I can't get my [knowledge-based authentication] data back. I don't want their measly $125 from them (it will cost me far more time and money when this breach is used against me). I want them to pay the cost for the government to replace the SSN as an identifier. And to pay for the government give me a new SSN in the meanwhile... and they don't get to store the new SSN in their database (because they dun messed up). I think that would be a better outcome for everyone.
Everyone is identified by their birth date, the name of their mother and their birth place. (Their own name is not that important, for example twins can pull off identity fraud easily, as they can pretend to have the name of their twin, and how would anyone know!?)
Sure, we can go full 1984 and GATTACA and use biomarkers and papers and whatever. But that just makes puts many edge cases out of scope, doesn't solve them at all.
If someone shows up at the bank and claims to be someone, they can produce documents, either via simple forgery or by stealing someone else's "identity".
They can then pass all the checks the bank runs. (Sure, if there is some database that says don't open accounts for these IDs, then the scammer can start with persuading the admins of that DB to unlock the corresponding ID.)
And this will always happen as long as we allow fallbacks for people to get access to (and create) their accounts after losing (or without creating) a strong cryptographic key (password).
The kicker is they reuse the SSNs. Had a gig where I was working with the 'death master' files. (It use to be much easier to get your hands on the files - https://ladmf.ntis.gov now) and it would list every SSN number used by the dead. Lots of duplicate SSNs, some malformed data, some just missing. An interesting data set to look at, and a great reminder why folks should not be using this as an identifier.
