The fundamental issue here is that maintaining security is expensive, and it is cheaper to just deal with occasional hacks. The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It is not that expensive. It is a couple pennies per pull (of a credit report/file) for somebody seeking identity proofing to use knowledge based authentication (the usual “where did you live, are these trade lines you?”). It is $1.50-$2.00 per proofing attempt with the government credential using ID.me or stripe identity. The problem is that no one is incentivized to slightly increase costs to reduce fraud because the burden falls on consumers instead, and credit reporting agencies don’t want to see their moat and revenue stream cannibalized. Bit of a public good Innovator’s Dilemma.
TLDR A better national digital identity story makes this problem go away.
(responsible for customer IAM including identity proofing at a fintech, doing some lift for Login.gov independently as a citizen activist)
I would imagine that most of the data for the ID checks based on public records (where did a person live; own a car/house/boat; ...) are trivially handleable.
Just takes one person to leak the database (which is probably only a few TB compressed) for all of the US and fits on a single HDD/SSD.
I would be surprised if these DBs aren't already sold on the darknet. And this DB doesn't have to be super up to date b/c security questions often go back years.
Interpreting the DB should be easy to hardcode but even easier handled with an LLM.
So the protection afforded by these checks is IMO at best nominal.
I think we should be asking how to design the procedure for when someone calls and claims they forgot everything and lost everything. An attacker can always call in and say this, and we'll need to call in and say this if we've been attacked.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.
More importantly, they can require you provide a government ID and perform a liveness selfie check. This is the gold standard for remote identity proofing. Onboarding secure authenticators is best practice to bind digital identity to IRL identity when proofing occurs and identity assurance is high.
This might be somewhat true (it's certainly more expensive than not having security) but when your entire business is around making assurances based on people's identities, you'd assume that they'd put more effort into making their services secure. And if it's too expensive to do it securely, then maybe we should start to question whether such a service should even exist and deserves to store a lot of personal and private information.
>The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It's notable this issue (verification by SSN) doesn't affect GDPR-land - the GDPR has fines of up to 4% of global turnover.
>malicious incompetence by everyone in the Experian security chain
How do we know it's malicious and not just regular incompetence? Hanlon's razor and all.
My question was related to this quote:
>the GDPR has fines of up to 4% of global turnover.
I was asking what GDPR has fines on. Does it have fines for incompetence? snthd claimed that "this issue (verification by SSN) doesn't affect GDPR-land" saying GDPR-land somehow prevents this with a specific fine. I'm wondering what the specific fine is that GDPR-land has that prevents this issue.