> Social Security numbers are the keys to the kingdom. In this country, people get a unique number when they’re born, and the Social Security Administration tells them it’s secret and valuable. Then we use that number to pay taxes, to get government benefits, to apply to college, to get a mortgage, to apply for a car loan, to open a bank account, to track our credit. We’re asked to hand over this number again and again to institutions that have failed to guard it.
This is the problem right here.
To that sorry list, I would add medical providers' offices (doctors and dentists), all of which seem to request social security numbers for some reason on their patient intake forms, when all they should need is the patients' insurance information as printed on their insurance card.
Regarding all the Social Security number issues, it somehow reminds me the Onion title "‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens" (I know USA is not literally the only one, but almost) - plenty of places have something similar to that number, but USA is pretty much unique is treating simply knowing it as some kind of identity proof. "Something you (and a bunch of others) know" doesn't cut it.
On a fundamental level, it's absurd to use the same datum as a unique identifier and an identity proof. The best analogy I can think of is signing up for websites with only a password, and then having to provide that password as an identifier any time you need support.
Oh, and the password is almost impossible to change, and you're required to use it to sign in on a host of other sites.
I recently redeemed my Amtrak points for a free ticket and then needed to change the ticket which required a phone call. The gentleman on the phone asked me for my “points PIN” that was apparently required to change any Amtrak points reservations. I had never needed to change any points reservations before so I didn’t have one.
Amtrak’s solution? I could set a PIN, right then and there, verbally with the agent over the phone. No logging into my account. No email or text message confirmation. They didn’t even ask to confirm my DoB or address. Nothing. I had only given him my reservation number.
And not 30 seconds after creating my new PIN the same agent was then able to “verify” my identity/account by asking me... for my PIN.
You can do the same thing to
steal anyone's Delta Inflight wifi account to use wifi credit they've paid for and not used on a flight, just by knowing their email address.
Though that also sort of illustrates some of tradeoffs involved.
Historically, something like that might well have been handled by snail-mailing a default pin to the address on record for the account and telling you to call back after you received it.
Of course, the problem is that a lot of people these days would think that was really poor customer service.
Having only a password is just fine for many sites. The real problem comes up when you have to show it as an identifier to a third party. If you don't ever need to do that, all you need is a password, not a username. (Auditability of login information within a company notwithstanding -- isn't really something a user can try to enforce, and it can happen in a variety of ways. As a user, at the end of the day, you trust the company with your credentials, and assume they secure internal access in some fashion.)
Imagine all you have is a password, and I come along to register, attempting to set my password to "hunter2". Turns out someone else has already used this. Do you allow me to continue or tell me the password is already in use? If its in use - great, I'll just log in using that other guys account!
Of course, you could let the site specify the password, which would work if they're long and random. But social security numbers are neither of those.
Nobody said they should let you choose your own passwords. We were comparing with SSNs, which are assigned to you, not chosen by you. You'd do the same with such passwords. And nobody claimed SSNs are appropriate passwords either.
This is a good point - not all services need both identification and authentication.
I've noticed some sites using identification only (like the days of IRC), so you can have a consistent identifier to interact with people but a username isn't actually secure or owned. The converse should also be possible, in the same sense that a bank PIN is used to authenticate with no public identifier involved.
That said, for many offerings we should consider "a company employee" to be a third party. There are already employees with access to my data, but the outsourced call center employee who answers the customer service number probably isn't one of them, and I want them to be able to look up my account details without being able to impersonate me.
Because of the Swedish constitution, everyone in Sweden's name, address, birth date and, yes, personal identity number is completely public information. Thus the systems and processes in Sweden have necessarily developed around a threat model of a potential attacker knowing all these details.
The solutions Sweden has to proving identity despite this are not exactly radical: photo ID documents, and secure ID apps (encrypted certificates) on phones or smartcards.
Indeed, here in the UK we have the very similar "National Insurance Number" for tax reasons but it's never used for identification as it's assumed to be public knowledge.
There are multiple meanings of the word identification.
SSN and NIN could reasonably be used for identification of the form of "this person's data is different from that person's data". (identification as in primary/unique key)
They can't/shouldn't be used for authentication that this person is who they claim to be. (identification as in password)
SSN's were only ever meant to be used for identification (as in a username). In the beginning the worst that could happen is that someone else would file their payroll taxes with your SSN, and make you eligible for more Social Security benefits when you retired. It was never meant to be a password.
How would you receive benefits if not by using SSN as a password? Or to get a job when you may not have authorization to do so (noncitizen not on a worker visa)
You use the SSN (acting as the username [which links to authority to work or claim benefits]) combined with another piece of information that establishes your identity (acting as the password to establish that it's really you and not me who is applying).
For employment, the I-9 form is what we fill out as authorized US workers and to document same.
You'll note that Social Security card is in List C "documents that establish employment authorization" and not in List B "documents that establish identity" nor in List A "documents that establish both identity and employment authorization"
I guess you can look at it as a form of off-line multi-factor authentication. You are using the Social Security card as proof of eligibility for the person whose identity you have already established using another factor. In that case, it's the card that acts as the factor, not the number (which if you've ever seen a social security card, it's ridiculous to think that it's in any way secure or even durable).
The German SSN is also trivial to query (if you don't have it at hand your employer can just phone the pension insurance) and is somewhat predictable. It's also only used for tax/pension purposes; if you steal mine you can basically only gift me money.
The closer equivalent in Germany is probably the Personalausweisnummer (ID card number). Basically everyone has an ID card, and sometimes the number of the ID card is used as age verification or is written down as part of identity verification at a bank or similar. Assuming you verified that the ID card is genuine it's a good unique identifier that survives name changes; however its usefulness doesn't come from secrecy but the forgery-proof piece of plastic it's printed on. Also you can change it at any time within a few weeks by just getting a new ID card, and it naturally expires every ten years or so.
I think a fundamental problem in the US is the requirement to verify identity via phone. In Germany that's just assumed to be impossible without a prearranged passphrase; when opening a bank account you verify identity by showing ID at the bank or a postal station or by waving your ID in front of a webcam during a live call.
