
This is also a problem with Square, and Stripe, and Paypal ... it's an unsolvable fraud/scammer problem.

Basically, if there was customer support that could fix the problem, then skilled scammers can get money and control out of them. They can do it a lot better than you can get your stuff re-enabled, they know just when to say what to whom.

Verizon just accepts the inefficiency, and also over-charges random customers, sometimes hands over control of a phone number to a scammer so they can get auth codes over SMS, has clueless support, etc. Google hasn't accepted this way of the world yet (but in scaling up the support has necessarily become disempowered).

It is very frustrating. It's a nature of things going mass-market. Just a few people, everything can be nice. Too many people, scams and fraud become big problems.




>it's an unsolvable fraud/scammer problem.

credit card companies and traditional banks and credit unions handle it fine.

>Too many people, scams and fraud become big problems.

if the solution to fraud is un-fixable account freezes, you have not actually solved anything. It is fraud itself.


They most certainly do not "handle it just fine". They are highly scammable, they know it, and it's "solved" by moving as much of the burden and repercussions onto the consumer as possible.

I've had my identity stolen, and both my wife and I have been mistaken for somebody else. There ARE ways to move past this condition (inline with Google Pay, apparently), but it's just done via trust. Or apathy. Or acceptable risk. Or some combination thereof. It never truly goes away.


Huh. I've had credit card companies call me proactively when they thought something was wrong, before I caught any stray purchases. They refunded the money before I knew my card was stolen. So that was nice.

But then I've also heard pure horror stories about stolen identities, and I am genuinely sorry you faced any of that.

So what's going on here...

I think this is due to one aspect of their model that is ultimately an improvement, even though it still completely breaks at moments.

+ + Your card number is not your account. + +

Ie, if your CCN is compromised, it's disposable without starting your relationship with the company entirely from scratch.

Your "identity" though is not disposable. Your identity controls your relationship with the company and is not disposable. That causes major problems when hijacked, as it did for you. And that's not fixable (or at least not easy to fix at all).

So while we might not be able to solve the problem with identity, we can create firebreaks -- disposable parts of the infrastructure that attract some thefts because they allow quick wins. Ie, CCNs provide access to money. That funnels a lot of theft towards something that is easy to monitor and patch.

The identity theft remains an issue, but hopefully hits fewer people.

One thing that makes Google struggle is that they combine all of these interactions together. Nothing is revocable without resetting your entire relationship.

Given that they started as an email service, I have no idea if it's even fixable from where they are.


How is the Google way not even more so "moving as much of the burden and repercussions onto the consumer as possible"? They let fraudsters kill your accounts just so they don't have to take any liability or staff humans.

I've said this and will say it again, Google doesn't know how to deal with humans. They've failed in every endeavor where humans have to be in the loop.


I was going to say this but then I realized that what was meant by consumers was of course the people buying the services from the people whose accounts are cancelled. So the argument is that in the credit card world it is harder to cancel the accounts of scammers, and the people who buy from them must suffer more.

Not sure if I agree, and it does seem to me that Google's way is worse because at least there are some legal protections for people (consumers) who are scammed in the credit card way but in Google's way there is no protection of any sort for people whom the system dislikes.


Not to defend google but the problems they are having now to access their own google play are the same problem a scammer would have to go do it.

It does not look like a perfect balance, but they apparently err on the security side.


A bank solving your issue as “acceptable risk” and trust, and it results in me being able to access my card and bank account, to me it’s “just fine”.

If google takes the path of rather locking everything down than risking to lose a cent, it’s safe for them and bad for customers... not fine.

Sure risk is never just dissolving into light, nice smelling smoke. Someone has to take and handle it.

I propose it’s the company who makes billions to handle it gracefully for customers ...


>>>it's an unsolvable fraud/scammer problem.

>> credit card companies and traditional banks and credit unions handle it fine.

> They most certainly do not "handle it just fine". They are highly scammable, they know it, and it's "solved" by moving as much of the burden and repercussions onto the consumer as possible.

That's false. Credit card companies are required by law (at least in the US) to shield customers from the repercussions of credit card fraud.

I've had my card number stolen twice, once by someone who used it in the same metro area as I live in, and in both cases it went about as smoothly as you could imagine.


> it's "solved" by moving as much of the burden and repercussions onto the consumer as possible.

I've had fraudulent charges on my credit card several times, and I've had checks stolen, and in no case I had any repercussions and financial burden shifted on me. I didn't pay a cent, and both credit companies and banks never tried to claim I am responsible for it - they rolled back the charges and reissued account numbers and that was it for me. Maybe I'm just exceptionally lucky, but my impression from other people is that this is what happens in most cases like mine. Of course, whole full-blown identity theft is a different matter, probably harder to handle.


Nothing ever truly goes away until relativistic effects dominate.


It fixes one "fraud" path - where somebody seizes control of an account and holds it for ransom. Since the account itself is effectively destroyed by any flagging, it's then of no use as a hostage. An account that is flagged in any way is no longer of any use at all, no point to taking them over.

Of course, a scammer could threaten to destroy your accounts, and can do so very easily and credibly... So that's not exactly a huge improvement.


> This is also a problem with Square, and Stripe, and Paypal ... it's an unsolvable fraud/scammer problem.

It's compounded by the fact that Google has the primary element of your 21st century identity: your email address.


I recommend anyone who likes Gmail to use your own domain name@example.com and just forward all messages to your Gmail address. Only give out your own example.com email and set it as the reply to.

Even the cheap budget registrars offer email forwarding for free and I have never had any trouble.

This gives you the benefits of free Gmail without handing your entire life over to them. At least with a tld there is some due process and rules to protect you.


You’ll find that if you do this, you start getting emails directly to your gmail anyway. I never give out my gmail address, but I use gmail and they happily report my gmail address when they send email as my “real” account. (Both email addresses are included in emails I send.) And upstream they are happy to respond to that gmail account when people hit the reply button.

So I have tons of people who would essentially see my contact as a black hole if I abandoned my gmail address at this point, because Google seems to have deliberately crafted their clients to prefer the gmail address rather than the “real” address. Essentially treating the gmail address as if it’s a reply-to.


It's because of Google's use of 'From' and 'Sender' headers in gmail. If you set up an SMTP server to send your emails from for your @example.com address then Google won't mess around and the emails appear to actually come from the email address you want out there, not your @gmail.com.


Or just pay Fastmail $30 a year for such an important 21st century utility such that e-mail is.

I don't use gmail for anything else except throwaway accounts. Who wants to run an SMTP server.


Crazy how many people don’t view email as a critical part of life infrastructure worth paying for.


You can actually set up gmail to send through an external server? I had no idea they’d support that. Running an SMTP server is absolutely not something I’m willing to do, though. Aside from the general setup/maintenance hassle, all the big companies are aggressive at blocking spam and private SMTP servers are just tough to keep unblocked these days (or so I read).


If you have GSuite you can, but I doubt it is possible for individual accounts. [1,2]

You can however send email to google's SMTP server, using an ordinary gmail account [3]. This is how email clients (Eudora, Apple Mail, sendmail) work. The only trick is that they force it to be authenticated and encrypted.

I believe (but have not verified recently) that if you send an email with an email address/domain other than of the authorising account, it will be delivered, even lacking all SPF etc. But, it will block for anything above small quantities of mail, and unless you set up DMARC for your domain, it will still get dropped or marked as spam. [4]

Running an SMTP server for yourself is actually fairly simple (okay, assuming a deep background in linux, but very educational). The real drama is DNS/DMARC/SPF/DKIM and users ruining your reputation.

[1] https://www.datto.com/resource-downloads/SettingUpExternalMa...

[2] https://support.google.com/a/answer/178333?hl=en

[3] https://www.digitalocean.com/community/tutorials/how-to-use-...

[4] https://kinsta.com/knowledgebase/free-smtp-server/


It is, I do -- inbound email forwarded to gmail, outbound from gmail goes out through my server and while it's obvious it's from gmail, it doesn't actually include my gmail address anywhere.

Sending from Google's servers using my address would cause SPF and DMARC failures, so if you want to do that then they'd have to make sure it's clear that the mail is actually from gmail.


Last time I tried this they forcibly rewrite the sender as your gmail account.


This happens because you use Google's own SMTP. If you configure an external SMTP (e.g. Amazon SES) then the gmail webapp won't tell your gmail address to third parties.


DNS aren't too reliable. Stealing your own domain is easier than stealing google's own domain. If you use that e-mail for primary ID, getting even temporary control on your domain allows stealing all your accounts.


I wouldn't advise doing this. Forwarding all your email from one provider to another doesn't really work in today's Internet.

The problem is that from gmail's point of view your registrar is now sending it a lot of spam. So it'll block the registrar or filter it more aggressively.

Also if you get email from a 3rd party who uses domain-keys, spf, etc (eg just about everyone) then those emails will be failing all the checks when gmail receives them.


You misunderstand jjeaff. He suggests making the MX of yourdomain.tld point to Gmail's MTAs. This is what he means by "forwarding email". This is the best-practice way to do it and works perfectly well.


This is inaccurate.

I have namecheap forward all of my email from *@my-domain-name.com to my.name@gmail.com. Works no problem, has for several years. Prepared for the eventual switch to FastMail when they support multi-label messages.

The only messages that end up in my spam folder are spam for knock off online pharmacies.


Hmm [goes off and does more research].

Okay, it appears this is so common that gmail has some guidelines that if people follow they are usually okay:

https://support.google.com/mail/answer/175365?hl=en

It does look like namecheap filters spam aggressively so possibly that helps.

In general be careful for the reasons I mention. But it looks like if you follow the guidelines with gmail then you'll be good.

Sorry for the inaccurate information.


I've been doing this for years without any trouble.


Agree, and I've been doing this for about a decade with very little problem. (Google do add both a Sender and From, with the Sender being your GMail-address. But that has not been a problem.)
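
The comments above describe mail sent from a custom-domain address carrying the mailbox provider's address in a second header (`Sender` next to `From`). As an added example, not code from any commenter: a small Python audit that lists which sender-side headers disclose an address other than the one you publish, and where a standards-following reply (Reply-To if present, otherwise From, per RFC 5322) would go. The addresses and the three messages are constructed placeholders, and `audit` and `header_addresses` are names made up for this example.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers in which a recipient (or their mail client) can see a sender-side address.
IDENTITY_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def header_addresses(raw_message):
    """Map each identity header present in the message to its lower-cased addresses."""
    msg = message_from_string(raw_message)
    found = {}
    for name in IDENTITY_HEADERS:
        values = msg.get_all(name, [])
        addrs = [addr.lower() for _, addr in getaddresses(values) if addr]
        if addrs:
            found[name] = addrs
    return found


def audit(raw_message, public_address):
    """Report addresses other than public_address that the headers disclose,
    and the address a reply would be sent to (Reply-To first, then From)."""
    public = public_address.lower()
    found = header_addresses(raw_message)
    disclosed = sorted(
        (header, addr)
        for header, addrs in found.items()
        for addr in addrs
        if addr != public
    )
    reply_target = (found.get("Reply-To") or found.get("From") or [None])[0]
    return {
        "disclosed": disclosed,
        "reply_target": reply_target,
        "reply_reaches_public": reply_target == public,
    }


# Constructed sample messages (assumptions, not captured mail).
PUBLIC = "alex@example.com"
PRIVATE = "alex.private@mailbox-provider.example"  # stands in for the provider mailbox

# Custom From address, provider mailbox in Sender.
MSG_PROVIDER_SMTP = (
    "From: Alex <alex@example.com>\n"
    "Sender: alex.private@mailbox-provider.example\n"
    "To: friend@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Sent through an external SMTP server: only the public address appears.
MSG_EXTERNAL_SMTP = (
    "Return-Path: <alex@example.com>\n"
    "From: Alex <alex@example.com>\n"
    "To: friend@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Reply-To pointing at the provider mailbox: replies bypass the public address.
MSG_REPLY_TO_PRIVATE = (
    "From: Alex <alex@example.com>\n"
    "Reply-To: alex.private@mailbox-provider.example\n"
    "To: friend@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in [
        ("provider SMTP", MSG_PROVIDER_SMTP),
        ("external SMTP", MSG_EXTERNAL_SMTP),
        ("reply-to private", MSG_REPLY_TO_PRIVATE),
    ]:
        print(label, audit(raw, PUBLIC))
```

Running it against the raw source of a message you sent to yourself ("show original" in most mail clients) shows which of these headers your own setup actually produces.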


Are there actually rules and due process? I was under the impression that it's just a convention that the registrar won't seize your domain unless they really, really dislike you.

edit: I shouldn't be oblique in my comments. I'm of course referring to the whole Daily Stormer fiasco.


It becomes a legal and business decision for the registrar.

Most serve at the pleasure of a formal contract with their TLD control entity (e.g. ICANN).

Ultimately, if you were to sue them, there's a root document of legal responsibilities and behavior to point to.

In contrast to whatever ephemeral TOS bullshit Google feels like tossing out. And furthermore, unlike Google, they can't really just ignore you.

Or, to put it another way, VISA, American Airlines, Coke, etc also have an interest in maintaining legal ownership of domains. They could care less about Google accounts.


> Ultimately, if you were to sue them, there's a root document of legal responsibilities and behavior to point to.

But actually if you were to sue them, wouldn't the case be dismissed for lack of standing? If you're not a party to the dispute you can't sue (or rather, you can't sue and actually have your case proceed). You'd probably need to convince ICANN that they need to sue, which is already a much trickier position.


I'm increasingly convinced it's your cell phone number (i.e., all the IM services using SMS authentication). And when you're using Google Fi, they have that too.


It is too bad that I can't pay $50 and/or go somewhere in person to try and solve serious problems. This would eliminate most scammers and give people a way to get something done when it is really serious. I would guess this is not done because the PR hit for charging to talk to a person would be bigger than just ignoring certain people's problems (or companies don't want to have divisions that make more money when the rest of the company screws up, but I doubt that).


At the very least, they should figure out how to empower somebody in the support structure. This happened to me with that silly Cash app from Square (the Twitter handle is very cutesy in its interactions with people). It seemed kinda cool in how it let us come up with our own handle for people to send us money for our wedding, but left such a terrible taste in my mouth when everyone told me it wasn't working and Square shut down my account with no explanation. Why do millions of people depend on that? I want options like that to exist, but if I really need to depend on people being able to give me money, I'm just going to tell them to send it via my Chase account since for all its problems, Chase is a mature business. Maybe I'd use an Emoji app from Square just to share some giggles with people, but a money app from Square??? Nope, their brand lost my trust at the worst possible moment.


I've actually had decent luck getting Stripe to un-blacklist subscribers that they incorrectly identified as fraudsters.

But it takes a ton of back-and-forth with support reps who generally don't even know or believe you that blacklisting exists (sometimes just an email address, not a specific card, was blocked) – and in one case we didn't get a resolution until the customer got the CA Attorney General to write Stripe's general counsel.


PayPal has sales representatives and technical support people and you can actually deal with them, so I am not sure the premise is right...

...but the core problem is this argument is in reverse anyway: if I get banned from Bank of America somehow I don't lose access to the concept of a card that lets me pay for my Verizon account, and in the worst case scenario I can send them a check. I have had serious issues with Verizon paying for my account before (they both claimed I was behind on payments but would not accept money without a PIN number, which I could only get by verifying my address using a post card that would take forever), but it wasn't a catch-22 scenario where I lose my phone number as there is somehow literally no way to pay for their service again.


Are you sure about PayPal? Because I believe I have read quite a few pathetic stories -- similar in tone to the posted article about Google Fi -- about PayPal accounts being frozen with no recourse, for example[1]. And PayPal settled a class-action lawsuit on just this topic[2].

[1] http://www.paypalwarning.com/paypal-frozen-account/

[2] https://www.doctorofcredit.com/paypal-class-action-lawsuit-f...


I thought PayPal's issues were on the receiver side rather than the payer side? Making payments seems OK, it's just if you use PayPal to receive payments, they can arbitrarily freeze your funds for 6 months whenever they feel like it.


Not always.

I've recently moved to the US, and I wanted to get myself a Spitify account (hah). I had to wait for SSN for a few weeks, so no bank account yet - my only option was a prepaid Visa card. Bought one at QFC, used it with PayPal (a fresh account, as my old one is tied to another country) - and found it blocked the next day. PayPal had asked for an ID and address confirmation.

I had my passport, but no utility bill (I was still using Airbnb, just looking for a long-term place to live). Asked support if there's anything I can do - and got nothing useful besides "we need a driver license or utility bill", even though I specifically asked what else could I provide if I don't have either of those (I had a mailing address from a forwarding company). Account was unusable, all I could do with it was logging in :)

Then I've rented apartments and tried to send them a lease contract (with my full name and address) and it was rejected. Not a utility bill, right. Asked support about it, got no reply at all.

Waited for a month, got electricity bill, and only then my account was unlocked.

So, anything unusual - and even if you don't receive any money, your account could be blocked.


I believe these issues could be solved by actually taxing corporations and providing the service they clearly so desperately need.

An /actual/ (inter)national ID and Identity verification service. One where disputes about identity and authorization can be escalated somewhere that makes sense, to the jurisdictions issuing these IDs.

Ideally someone should be able to go to a police station (locally for local IDs, if on vacation/out of hometown in liaison between departments) and have their identity verified in a trusted way, and that verification reported as pass/fail to a third party who is asking.

This would also be the way of officially disputing fraudulent uses of identity; they would be reported via the same actions, but as a customer initiation (and statement of legal testimony taken in a case that would then be opened and reported to the involved parties).

BTW, such a system SHOULD also include address resolution, for physical mail, voice, and electronic services (any sub-name actually).

I would LOVE to only update my address in ONE place when I move, instead of trying to remember everyone I've ever given it to.


Sweden has a personal identity number system, with an address/phone database that business can subscribe to. When you're shopping online, you can enter your ID number and it auto-populates your address. When you move, banks and others will automatically pull your new address from the database.

The banks then created a digital ID system (BankID) on top of this which is now used by everyone for real ID verification. Your physical ID is checked by a bank teller, and after that you get either a digital certificate file or a 2FA token that you can then use online to prove your identity for signing contracts (insurance etc), filing your taxes, or just logging into bank accounts etc.

Practically it works pretty well, even though I know philosophically an ID number like that would never fly in the US, and security-wise I'm sure experts have lots of objections.


This works similarly in Finland.

Form auto-population by ID is rare here, though.


How well served are the unenumerated?


Dane here, we have mostly the same system.

There are only really two groups that have issues: the very young (who are not used to checking up) and the very old (who are not used to computers).

Nobody is unenumerated, everybody has our version of a social security number, you are mostly required by law to have a bank account (and banks are required to give you one, except in specific individual cases such as you acting in an inappropriate manner).


I don't have a physical address (I move approximately every 3 weeks). I don't have a phone number (I move country every 3 weeks and need a new SIM each time).

I have so many problems with online authentication it's not funny.

So yeah, I'd love a global system of identification, but please let's not tie it to an address or phone number


Tying to a physical location actually serves an important function in that it introduces an asymmetry between you and a potential attacker / identity thief - it's much cheaper for you to physically show up at your local courthouse to contest something than it is for an attacker to fly in. Any suggestions for how to solve this?


By "solve" I mean come up with another similar asymmetry which doesn't depend on your physical location being constant.


I dunno, that kind of starts with the assumption that people live at one address, in one country. This is what I'm pointing out: that assumption is not true.

I accept that I'm an edge case, but a large minority of (for example) Australians have dual nationality, and will have lived in either of the countries that they're citizens of for long periods of time. Some haven't settled on one yet, and skip back and forth every few months/years. All of them (us) have stories of identity systems, bureaucracy and banks not understanding that they moved country.

You're asking for a replacement asymmetry when the thing you're replacing in the first place isn't actually useful.

But, to answer the question: email is the one thing I'm pretty sure that I and I alone can get to. I have two email addresses, from different providers, using 2FA (google Authenticator on my phone). The 2FA bit is probably enough asymmetry.

However, even that, I could lose: if I fall into a swimming pool while carrying my backpack and phone, I'd have a hard time proving who I am to anyone until I got everything back up and running. Even worse, if I fell into a swimming pool while moving accommodation I'd have my passports in my backpack... not a comforting thought at all.


Passport number along with cryptographic authentication similar to Estonia’s ID card. I believe this satisfies the need for authentication of all citizens at a global scope.


Not everyone has passports let alone valid ones.

And getting one for people can be difficult as many people especially older ones don't have supporting documentation e.g. birth certificates and so can't prove identity.


Several millions don't even have citizenship.


You can’t function as a citizen of a country without identity documents. Passport national ID cards are, in my opinion, the optimal solution to the problem. Issuance can be streamlined, and cost can be absorbed for those who can’t afford it.

Society requires foundations.


> You can’t function as a citizen of a country without identity documents.

Sure you can. Identity documents exist more to prevent (the “wrong") people from functioning as citizens than to enable people to do so.


If you look young, how can you even buy alcohol or cigarettes (in my country's case even energy drinks) or get in a club? In my country each citizen must have an identity document - either a passport or ID card (drivers license doesn't count). I can't see it any other way as you need to ID yourself in stores (in the mentioned case if you look young and want to buy alcohol/cigarettes/energy drink), post office when receiving package, getting drivers licence, opening bank account, getting loans etc.


The checking for a picture id is mostly an issue in the US, because they are insanely horrified by thought that people drink in the US in the exact way they do in most of the western hemisphere.

Anyway never had an issue with getting a package with my drivers license, and I didn't recall having issues before I got that. My passport is expired, because travel is inconvenient and mostly made obsolete with the internet.


> If you look young, how can you even buy alcohol or cigarettes (in my country's case even energy drinks) or get in a club?

It is possible to go your entire life without ever doing any of those things, or having any desire to. And as a general rule, it's the people who are of legal age who least care to do them. Also, some countries don't have age restrictions on such things to begin with (or don't enforce them at all).

> post office when receiving package

Who goes to the post office to receive a package? They come to you, and are then satisfied by the fact that they delivered the package to the address on the label.

> getting drivers licence

This is a major reason why this is pointless. If you're going to have an ID, how do you identify yourself to get the ID? It's fully circular. You can't prove who you are unless you can already prove who you are, in which case you already have an ID.

In the US a large percentage of the population don't have passports. When you get a driver's license, they nominally ask you for some other ID, most of which (e.g. birth certificates or company/school IDs they have no way to authenticate) are trivially forged and useless at proving the person is who they say. Because it has to be that way -- you can't make having an ID a condition of getting an ID.

The whole idea is silly. Identity is context. If you create an email address with Google, you set a password. Then Google knows you're the person that email address belongs to because you're the one with the password. Your government "identity" has nothing to do with it, nor should it.

> opening bank account

The only reason banks care about this is that the government requires them to. Otherwise they would be completely satisfied to give you a numbered account with no person's name attached and simply put a hold on your deposits until after they've cleared, as they do for most anyone regardless.

> getting loans etc.

To get a loan what they care about is whether you're creditworthy, not what your name is. Prove that you have a job and a history of paying back debts, or post some collateral, that's what they want.

One system by which they automate this is to have credit reporting agencies that aggregate this information and associate it with your name, but there is no inherent reason it has to be done that way -- and some good reasons not to. See Equifax data breach.


> It is possible to go your entire life without ever doing any of those things, or having any desire to. And as a general rule, it's the people who are of legal age who least care to do them. Also, some countries don't have age restrictions on such things to begin with (or don't enforce them at all).

Yes it is possible but you are describing outliers. Which first world country doesn't have age restrictions on alcohol or tobacco?

> Who goes to the post office to receive a package? They come to you, and are then satisfied by the fact that they delivered the package to the address on the label.

Envelopes and small packages (which fit) are left in mail box. In order to get everything else you have to go to your post office. Courier services deliver package to you personally and they don't leave it at your doorstep so anyone can steal it.

> This is a major reason why this is pointless. If you're going to have an ID, how do you identify yourself to get the ID? It's fully circular. You can't prove who you are unless you can already prove who you are, in which case you already have an ID.

I don't really know how it is done today but in theory you could prove it by taking DNA/fingerprints at birth and registering accordingly.

> The only reason banks care about this is that the government requires them to. Otherwise they would be completely satisfied to give you a numbered account with no person's name attached and simply put a hold on your deposits until after they've cleared, as they do for most anyone regardless.

We are talking about reality not a situation where government regulations don't exist so there is no way of having a bank account if you don't have some sort of ID.

> To get a loan what they care about is whether you're creditworthy, not what your name is. Prove that you have a job and a history of paying back debts, or post some collateral, that's what they want.

This is just plain wrong, they care about the identity in case you stop paying so they can go after you.

P.S. You also need ID to own property, companies etc. I can't deny that if you are living in the middle of woods off grid you might get by without an ID but if you are an average person you will need an ID eventually.


> Yes it is possible but you are describing outliers. Which first world country doesn't have age restrictions on alcohol or tobacco?

In many parts of the US the restrictions are not actually enforced, or you can prove your age using non-government-issued identification.

I also dispute your assertion that people who don't drink or smoke are outliers. The majority of people don't smoke and a large minority don't drink. In some major cultures and religions drinking is outright prohibited.

> Envelopes and small packages (which fit) are left in mail box. In order to get everything else you have to go to your post office. Courier services deliver package to you personally and they don't leave it at your doorstep so anyone can steal it.

In the US they leave it at your doorstep so anyone can steal it, because in practice hardly anybody actually steals it. Who is going to risk federal prison or getting shot by the homeowner over a mystery box which is probably just a $25 bulk pack of shampoo?

> I don't really know how it is done today but in theory you could prove it by taking DNA/fingerprints at birth and registering accordingly.

This doesn't work for anyone who is already an adult, and isn't already being done for newborns so won't work for them either, which means you've got more than a hundred years before something like that could be used without having living people it doesn't work for. It also fails permanently for anyone born and raised in another country.

On top of that, it still isn't solving the unsolved problem, which is identity theft. You can't use DNA or fingerprints over the internet (they're trivially forged if you control the reader), so they're just going to issue you a card or a PIN or some other thing you can use and then someone can steal/hack/forge it and impersonate you. Being able to prove your DNA doesn't disprove that you're the person who used your card+PIN to buy $50,000 in already-provided goods and services, or pay for an email account used to send spam etc.

> We are talking about reality not a situation where government regulations don't exist so there is no way of having a bank account if you don't have some sort of ID.

We don't have mandatory national ID cards either. If the proposal is to make a policy change to improve things, let it be the one that doesn't double down on a bad idea.

Also, around a quarter of Americans and half of people in India don't actually have a bank account, largely because they don't have any money to put in it and can't afford the fees that come with not having a minimum balance. So they get paid in cash, or something they immediately convert to cash, and pay for everything with that.

> This is just plain wrong, they care about the identity in case you stop paying so they can go after you.

That is why they require collateral. If you take out a mortgage they put a lien on the house. If you don't pay, they take the house. If you're on a beach in Argentina with a million dollars in cash in a briefcase, what does the bank care as long as the house sells for more than they're owed?

> P.S. You also need ID to own property, companies etc.

There are millions of people who don't own real property or companies, or even cars.

And even then, it doesn't require a national ID -- they all exist without it. They even predate modern identification. Because all of those things are local. If you want to transfer property, you go to a notary. The notary will want to know who you are, but that doesn't mean national ID. They could just take a picture of you and keep it for their records, or accept a non-government ID or an oath from a person known in the community that you are who you say you are.

Centralized identification is at the same time unnecessary and actively harmful.


> In the US they leave it at your doorstep so anyone can steal it, because in practice hardly anybody actually steals it. Who is going to risk federal prison or getting shot by the homeowner over a mystery box which is probably just a $25 bulk pack of shampoo?

Nearly 1/3 of people in the USA have experienced package theft and it is only a federal crime if you steal USPS packages, not Fedex/DHL/UPS etc.

> That is why they require collateral. If you take out a mortgage they put a lien on the house. If you don't pay, they take the house. If you're on a beach in Argentina with a million dollars in cash in a briefcase, what does the bank care as long as the house sells for more than they're owed?

I can get a personal loan without any kind of collateral as long as I have X income. Credit cards don't have collateral either.

Honestly, I feel that we live in different worlds - I cannot fathom not having an official ID as there are occasions where I must have it (voting, travel, banking as well as government e-services where you can use bank login or your ID card certificate to identify yourself). There isn't a lot of press or reports from Personal Data Watchdog about somebody doing monetary damage from using other people's data, in fact our ID numbers (like SSN) in some cases are public knowledge. I am not saying that our system can't be abused but right now I feel like it works just fine and I wouldn't want it any other way.


> Nearly 1/3 of people in the USA have experienced package theft and it is only a federal crime if you steal USPS packages, not Fedex/DHL/UPS etc.

That statistic is from a survey done by Comcast as a precursor to trying to sell you a home security system. That is not a reliable source.

And stealing a non-USPS package is still a state crime, so the main difference is whose jail you sit in. Unless you manage to steal something which is actually worth a lot of money, or is involved in interstate commerce etc., in which case welcome back to federal prison.

> I can get a personal loan without any kind of collateral as long as I have X income. Credit cards don't have collateral either.

These are small loans, in which case the collateral is your job. They verify where you work, so if you don't pay they know where to find you. The only way to avoid them finding you is to quit your job, which they don't expect to be worth it for you to do over such a modest amount of money. Notice that the interest rates on those kinds of loans are dramatically higher -- because of the risk that they're wrong. If it was really your identity doing most of the work you would expect the interest rates to be much closer to those for loans with more substantial collateral.

> There isn't a lot of press or reports from Personal Data Watchdog about somebody doing monetary damage from using other people's data

According to DOJ statistics, more than 17 million people in the US are victims of identity theft per year.

> Honestly, I feel that we live in different worlds - I cannot fathom not having an official ID as there are occasions where I must have it (voting, travel, banking as well as government e-services where you can use bank login or your ID card certificate to identify yourself).

You feel that way because you live in a place where having an official ID is required to do everything. That isn't a law of nature, it's just a law of the place you live. It's completely reasonable to do things a different way.


Except: when you renew a passport, don't you get a new passport number?


Why is that a problem? A well-oiled practice for revocation in case of compromise sounds like a good thing to me.


Get a phone that supports dual sims (almost every Chinese phone), or a cheap second phone, and keep one for auth uses.


But then you (usually) lose sdcard support because the manufacturer is too cheap to give you a dedicated sdcard slot.


I don't recall that having been an issue with the phones I've had, but I guess it must be an issue, as doing a search for "dual sim" on Aliexpress now brings up a ton of adapters to let you use both dual sim and an sdcard at the same time... (though I can't say I'd like to have one hanging out of the side of my phone...)


The problem with centralized identification is that it doesn't actually solve anything, it only outsources it to a less security-competent entity which would be an even bigger target for fraud and corruption.

Creating one single place to change your address gives the attacker one single place to change your address. Compromise one system, bribe one police officer or DMV employee, get nation-wide root access to everything.

And how does it even solve the problem? The problem isn't that Google doesn't know whether you're John Smith. It's that Google thinks John Smith is a scammer they won't do business with, and they aren't willing to spend their resources helping you to clear your name.


Well, fraud would still happen. The problems from the fraudster's point of view are manifold though: They have to actually deal with the police in person. Sending copies of identity documents by mail is not as involved as personally going to a police station. The risks are very different.

Similarly, you can have corruption at phone carriers and credit-card companies too. What matters is the audit-chain. If a police officer keeps id-ing fraudsters they won't be in the job for long.

That public servants are more corrupt and less competent than the corporate employees one depends on is not a universal experience. Not for me anyway.


> Well, fraud would still happen. The problems from the fraudster's point of view are manifold though: They have to actually deal with the police in person. Sending copies of identity documents by mail is not as involved as personally going to a police station. The risks are very different.

Not really, because that isn't how fraud happens now, and nothing about that would change it.

People don't commonly commit fraud by going to a government office to get an ID issued in your name, they do it by waiting for you to do that and then stealing it from you or otherwise convincing you to give them the information they need to authenticate using it.

> Similarly, you can have corruption at phone carriers and credit-card companies too. What matters is the audit-chain. If a police officer keeps id-ing fraudsters they won't be in the job for long.

That's assuming the audit chain is both secure and less susceptible to corruption than the original system. Audit logs don't help if they're compromised by the people with privileged access. Or you nominally have individual accounts but in practice they're shared or not secured against compromise by privileged users.

And assuming that the corruption problem is specific identifiable people rather than a systemic issue where >=5% of police are corruptible so one getting caught only requires the fraudsters to use any of the thousands of others.

> That public servants are more corrupt and less competent than the corporate employees one depends on is not a universal experience. Not for me anyway.

The difference in this case isn't that the quality of the people is different, it's that the nature of the system is different. Whereas an individual company might have five employees with sensitive access, across an entire national government there would be a hundred thousand or more, so the attacker has a hundred thousand chances to find the lowest common denominator instead of five. And then when they succeed the scope of the vulnerability is not limited to that one company, it's universal.


We already have this system in the US. It's called a notary public. It works pretty well. Google just chooses to not use it.


Many US states have this place where you get your ID. It's often called the department of motor vehicles and is notorious for being a huge pain to deal with. Most places where the government works well in this capacity probably don't have companies pulling this kind of shit. Any Germans in the audience?


It's more specifically a problem with Google as they actually have $106 billion in the bank and choose to write a few algorithms and pretend they've met their obligations to their customers, despite 20+ years of evidence it is insufficient. Some segments of their users like Adsense they have actually been stealing from for all this time via automated account bans and balance forfeiture safeguarded by their patently fake support.


To provide a citation for their two decades of Adsense fraud, last year they settled a case they fought for four years after someone sued them for banning their account and stealing their revenue, alleging that they deliberately froze publisher accounts at the end of the month to maximize the amount of revenue to be stolen.

After a ban the allegedly fraudulent portion of the revenue is refunded to the advertisers, non-fraudulent revenue within the same time frame is ... they settled for $11m on the grounds that it would be too expensive to show how they didn't design a system intended to steal from their publishers.

https://www.searchenginejournal.com/adsense-lawsuit/248135/


This is especially a problem for Google. They have somewhat earned a reputation of not providing customer support. One of the reasons why I stayed far away from Google Fi even though it looks very cool.


I know it's against the narrative, but I find PayPal's support people (the ones you phone up, at least) to be both empowered and helpful. They have gone out of their way, on more than one occasion, to help me out and get my account back to normal.


PayPal and eBay might as well be direct and just tell the seller/receiver to outright fuck off. It's a scammer's paradise between the two. They are both awful corporations that blatantly support obvious fraud. They don't give a shit. They should be criminally investigated.


They need to require better identity-proofing methods. To open a bank account at many banks you need to physically show up at one of the bank locations and present physical original copies of identification documents.

Allowing people to submit documents online is not good enough. After the identity has been proven, then from that point on you can offer online services, but the initial account creation needs to be done offline.


> Basically, if there was customer support that could fix the problem, then skilled scammers can get money and control out of them.

Possibly. Then the question is - what is more important for the company, tolerating some amount of losses but keeping honest customers happy, or minimizing the losses at the cost of innocent people being screwed hard. As an innocent person, I'd prefer the system that leans towards my benefit. Even if it'd cost Google a whopping 0.0001% of their revenues.


I mean, crypto is a payment system that won't kick you off for fraud.


The DAO hack remediation has determined that was a lie.


That was a reversal of fraud, nobody was banned from the Ethereum network (because nobody can be banned from the network).


Effectively reversing the transaction isn't the same as not letting you buy anything ever again.


Even if it's deserved ;)


Let's make human rights inalienable.


Have to chime in here: not a problem with Paypal. I've actually gone through this process, spoke with a real human being, and got things resolved in about 15 min...


I completely disagree. I've had the same problem with PayPal and Venmo. At some point, if anything goes wrong, they just say their security system has flagged you and there is nothing they can do. They can't even tell you the issue. You just have to wait and hope it eventually clears you, hope it doesn't flag you the next time you do it (which it probably will somewhere in the algorithm, since you've been flagged before) or close/cancel your account.


I guess this is one of those times where it helps to be a lawyer...

As a money transmitter they have extra obligations and a quick call to the regulator can resolve issues relatively quickly (if you're a US citizen and live in the US).



