I started with this thought half-jokingly, but now I think I'm serious:
Every single SS# needs to be made public, along with the assigned name. Not just known-breached, but somewhere where it's obvious that anyone could look it up as easily as looking up a phone number or mailing address. Somewhere so public that everyone else knows that they're no longer "secret."
Using Social Security numbers as some sort of proof you're who you say you are is batshit crazy these days. But we all pretend that it's still secure somehow. If there was an embarrassingly public list of all SS#s, then banks would be forced to improve their vetting of applicants.
At the same time, the onus needs to be on a financial institution to prove that I opened an account. If I discover a line of credit in my name, all I should need to do is disavow it, and make the lender prove that I was the one who authorized it.
Yes, this will increase the cost of doing business. But that increased cost is already here, just born randomly and disproportionately by the victims of "identity theft."
Want to issue a credit card with a $15,000 limit? Have the applicant walk into a branch, provide a thumbprint take their picture. Or get them on a video call standing in front of their house, attesting that they're the person they say they are. Or if you think that's too inconvenient you can take on all the risk if the borrow later disavows the debt.
A piece of paper or online form with the magic numbers is just not enough.
> Or if you think that's too inconvenient you can take on all the risk if the borrow later disavows the debt.
They are already required by law to assume the risk for fraudulent charges. It's just a mess and hassle for consumers.
It's like leaving packages on doorsteps without signatures. Apparently they just make more money eating the occasional fraud losses than the price of doing something safer.
I’m not talking about fraudulent charges, but entire accounts. Credit cards and car loans opened using someone else’s identity. When that happens today, the victim can spend years trying to unravel the mess and repair their credit files.
In my case, a phone line for a ‘drug dealer’ that was eventually tapped by law enforcement. The phone company tried to stick me with 3k$ in fees. Initially, the only correct information on the account was my address — they had verified nothing else.
I have said for a long time that SS numbers, birthdates, mother's maiden name, place of birth, date of marriage, street you lived on 10 years ago, all the standard "secret" info should be presumed public if not in fact made public. None of that is hard enough to dig up that it should be relied upon to prove identity.
ever since the pandemic started, at work we've had a a chat channel for "socializing" with each other. One day someone posted a topic. Something like, "Tell us about where you grew up". And the head of security immediately replied and said, "let's talk about something that isn't a common security question".
I admit that I think that was 100% unnecessary, expecially in this situation, to put the kibosh on the conversation. But it made me realize how insane it is that something that is a common "get to know you" type question (tell me about where you grew up? (street, school etc) Tell me about your parents? (maiden name)) are also a common "security" questions.
Also, side note. I NEVER use real answers to those questions. I treat it as an extra password and store it securely that way. No way I'm going to turn my mother's maiden name (easily searchable if you know my full name) into a password!
Whenever I am forced to do surveillance based "authentication" (where they ask you all those questions about your past), I pretend to forget everything I know about my own life and just answer the questions using web searches (eg what city is some popular street in). I reckon this is a good way to avoid confirming any data that they only half know. So far I have not failed to "verify" using this technique.
Every single SS# needs to be made public, along with the assigned name. Not just known-breached, but somewhere where it's obvious that anyone could look it up as easily as looking up a phone number or mailing address. Somewhere so public that everyone else knows that they're no longer "secret."
Using Social Security numbers as some sort of proof you're who you say you are is batshit crazy these days. But we all pretend that it's still secure somehow. If there was an embarrassingly public list of all SS#s, then banks would be forced to improve their vetting of applicants.
At the same time, the onus needs to be on a financial institution to prove that I opened an account. If I discover a line of credit in my name, all I should need to do is disavow it, and make the lender prove that I was the one who authorized it.
Yes, this will increase the cost of doing business. But that increased cost is already here, just born randomly and disproportionately by the victims of "identity theft."
Want to issue a credit card with a $15,000 limit? Have the applicant walk into a branch, provide a thumbprint take their picture. Or get them on a video call standing in front of their house, attesting that they're the person they say they are. Or if you think that's too inconvenient you can take on all the risk if the borrow later disavows the debt.
A piece of paper or online form with the magic numbers is just not enough.