I can't think of a use case where this happens here?
- If you want to pay bills you just do a bank transfer (they are free and fast within the EU), transferring the money to a published bank account with my invoice id or similar in the subject. If somebody else wants to pay my invoice neither I nor the company will have any objections, so no need for authentication.
- If I want to check a bank account or a credit account or something similar I have a password that was set up when the account was created
- If I want to set up an account I can authenticate either via webcam (showing off the security features of my ID card) or via PostIdent (where I have to go to a post office)
- When talking on the phone you have an authentication problem (unless a "phone passphrase" is prearranged, but for anything with lasting consequences you usually have to send them a written version per email or snail mail for papertrail reasons anyways, or alternatively they send you a confirmation per snail mail that you can object to in a reasonable time frame.
The new ID card has online features that in theory solve the problem completely for online systems, but few places implement that so far.
Modern passports have an online functionality, you can unlock that plus hardware for fairly cheap (<50€ IIRC), which lets you use your passport to authenticate and you can, similar to credit cards, have the passport reported as stolen so it no longer works.
I expect that in Germany it would also be harder to convince a bank to lend you money based on nothing but the tax number and a forged drivers license.
Don't forget a DVD rental card at Blockbuster. Yep, they used to ask for it just to become a member but you could of course not fill it in and they would still accept your membership.
I still remember them asking me for mine. Pure jokes.
> The trash pile included recent membership applications, each revealing the customer’s birth date, address, phone number, driver’s license number and signature.
More alarming, each application also contained a credit card number and expiration date, and many included a Social Security number.
Talk about a violation of privacy and leaking sensitive information. This is why you can't trust big companies with anything sensitive.
Old timers told me when Social Security was first started, the American people were promised that the number would never ever be used for anything but Social Security.
It's interesting, in Canada and probably other countries, the corresponding ID code cannot be used as primary key, like for employment records. And somehow their societies function.
Unfortunately, one of those lawful uses is to give one's SIN to banks who provide accounts that pay interest. That said, I don't think it's enough to impersonate someone.
Yep, but the US never developed any alternative form of universal identification so people gravitated towards the SSN for that purpose, even though it was explicitly not to be used for that.
What other options are there? Most other potential identifiers are full of pitfalls like input error, collisions, having things change, or simply being unknown by the citizen. Even something as simple as name, birthdate, and place of birth is chock full of problems. People transcribe records wrong, or were born out of the country in a place with no recordkeeping that no longer exists to parents who have since died.
SSNs are far less complex and error prone. Their only major downside is that they only work for people who have them, which means your app can only service legal citizen Americans.
Keeping track of employees isn't an issue. Everybody has some number they use or are small enough not to have run into issues with just using a name.
It's when you're talking about something that sticks with a person for their entire life. A prime example is credit scores. That's something that stays with you no matter how many times you change jobs, change names, change addresses, get married, etc... Federal taxes are another area where it's important to match the name with the correct record every single time.
Tip: I leave the social security number blank for medical providers, and have never been asked for it verbally except once. I told them I don't feel comfortable with it, and the person said that was fine and moved on.
If you're giving your SSN to your doctor you're doing it wrong. Just leave the field blank. End of story. You don't need to give them your SSN and the practice has been largely phased out due to HIPAA.
I don't have a SSN (I'm not an American citizen), but I've spent quite a bit of time in the US. I had a bank account, drivers license, registered a car in my name, etc. etc.
What stops you from just refusing to give out your SSN, or simply saying you don't have one (even if you do?)
Obviously getting a credit card might be annoying, but to get around that I just put down a $500 "bond" and got a Credit Card with a $500 limit (so the bank was guaranteed not to lose it's money).
Can you not just refuse to give out your SSN and still get on with life in America? (I get on OK without one)
> Can you not just refuse to give out your SSN and still get on with life in America? (I get on OK without one)
That's really strange, is it because you're not employed in the US?
I am not a US citizen but I have a US SSN because I lived there on a work visa (multiple times). Employers have always asked for my SSN to check my work authorization through e-Verify. Every time.
In other countries with ID numbers like this, I wonder how much of a difference is made by requiring that institutions be liable for fraud, rather than shielded from such fraud, forcing them to use more secure methods of verifying identity/possession by default.
Example is chip+pin, which is widespread in Europe but not really available in the US. Chip+nothing (which is still better than a 16-digit number) is become more commonplace as the liability protections that the magnetic strip enjoyed are disappearing. People react in self-interest, and the fact that you become liable for fraud if you take the strip instead of the chip mean that there's a large incentive to move away from the magnetic strip.
I'm sure if you dig into it you'd see similar provisions that protect other organizations, either throw law, regulation, or just protection of "industry standard practices", from being held directly liable if they use the SSN for identity verification rather than insisting on a more reliable hard-to-exfiltrate identifier.
The difference is that they require other information. The Italian tax ID number is just an encoded version of data that's already in the form (name, gender, date and place of birth), but the form also requires an ID or driving license number and I have to hand a copy physically with a matching number and picture.
Out of curiosity, who, specifically, is "they" -- is it the government for government services/taxes, or is it private companies for identifying you for taxation or employment eligibility purposes, or by private organizations (banks, credit cards) as an attestation of identity?
I was mostly referring to banks, but it's also mostly true for government offices (tax offices, retirement agencies, voting stations, also the municipalities if you need some certificate etc.). Technically public officials can authenticate you without photo id, but it's most common to provide one especially outside small towns.
> To that sorry list, I would add medical providers' offices (doctors and dentists), all of which seem to request social security numbers for some reason on their patient intake forms, when all they should need is the patients' insurance information as printed on their insurance card.
Insurance information changes over time though so it's simpler to just request the government issued GUID and use that to make sure you're associating the patient files correctly.
