
I've read all the comments, and as usual, no one's asked "what do other industries do?"

Money-handling, for example (banks, payment systems). If ever there was a Fraud Magnet, that's it. I've heard PayPal described as "a giant fraud-detection system, wrapped around a tiny money-transferring system."

And yet, they don't seem to be in the news all the time like "data theft" stories are. Could it be that the legal and regulatory and insurance systems have made it a manageable problem? Someone steals your credit card, your losses are capped. Someone steals your Personally Identifying Information, sorry, pal; change your passwords.

So maybe treating PII as the same thing, in every way, as money is the answer.



One useful move would be changing laws around identity theft so companies are liable for any costs incurred from their failure to verify identity, or for reporting credit issues from unvalidated activity. Americans worry about things like SSNs getting breached because they don’t want to get someone else’s bill — if companies were required to check photo ID against a real person (not an uploaded photo) that’d be a much harder crime to make financially viable.


Indeed, it is ridiculous that "identity theft" places a burden on the person whose identity was used - if someone opens an account in my name and the only "evidence" is having provided something that other people (e.g. my mother or spouse) can know, then in any dispute it should be illegal for that fraud/debt to appear on my credit report.

That's how most of the world has mostly solved identity theft; however, it's not that easy to implement in the USA because there's no system of universal secure IDs in the USA (by design) - there's a multitude of ID forms, some of them not really secure (easy to forge, no verification that it was really issued by the institution that supposedly did so, no easy process to quickly verify online whether the provided credential has been lost/stolen/revoked, etc.), and there's a sufficiently large minority of potential customers who don't have a valid ID.

It would be helpful to have laws that clearly assign the credit fraud risk fully onto the defrauded companies instead of the people whose identities were used, as experience shows that this would rapidly result in improvements in fraud elimination (there are all kinds of measures that are simply not taken since they add friction). However, a proper solution does require a decent state-run identity system as the foundation of trust, and the USA has made a political decision not to have one.


>appear on my credit report

The root of the problem is sharing the private information. Why are your credit reports shared among completely different entities? Nobody wants to give them consent to share your private information.

> system of universal secure IDs

Actually, it's the opposite. The US has a universal ID (not secure, though). That's the problem. If there exists one idiot who doesn't verify your identity, everything fails in a chain reaction, because everybody else believes the idiot.


> The US has a universal ID (not secure, though)

Do we? Our SSN is not a unique number, and not just because the keyspace is too small for our population. (It's worse: some of the prefixes are geographically related.)


SSNs have not been issued with a geographic prefix in a decade. I'm not sure if you're really suggesting two different individuals are issued the same SSN, but no, they never are. SSNs are never reused.

https://www.ssa.gov/employer/randomization.html
https://www.ssa.gov/employer/randomizationfaqs.html


> SSNs have not been issued with a geographic prefix in a decade.

Even if what you say were true, handwaving this as unimportant because it only affects people over the age of ten seems a bit silly.


SSNs are entirely insecure as mentioned earlier in this thread. Geographic prefixes are a drop in the bucket on that front.

The post that I replied to is almost entirely incorrect as it relates to available SSN "keyspace" (misnomer), uniqueness, etc., for which geographic prefixes and group numbers are relevant.

I supplied direct sources, so no idea what your “even if what you say were true” skepticism is rooted in.


With "ID" I mean "a photographic ID document used for verifying one's identity" - SSN (or, really, any "something you know" factor) is not an insecure ID; it doesn't even attempt to be one.


> Nobody wants to give them consent to share your private information.

Freeze your credit. Burden shouldn’t fall on the consumer, but it’s easy and easy to lift when needed.


The problem is knowing when to take action. It could be months after the actual event before you find out about it. And you’re liable for everything in between.

Identity theft is actually just fraud. And the companies that allowed the fraud should be required to shoulder the burden of addressing that matter with the actual people who committed the fraud. No part of that burden should ever be placed on you, just because someone pretended to be you and committed a fraud.


I wish proving your identity used asymmetric cryptography. So that if one company's database is compromised, your identifier key isn't compromised, just a public key and/or some value signed using your private key.


Oh, trust me, I know that this is a self-inflicted problem — we have too many people who subscribe to conspiracy theories about things like the “mark of the beast”. It's just somewhat impressive to see how effectively companies created a new category of crime to direct attention away from their negligence.


See, I do understand the distrust of the state with the ability to cut people off from society, by revoking an ID for example. Especially if there are laws around the ID checks being mandatory (which I am generally against).

But I think this is mitigated as long as it’s optional for a company. The company is held liable for any fraud that they allow. The company has the option to use the government ID to prevent fraud, but they can also assume more risk and take on a customer without the “official” gov ID, if they want to.

I can see this resulting in something like creditors saying: “either you can use a govID to sign up for this credit card, like normal. OR you can send us a $10k deposit and forego the govID entirely, if you like.”

This solution makes it so that companies are held more responsible, but decreases the risk of having more government power by making it a decision for the company’s “risk management team” to decide.


> See, I do understand the distrust of the state with the ability to cut people off from society, by revoking an ID for example. Especially if there are laws around the ID checks being mandatory (which I am generally against).

How does that not already happen, just inefficiently? It's hard to function in the U.S. if you don't have a Social Security Number — that's why people bother using someone else's — and we already have a de facto ID system for most people but it's a patchwork at the state level which was somewhat federalized with RealID.

It's hard to imagine an environment where people would unjustly be “cut off” where the state level system would prevent abuse which would otherwise happen — it's not like, for example, California stopped politically-motivated DHS activity during the Trump era.


I don't remember where, but Ross Anderson said something like "It's not 'identity theft', it's personation.".


Identity theft or bank robbery? https://youtu.be/CS9ptA3Ya9E


Yes, a fine explanation from Mitchell and Webb, worth keeping in mind.


> theories about things like the “mark of the beast”

My hope is their anti-vax research eventually leads them to learning about DNA.


The problem isn't with a person having a UUID of some sort (of which their genome is one). The issue is that the Book of Revelations talks about a Mark people will need to have stamped on their arm and/or forehead in order to be able to conduct business. I.e. it's a problem of allegiance, not authentication.

So, in practice, anything that pattern-matches to "people will need to carry some sort of token given by a big organization (private or public) to pay or be paid for goods and services" will be viewed by some as the Mark, or a slippery slope towards the Mark.


Last I checked, the anonymous web was effectively dead. Or do these people not use the internet either?


They do, but most people aren't aware how the Internet works. Hell, most people haven't learned the concepts necessary to comprehend what information is (personal or otherwise) and how it behaves - not in terms of technology, but as a fundamental component of reality.

Anyway, the Mark as described in Revelations is pretty... bodily, for lack of a better term. It evokes the image of getting a barcode stamped on your arm or your forehead, in exchange for swearing fealty. The Mark feels like a concrete, physical thing. That's why things like "government ID" or "payment chip in your arm" pattern-match to this prophecy for so many people, while things like "mobile phone number" or "e-mail address" don't.

(There's also a factor of scale/graduality. For people alive this century, countries and governments were always a thing. A big thing. Banks too. The governments, the UN, the international financial system - they look big, evil, and pattern-match to the Beast. In contrast, for most people alive today, mobile phones and e-mail addresses were something they've seen introduced gradually, from great many independent vendors. They don't have this obvious Beast-like quality.)

Source: grew up as Jehovah's Witness. While I obviously can't speak for all fundamentalist Christians, and while JW teachings don't consider government IDs to be the Mark[0], I got pretty familiar with the patterns of thinking people show around this topic.

--

[0] - They do, however, believe that the Beast described in the Revelations is currently embodied by the United Nations. So if the UN ever proposes a common ID scheme or an electronic payment system, I'm pretty sure plenty of Witnesses will throw a fit.


If it were genuine research, sure. But it is likely looking for anything that looks like support for the theory and ignoring everything else.


To be fair, all the anti vaccination people I know are solidly liberal, non-religious types who believe in "natural" medicine, etc.


> if companies were required to check photo ID against a real person

It'll be really hard to convince people to give up the convenience and higher returns of online-only banks.

A better option would be using cryptographic digital signatures by an HSM (smart card) to verify ID for financial services.
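The two comments above (the earlier wish that identity proofs used asymmetric cryptography so a breached database leaks only public keys, and this one's suggestion of HSM/smart-card signatures for financial services) describe the same challenge-response pattern. The following is an added illustration, not code from any commenter or from any real bank or card: a relying party (hypothetically named "bank") stores only Ed25519 public keys, issues a fresh random challenge bound to its own name, and accepts a signature exactly once. The `NewHolderKey`, `RelyingParty`, `Enroll`, `Challenge`, `Verify` and `Sign` names are assumptions for the example; in a real deployment the private key would be generated and used inside the card and never be exportable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RelyingParty is what a bank or credit bureau would store and run.
// It keeps only public keys, so a breach of its table yields nothing a
// thief can use to answer a later challenge. (Hypothetical type for this example.)
type RelyingParty struct {
	name    string
	keys    map[string]ed25519.PublicKey // customer id -> public key
	pending map[string][]byte            // one outstanding challenge per id
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{
		name:    name,
		keys:    map[string]ed25519.PublicKey{},
		pending: map[string][]byte{},
	}
}

// NewHolderKey models the key pair generated inside a smart card or HSM.
// Only the public half is ever sent to a relying party.
func NewHolderKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Enroll registers a holder's public key under a customer id.
func (rp *RelyingParty) Enroll(id string, pub ed25519.PublicKey) {
	rp.keys[id] = pub
}

// Challenge issues a fresh 32-byte random nonce prefixed with this party's
// name. The name binding stops a signature obtained by party A from being
// presented to party B; the nonce makes a signature captured earlier useless.
func (rp *RelyingParty) Challenge(id string) ([]byte, error) {
	if _, ok := rp.keys[id]; !ok {
		return nil, errors.New("unknown id")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c := append([]byte("auth:"+rp.name+":"), nonce...)
	rp.pending[id] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge and consumes
// the challenge, so the same signature can never be replayed.
func (rp *RelyingParty) Verify(id string, sig []byte) error {
	c, ok := rp.pending[id]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.pending, id) // single use, even when verification fails
	pub, ok := rp.keys[id]
	if !ok {
		return errors.New("unknown id")
	}
	if !ed25519.Verify(pub, c, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Sign is the holder's side; in practice the card computes this and the
// private key never leaves it.
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := NewHolderKey()
	bank := NewRelyingParty("bank")
	bank.Enroll("alice", pub)

	c, _ := bank.Challenge("alice")
	sig := Sign(priv, c)
	fmt.Println("genuine login:", bank.Verify("alice", sig))

	// Replay: a leaked transcript of that login does not work a second time.
	bank.Challenge("alice")
	fmt.Println("replayed signature:", bank.Verify("alice", sig))

	// Breach: an attacker holding the bank's whole table (public keys only)
	// still cannot answer a challenge; all they can do is sign with their own key.
	_, thief, _ := NewHolderKey()
	c, _ = bank.Challenge("alice")
	fmt.Println("thief with leaked table:", bank.Verify("alice", Sign(thief, c)))
}
```

Contrast this with an SSN or date of birth: there the relying party's stored copy is the same secret the holder presents, so one breach anywhere compromises every other relying party. Here the stored public key is not a secret at all, and a captured signature is bound to one party's one-time challenge.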


We have online banking here in Norway, have had for decades in fact. We don't have any problems with verifying ID.


Video ID verification works quite well in many cases.


It's not theft. It's fraud.

Framing the action of defrauding a person as a downstream effect of being a victim of theft, is nothing short of institutionalised victim blaming. No, just no. The person was defrauded because of stolen identity and/or payment info documents. They were not a "victim of theft": they were a target of fraud.

Calling it theft is a sleight of hand to absolve banks, payment providers and businesses from their responsibilities.


This is fundamentally why "identity theft" exists at all. It's sleight of hand for moneyed interests to shift the responsibility of being robbed onto their customers. It's no wonder "identity theft" is such an issue since there's so little incentive to use a not-broken means of verifying identity.

Using a secret number to verify identity is absurd and hilarious.


> So maybe treating PII as the same thing, in every way, as money is the answer.

How? Money is fungible, PII is very much not. It's not like they can give you a new identity if your identity is stolen.


I have doubts about PayPal's anti-fraud capabilities. They allowed someone to open another account with the same name and address as mine, but with a different phone and email, without any confirmation. And that person bought something, and after it wasn't paid for, gave my information to collectors…


What would be the cap for losses from losing PII?

Credit cards generally have one use: payments. Usage is not difficult to quantify. The card is generally worth the same to whomever is in possession of it.

PII has a multitude of uses. The prices offered on the black market for PII do not reflect its value to those that it identifies or those from whom it was stolen.


If we treat PII as money, it implies the loss can be clearly quantified and loss can be compensated for.

The banking industry isn't better because it has solved the problem; it is just hiding behind the fact that the victim can be compensated and hence insurance can cover all risks.


I've heard Paypal described as a "giant fraud system"


But GDPR and cookie banners forced me to stop selling my startup services in Europe :(. /s



