own when it comes to procuring services.

Most of the companies that require a credit check treat their business with a particular individual as confidential. Over time, they establish customer support call centers and require that the customer authenticate with a shared secret before providing support. Most key their records off this globally-unique ID (your social security number), and it becomes the industry norm for the second half of this ID to be the shared secret you use to verify your identity.

So, you've got a shared secret that we expect to be fairly well-protected, as someone can use it to falsely identify themselves as you and rack up bills in your name. The second half of this secret is freely shared over the phone, as it's presumably useless without the other half.

Meanwhile, the authority that issues this ID is completely separate from the consumer credit system and uses it for a completely different (and less consequential) purpose. It changes the policy by which it grants this identifier, whereby the first half can now be fairly well predicted with a known piece of information (where an individual was born).

As a result, the infrastructures of many critical institutions presume that a secret they don't control is fairly well-guarded, and the inertia of their old decisions leads them to freely pass around the only part of the secret that is still hard to guess.