I think the only real solution would be for smart cards to come back into vogue and assign everyone a unique key along with their SSN. Proofs of identity for things that matter ie loans and other financial work could then be secured without significantly interfering with it's use as a unique identifier in cases where it doesn't need to be secure. (As wrong as it is to use SSNs that way it's ingrained enough in interactions and systems that trying to cut that off would be a big pain.)
Yeah it's tricky because the US is a bit shy about national IDs for vague reasons that seem loosely associated with anti-authoritarian reasons and distrust of government. Sure we can't be forced to 'show us your papers' because they don't physically exist but the government knows who 99% of citizens are if they wanted to work at it even a bit and it's not like states are going to be the bastions of fighting back and they do have IDs pretty much everyone gets.
There is a significant percentage of the US population that believes any attempt at a new national ID is the mark of the beast from the biblical book of Revelations. I shit you not. These are the same people that would consider a war in the middle East to be a good thing, because it means Jesus is coming to usher in the millennial reign of heaven on Earth.
> No one cries foul on a passport or driver's license, but a national ID card is so draconian
Fair point, but it's worth noting that lots of people don't have either document. Hence, say, the voter ID law fight: many people genuinely have no standard identity document except SSN.
One other aside is that driver's licenses are a remarkably bad identification document. Even plenty of bars won't take out of state driver's licenses, or will outright declare real ones to be fake. And dealing with government offices, I've had several iterations of "that state's license ID has a different number of digits, so I can't use it in our system".
Yes, I agree entirely. Which is why the cost must be driven down for obtaining a national ID card, and you should be able to obtain one as easily as going to to a DMV. Someone in this thread suggesting using the postal service for such a task, which I would be in favor of with adequate controls in place for safeguarding the PII of citizens.
> One other aside is that driver's licenses are a remarkably bad identification document.
This is changing with REAL ID; all states are either compliant with new ID issuance and doc standards or have received an extension. https://www.dhs.gov/real-id
Yeah the only way I'd ever say election ID laws were ok and no discriminatory attempts to shape the electorate would be if it were accompanied by a) a massive expensive push to ensure everyone had and ID (mobile DMVs going and registering people who can't get out to an office, free licenses, etc) and automatic voter registration (because if you're going to say everyone needs to have this to vote I damn well be able to vote with just the ID).
> plenty of bars won't take out of state driver's licenses, or will outright declare real ones to be fake
Italians that have an id card predating electronic id are routinely bumped off American bars because to them it looks like it's just a piece of paper with a photo stitched on top. Yet, identity theft is a problem in the US and not in Italy...
In fact, even though that id card actually is relatively easy to forget, it does have some watermarks and special government stamps. In fact, it's probably easier to fake an electronic id card with a piece of plastic, if you know no one is going to try using the smartcard functionality.
But aren't social security numbers effectively being used as national IDs right now? The fact that that they suck just makes fraud easier.
I don't see how modern society can function without some form of universal authentication. Alternately, if you live in a forest and don't need or want to participate in the financial system, I'm all for making a hypothetical national ID opt-in.
SSNs aren't really an ID they're an ID number, without looking at other databases and traces left there's only really a name associated with each and no biometric data so there's no real way to confirm that the person you're looking at is actually the person assigned XXX-XX-XXXX.
Which is what makes it such a huge problem- they're treated as ID's whether they're supposed to or not. Regardless of original intent, regardless of what you or the government or anyone else says, they are treated as ID's by the vast majority of business and organizations. That's the whole point of this discussion and why it's such a problem.
States give access to their driver's license databases to federal authorities. Any safety you perceive due to the lack of a national ID system is an illusion.
Well, actually you need to prove you are a citizen if you fit the profile of an immigrant within 100 miles of the border. And if you don't do so to their satisfaction the border patrol will detain you indefinitely. Yes, in America.
https://www.dallasnews.com/news/immigration/2019/07/22/dalla...
Constitutional rights are as it relates to the fourth amendment are a bit fuzzy within 100 miles of the US border. Even as a citizen, you'll need to provide proof or sit in lockup until CBP is satisfied you belong in the country. The ability to provide oral attestation of citizenship was deprecated by the justice department many years ago.
Nope if they think you should have proof and you don't you can be detained and there's no strict limits on how long you can be detained it's essentially till they're satisfied you've proven your citizenship.
Is there any harm in choosing random number as your Social Security number? Since it is supposed to be secret how can anyone verify it? Apart from special situations like filling taxes where one would use the real SSN.
I am not a US citizen and I have no idea what is the real life use of SSN.
Generally, knowingly and willfully giving false information to certain entities is fraud and is illegal. Especially when the form has you sign off that the information provided is correct to your knowledge under plenty of perjury.
Even if you gave a fake SSN to, say, a landlord (they need it to run a background and credit check on you and to better chase you down if you don't pay your rent) that would almost certainly be considered either fraud or theft by deception.
Generally, you provide the entity your SSN because they have a legitimate need to identity you, and that includes identifying you as you outside their internal system.
If you would provide the same, but still random, SSN to the insurance company and hospital, what that be a problem? How would they ever find out it is not your real SSN?
First of all that would be insurance fraud, and it would be illegal.
Secondly, that wouldn't work, the insurance company already knows your SSN. If your insurance is provided through your employer your employer already gave it to your insurance company when they set up your benefits. You need to give your employer your real SSN to pay taxes. If your insurance is provided through the government (medicaid, medicare, tricare) then the government already knows your SSN. You BEST not be giving the government a fake SSN to collect benefits, that's all sorts of illegal.
>Secondly, that wouldn't work, the insurance company already knows your SSN
It could totally work, it’s really easy to get a card open with another SSN and then accurint or whatever the insurance company uses will just return multiple SSNs.
It really depends on how the SSN is used, but using a false SSN is considered fraud.
If the party requesting it is using it for billing and collections, and you fail to pay a bill and they send it to collections, and subsequently report the collection to a credit agency, then it is a clear case of fraud. If you randomly happen to pick a valid SSN, then you are committing identity theft in addition to fraud.
If they are just using it as a Unique ID, they may not ever know that it's fake. None-the-less it is still fraud.
> We’re asked to hand over this number again and again to institutions that have failed to guard it.
You’re asked to hand over the number, but you don’t always have to provide it. Really only the government needs to identify you with this number, and only for purposes related to the social security system. You don’t have to give it to your doctor’s office or bank. Often, a simple “I’d prefer not to disclose this because of identity theft” is fine. They may press you for it, and most people are too timid to resist. If they are insistent I’ll just make up a random string of digits and that’s always been ok. All they are looking for is nine digits so the computer form they are filling out lets them move on to the next page.
What does "identity theft" have to do with the person being impersonated? They have nothing to do with these transactions. It is not my fault Wells Fargo was tricked into giving someone a bank account under false pretenses. Why in the world does that have anything to do with me? And why in the world is Wells Fargo not liable for damages?
Around the time of the Equifax breach, there was a discussion here that put it succinctly. "Identity theft" is just a clever name for "fraud" that shifts the responsibility away from the bank.
>"Identity theft" is just a clever name for "fraud" that shifts the responsibility away from the bank.
Indeed. Here's an analogy I like using (warning: ethical argument follows, not a legal advice).
Say, you give your car keys to a valet to park, along with the fee.
You come back to find no car. The valet informs you that they already gave away the vehicle to a homeless person that "kinda looked like you, man" because they asked for it.
You never get your car back.
Now, I personally think it is very fair to hold the company that employed the valet 100% liable for the damages.
The business of operating valet parking comes with certain obligations, one of which is to keep your vehicle safe, and return it to you and only to you. If they can't do that, they shouldn't be in that business. It's not your problem that the valet got high and fulfilled an authorized request. They owe you a vehicle.
Same with a bank. Allowing unauthorized (meaning: unauthorized by you) access to your account is the failure of a bank to do its job and fulfill its obligations to you.
For that, the bank is fully liable. The damages that the thief thus caused to the bank should not be your concern.
------
TL;DR: a thief is guilty for stealing from the bank. The bank is guilty for letting someone else access your account. Both are 100% liable - for different things.
It's acceptable to cut corners and ship shoddy software to consumers, because if anyone points out the flaws, they're being "irresponsible". The responsibility to protect customers is therefore shifted away from the vendors onto researchers. Pretty sweet deal, because good quality security engineering is expensive!
The people that I know that works in security research treat responsible disclosure as "you have X time to fix it before we tell the world", to give them a chance to fix things before everyone, with who knows what intent, gets to learn about the issue. There's always a time limit and then its released regardless.
I have never once seen someone say that it's irresponsible for security engineers to point out flaws in software. Indeed, "responsible disclosure" often includes disclosing bugs even though they haven't yet been fixed when the developer isn't responding. There are problems with the term, but this isn't one of them.
I mean, they ARE liable in the sense that they will have to eat the loss (the money they loaned out won't be repaid). The problem is that for them, this is just a cost of doing business, and that cost is already priced into interest rates... the cost to the person who has to prove it wasn't them has no return and is only negative
It’s even worse for people using prepaid banking cards like GoBank. I got issued one of these debit cards from an employer. Months later, someone skimmed my debit card presumably at a gas station. While at home, someone withdrew $265 out of my account.
I call to report it. The 800 number says you can email the dispute but an operator told me that was outdated. I’d have to mail it into a PO Box. I repeatedly asked if they would inform law enforcement as dozens of other people’s cards were likely stolen.
Approximately a month later, GoBank responds and denies my dispute. I then searched for the executives, emailed them, someone called me and the next day my money was returned. Yet I’m assuming no one investigated the actual theft.
If you ever have problems communicating with customer service people, the only thing you can do is email the executives and suddenly you have a real person capable of understanding and making actual decisions.
Totally anecdotal, but I’ve had a great experience with Capital One 360. I never really use the card except for occasional ATM withdrawal but the number was somehow nabbed and a fraudulent charge was processed. Since I have it configured to send me a notification on every transaction, I noticed instantly and froze the card from the mobile app. A 5 minute call to their fraud dept later and the funds were returned to the account pretty much immediately during their investigation (which eventually came back successful) and a new card was sent next-day delivery for no charge.
You can draw an analogy to price elasticity in economics (more directly, the cost of switching). Because of identity theft, the expected cost of business between you and the bank has gone up. Who has an easier time switching to an alternative: you (to another bank), or the bank (to another customer)? Based on that, you can conclude, fairness aside, who ends up carrying the burden of addressing the identity theft.
The US generally has a legal system that acknowledges joint and several liability, so the bank and criminal are independently 100% liable...and guess who the damaged party is more likely to get satisfaction from?
Being a bank is a privilege, a highly regulated privilege at that. It sort of goes without saying the bank violate their duties and was not complying with bank regulations where the opened up an account on behalf of someone using the identification of a 3rd party.
Don't like those regulations? Think they are to burdensome? Then Wells Fargo can give their bank charter.
> The US generally has a legal system that acknowledges joint and several liability, so the bank and criminal are independently 100% liable...and guess who the damaged party is more likely to get satisfaction from?
People often wonder how this is fair. If parties D1 and D2 both played a role in allowing some bad thing to happen to P, but it was 90% D1's fault and 10% D2's fault, but D2 has deep pockets and D1 has almost nothing, how is it fair to make D2 pay both their own share and D1's share of the damages to P?
It makes a lot more sense when you realize that these are situations where someone has to get screwed. If D1 is liable to P for 90% of the total damages and D2 is liable to P for 10% of the total damages, P gets screwed. P only gets 10% of what they are owed.
Joint and several liability recognizes that of the parties involved P is the one who least deserves to get screwed, and so allows P to collect the full damage award from whichever D's have the money. If, as in this example, that results in one or more D's getting screwed, those D's can sue the other D's over it.
And that will fairly be debated until the end of time. Some jurisdictions do not have joint and several liability and so your example of liability being capped up to their % of their contributory negligence is a reality. Even in the joint and severally liable jurisdictions, there will be a finding of contributory negligence, but its pretty well understood a jury can't fairly assign %'s of fault anyway.
However, as someone who sees the reality of these cases, the guy with the deep pockets really doesn't pay either, their insurance pays, and this is really where things get both weird and fair. Say you hit me with your car and I file a claim with my insurance and your insurance, the insurance companies work it out behind the scene (and I promise they do these settlements in their own best interest, not the insured (your) or the claimants best interests (mine)) and insurance does this knowing tomorrow they will work together on another claim where the other insurance company will be liable.
Insurance issues aside, if it weren't for joint and several liability these deep pockets you reference would never be liable, they would always out spend the criminal defendant in attorney's fees and likely be attributed almost no % of liability. Joint and several liability encourages the fair settlement of cases to save time and money to all parties, and gives the claimant the best chance of being made whole, whereas these other system encourages outspending the other parties in litigation and disincentives settlements of claims, shifting a lot of costs on tax payers who pay for the courts.
I was vaguely familiar with all the concepts in this, but I hadn't been exposed to a clear explanation in laymen's terms before. This makes a lot of sense to me now. Thanks!
Ultimately, yes, but in the lag between when the fraud is discovered and the criminal caught, who should bear the cost of the fraudulent transactions? There's a very good argument to be made that Wells Fargo, who was actually one of the parties involved in the transaction is more appropriately liable than the identity theft victim, who had absolutely nothing to do with the transaction, besides their name being used against their will.
> There's a very good argument to be made that Wells Fargo, who was actually one of the parties involved in the transaction is more appropriately liable...
Specifically, my argument would be that Wells Fargo was in a position to verify the criminal's claimed identity, but didn't.
I don't think this is really about liability for the direct cost of the fraudulent transaction, though.
It sounds like third parties (banks, credit providers, etc) have been libelling the reporter by claiming to other third parties (credit agencies, law enforcement, etc) that he did things that he didn't. They should be expected to verify identity more carefully before making such strong claims like that, and should be liable to the reporter for damages caused as a consequence of their negligence.
Likewise, if law enforcement has been told about the fraud, then they should be held to account for harassing this unrelated party.
The financial institution is, in fact, liable for these sorts of charges.
The Bloomberg reporter's problems weren't that he had to pay a bunch of money because a fraudster did a bunch of stuff using his name. His problems were all related to his damaged reputation (credit score, government lists, etc).
Small claims is pretty accessible. This isn't exactly lawsuit of the century stuff - their actions defamed and harmed you monetarily which is exactly the sort of issue our tort system was setup to deal with.
Note that if it was your own bank that defamed you, then you may have signed an arbitration agreement.
Well yeah, and that's not how it should be, and how is it elsewhere.
If the bank claims that I have a delinquent loan, and that claim is false due to their negligence, then they should be liable for all the consequences.
In Europe a more usual consequence would be that if a bad credit is reported and disputed (because it's not mine) then (a) the disputed bad credit notice would have to be immediately removed until the dispute is resolved; (b) the burden of proof is up to the institution, not the borrower; and (c) "a guy came in, claimed to be you, and knew your ID number and your mom's maiden name" is not considered proof. So the end result is that they'd be out of money and my credit would still be clean.
This also means that any institutions with lax ID policies will be heavily targeted by fraudsters. If you're the only car rental (for example) which doesn't properly verify identity, then every crook in the country (and beyond) will come and visit your office. For example, banks used to take scans of the ID used - if the picture they have is not your real ID, then there's no dispute that it's not you; and if it's your real ID and it was reported as lost/stolen beforehand (companies can query that data), then there's no dispute, their claims are not valid and they're not allowed to tell any other companies (credit registers/etc) that you have a bad debt because that's libel and they'd be liable for any damages.
If they think that I'm just faking that claim, they're free to go to the police and press charges that I did take that loan and I'm defrauding them by these false statements. Then it's a criminal case - serious consequences, but also serious burden of proof.
Or they're free to go to the police with surveillance cam footage of the person who took that loan and have them look for the fraudster.
And things like the regulations for managing credit scores and government lists are things that the gov't can (and should) change to remove undue burden from the person whos identity was used by fraudsters.
Your point is well taken about the banks. I think the general principle still applies though. We have a system where all of these entities possess all kinds of information, and the main question is, "Who should pay when they get that information wrong through no fault of the person whose information they're keeping?"
At the end of the day, his problem is exactly that he had to pay a massive cost (in the form of reputational damage and tremendous wastes of his time) because a fraudster did a bunch of stuff using his name. While not technically monetary, it's definitely not impossible to financially quantify people's time and reputation.
You think a class action lawsuit could turn the tide against fraud? I wonder exactly what you think a class action lawsuit is actually capable of doing.
The class action would be against the banks for their negligence in protecting against said fraud.
It's bafflingly easy to get a new credit card from them with a couple key bits of info that everyone knows are widely compromised or otherwise readily available.
You're right of course, but I wonder if the status quo were to suddenly change so that banks are liable, would credit suddenly restrict and cause a recession or worse?
More likely, the banks would respond by being more vigilant at verifying the identity documents as valid before accepting the crooks word for it.
So it might take a day to open an account (while the bank does the verification they should have done anyway), instead of five minutes, but the financial world would continue on as normal.
And, this would shift the work onto the entity best suited to performing the work instead of forcing the work onto the victim.
Within the context of cortesoft's sibling comment:
> I mean, they ARE liable in the sense that they will have to eat the loss (the money they loaned out won't be repaid). The problem is that for them, this is just a cost of doing business, and that cost is already priced into interest rates... the cost to the person who has to prove it wasn't them has no return and is only negative
What would "the status quo [changing] so that the banks are liable" look like?
> And why in the world is Wells Fargo not liable for damages?
This is more or less a digital question in an analog situation.
What I mean by that is they could very well be liable however the cost, trouble and barriers to pursue this make it impractical to enforce that liability. This is often the case in both business and life unfortunately.
Because they identify people using Tax ID, obviously. Plus birth date and other information. So if they need to go after an account holder, whoever they find with the matching Tax ID is "it".
And then it's your responsibility to prove that you're not "it".
But turn it around. How else would they identity people? I suppose that they could collect fingerprints, iris scans, DNA samples, etc. But for >99% of cases, that's overkill. And too expensive.
In a way, this just reflects the fact that anyone can sue anyone. And if sued, you must defend yourself. So basically they're just using Tax ID to decide who to sue.
The concept of identity theft is a massive scam that not only let's financial institutions shift losses to other people, but then then they get to double dip by selling ID theft prevention solutions.
If your government is not willing to step up and protect you, who do you expect to prevent these abuses? I think you know the answer to all these questions. Might makes right.
Here’s[1] an early picture of a social security card where it says plainly it’s not for identification purposes.
What’s the better solution — the government making it so you can change your ssn? Or legislation that shifts the liability burden of identification entirely onto the lender?
It should be grounds for a particularly efficient form of litigation. In the past, you could have argued that better forms of authentication were onerous, but now they are much more efficient.
Yep. I haven't had a physical SSN card for decades. (Was in a wallet that got stolen and I never replaced.)
The only time it's come close to being an issue was recently when needing to renew a drivers license with a REALID compliant one. One of the requirements was proof of SSN which I only had through my previous year's W-2 form because it actually isn't printed on many things these days.
I don't know how common this is in other countries but in Norway we have a common system called BankID which is pretty much the de-facto way to identify yourself when applying for government services, bank loans or basically anything else "important". It usually consists of a two-factor authenticator issued by your bank, a password and your "birth number" (basically SSN) if you have all three as far as any bank or the government is concerned you "are" the person. However since it is so robust I don't think it can be exploited unless you royally fuck up. I wonder how the per capita identity theft cases in Norway are compared to the US because of this system, I would think much lower.
It isn´t BankID that´s robust. In fact, as a federation service, it is probably one of the worst maintained ones in human history.
The thing that makes identity theft harder in Scandinavia is the fact that Person-nr (SSNs) are public information. I can look up anyone´s SSN via a quick search (using https://upplysning.se for instance). Yet I can do very little with that information (compared to the US). That said however, it is possible to ruin someone´s life here as well if you really wanted to, it would just take a little bit more work.
In Brazil we also have a number assigned to each person (as do most countries). It's just not a secret (but it is personal information, and thus companies can not publish it), so it only handles identification. People are expected to use some other means for authentication.
Many people have this number published for one reason or another, and it doesn't become a problem.
Maybe the most ridiculous aspect of US credit reporting: federal law only mandates that you be able to obtain a free copy of your report once per year - why is this not “whenever the hell you want”? It just generates a PDF from their database!
First, CreditKarma makes their money by spreading the surveillance profiles on you to other surveillance companies that wouldn't otherwise have that data.
Second, the main thing that requesting a copy of your surveillance dossiers does is make you responsible for refuting any incorrect information in it, as you have now been notified of it. This fuels the ongoing perverse incentive wherein the surveillance companies are relying on you to do their diligence for them.
If you want to push back against this offensive system, engage with these parasitic pests as little as possible. Barring some sea-change like the US adopting the GDPR wholesale, this is the only choice available to you.
First, that is not accurate. CreditKarma makes money by showing you ads for credit cards.
Second, that is also not accurate. You are no more or less legally responsible for the contents of your credit report based on whether you have recently pulled a copy.
> First, CreditKarma makes their money by spreading the surveillance profiles on you to other surveillance companies that wouldn't otherwise have that data.
> First, that is not accurate. CreditKarma makes money by showing you ads for credit cards.
Do you truly think that showing advertisements does not spread the surveillance profiles on you? Advertisement companies are exactly how and partly why those surveillance profiles were built in the first place.
Does CreditKarma actually run their ad targeting and delivery system entirely in house? Even if so, that is still one more surveillance company that has your dossier that otherwise wouldn't...
And you're really going to have to back up that second point, because a very basic legal principle is having to respond to notices in a timely manner. If I have a private file on my computer that says "harryh owes me $100" for years, you can't possibly be responsible for that. If I send you a notice saying you owe me $100 for some plausible reason, and you don't refute it within a few months, you've now implicitly accepted that state of affairs and my case has grown much stronger.
Knowing that the surveillance companies merely could be conspiring to defame me doesn't imply that I need to investigate their activities just in case. But as soon as I have knowledge that they actually are, then I am forced to either let that state of affairs stand or go after them for libel.
If you go to a bank to get a loan and they say "No, your credit sucks" telling them "I've never seen my credit report before" isn't going to change anything.
Of course, because being a passive consumer who only asks a counterparty for your options never changes anything.
What you say is "I need a copy of the exact information you're basing this decision on", and inform the bank and its sources what statements are actually not true. If the bank defers to trusting the surveillance bureaus, and the surveillance bureaus refuse to recant the false statements, then you have a strong case for libel with actual damages on top of the procedural recourse in the industry-written laws.
I am not a lawyer, but I likely have had more at-bats with the credit reporting agencies and financial institutions on this and related issues than almost all lawyers and, I mean this literally, every other person on HN.
I think you will, if you consult an attorney, be advised that you are unlikely to prevail in your cause of action under a libel theory. Your lawyer is likely going to point to the pre-emption parts of FCRA, specifically 15 U.S.C. § 1681h(e) and 15 U.S.C. § 1681t(b).
The general tenor of this conversation is going to be "When Congress wanted to regulate the credit reporting industries, they and interested parties made a trade: a very consumer-friendly state machine and freedom to operate the state machine. Part-and-parcel to this trade was radically reducing legal risks to the financial industry and CRAs outside of the state machine. If you're going to claim that Congress didn't want to pre-empt state laws, you're going to be walking uphill against legislative history, the plain text of the statute, and every canon of statutory construction."
Separate from the legal issue, I think HNers might be surprised to learn that the state machine pretty routinely achieves the objectives. A determined, literate, and well-organized person will routinely achieve the outcome they desire from it, even with the other side of process being the largest lenders in America. This is a surprising result in consumer lending when reasoning from first principles ("Shouldn't Bank of America's legal team always or approximately always crush a Kansan grandmother?") but I believe, from a few hundred at-bats, it to be true.
I know of your personal experience, and thank you for your response. I actually hadn't realized that the surveillance bureaus had regulatory-captured general legal immunity so openly. So yes, I was overstating the legal situation thinking they would be better on the hook for libel. Frankly this overbearing immunity should be a talking point of every "identity theft" article, but unfortunately those articles are written from a perspective that is still wed to the primacy of this system.
> I think HNers might be surprised to learn that the state machine pretty routinely achieves the objectives
None of these stories really focus on irreversible damages (besides eg SIM swapping stealing cryptocurrency), but rather the time taken dealing with that "state machine". Diligently checking your own dossier is doing the surveillance bureau's work for them - adding to this perverse incentive where they don't bother doing the diligence of verifying loan applicants hoping that consumers will be responsible for guarding use of public identifiers associated with them.
A quick reading of the FCRA still doesn't show any statutory timeline within which surveillance subjects ("consumers") are required to verify the dossiers on themselves - compared to say regulation E which requires that you verify your legitimate account ledgers at least every month and a half (please correct me if I missed something). I'm not the type to be continually applying for new credit cards for whatever incentive they're offering, so dealing with any backscatter from identity fraud is purely a cost to me. The less I involve myself with their system, the more I can handle its involuntarily burden in "batch mode".
All of this is covered by the FCRA (fair credit reporting act).
Yes, if there are mistakes in your credit report and you ask the CRA to correct them through designated channels they are obligated to fix things. However:
1) Whether you have previously seen your credit report or not is not relevant to this obligation. Most people will be better served by staying on top of things and getting errors corrected sooner rather than waiting to run into problems when applying for credit because:
2) Fixing things will take time. The CRAs are not obligated to act overnight, but instead on the order of 30 days or so. And depending on the exact nature of the errors, this can involve several sequential 30 day round trips. If you need a loan to, say, buy a house right now that's gonna be a bummer for you.
3) In the end, if the CRAs don't follow the rules it's not actually a problem of libel for them. They're much more likely to have a problem with their regulator than to be concerned with a private lawsuit. AFAIK no one has ever successfully sued a CRA for libel. People have tried and failed though. Frankly if you threaten to sue for libel you will not be presenting as professional[A] and you will hinder your cause.
Are you saying you'd have a strong case for libel because you have empirical data to back that up, or are you saying it because you think axiomatically that you should have a strong case?
Not 'axiomatically', rather just naively from basic legal principles. In the same way that one would expect many police shootings to be prosecuted as voluntary manslaughter.
I mean, federal law has little to say about the pricing of PDFs generated from databases in the supermajority of instances. Lots of them cost tens of thousands of dollars. The price is what the market will bear, etc etc.
From the perspective of a savvy technologist talking to another savvy technologist on how to optimize for their preferred outcomes in personal finance:
1) You probably do not need credit monitoring more than 3X per year unless you are actively applying for a mortgage, because you are unlikely to get signalful updates from it which will change how you conduct your affairs in a fashion which optimizes for your interests.
2) But if you do not take my advice on #1, you can get free ~weekly reports from e.g. Amex or Capital One or Chase as a function of having an account with them. Of this group, note that you can open a checking account with Capital One with an initial deposit of IIRC $1 and keep it open forever.
> In this country, people get a unique number when they’re born
Fun fact, social security numbers are not unique. [1] Apparently 40 million of them have been assigned to multiple names, and there's a 1 in 7 chance that any given SSN is not unique.
I skimmed so apologies if this doesn't resonate or was answered, but here in OZ we have what is called "100 points" tests which demands more than one item of ID, and not just knowing the value, but a 'what you hold is who you are' receipt from a government agency.
The burden of proof for KYC is higher basically. Not that fraud and identity fraud don't happen: we have some very famous cases of land titles being swung on wafer-thin proof of identity, which lost people significant amounts of money.
I just feel the US 'social security number' thing is a problem which is in large part of US state/federal making: you drove too hard to a single weakness. Much like your voting fraud risk, you took it too far.
To me the worst is that there seems no way to clean this up. Like the story when he applies for a mortgage and they tell him not to bother. At least at this point you would expect somebody to take a look and clean this up. But instead the machine keeps going.
> when my wife and I went to apply for a mortgage, our agent at the bank told us not to even bother including my name and assets
I think there exists a difference in what the author is communicating happened here and what actually happened here.
I'm presently in the process of applying for a mortgage. I'm married. My wife will, pretty much inevitably, be told not to bother filling out her half of the application. This is not because the loan officer, a commission-seeking sales employee of the mortgage originator, believes she is unlikely to be approved for a mortgage. This is because the loan officer is accurately advising the juice is not worth the squeeze.
The loan officer sitting down with my wife and I is going to say "Mrs. McKenzie, your situation is complicated to explain. His really isn't. Do you want to spend many hours documenting it in a fashion which will not change our decision on how much house you can afford or what your mortgage rate will be?"
I understand that this is not the way that people are socialized to think about credit, but understanding the business process here would cause one to have a very different understanding of the amount of actual damage sustained here.
> Two-factor authentication for bank and credit card accounts would be a start. Banks should probably make it harder to get a new credit card than to log in to Gmail. Creating a web of multichannel identity verification using devices we carry around all day already—conveniently equipped with fingerprint scanners—would likely make some types of fraud more difficult.
Would it, though?
To protect against the type of problem in the article, the second factor would need to come from some sort of official government database. Otherwise, I could just walk into any bank where my victim didn't already have an account and say "Hi, I'm so and so, and I'd like to open an account and sign up for a credit card."
Also, it's not as though iPhones actually send a copy of your fingerprint to the bank. Actually doing so—and relying on it—would introduce a host of other problems.
We have the CPR (Central Person Registry)-number in Denmark which is handed over to various authorities and can also be misused for fraud, to which degree I'm unsure of- but I have heard of some nasty debt issues people struggled to get out of. What's worse is that the generating algorithm is based off of your date of birth and if you have date of birth for the victim you can run the algorithm rather easily and come up with 10-20 potential CPR-numbers (I can't remember the exact num., but it's approximately in that range) whereas one is the valid for the person you wish to defraud.
EDIT: Unsure about possible CPR candidates when reversing CPR numbers.. There have been some updates to the way it's working post 2007.
Wouldn’t you typically have to also use Nem-ID to log in to some new service?
Nem-ID is a central login system, where you get mailed a physical printout of keys that act as two-factor authentication across financial and other services (at least that’s how it was, I think some new system is underway).
I.e the cpr number on its own is not valuable without the login info for services that use nem-Id.
The system seemed to work pretty well and I’m surprised to not see it more widespread.
You can still create phone subscriptions and order medicine and from what I can read quickly on the internet people have in recent years been frauded with smart-loans, leases and some similar stuff.
This is one of the rare highly-charged issues in our country that's also bipartisan, and it's been rapidly gaining space in the public awareness in recent years. I wouldn't be surprised if some legislation actually makes it to the floor. In an era of broad dissatisfaction with the US government, this seems like easy political points waiting to be scored.
> The good news? With so much stolen information in circulation, there’s almost certainly an oversupply of raw materials for fraud and an undersupply of willing criminals.
This is what I've always used as cold comfort. Given the degree of anarchy on the side of the actual data, and given that society hasn't totally collapsed yet, it must be that deterrence by companies and prosecutors is good enough on its own to keep fraud from happening everywhere it could. Even though chances are high that your information is out there, chances remain relatively low that you'll actually be targeted. Of course you still want to keep yourself out of that minority by freezing your credit, etc., but it's something.
Right, it's privatized profits from having a cheaper insecure system with lower sign-up friction, and socialized losses because uninvolved third parties and law enforcement have to pick up the pieces and find the guy to make an example of.
It isn't the credit card that is in your possession that's the problem, it's the fraudulent loans, credit cards, etc. that the scammer receives directly from various banks, etc.
If you destroy your credit preemptively it would be less likely somebody else can get new loans with your identity. I would hardly call that a good solution...
You can, trivially, so trivially that the community has a phrase for shaming people when it happens: "Not your keys, not your coins."
One of the thorniest problems in credit history management in the US is that credentials are given to people who have apparent and actual authority to transact on behalf of other people at the time of the credentials being given but who do not have it at the time of credentials being used. The paradigmatic example is parents using their childrens' SSNs/etc to open accounts, which is routine, legal, and must be a supported use case and, btw, is also an enormous fraud vector. Related vectors include commingled finances of married couples needing to be extricated post divorce and elder abuse.
Blockchains do not solve for these issues, and the community's insistence that they do does not do it credit.
I think, while there may be a technical solution, the bigger problems are with the business and legal incentives around the credit industry today. Many of the things that make our credit system a nightmare for security, also lower friction for opening new accounts and engaging with the banking system. In my view, the banks are effectively offloading the security costs to law enforcement and unrelated third party individuals, in order to reap the benefits of less friction with signup.
If you want a blockchain credit system, you need to solve that convenience problem, as well as a bunch of other kinds of support problems (what happens when you lose your key? Are you just screwed, and if not, what happens when the recovery mechanism is compromised?), and the banks currently have no incentive to do so (see chip and pin for a similar but smaller case study with the credit industry).
Barring large legislation that shifts liabilities onto financial institutions from individuals and law enforcement, we won't see them invest in solving this either.
While there are better practices and worse practices, there's also just a tradeoff between convenience and how thoroughly identity is vetted.
Imagine you forgot your 15 digit randomized password to Google and their response was either a shrug or a requirement to come to an office in Mountain View with multiple forms of government ID between the hours of 9-5 weekdays. (And 2FA doesn't change the basic equation because smartphones, keys, and one-time pads can all be lost.)
That's a somewhat nonsensical extreme example obviously but using physical mail to addresses of record and things like that have often been used to enhance security for certain types of reactions. You're a digital nomad, are just traveling, just moved and didn't update records, or are actually homeless? Too bad.
And this is in a country where pretty much any sort of Voter ID law is controversial because they do disenfranchise many voters.
People have their private keys stolen all the time. Blockchain makes this problem worth because after a theft there is no central authority capable of repairing the damage.
Private keys and addresses are not the same thing.
In the current model, if you get my social security number, checking account number, or credit card number, you have it. I have to trust you not to use it for something bad.
At least in BTC, if you have my public key, it doesn’t matter. You can’t do anything with it.
But in the current system, we are expected to give away this sensitive information all the time. In the BTC model, you (practically) NEVER share you private key with anybody.
The BTC equivalent would be giving your private key to everybody who you have even any sort of relationship with, and just hoping they don’t do anything you don’t want them to. It’s absolutely insane how we treat this stuff right now.
Yes, public/private key authentication would be great when it comes to this sort of thing. But that really has very little to do with the blockchain. It would be quite possible for the government or a consortium of banks to implement improve authorization schemes that have all of the upsides of public/private keys and none of the downsides of the blockchain.
How can you see that this has little to do with the blockchain? This is like a basic application of that technology. Yes of course the government could implement the same thing, but many people already have.
The fraudulent activity got his name put on a government watchlist, probably while the perpetrator was still actively posing as him. Once you get on these lists, it can be extremely difficult or impossible to get back off.
The currency questions imply that they didn't have enough information to arrest him (and were quite possibly aware of the mistaken identity issue), but didn't want an actual thief to escape jurisdiction with stolen money.
This is the problem right here.
To that sorry list, I would add medical providers' offices (doctors and dentists), all of which seem to request social security numbers for some reason on their patient intake forms, when all they should need is the patients' insurance information as printed on their insurance card.