Inside the "3 billion people" national public data breach (troyhunt.com)
588 points by bubblehack3r 34 days ago | hide | past | favorite | 444 comments



> While the specifics of the data breach remain unclear, the trove of data was put up for sale on the dark web for $3.5 million in April, the complaint reads.

I guess they failed to sell it because links to the leaked data on usdod.io have been available on Breachforum/Leakbase for over a week now. Someone created a magnet link yesterday and it's fully seeded so speeds are fast.

The data in the breach is irreversibly public now.


> Someone created a magnet link yesterday

Are you against simply sharing the infohash here? I'd like to download the leak to see what information it has on myself and my family, but I don't really relish the idea of signing up for a breachforums account and sifting through its posts if I can avoid it.


Here is a strongly encrypted base64 version to keep hackers out:

bWFnbmV0Oj94dD11cm46YnRpaDozY2FhNzFmM2VjOGNiY2NjNmZjYTRmZWI3MTg1ZGEyYmFiMTQ5YmE3JmRuPU5QRCZ0cj11ZHA6Ly90cmFja2VyLm9wZW5iaXR0b3JyZW50LmNvbTo4MCZ0cj11ZHA6Ly90cmFja2VyLm9wZW50cmFja3Iub3JnOjEzMzcvYW5ub3VuY2U=

Allegedly, the password (also base64 encrypted) is:

aHR0cHM6Ly91c2RvZC5pby8=


Has anyone been able to reverse this base64 encryption? Whatever am I going to do with this?


It can't be reversed, unfortunately. base64 has been peer proven as mathematically unhackable.


Username checks out.


Same for base16. That's why those pesky hash digests always use it.


rot13 is way faster though.


do you still hang out with CrashOverRide?


Only in phonebooths during slow-motion, rotating hack montages.


https://www.base64decode.org/

I hope this helps you


It was a joke, but thank you. The internet needs more helpful people.


Wasn't it a joke?


I just knew someone was going to take it seriously xD


[flagged]


I'm not sure. There are 64 bases. Probably quantum proof.


[flagged]


[flagged]


Sincerely I hope you don’t try reading Jonathan Swift - you may start trying to eat children.


Yeah ok I was stupid


Dude it's just a joke


Yeah I'm dumb and was having a bad day


Happens to the best of us. Life is a dance not a maze.


I dug into this a little and one of the files is 164GB. How do you even work with these files? That is, how would I search for my SSN on my windows box?


That's not even that big? `cat big_file | grep -v my_term` would go line-by-line and show any lines matching your query. If you're doing a lot of queries, you'd probably want to index it, so you throw it into a sqlite database with the usual SQL utils.

Edit: I missed you said Windows. Probably PowerShell has similar utilities, so you can do `ReadFileLineByLine \r \d big_file | ReturnHitBySearchTerm \v \t \s my_term` or something similar.


>ReadFileLineByLine \r \d ssn.txt | ReturnHitBySearchTerm \v \t \s trampas
ReadFileLineByLine : The term 'ReadFileLineByLine' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ ReadFileLineByLine \r \d ssn.txt | ReturnHitBySearchTerm \v \t \s tra ...
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ReadFileLineByLine:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

:(

All I know about powershell I just learned by accident: ls works


You absolutely do not want to use "-v" with that grep.

Nor do you want to use cat (UUoCA) but that's very much a minor point in comparison.
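To make the grep/SQLite suggestion from this sub-thread concrete, here is an added Python example (mine, not code from anyone in the thread). It streams a file line by line in constant memory, shows what the `-v` flag would actually do, and loads the rows into SQLite with the SSN normalised to nine digits and indexed, so that "123-45-6789" and "123456789" hit the same row on repeated lookups. The CSV column layout and the three sample records are constructed for the demo; the thread does not describe the real files' layout, so adjust the `split` and the table columns to whatever the dump actually contains.

```python
import re
import sqlite3
import tempfile

# Constructed sample records (fake values, not from any real dump). The same
# person appears twice with the SSN written in two formats, which is exactly
# what a naive substring search for one spelling misses.
SAMPLE_DUMP = (
    "123-45-6789,DOE,JOHN,1 MAIN ST,SPRINGFIELD\n"
    "987-65-4321,ROE,JANE,22 OAK AVE,SHELBYVILLE\n"
    "123456789,DOE,JOHN,9 ELM RD,CAPITAL CITY\n"
)


def make_sample_file() -> str:
    """Write the constructed sample to a temp file and return its path."""
    fh = tempfile.NamedTemporaryFile("w", suffix=".csv", delete=False, encoding="utf-8")
    fh.write(SAMPLE_DUMP)
    fh.close()
    return fh.name


def stream_search(path: str, term: str, invert: bool = False) -> list:
    """Scan the file line by line (constant memory, like grep) and return matching lines.

    invert=True reproduces `grep -v`: every line EXCEPT the matches, which on a
    164GB file means printing almost the whole file. Leave it False for this job.
    """
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if (term in line) != invert:
                hits.append(line.rstrip("\n"))
    return hits


def build_index(path: str, db_path: str = ":memory:") -> sqlite3.Connection:
    """Load the dump into SQLite with the SSN normalised to digits and indexed,
    so each further lookup is an index seek instead of a full multi-minute scan."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS rec "
        "(ssn TEXT, last TEXT, first TEXT, addr TEXT, city TEXT)"
    )
    batch = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(",")
            if len(parts) != 5:
                continue  # skip malformed rows rather than abort a long load
            parts[0] = re.sub(r"\D", "", parts[0])  # "123-45-6789" -> "123456789"
            batch.append(parts)
            if len(batch) >= 50_000:  # bounded memory while loading a huge file
                conn.executemany("INSERT INTO rec VALUES (?,?,?,?,?)", batch)
                batch.clear()
    if batch:
        conn.executemany("INSERT INTO rec VALUES (?,?,?,?,?)", batch)
    conn.execute("CREATE INDEX IF NOT EXISTS rec_ssn ON rec(ssn)")
    conn.commit()
    return conn


def lookup(conn: sqlite3.Connection, ssn: str) -> list:
    """Look up an SSN given in any format (dashes, spaces) against the normalised index."""
    digits = re.sub(r"\D", "", ssn)
    return conn.execute(
        "SELECT last, first, addr, city FROM rec WHERE ssn = ?", (digits,)
    ).fetchall()


if __name__ == "__main__":
    path = make_sample_file()
    print(stream_search(path, "123-45-6789"))          # one hit: only the dashed spelling
    conn = build_index(path)
    print(lookup(conn, "123-45-6789"))                 # two rows: both spellings
```

The same script runs unchanged on Windows, which sidesteps the PowerShell question. One practical caveat: pass your own identifiers in from a file or prompt rather than as a command-line argument, since shell history and process listings will otherwise record them.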


UUoCA: https://porkmail.org/era/unix/award

I hadn't heard of it before.


Using sift on a 100GB txt file still takes multiple minutes. I haven't tried ag, but grep is supposedly slower.


If the desire is just to grep for your name, email address, whatever, and then throw the rest of the data away, I don't think waiting multiple minutes is a big deal.


I can't believe HN mods think it's ok to leave this comment up. I don't know of a way to report it myself unfortunately.


Excuse me, why is linking to something bad? Especially when it contains your own data?



Doxxing involves targeting an individual, as mentioned in the first line of that wiki page.

I'm not publishing or leaking any data either. I'm linking to something that was already made public which contains my own data.


Linking to personal information may be considered publishing in some areas.

Also it's just a really crappy thing to do IMO.


I get it now, but I have so much imposter syndrome that I wasn't sure if this was ACTUALLY something I needed to figure out -__-


Anyone know the size after the 50GB file is un7zipped?

EDIT: answer: 2 files, 176GB and 120GB, total is 298GB.


Entire family is in the list, with every address they've lived at in the last 40 years.

Freeze your credit reports, folks.


Elsewhere in this thread I posted a detailed commentary on what the torrent contains.


FYI: This is only the two social security files, not the whole breach.


BitTorrent uses something called a "distributed hash table", for which there exist services to search it (btdig, etc). You can use one of those alongside the torrent name (NPD) to find it.

I haven't downloaded it, but my understanding is that the data comes compressed and with a (weak) password.


You can check to see if you were in the breach here:

https://npd.pentester.com/search

This will save you the effort of a 30min search per `grep` on the original breached files.


FYI, that is likely to be a crime; at the very least there have been cases of websites being punished for linking to illegally distributed IP (even if not hosting it).


I'd be worried about legal repercussions if we were talking about the latest Disney movie, but this is merely the private information of a billion people. Never seen IP law give much of a crap about that before.


Private information on people is Equifax's IP.


A collection of facts is not and can not be copyrightable, especially when it was mechanically derived/collected (no human creativity). So, no, it is absolutely not "Equifax's IP".


Only in the US. In the EU and other jurisdictions it does have protection [1].

[1] https://en.wikipedia.org/wiki/Copyright_law_of_the_European_...


So I could copyright my SSN in the EU and sue Equifax et al.?


Not on an individual basis. If you collected a large number of them and someone copied them from you, then you could have a database right claim, which is sort of similar to copyright, but much less powerful. https://en.wikipedia.org/wiki/Database_right


Yeah, in the EU it does have Palantir's protection. /s


which has yet to leak. as far as we know, the equifax data never became public.


1 pirated Disney movie is a tragedy.

3,000,000,000 leaked Social Security Numbers is a statistic.

-Joseph "Social Credit" Stalin

...Is it obvious I, as an American who can confirm my SSN (and whatever else) was leaked by this, sincerely couldn't care less because this is leak incident number 897165176548795647564576415671?

That $10 UberEats gift card from CrowdStrike would be more valuable than another batch of Free Credit Monitoring(tm).


UberEats gift cards are the ultimate passive aggressive “fuck you”. To use them, you need to spend at least another 10 to actually get something


Is this NPD's "IP" though? Is my personal information that company scraped, now that company's intellectual property?


Where's the IP?

It's like phone books--a collection of data, no creative content.


Do you know if the Rhysida ones get torrented?

https://www.ransomlook.io/group/rhysida


Nobody's gonna pay that much money for it when you can get it from ad companies for pennies


Now everyone just needs to send their email addresses to HIBP, i.e., email HIBP, so he can connect these identities with IP addresses and working email accounts. For people's protection of course.

After everyone "has been pwned" then there is no need for HIBP. The answer is always "yes". Yet I am certain sites like "HIBP" will never go away. Something about email marketing.

Some HN commenter(s) will inevitably try to defend HIBP. But this comment also refers to sites "like HIBP" that use data breach dumps opportunistically to generate web traffic, collect IP and email addresses. Some folks just do not see what is wrong with the idea.


There is trust involved here. And people trust Troy Hunt.

And of course you can download SHA ranges and do lookup offline: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

He even previously encouraged downloading it via torrent, but now it seems there is a custom tool to download that data.


The offline lookup is just for passwords (the pwned passwords service) and is used to prevent people from using known breached passwords.

There is no offline availability for the Have I Been Pwned data on which emails were present in which breaches. Access to this data is rate limited and paid API keys are needed for bulk access.
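For readers who have not looked at how the Pwned Passwords lookup works, here is an added Python example (mine, not Troy Hunt's or HIBP's code) of the k-anonymity range query it uses. The client SHA-1 hashes the password, sends only the first five hex characters, and compares the remaining 35 locally against the `SUFFIX:COUNT` lines the range endpoint returns; the downloaded offline set is the same data, so the local lookup is the same split. The range body below is constructed for the demo, including the counts; only the suffix for "password" is its real SHA-1 tail.

```python
import hashlib

# Constructed stand-in for the response to /range/5BAA6. Real responses contain
# hundreds of SUFFIX:COUNT lines; the counts here are invented for the demo.
CONSTRUCTED_RANGE_5BAA6 = """\
0AC9A6B8F2D3E1C4B5A69788F1E2D3C4B5A:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys on uppercase hex SHA-1 of the raw password bytes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """k-anonymity split: only the 5-char prefix leaves the client.

    2^20 hashes share each prefix, so the server learns nothing useful about
    which password was checked.
    """
    h = sha1_upper(password)
    return h[:5], h[5:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Local comparison of the 35-char suffix; 0 means not in this range."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = split_for_range_query("password")
    print(prefix)                                             # 5BAA6 is what gets sent
    print(breach_count("password", CONSTRUCTED_RANGE_5BAA6))  # non-zero: known breached
```

In a real client the `range_body` would come from `https://api.pwnedpasswords.com/range/<prefix>` or from the local copy of the downloaded hash set; the comparison logic is the same either way, and the full password hash never leaves the machine.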


The downloads are the way to go IMHO. But this is coming a little too late. "HIBP" is already making money from "paid API" and other commercial nonsense. Profiting from data breaches. While posing as a hero, catering to a dedicated following. This is, IMHO, everything that is wrong with the web.

The issue I am raising is not whether a particular website operator claiming to be in possession of data breach dumps, that any web user can download themselves, is "trustworthy" or not. The point I am raising is the unnecessary data collection. If these downloads were available from the website from day one, then there would be no "paid API" nor partnerships with so-called "tech" companies or HN HIBP following. There would not be "HIBP" proponents trying to suppress any criticism of it, defending its every move despite its past mistakes. Most importantly, there would be less/no need for "trust".

HIBP is a particularly ugly symbol of the problem of web intermediaries/middlemen and everything/anything "as a service". As expected, HN commenters will not like this viewpoint as they may themselves be trying to profit from such intermediation and the data collection it enables. They may have even convinced themselves they are doing good.


He actually tried to sell the company at one point in time. He had a stressful time, approaching burnout. Around 2019 he tried to sell HIBP: https://www.troyhunt.com/project-svalbard-the-future-of-have...

> ... but it was the first time since the overhead of managing the service had gone off the charts.

Around 2020 he decided not to: https://www.troyhunt.com/project-svalbard-have-i-been-pwned-...

He then reveals source of stress and the way it impacted HIBP: https://www.troyhunt.com/sustaining-performance-under-extrem...

Just think about it: HIBP hinges on a person doing his stuff, putting in his time and finances. That affects personal life. However that is a very valuable utility that guy is doing. Good that CF donates cache and help is here and there... but do you think you would have managed that service better?

Would it have been better if HIBP was sold and managed by a real company? Who knows. But long term it is of course healthier if HIBP isn't affected by a single person's personal life situation.


HIBP has been audited by independent 3rd parties.


> After everyone "has been pwned" then there is no need for HIBP.

You can be repeatedly pwned with updated/different information. It is not a one and done thing.


And people are born and die


Allegedly /s


Using data breach dumps to get web traffic and IP/email addresses under the guise of "helping" is lame. Then partnering with so-called "tech" companies that collect data as a "business". Data collection is the cause of the problem not the solution.


It's worth remembering that the main reason this kind of data breach is a real problem is mostly due to the incompetence of the IRS. For any serious financial organization, knowing a person's SSN, name, address, etc doesn't allow you to access or withdraw that person's finances.

But the stupidity of the IRS means that people are easily targeted by false tax return attacks. File a fake tax return for someone, using their SSN/name/address, but tell the IRS you changed address. Then the IRS sends your tax refund to the new address, and boom, you just collected some poor sod's refund. To add insult to injury, the IRS is probably going to audit the person whose refund you stole.


But not just the IRS; the banking system, most healthcare providers, states for most of a century, and the credit bureaus for REusing SSN as unique identifier "passwords".


I agree. The IRS should be better funded so they can afford to update their systems and hire more tech experts.


I hope this is meant to be satirical. The IRS has a massive budget. Maybe just reallocate their current funds instead of giving them more is a better idea.


I don’t think the parent is satirical at all; as an enumerated power, the IRS needs modernization and better funding.

Recent hiring expansions have increased audits for high earners and generated additional revenue. Turbotax’s lobbyists are losing influence and we’re enjoying free filing options for individuals in some states. It’s also reasonable to say that a revenue service is not responsible for defining authentication security standards.

Why do you think reallocating funds is worth it as a response to this issue? Where would those funds go?


I'm sure you've seen teams that have bad leadership / a culture of dysfunction. They're always asking for more headcount and no matter how much you add they don't get any better. I assume parent was pointing out that no matter how many resources you give to the IRS they won't get functionally better. You need to change the leadership/incentives/culture, which is hard with govt agencies, but resources also won't make the problem go away.


I simply don't agree that the issues faced are the same; published reports detail how the complexities inherent to high-income non-filers and filers alike leave plenty of room for more accurate assessments. [0][1]

0. https://www.gao.gov/products/gao-24-106112

1. https://www.irs.gov/newsroom/irs-launches-new-effort-aimed-a...


This comment is shockingly misguided.

The IRS doesn't have the authority to mandate the creation of a secure national ID system and enforce its use by the financial system. Only congress has the ability to really do that. The IRS collects revenue.

Even if it did have that authority, it doesn't have the budget to accomplish that goal.


isn't it funny how no government service is ever at fault, it's always just a problem of funding? The IRS is good, just under funded. Public schools are good, just under funded. The NHS is good, just under funded. The roads are good, just under funded

except then funding is raised, and it's still a problem of funding. and inevitably, it's the evil side of the government (you know the one) that is to blame, even if there is no money to spend.

how does a public service determine when they have enough funding?


This is neither a problem of funding or any government service being at fault. This is the fault of American culture. A national ID system sounds too scary to too many Americans. Politicians aren't going to waste their political capital on pushing through something so unpopular. It really isn't any more complicated than that. There is a huge desire for some sort of national ID system and SSNs are the closest we got so they filled the vacuum. It is silly to blame that on the IRS. It is a societal failure.


I'm not trying to be combative, but this sentiment just doesn't pass the smell test to me.

Yes, I agree that there is a cultural undercurrent of fear around a national ID system, and I also agree that politicians are likely to game their political capital for the greatest return in their career.

What I do NOT believe is that the Social Security number just sort of came about and started being used by government services such as the IRS without anyone being responsible for that huge organizational decision or the initial (current?) lack of security controls around its implementation.

To me, it seems to be an almost certainty that it is both an organizational problem at the government service level AND (as a result) a funding problem.


>What I do NOT believe is that the Social Security number just sort of came about and started being used by government services such as the IRS without anyone being responsible for that huge organizational decision or the initial (current?) lack of security controls around its implementation.

They didn’t “just sort of come about”, they were created for this exact purpose of tracking government services. Over the years, the number of government services expanded because of the lack of other alternatives like I said.

And the lack of security around SSNs is because they weren't intended to be secret. It is generally private sector groups like banks and credit agencies that have turned this into a problem by treating SSNs as if they are a proof of identification. They were created as usernames, but people treated them as passwords.


> They were created as usernames, but people treated them as passwords.

Fully agree, but I don't see how this refutes what I and the root-level comment (anti-IRS sentiment aside) are saying.

> the lack of security around SSNs is because they weren't intended to be secret.

The lack of security is not BECAUSE they weren't intended to be secret. The lack of security is because numerous organizations (including the IRS, until their introduction of an IP PIN) treated these "usernames" as though they were passwords.

It's not a design problem with original intent of SSNs, it's an implementation problem with any organization using them improperly. Gov't services are just as responsible as banks and credit agencies when they misuse them.


When exactly has funding EVER been raised for any of those things??

That's one of the biggest political fights in the past century: austerity, cutting public spending, and means-testing the fuck out of every social program the government even still offers. This has been the case since the 80s Reagan-Thatcher years. You can literally look at the budgets of major cities and easily see where the majority of spending goes. Hint: it ain't public schools. Were you not paying attention when people were talking about how much police departments get paid out of the budgets of their cities a couple years back? Have you EVER thought to actually substantiate your beliefs by actually looking up the policies that affect public spending and government budgets?

Is the answer "no"?

And it isn't just a problem with funding, it's a legislative and cultural problem too. But in the short term, without drafting up new laws or changing the culture of society, the best we can do to fix these issues is provide more funding.


In the private sector, OKRs and KPIs are used to track performance and provide metrics on whether a company is meeting its goals. Boards review these metrics and decide on additional investments based on thorough cost/benefit analyses.

I imagine it's similar in the public sector, where funding is determined by the needs of the public, political considerations, long-term planning, and so on.


What you describe might be out of date. Someone tried to use my identity to file a fake tax return. The IRS caught it and now I get issued a PIN every tax season for kinda-sorta two factor auth.


Troy mentions "data opt-out services. Every person who used some sort of data opt-out service was not present."

Anyone have experience with these sort of services? A search brings up a lot of scammy looking results. But if services exist to reduce my profile I'd be interested.


> Anyone have experience with these sort of services?

Quite a bit. Often if you request removal or opt-out, you'll reappear in a matter of a few months in their system, regardless of whether you use a professional service as a proxy or do it yourself. The data brokers usually go out of their way to be annoying about it and will claim they can't do anything about you showing up in their aggregated sources later on. They'll never tell you what these sources are. A lot of them will share data with each other, stuff that's not public. It's entirely hostile and should be illegal. I am trying to craft a lawsuit angle at the moment but they feel totally unassailable.

I'm extremely skeptical of any services that claim they can guarantee 100% removal after any length of time of longer than 6 months. From my technical viewpoint and experience, it is very much an unsolved problem.


my understanding is that there's a bit of a catch-22 with data removal - if you request that a data broker remove ALL of your information, it's impossible for them to keep you from reappearing in their sources later on because that would require them to retain your information (so they can filter you out if you appear again).


I’ve heard this claim, but they could use some sort of bloom filter or cryptographic hashing to block profiles that contain previously-removed records.

There could also be a shared, trusted opt-out service that accepted information and returned a boolean saying “opt-out” or “opt-in”.

Ideally, it’d return “opt-out” in the no-information case.


Hash-based solutions aren't as easy as we might hope.

You store a hashed version of my SSN, or my phone number, to represent my opt-out? Someone can just hash every number from 000-00-0000 to 999-99-9999 and figure out mine from that.

You hash the entire contents of the profile - name+address+phone+e-mail+DOB+SSN - and the moment a data source provides them with a profile only containing name+address+email - the missing fields mean the hashes won't match.

A trusted third party will work a lot better IMHO.

And of course none of the data brokers have much reason to make opt-outs work well, in the absence of legislation and strict enforcement - it's in their commercial interests to say they "can't stop your data reappearing"


> Someone can just hash every number from 000-00-0000 to 999-99-9999 and figure out mine from that.

That's what salts are for, right? It wouldn't be too hard to issue a very large, known, public salt alongside each SSN.

> And of course none of the data brokers have much reason to make opt-outs work well, in the absence of legislation and strict enforcement - it's in their commercial interests to say they "can't stop your data reappearing"

This is the actual reason, IMHO.


If the salt is public, what’s the point, then you can get all the salts, and combine them with every possible ssn, and you’re back where you were before.


No, that is kind of the point of a salt: it doesn't need to be hidden. It's designed for a scenario where e.g. your database is hacked and they're visible as plaintext: https://en.wikipedia.org/wiki/Salt_(cryptography)

Since the salts are random, unique to each SSN and long: a) you'll find no existing rainbow table that contains the correct plaintext for your SSN hash and b) each SSN now requires its own bruteforcing that is unhelpful for any of the other SSNs

Combine that with a very expensive hashing method like PBKDF2 (I'm sure there's something better by now) and you've made it pretty dang hard for non state actors to bruteforce a significant chunk of SSNs. There's also peppers that involve storing some more global secrets on HSMs.

I'm sure the crypto nerds have like a dozen better methods than what I can come up with but the point is this is not a feasibility issue.


I’m sorry but it’s not that simple. You can’t just say add salt, here are the benefits of salt, problem solved.

In a password database, salt is not secret because the password combined with it is secret and can be anything. Even if you know the salt for a particular user, in order to crack that user, you need to start hashing all possible passwords combined with that salt. If a user picks a dumb password like password123, then they are not safe if the salt leaks. Other users with password=password123 will not be immediately apparent because other users have different salts. You would have to try password123 combined with each user’s salt to identify all the users with password123.

You said “It wouldn't be too hard to issue a very large, known, public salt alongside each SSN.” That means there should be some theoretical service where you pass it an ssn and get back the salt, right? So what have you gained? Any attacker with an ssn can get the salt, and nothing was gained. Or if attackers don’t have ssns they can just ask for all the salts, the mapping from ssn to salt is public so they know 000-00-000 has salt1, 000-00-001 has salt2, etc, so you haven’t increased the amount of hashes attackers have to do to do whatever it is they want to do.

You’re right about commercial interests being at play. That’s why we don’t have laws like GDPR in the USA. Crypto nerds have thought about this long and hard and if it was that easy we wouldn’t need stupidly complex laws like GDPR. They would “just add salt.” Or other services would “just add salt” instead of relying on more complex and expensive forms of identity verification and protection.

You don’t need to be a crypto nerd to try to describe a flow where having a public known salt per ssn helps with privacy. You do not need to be a crypto nerd to design secure one way hash functions that would plug into that flow.


Yep, you are right, complete brain fart on my end. Of course it doesn't work if it's required for the salt to be publicly mappable to the SSN, since that just circumvents the whole thing. I just didn't understand what you were saying in your earlier message.


"all the salts" * "all the SSNs" becomes a very big number. With a large enough but still reasonably sized salt, you can engineer it so that hashing all combinations takes an amount of time greater than the age of the universe even if you use all the computers in the world.


All the salts * all the ssns is a very large set but it’s irrelevant because in the above scenario each ssn has a public well known salt, you don’t have to test each salt against each possible ssn because the mapping from one to the other is known.

Even if such a service doesn’t exist, and you just have a list of all the salts without knowing which ssn they map to, you’re just hand waving how hard it will be to hash the entire salt*ssn set.

Hashing a salt+ssn can’t take too too long because data brokers need to be doing it frequently in order to verify identities.

In this report, https://files.consumerfinance.gov/f/documents/cfpb_consumer-..., it says monthly volume of credit card marketing mail is in the hundreds of millions per month. Can we assume that each piece of mail is roughly associated with one instance of hashing a salt+ssn? Given that number, how expensive (in terms of time, compute cycles, whatever) can it possibly be to hash a salt+ssn? If we make it too expensive, expensive enough to support your “age of the universe” claims, credit markets would grind to a halt.
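The enumeration argument in the last few comments is easy to check numerically, so here is an added Python example (mine, not from anyone in the thread). It assumes the proposed "known, public salt per SSN" is something an attacker can derive or look up; the derivation function below is a stand-in for that registry. The point it demonstrates: the attacker's work is one hash per candidate SSN whatever the salt's length, so the whole space is at most 10^9 hashes, and the `recover_ssn` search is deliberately restricted to a small candidate range so the demo finishes instantly.

```python
import hashlib
import hmac
import time

SSN_SPACE = 10**9  # every 9-digit string; the set of issued SSNs is smaller still


def public_salt_for(ssn: str) -> bytes:
    """Stand-in for the public per-SSN salt registry proposed above (assumption
    for the demo). Because anyone can compute it, it contributes no secret."""
    return hashlib.sha256(b"public-salt-registry:" + ssn.encode()).digest()


def salted_hash(ssn: str, salt: bytes) -> str:
    return hashlib.sha256(salt + ssn.encode()).hexdigest()


def opt_out_token(ssn: str) -> str:
    """What a broker would store for an opted-out SSN under the public-salt scheme."""
    return salted_hash(ssn, public_salt_for(ssn))


def recover_ssn(token: str, candidates):
    """Attacker side: walk candidate SSNs, re-derive each one's public salt, compare.

    A unique long salt per SSN does not multiply the work by the salt space, only
    by the number of records, because the salt is looked up rather than guessed.
    Pass range(0, SSN_SPACE) for the full search; the test uses a small window.
    """
    for n in candidates:
        cand = f"{n:09d}"
        if hmac.compare_digest(opt_out_token(cand), token):
            return cand
    return None


def per_hash_seconds(samples: int = 20_000) -> float:
    """Measure this machine's cost per candidate (two SHA-256 calls each)."""
    start = time.perf_counter()
    for n in range(samples):
        opt_out_token(f"{n:09d}")
    return (time.perf_counter() - start) / samples


def full_space_seconds(seconds_per_hash: float) -> float:
    """Single-core time to try every 9-digit SSN at the given per-hash cost."""
    return SSN_SPACE * seconds_per_hash


if __name__ == "__main__":
    token = opt_out_token("123456789")
    print(recover_ssn(token, range(123_450_000, 123_460_000)))  # "123456789"
    cost = per_hash_seconds()
    print(f"{cost * 1e6:.2f} us per candidate, "
          f"{full_space_seconds(cost) / 3600:.1f} core-hours for the full space")
```

Swapping SHA-256 for a slow KDF only rescales the last line: at 10 ms per hash the full space is 10^7 seconds, about 116 core-days, which parallelises trivially and, as the comment above notes, would also be far too slow for a broker that has to compute it on every record. A secret pepper held in an HSM turns the scheme into a keyed MAC the attacker cannot enumerate offline, but then the broker is holding a key that maps cleanly back to each person's identifier, which is the same trust problem in a different place.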


A salt works by altering the encrypted output. It's not a secret (though it's often kept secret for an added layer of obscurity).


I’m quite familiar with how a salt works. One might say deeply familiar since I have worked on auth services for very large, very secure organizations.

Poster above me just said “add salt” and waved their hands without describing anything concrete, like just saying some magic words can solve hard problems.


Yup, it would be trivial to create a one way hash of various attributes to perma ‘opt out’ someone.

But how would they keep making money that way?


So for a perfect match they'd need to have some sort of unique identifier that's present in the first set of data you ask them to remove, as well as being present in any subsequent "acquisitions" or "scrapes" of your data.

If these devs that scrape/dump/collate all this info are anything like the ones I've seen, and they're functioning in countries like the US and UK whereby you don't have individual identifiers that are pretty unique, then I'd say the chance of them being able to get such a "unique" key on you to remove you perpetually is next to impossible. And if it's even close to being "hard", they'll not even bother. Doubly so if this service/people/data is anything like the credit-score companies, which are notoriously bad at data de-duplication and sanitation.

Likewise, if you want them to do some sort of removal using things other than a unique identifier, then you have to have some sort of function that determines closeness between the two records. From what I've heard, places like Interpol, countries' border-control and police agencies usually use name, surname and dob as a combination to match. Amazingly unique and unchanging combination, that one! /s


Sorry, I value my legal rights over the viability of the data broker industry. If they can’t figure out a way for lawfully not collecting my data, they should not collect data period.


I mean, if we’re not allowed to know that we’re not allowed to surveil the shit out of you, it seems like something we can’t worry about


Not really my problem, I’ll sue you when you get breached.


1. They could be required to store a private copy of the removal requests, data that they can't sell (not ideal)

2. Sounds like "data brokers" that sell private information just shouldn't exist...


> They could be required to store a private copy of the removal requests

They would leak that in the next data breach.


They could store a hash.


Which would never work because real life data is messy so the hashes would not match. Even something as simple as SSN + DOB runs into loads of potential formatting and data entry issues you'll have to perfectly solve before such a system could work, and even that makes assumptions as to what data will be available from each dataset. Some may be only name and address. Some may include DoB, but the person might have lied about their DoB when filling out the form. The people entering it might have misspelled their name. It might be a person who put in a fake SSN because they're an illegal immigrant without a real one. Data correlation in the real world is a nightmare.

When you tell a data broker to delete all of the data about you, how can you be sure they get ALL of the data about you, including the ones where your name is misspelled or the DoB is wrong or it lists an old address or something? Even worse if someone comes around later and discovers the orphan data when adding new data about you and fixes the glitch, effectively undoing the data delete.

It's a catch-22 that if you want them to not collect data about you they need a full profile on you in order to be able to reject new data. A profile that they will need to keep up-to-date, which is what they were doing already.


> Even something as simple as SSN + DOB runs into loads of potential formatting and data entry issues you'll have to perfectly solve

You don’t have to solve it perfectly to be an improvement.

Also this is BS. Not every bit of data is perfectly formatted and structured but both of your examples are structured data. You can 100% reliably and deterministically hash this data.

There’s so much in your argument that can be replied with “imperfect is better than status quo”. If you give someone the wrong DOB, it’s “not you” anyways, at least let me scrub my real data even if the entry is imperfect for some people or some records.


> You don’t have to solve it perfectly to be an improvement.

https://en.wikipedia.org/wiki/Nirvana_fallacy


> You don’t have to solve it perfectly to be an improvement.

They don't want to solve your problem. You aren't their customer. They want to comply with the letter of the request in as much as it covers their own butt in terms of regulatory requirements and/or political optics.


The “solution” mentioned is political. A requirement that data on an individual is properly deleted when presented with the data would be “good”. A requirement that captures every nuance of mistakes would be “perfect”.

Hashing a birthday and SSN is deterministic. We could deterministically keep that data deleted. This would be better than we have today, and could be done reliably and affordably.

The companies can easily be required (by law) to implement the “good” solution. Everyone complaining it’s not “perfect” is stopping “good”.
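As an added illustration of the "deterministic hash of SSN + DOB" suppression list argued for in this subthread (and the messy-data objection raised earlier), here is example code that is not from the thread, the article, or any data broker. It assumes two things the comments do not state: the operator keeps a secret HMAC key, because only about a billion SSNs exist and a plain unkeyed hash of SSN+DOB would be trivially reversible by enumeration, and SSNs and dates are normalized before hashing so formatting variants collapse to one token. All records and the key are constructed for the demo.

```python
"""Keyed suppression list over normalized SSN + date of birth.

Added example for this thread, not code from any broker or from the article.
Assumptions not stated above: the operator keeps a secret HMAC key (so the
list cannot be brute-forced offline; only ~10^9 SSNs exist, so a plain hash
of SSN+DOB would be trivially reversible), and records are normalized before
hashing so formatting variants collapse to one token. Every value below is
constructed for the demo.
"""
import hashlib
import hmac
import re
from datetime import datetime
from typing import Optional

# Constructed demo key; a real deployment would load this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Date layouts the intake normalizer will accept.
DOB_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y", "%Y%m%d", "%B %d, %Y", "%d %b %Y")


def normalize_ssn(raw: str) -> Optional[str]:
    """Return the SSN as nine digits, or None if it cannot be a real SSN."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 9:
        return None
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    # SSA never issues these values, so they cannot identify anyone.
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        return None
    return digits


def normalize_dob(raw: str) -> Optional[str]:
    """Return the date of birth as ISO YYYY-MM-DD, or None if unparseable."""
    text = raw.strip()
    for fmt in DOB_FORMATS:
        try:
            return datetime.strptime(text, fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return None


def suppression_token(ssn: str, dob: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Deterministic keyed token for (SSN, DOB); identical inputs always match."""
    nssn, ndob = normalize_ssn(ssn), normalize_dob(dob)
    if nssn is None or ndob is None:
        return None
    return hmac.new(key, f"{nssn}|{ndob}".encode(), hashlib.sha256).hexdigest()


class SuppressionList:
    """Stores only tokens, never the SSN or DOB that produced them."""

    def __init__(self, key: bytes = SECRET_KEY) -> None:
        self._key = key
        self._tokens: set = set()

    def add(self, ssn: str, dob: str) -> bool:
        tok = suppression_token(ssn, dob, self._key)
        if tok is None:
            return False
        self._tokens.add(tok)
        return True

    def is_suppressed(self, ssn: str, dob: str) -> bool:
        tok = suppression_token(ssn, dob, self._key)
        return tok is not None and tok in self._tokens

    def ingest(self, records):
        """Split an incoming batch into records to keep and records to drop."""
        kept, dropped = [], []
        for rec in records:
            (dropped if self.is_suppressed(rec["ssn"], rec["dob"]) else kept).append(rec)
        return kept, dropped


def demo():
    """Deletion request, then a later batch that tries to re-add the person."""
    sl = SuppressionList()
    sl.add("123-45-6789", "1980-03-14")  # the deletion request, as submitted
    batch = [  # constructed incoming records from a later data feed
        {"name": "J. Doe", "ssn": "123456789", "dob": "03/14/1980"},     # same person, new formatting
        {"name": "Jon Doe", "ssn": "123-45-6798", "dob": "1980-03-14"},  # transposed digits: not matched
        {"name": "A. Roe", "ssn": "555-12-3456", "dob": "July 4, 1975"},  # someone else
    ]
    return sl.ingest(batch)


if __name__ == "__main__":
    kept, dropped = demo()
    print(f"kept={len(kept)} dropped={len(dropped)}")
```

The demo shows both sides of the argument: the reformatted record for the same person is dropped, while the transposed-digit record slips through, which is exactly the "people switch digits" objection. A deterministic match only catches what was submitted as-is; the keyed hash is what stops the suppression list itself from becoming a lookup table for the very data it exists to delete.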


People switch digits in their SSN.


Then it’s different… Better vs perfect.

If you can’t get your SSN right, you can’t expect a company to delete it.


There's a trivial way to not re-add data that was removed: don't do it without user opt-in, whom admittedly you have access to ask at the moment of data collection. If you don't have the ability to ask users to opt in, you probably shouldn't be collecting the data anyway, with very few exceptions like criminal records.

edit for clarity: by criminal records, I mean for the official management of them, not for scraping their content.


I've had a very bad experience with Liberty Mutual following a data opt-out from another service. They sent me on a runaround, ending with an email saying to follow "this link" to verify myself. (There was no link, only sketch.) I ended up getting a human on a phone through special means, and they sent me a fixed email with a working link.

I should be hearing back from them in the next 32 days, as this was 13 days ago.


I got a quote from them and immediately initiated a data removal request. It seems like it went through, got a link in the email. Thanks for the reminder that I might need to follow up to make sure they followed through.


It's hard to make collection, aggregation, and sharing of facts illegal.

Not to minimize the harm that can be done by such collections, but the law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.


> It's hard to make collection, aggregation, and sharing of facts illegal.

Sure, but the US has a precedent in HIPAA. Not saying it's copy-paste, but... maybe it should be.

I would prefer the law be more restrictive than less, because I don't believe this is true:

> law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.

I believe the law may use that noble goal as cover for the actual goal: restrict the ability of capital holders to accumulate capital as little as possible. Data sharing isn't a public good in any way. It's mostly not even useful for the targeting purposes it claims. It's extremely reckless rent-seeking that knowingly allows innocent people to have their lives wrecked by identity theft.


As someone who helps care for elderly relatives with widely-dispersed out-of-state families, I can point to HIPAA as an excellent example of why crafting this kind of law is difficult.

I think we are going to discover, once people do the research, that HIPAA has done net harm by delaying flow of information for critical-care patients resulting in lack of patient compliance, confusion, and treatment error.

Yes, there is harm potential in insurance companies denying coverage or claims because they are privy to too much information about clients (a scenario that, I'd note, we could address directly by law via a national healthcare system or banning denial of coverage for various reasons) or by employers or hostile actors (including family) discovering medical facts about a patient. I have to weigh that harm potential against my day-to-day of having to fight uphill to get quality care because every specialist, every facility, and every department needs a properly-updated HIPAA directive for a patient (and the divisions between these categories aren't clear to the average non-medical observer).


Huh, I wasn't aware of such a viewpoint. I've never had or heard of problems with HIPAA preventing timely or accurate care, even with my father going in and out of hospice toward the end of his fight with cancer. I'm really sorry to hear it. At the same time, I do have to wonder if that kind of problem genuinely outweighs the protection HIPAA has given millions of people against harms small and large. (I guess with the state of data privacy today, HIPAA may be basically useless, but that isn't exactly HIPAA's fault.)


> HIPAA has done net harm by delaying flow of information for critical-care patients resulting in lack of patient compliance, confusion, and treatment error.

You won't find any disagreement from me that HIPAA is very complicated. However there's a certain level of whining and foot dragging that happens in the industry that we should take with a massive grain of salt. There are so many HIPAA compliant and still convenient ways these days to have patient communications, but the industry doesn't want to invest and doesn't care about patient experience enough, and then goes "sorry, HIPAA :-(((" every time.

With GDPR, after Schrems II happened and it became clearer that the EU-US Privacy Shield was no longer a valid workaround, I personally observed companies (including the one I was in) suddenly moving mountains to complete migration projects and privacy upgrades in just a few months that the industry previously deemed was technically unfeasible or impossible, cost prohibitive, business destroying, etc. And they still remained massively profitable and growing. If they had just done the right thing early on it wouldn't have been on such a tight deadline either.

That was the final straw for me in terms of being very firmly convinced that we should be telling companies to shut up and comply a lot more because they will never do the right thing on their own even if it wasn't /that/ hard. Another approach here is to start holding them liable for the personal costs of data breaches etc and let the incentives take care of themselves. In fact, why not a bit of both?


Europe figured it out.


Sure, I should probably have clarified "In the United States," where there's a First Amendment that most attempts to make fact-sharing illegal immediately fall afoul of.

There are definitely exceptions, but it puts strict scrutiny on any novel prior constraint of speech.


Instead of making it illegal, we could simply make the people who aggregate the data liable for making people whole if the data is misused.


this is true and nothing new.. mass "gray market" personal information services leapt into markets since VISA and Mastercard fifty years ago, and somewhat before that with driving records, in the USA. The "pure land" of democracy in North America was never pure, and the Bad Old Ways have crept into the corners since the beginning.


The difference now though is an attempt to legislate personal data collection, such as the CCPA. I strongly believe they are violating the law, and that if I opt-out or request removal, an answer of "oh well nuthin we can do" is not acceptable when my data re-appears either on their platform or on another platform they provided data aggregation services to.


>The "pure land" of democracy in North America was never pure

don't mix your pet grievances together, having full public knowledge of every person in your country is democratizing, frankly, an aid to democracy, not a hindrance. Not saying I want to live in that world, but it's not an impure democracy.

Norway (and others?) already publishes everybody's income statements. Not healthy imo but I guess would aid more accurate snitching (and envious resentment).


Consumer Reports just published (as in last week) a report[1] surveying a number of these services and found almost all of them to be a little bit effective, none of them to be highly effective, and the cheapest of the lot to be the most effective (EasyOptOuts).

Of note, opting out of a service by yourself by hand was only 70% effective ($0). Using EasyOptOuts was around 65% effective ($20) and using Confidently was only 6% effective ($120).

[1] https://innovation.consumerreports.org/wp-content/uploads/20...


Permission Slip by Consumer Reports (automated):

https://permissionslipcr.com

Simple Opt Out (manual list):

https://simpleoptout.com


I manually did a handful of opt-outs and am not in the list.


I use permission slip and I am not in the breach as far as I can tell


Did you use a grep command? The file is too large for me to open and I have not used grep before to have confidence with it.

Edit: nvm, `findstr /i /r ".*000000000.*" ssn.txt` did the trick in powershell, with the zeros replaced with the ssn. Also there is a star after each period that HN has changed to italicize the text instead of showing it.


"Not available in your region" bloody hell.


A lot of the data opt-out services are operated by or have the same owners as data brokers. So at the very least they are selling both the poison and the cure.


If you're willing to tempt fate, the best way to 'opt-out' is to tell people, when they call asking to speak to 'your name', that 'your name' sadly passed away recently.


I knew someone falsely declared dead (probably a paperwork mix-up around pensions when his ex-spouse died). Without warning, he lost all of his pensions, social security, medicare, etc, along with most financial institutions freezing accounts and canceling credit cards. Many long phone calls, letters, and lawyers eventually resolved most, but that never fully purged the public and private death records so there would be random issues for the rest of his life (failing fraud checks, brief interruptions to pensions, trouble with the cable company).


You'd think something like that would require a death certificate to actually happen


There _was_ a death certificate, just not his

>probably a paperwork mix-up around pensions when his ex-spouse died


most places do. though often a poor quality faxed copy is sufficient


I prefer to just never answer a phone call unless I know who is calling and it's someone I know personally and want to speak to. Even then, those people know I'd rather they text anyway so when they do call it's more likely to be really important.


I have tried that, with a particular caller. They always call back.


that sounds very traumatizing, next explain that you have,

filed for injunctive relief from emotional duress due to actions of defendant.

and can't speak any further as instructed by legal counsel


Could cause you to be listed as deceased in some database sending your life into a Kafka story.


"How do you know he's dead?"

"I called him on the phone and he told me!"


Called on the phone - and the person who picked it up said the dude was dead.

Which is how it plays out when someone dies, generally, and the family is there dealing with the aftermath. FYI.


Data brokers don’t care. Whoever calls you will move on but that’s it.


I have used (free trials) and currently use (discounted annual) a service called incogni. It's hard to really verify what's going on, but they at least show the brokers they are contacting on your behalf, and I've directly received confirmations from some.

Anecdotally, searching my name on Google pretty much no longer returns those scummy "People Finder" pages that just scrape any public records they can find.

That said, I hope incogni is happy enough with my money that they themselves don't do anything scummy.

Also, freeze your credit at the big three. Do it now.


And turn on the Global Privacy Control header in your browser:

https://globalprivacycontrol.org


In the past I have just searched for my own name. And when I found a match, I would go to that site and request to be removed. It is a lot of work, but thus far it has been successful.

And I say this, because I was on a TV show years ago, so my real name is all over the internet from an entertainment point of view. But, if you search my real name, there are little to none pointing back to "public record" websites and the such.


Many seem scammy, and I went through the search before and gave up.

Then, as fate would have it, a HNer(tjames7000) mentioned he made EasyOptOuts for this reason, so I signed up. Cheap, seems effective, absolutely no complaints.


Since it is Troy I assume it is legit, and I haven't read the link yet. But... How does he know that?

Have the opt-out services leaked as well? Or is no one using them? How would we know?


Extreme Privacy by Michael Bazzell is a great resource to learn how to limit exposure to these aggregator services.

https://inteltechniques.com/book7.html


It is crazy to me that data brokers are even a legal form of business. All of these services should be opt in at minimum. If they are obtaining publicly available information and making it easier to access, they should have to maintain insurance or a deposit with the government to compensate victims of cybersecurity incidents. Telling people to get credit monitoring is in NO WAY an acceptable way to make us whole. They need to pay for a lifetime of monitoring and INSURANCE up to the net worth of affected individuals. This needs to become law ASAP.


We're two decades into "The Digital Millennium" and our laws are still stuck in 1999 (except for the ones that ya know, allow dragnet spying).

I'd wholeheartedly support any candidates that push for a data/privacy "Bill of rights".


I’m optimistic for Harris, not just because she’s so much younger and less beholden to industry, but because she created an entire unit for privacy protection when she was the California AG:

https://oag.ca.gov/news/press-releases/attorney-general-kama...


There has never been a US president that had anything close to ethical behaviour (to wit: the ones that existed after drone strikes became a thing all signed off on drone strikes. Those hit a lot of innocent people. The US has never stopped having slavery. I could go on). It is really the height of fanciful thinking to believe that the flavour of the month US leader will be any different.


That’s absurdly naive – it’s like saying every picture is the same because they aren’t entirely (255, 255, 255) pixels. If your goal is to do anything other than feel smug, consider the impact such non-serious positions have on how other people will perceive anything more serious you say.


Respectfully, you are wrong. Nothing I've said is untrue.

I gave you examples, where you reciprocated with a personal attack. This is one of the ways in which US internal politics has become infantile and tedious. I would appreciate it if you left it there.


You didn’t give examples, you called it “fanciful thinking” to think that there are real differences between people using vague claims about a different issue. The same logic for calling my categorization of that as a personal attack would apply evenly to your comment.

If you are concerned about politics being “infantile and tedious”, try to set an example of the rigor you’re looking for. For example, you could point to specific verifiable actions by a candidate like I did.


If you don't understand the examples, that's perfectly okay. But I think it's not my responsibility to tell you in even more exhaustive detail about things in your own country that have been extensively covered everywhere.


Good news, the Fifth Circuit court just ruled that Geo-fenced warrants are illegal!

https://arstechnica.com/tech-policy/2024/08/5th-circuit-rule...

Since this is in conflict with a Fourth Circuit ruling, we will probably see it in front of the Supreme Court.


> It is crazy to me that data brokers are even a legal form of business.

Ah, yes, but they're businesses, you see - the most important class of entity in America. We the people can evidently go fuck ourselves if it means some scumbag gets to make a buck.


"there were no email addresses in the social security number files. If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct. "

Seems like Troy is skeptical about this being a real full breach?


A lot of these data brokers hold wildly inaccurate information.


You too can be a data broker!

    for (i = 0; i < 900000000; i++)
        insert(first: random_firstname(), last: random_lastname(), ssn: i);
Does anyone really really care if the name is accurate if the SSN is present? More than half of the SSNs in the above dataset are valid.


You probably are posting this as a joke, but without a clear technical solution to this problem, flooding the industry with bullshit data seems like a great avenue.


I have a silly standup joke along these lines, about how I'd Google things crazy things like "circus lawyer" or "giraffe mitigation tactics" to throw the algorithm off every now and then.


My friend is a thriller writer and is convinced he’s on some FBI list. He’s googling stuff such as “how to dissolve a body with quicklime” and all sorts of other fun stuff while researching for his books.


The quicklime method shouldn't be particularly fast, at least that's what my chemical intuition says (Ca(OH)2 is barely soluble in water). What a bad name!


> What a bad name!

The quick doesn't mean "fast". It means "alive".


In the most general context it means "with the characteristics of the living" (as seen through a middle ages lens).

In the context of "quicklime" the quick refers to the heat of the reaction when making lime for slaking on walls, etc.

"Quick" historically has been applied to plants and animals (alive), rivers and streams (moving), coals, fires, quicklime (burning, heat producing, glowing), to speeches and pamphlets (lively, full of vigour or sharp argument), to tastes, to smells, and more.

The full blown Oxford English Dictionary entry for quick is a lengthy one, multiple cases and variations over a page and more.


that was the idea behind certain applications and add-ons that would browse around to popular websites and randomly click ads so that marketers couldn't tell your actual interests from fake ones.

Unfortunately that strategy is deeply flawed and dangerous because nobody cares if the data they have on you is accurate or not. They still can, and still will, use it against you at every opportunity. Every scrap of data they have, accurate or not, can be used to hurt you.

The only way to flood data brokers with garbage data that can't hurt anyone is to fill it with entirely fictitious people who somehow can't be mistaken for any actual people. Even that runs the risk of hurting real people though. For example, an insurance company might go to a data broker and ask for the number of people within a certain neighborhood or zip code who bought fast food more than once a week in the last year and how many have a gym membership. If the number of frequent fast food buyers is higher than it was last year and/or the number of gym members is lower the insurance company might decide to raise the rates of every single member within that neighborhood or zip code. Even fake people could skew those numbers if their fake data said they lived in those zip codes or neighborhoods and ate out a lot or didn't have a gym membership. Indirectly, the fake person is mistaken for being a real one in that community.

The best way to deal with data brokers is to regulate them with strong data protection laws. Anything you give them risks hurting someone and gives them another data point to sell.


> might decide to raise the rates of every single member within that neighborhood or zip code

Wouldn't that be against redlining laws? https://en.wikipedia.org/wiki/Redlining


I doubt it, since nobody is being denied housing or services. Health insurance companies have plenty of data to back up their practice. Your zip code might be the single most important predictor for longevity (https://time.com/5608268/zip-code-health/).

More importantly, your insurance company is never going to tell you that that's why they raised your rates. You're just going to see a high bill. Same way that a potential employer isn't going to tell you that you didn't get the job because of something you said on social media 14 years ago, or because the information they got from a data broker says you drink a lot. You just get ghosted.

That's the problem with surveillance capitalism. Even as all that data increasingly impacts your life you're almost never aware that it's happening and have no ability to appeal or correct the record.


Isn't something like regulation with strong data protection laws a bit late at this point? It seems fair to say that most people alive are already scooped up in 1 large data breach or another.

And that data has been made public likely in some form, and is probably replicated to dark corners of the planet.

Don't get me wrong, regulation on these industries seems like a no-brainer, but it seems unlikely to remediate the damage already done.


That's kind of true. Preventing the sale of it will make it harder for it to be used against you. Even if scammers can still buy or download your data from the darkweb your future employers and the companies you interact with are a lot less likely to go that far to get their hands on it, so all that data being out there will impact your life less and less. Even better, fewer places will be collecting new data about you. Your social security number and date of birth don't really change, but your income, medical conditions, home address, spending habits, sex life, and location history do.


> Every scrap of data they have, accurate or not, can be used to hurt you.

What are some examples of inaccurate data, as in completely false data, being able to hurt me?


You can never know what might prejudice someone else against you. Maybe you get flagged as being gay when you aren't, or as holding certain religious or political views that you don't. Extremists, activists, and protestors can go to a data broker and buy up lists of people to harass or attack. Data brokers have already been caught collecting data on people who visited Planned Parenthood locations and selling that data to anti-abortion groups.

You could be incorrectly flagged as having more money than you do, causing companies to charge you more than they charge your neighbors for the exact same items. Discriminatory pricing has been happening for a very long time. Just using a different browser can cause prices for some online services to change. (https://www.bostonglobe.com/business/2014/10/22/online-shopp...) For example, Apple users might be seen as having/spending more money and so the prices they get for hotels and airfare can be higher. Increasingly, brick and mortar stores have been trying to get in on the action too. (https://link.springer.com/article/10.1057/s41272-019-00224-3)

If you have a browser extension that randomly visits sites and clicks on ads. Maybe it clicks a bunch of ads for alcohol or marijuana. Maybe it clicks on ads for mental health services, addiction/recovery services, or suicide hotlines. That data can be used against you in court during a divorce/child custody case. It might make a company less likely to hire you. It might cause your health insurance company to charge you more.

Maybe it clicks on ads for DUI attorneys and suddenly your auto insurance rates go up. The company isn't going to tell you that's why. They might not even know why. Their algorithm just decided you were more high risk than before.

Every data broker is creating a dossier with your name on it, and they are stuffing it with every scrap of data they can get their hands on. That data can cost you a job or a rental contract (see https://nypost.com/2022/12/20/how-employers-spy-on-your-sear... and https://themarkup.org/locked-out/2020/05/28/access-denied-fa...).

The data being collected on you can get you arrested or questioned by police. (see for example https://www.nbcnews.com/news/us-news/police-google-reverse-k... and worse https://www.nbcnews.com/news/us-news/google-tracked-his-bike...)

Any data for sale, accurate or not, is going to be used against you. The people paying data brokers for information about you aren't doing it because they want to help you. They want to help themselves at your expense. And it's insane how many people are buying up that data and using it whenever they feel it might give them even the smallest advantage. Companies are using that data to decide things like how long to leave you on hold when you call them. (https://www.nytimes.com/2019/11/04/business/secret-consumer-...)


> Maybe you get flagged as being gay when you aren't, or as holding certain religious or political views that you don't.

Very true! Great examples and reply, thank you!


That has been my strategy for the last decade or so. Unless I have a solid reason to, I never use my real name when placing orders and generally never the same fake name twice, always use a virtual credit card, and if it's a non-physical product I don't even use my real address. I have some old phones I throw pre-paid sim cards into when I need to do number confirmation. The goal is to create a little consistent linkable data to me and at least generate some noise in all these data broker collection processes.


I do the same, I worry that eventually someone's going to need to see my driver's license and refuse me because my ancient account info doesn't match.

"It says here that this shipment is for Firstname Lastname at 1 Main St, Yourcity, born January 1st in the same year as you. Your license has a different address and different birth day and month, so you're not the same person."


In fact there are far fewer valid Socials. They follow a system where guessing a number of digits is fairly determined based on year and state of birth


This is not exactly true; the system _used_ to have a geographic component but SSNs issued since 2011 are random.

(Granted, most people here with an SSN should be older than that.)


Yes, but they can also be pretty accurate.

While I have never dealt with one of the paid services someone ran one on me as an example of what is out there (nothing malicious about it) and just about everything on it was accurate or close to it. Only one thing on it wasn't at least pretty close to the truth--it had me living in a state I've never set foot in. And quite a few other people seemed to have the same address at one point or another.


I'm in the UK so I have no Social Security Number, and I still got the HIBP e-mail.

When I looked into it, it turns out the "original" breach is comprised of files named ssn.txt and ssn2.txt which only contain Americans' details, and don't contain any e-mail addresses.

It seems what happened is there was one leak of US SSNs which the leakers attributed to NPD, then some people bundled that leak up with a bunch of other data (including e-mail addresses and details of non-Americans) and who knows if the latter data actually came from NPD?


>the data next to your record may not even be correct. "

American Express by way of Experian alerted me to my SSN having been leaked precisely by this incident.

The number was seemingly correct, but everything else associated with it such as name and address were nonsense.

So assuming we're talking about the same thing... can confirm?


I don't think it's a "full" breach because I assume that would include many tera/petabytes of original source documents rather than just a CSV of PII, but it's definitely a real breach.

I looked up several family members and although most of the phone numbers and addresses were out of date, they were accurate as were the listed social security numbers. However, it didn't include any of the more recent immigrants in the family or myself, possibly because I take opsec seriously.

Funny enough it looks like it has data for Tom Brady, former FBI director James Comey, Barack Obama, and Donald Trump (just some of the names that popped into my mind to look up).


For years I've said the entire SSN database just needs to be published alongside legislation strictly assigning liability to any company that is defrauded as a result of using the SSN as a "secret". That would fix the problem with SSNs and "identity theft" quickly.

Part 1 has been accomplished. Let's get part 2 going!

Aside: It amazes me how the American public has allowed defrauded companies to assign the company's loss as a liability to innocent individuals (in the form of "identity theft"). It would be great if we could get that changed in the minds of the public. A well-informed public could collectively turn "identity theft" into the "bank's problem" (from the old adage "If you owe the bank a billion dollars they have a problem..."). The insurance industry would swoop in as the defrauded parties start making claims and shoddy security practices would get tightened-up.

(Edit: I fear insurance companies coming in to "fix this" to some extent-- citing my experiences with PCI DSS compliance auditing and Customers who have had 'cyber insurance' policies coming with ridiculous security theatre requirements. Maybe we can end up with something like a 'cyber' Underwriters Labs in the end.)

(Also: Yikes! I hate that I just typed 'cyber' un-ironically.)


Identity theft is a very clever term to shift blame from the company to the consumer.

https://youtu.be/CS9ptA3Ya9E

It’s a comedy bit but I take its point seriously: if the bank gives away money, it’s the bank’s job to make sure it is repaid. Not mine, unless I was actually a party to the agreement.


Well then you're up against the wall of digital verification.

I know there's a fuck load of situations where the banks are 100% screwing the customer to their benefit, but there's a legit conversation about people who give out their passwords, or claim they did, when money gets wiped out.

If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".

Now granted:

1. With passkeys and biometrics and 2FA we've got a lot of better ways to make these accounts secure, and hopefully more idiot proof. I'm hoping we start getting rid of email/phone for 2FA as a valid option though.

2. The moment the police are treating it as an identity theft case, the bank should be required to pony up. I don't know if that's the case (and wouldn't be surprised if they fight it tooth and nail), but at that point you have a state or federal entity acknowledging this is not a legit transaction, and therefore you should be compensated by the bank, and they can get their money back from the insurance companies that insure against this kind of thing.


> If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".

Our current system is entirely built on ridiculous levels of trust, mostly for convenience / cost saving reasons. I've made payments over the phone with nothing more than the information found on the bottom of every check I've ever sent. I routinely hand my credit card to waitstaff making 7.25 an hour and in that moment I'm handing every last one of them the ability to snap a photo of my card on their phones and go on a shopping spree at my expense.

As insane as our system is, it's mostly worked. Even though I've been made to pass around my account info countless times, I've never once had my accounts cleaned out. If a single mother with less than 1k in her account gets robbed, I have a hard time blaming her. She had zero say in the design of this system, and she's the person least able to deal with the cost of the consequences of it.

On the other hand, I have very little problem putting the blame on the banks which do control much of the system and who can more than afford to cover the costs of such incidents. This puts a small amount of financial pressure on them to improve the systems they've created and forced the rest of us to use in order to participate in society.

There are all kinds of things they could be doing to reduce fraud, but they don't. Mostly for convenience / cost saving reasons. I consider their refusal to take even simple steps to improve the security of their systems as their implied consent to continue accepting the responsibility for the still rare instances where criminals take advantage of their inaction.


Is that "ridiculous" as in excessively stringent or weak? Because that phrase can be read either way. From the examples you give I'm presuming the latter.

Note that payments or deposits to a given account require little authentication over the destination though more for the payee. I've long been amused by US banks which require me to authenticate to an ATM to make a payment but will accept cheques dumped into a deposit slot.

I agree that the system mostly works, but fraud costs are in the billions, and that's U.S. credit cards alone:

"As Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the Public " (2024) <https://www.ftc.gov/news-events/news/press-releases/2024/02/...>

The denominator is roughly $4 trillion, so it's a 0.25% fraud rate:

"The Average Number of Credit Card Transactions Per Day & Year" <https://www.cardrates.com/advice/number-of-credit-card-trans...>


IME the system uses increasing authentication rigidity as payment sum grows.


> Our current system is entirely built on ridiculous levels of trust, mostly for convenience / cost saving reasons.

Paging patio11: https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...


Financial transactions are premised on 1) the ability to detect fraudulent activity in realtime --- rather than solidly establish identity, payment processors are looking for indicators of fraud, and 2) reversibility of transactions --- if fraud does occur, funds can be clawed back, usually with the vendor holding the bag / taking the hit, rather than either the bank or account-holder.


The Google Authenticator app (just as a mainstream example) was released 14 years ago. When we're still waiting for a lot of banks to even support TOTP, consider me unimpressed with the level of effort banks are putting into securing my accounts.


Good news loyal customer, we now support 2-factor authentication!

... over SMS!


I had phone number stolen (sim swap) two months ago and am still dealing with random things.

2FA over SMS is not a valid form of 2FA and I will die on that hill.


I keep telling my bank this but they simply do not care.


>Well then you're up against the wall of digital verification.

That's the whole point, they should use a standardized authentication process. The problem is that they don't use any authentication at all. They just give money away because they can extort it back from the unsuspecting victim like some gangsters.


How do you feel about the recent case where a caretaker for a disabled person who was given permission and access to use the person's cards, banking app, etc. ended up stealing from the person. The bank's response - they had given the caretaker access so it was their fault.

Even if you have all the passwords and bioinformatics, passkeys, 2FA, etc - how can you prevent theft like this?


Just because the bank didn't reverse the transaction doesn't mean the disabled person can't sue the caretaker and doesn't mean a prosecutor can't charge the caretaker.


Doesn’t mean the victimized party is super unlikely to get their money back, and any they do get will be months or years after the fact


Banks should get insurance to cover their negligence. They weren't careful.


See how credit cards work (at least where I have lived). Someone fraudulently cloned my card after a petrol station visit and I got it fixed as soon as I noticed the weird transactions. The bank or VISA footed that cost. UK has statutory law on this. Probably because of how CCs used to work with that carbon copy crap.


In the US merchants are the ones footing that cost, either in merchant fees (which they then pass on to the Customer in the form of higher prices) or directly (by the credit card company refusing to pay the merchant).

It might be different now, but in the late 90s I sold some laptops to a buyer using a stolen credit card. The cardholders had no fraud liability but my company ended-up having to eat the cost of the stolen laptops. The credit card company simply didn't pay the amount of the fraud in their settlement with us.


The obligatory Mitchell & Webb sketch

https://m.youtube.com/watch?v=CS9ptA3Ya9E


YES!

I couldn't remember their names and absolutely was thinking of this.


It's not even necessary to publish the database. Pass a law, or even possibly a regulation or court instruction, that SSN is not a sufficient basis to establish identity, and that any unauthorised financial transaction, legal document, commercial transaction, or other use relying on SSN is considered prima facie uninsurable fraud.

Use would likely diminish markedly.


Ever since the Equifax breach I’ve been a proponent of a new national ID program to replace the SSN, that can be designed for what the SSN has become and tolerant to these never ending data breaches.

Maybe this will give a second chance at a conversation around that, but I’m not too hopeful.


US law does generally make fraud the bank's problem. Identity theft isn't a loophole in this, it is a situation in which there is a logical ambiguity in differentiating one fraud from another. If they just believed everyone who said "it wasn't me that spent that money!" that would just be opening another vulnerability.


I think we've got liability pretty well buttoned-up in the banking industry. I'm more concerned about the non-bank businesses. (I recently obtained utilities at a new house. All three utilities-- electrical, gas, and water/sewer-- use my SSN as an authenticator for my account. In 2024.)


It isn't great, but I don't think there's much risk there. There's not really much of a motivation for some random person to get into my utility account. The balance is never positive. Utilities are physically bolted to my house. They're pretty heavily regulated too. If someone wanted to steal electricity from my house, they can use the outlet on my patio that has zero authentication whatsoever.


You should read some fraudster diaries. Having the SSN as authentication means you can con the utilities employee into handing over all of your other personal information. Date of birth, current and past addresses, spouse or roommates, parents if they are with the same utility company. They can then turn around and use that information to apply for a credit card. Now all they need is to wait by your mailbox or pay the postal worker $100 to not deliver the card and letter.

That info is, in fact, already easily obtained through leaks, but I just wanted to give your "utilities" case some clarity. Now the fraudster can apply for a credit card in your name, and before the month has passed you are on the hook for $3000 in cc charges/debt which cost the fraudster a mere 12 minute phone call and 10 minutes skimming through the leaked records from this HN post to find your SSN.


Yeah, I’m aware that any data that can be used to obtain more data is an issue. But I figure if someone knows my utility company and SSN, they probably already have an address. And with an address it’s easy to get the rest of that information through people search and public records.


When I obtained utilities for my house, none of them required my SSN. The water company asked, but I declined, so they asked for a fax of my DL (which I could have probably photoshopped, but didn't).

Just because people ask for something, doesn't mean you have to give it to them. I leave fields blank all the time on different (paper) forms (including when they ask for SSN), virtually no one hassles me.


I maintain my utilities account by email.


As crazy as it is… kinda smart lol


For non-Americans (and Americans) that don't quite understand what SSN is and why it's a problem, CGP Grey [1] has a great (and short) video about the history and why it's not technically an identifier, but has become one.

[1] https://www.youtube.com/watch?v=Erp8IAUouus


It's so interesting how Australia went the other way and actually banned the use of any government-issued ID number as a primary identifier by any organisation other than the government department which issued that ID number.

In the 80s, the very popular Aussie prime minister, Bob Hawke, wanted to introduce a National ID card, complete with a unique number, that would then be used for everything from Medicare to tax filing. The government however did not have the numbers to pass it through the Senate. Hawke called a double dissolution (dissolving both lower and upper houses of parliament) over the issue. He was returned to power after the election but still without a majority to get the bill through.

There were then attempts to use "other" government issued ID cards like the Medicare number, for this purpose. To prevent this, a few years later, a bill was passed that would prevent any such use.

In reality, this means businesses can ask for government issued numbers but it has to be optional and voluntary, and never used as a primary ID. When I go to my doctor for example, I can provide them with my medicare number, in which case they will claim the Medicare rebate on my behalf automatically, or I can refuse to provide them this number, pay the doctor's fee in full, and claim the rebate from medicare myself separately. Similarly I can provide my bank with my tax file number, in which case they will automatically tax the interest earned according to my income band. Or I can not provide them my tax file number, in which case they'll tax my interest at the highest income band, and I can then get the money back from the tax office when I file my tax returns at the end of the year.

In Australia we don't have a Bill of Rights. We don't even have a right to freedom of speech. The police can ask us to unlock our phones without a warrant; etc etc. Yet when it comes to privacy, our laws are very clear. For a country with such a history of protecting individual liberties, it always amazes me that the United States takes such a laissez faire approach to privacy.


Shorten announced details yesterday of another attempt at an Australian digital id that actually seems informed by Optus and Medibank

https://www.abc.net.au/news/2024-08-13/trust-exchange-digita...


Not only an identifier, many places use it as a secret.


Plenty of places also use mother's maiden name as a password/secret too.


DBA at my previous job wanted to use SSN as a primary key. I felt like I was talking to a child trying to convince him not to do that.


Which is dumb.


One could argue criminal.

Feel like it’s kinda like my bank using my email as the password or something.


You're not wrong.


The video doesn't quite get into the problem of identity theft, which is when someone uses your stolen creds to claim they are you, and then go on a shopping spree which may include buying a car under your name. You shouldn't be liable for debts incurred after having your identity stolen but proving that is a lot of work.


> You shouldn't be liable for debts incurred after having your identity stolen but proving that is a lot of work.

The first step is to call it what it is: fraud by misrepresentation. The owner wasn't deprived of access to their identity (a key component of theft), they weren't even involved in the transaction. Companies want to have their cake and eat it - have low barriers to making sales/offering loans without rigorously verifying the identity of the person benefiting and be shielded from losses when their low-friction on-boarding fails and lets in fraudsters.

If a home buyer is duped into transferring a deposit into a fraudster's account, they don't blame it on corporate "identity theft" and put the escrow agent on the hook by default.


I never really understood why the onus is on any person to prove they didn’t do something. Shouldn’t the shaggy defence be sufficient?

e.g. You get hauled into court for a lawsuit demanding the loan repayment, for a loan someone else used your name to get?

- It wasn’t me.

https://en.wikipedia.org/wiki/Shaggy_defense


The reason the Shaggy defense doesn't work is the default assumption of the courts is that you're a deadbeat trying to game the system. This assumption comes about because in the majority of cases it is the truth. The system would be a lot nicer if there weren't people trying to scam it every hour of every day of the week.


> The reason the Shaggy defense doesn't work is the default assumption of the courts is that you're a deadbeat trying to game the system

Isn't that the opposite of innocent until proven guilty?


When I was in the Boy Scouts, a local judge came to speak with us about the legal system. I asked a similar question and he admonished me that innocent people never wind up in court. He explained that every person who is in a trial (criminal or civil) is guilty of something. A judge's job was merely to determine if the prosecution or plaintiff was correct about what the defendant was guilty of. He was very annoyed that ignorant people, who had never been to law school, kept spreading this nonsense that some defendants were innocent.


> a deadbeat trying to game the system.

The problem with putting a value judgement on this is that it will precondition people to assume good faith or bad faith on the validity of the assessment based on how they interpret the fairness of the court system.

Instead, we could just say that the majority of the cases are people trying to get out of legitimate debts. If we wanted to go farther, we could say that's because some people just don't feel responsible for their own debts and some people make a choice that a last ditch effort to get out of a debt they know they should pay is the lesser of two evils when the alternative is to continue to fail to provide adequately for their family given their circumstances, and how different people may draw that line at different points.

That's harder to articulate and a larger discussion that may be a tangent people aren't interested in discussing though, so it's probably just simpler to keep the value judgements out of it if the intent is to keep the discussion productive.


> Instead, we could just say that the majority of the cases are people trying to get out of legitimate debts.

There's another discussion which could be had about just how legitimate even "legitimate debts" actually are in some cases but that's even more in the woods.


> This assumption comes about because in the majority of cases it is the truth.

Are we saying that if you can show you have enough income / assets, it'll be that much more likely that you'll be fine in those cases?


Doesn't that violate innocent until proven guilty?


Welcome to the legal system in the real world. Pro tip: for the best outcomes for you be sure to be rich before engaging.


When someone named adamomada comes to the bank for a loan, the presumption is that adamomada will repay the loan.

If they knew it wasn't you, they wouldn't have written the loan in the first place. They're asking you to repay it because they really do think it was you.

If "it wasn't me" was all anyone had to do to get out of paying a loan, many people would do it.


It's much more subtle: fraud is accepted and part of the business. Even if you are not 100% certain of the identity of the person, what matters is how likely you are to get paid back.

For example, when you purchase online, some merchants do not check who the owner of the card is, or the address. It's done on purpose, because some people borrow the card of others, some people don't want to use their card, etc. Overall it's all about risk management, and whether the holder is really the one in front of you is just one factor among others.


It’s not “accepted” as much as it is just simply impossible to completely avoid at any kind of scale.

Even if online payments were eliminated, and you had to show up in person with a birth certificate and passport to perform a transaction, fraud would be non-zero.

To have a functioning business, people need to be able to use the system.


Is that even a Shaggy defense? The whole point of the Shaggy defense was that it's saying it wasn't you despite overwhelming evidence ("She even caught me on camera - it wasn't me")

But in this scenario, there is basically zero evidence it was you


I thought it was, they would have to have some sort of evidence of your name, dob, ssn, blood type, etc. But in the end it was just your information used fraudulently; you the person did not authorize the loan and therefore it really isn’t your loan.


"Identity Fraud" is institutionalized victim blaming. The claim is that the person whose identity was stolen was defrauded (and they should protect themselves or fight back), but in reality it was the creditor that got defrauded.


And in turn libeled the person who they thought had borrowed from them.


"Identity theft" is just fraud, rephrased to make us the victims instead of the defrauded companies.

That's why SSNs are still such a big deal. Why fix the problem when you can just make it someone else's problem?


As brilliantly satirized by the Mitchell & Webb sketch https://www.youtube.com/watch?v=CS9ptA3Ya9E


In many other places SSNs are non-sensitive data. There is not much one can do just knowing a SSN. Usually one has to do some kind of verification (eg using some sort of authentication app, if online). Which is why it is so confusing.


It’s both a username and a password


> The problem with verifying breaches sourced from data aggregators is that nobody willingly - knowingly - provides their data to them

This is a bit of a tangent but I feel like if we can prove this statement then these data aggregators should be made illegal. How can you consent to something that you don’t know you’re consenting to? Likewise why do these entities have the right to collect detailed personal information like SSN without your explicit, beyond reasonable doubt, consent? To me this is the most obvious failure of the legal system, it clearly goes against well established legal principles that a basic requirement of an agreement is that all parties know what they are agreeing to.

Obviously there is some leeway with agreements where it's not possible to clarify every eventuality, but let's say you're applying to rent a place through an online form and that form shares your SSN with a data aggregator: it should be extremely clear about that, and possible to opt out while still allowing you to complete the rental application without discrimination.

It's like, it should be possible to show that no one, within reason, consented to sharing their data with this aggregator because no one is able to confirm that they did. Sure one person could forget, or lie, but 100s of millions of people? No. Clearly almost zero people knowingly consent.


I have been using a different site@mydomain email address for every service I've used for the past 15 years. I can point to exactly which site breach furnished my email address to the aggregators.


Care to call out some bad actors so others know to avoid business with them?

I recently started using unique emails for everything I sign up for. Thankfully I haven’t seen anything yet, but I have little hope it will stay that way.


I second this request of releasing the results of this “digital tracer dye” experiment. If their respect for your personal data is that low, they deserve to be named and shamed. And more.


Surprisingly, there aren't that many. When I started, I thought I would catch my email address being resold. The only reseller has been Democrat politicians or funding sites like Go Blue. The other one is Engagez, which is some kind of tech vendor expo I signed up for with some meetup event.

The most widely spread breached address is LinkedIn by a wide margin. Houzz is second. Zynga, Imgur are also in contention.

When I started getting porn spam from the Diver's Alert Network, I alerted them to a breach. They misunderstood and just told me how to change my password.

The most annoying thing is that I found my personal robert@ email address is in HIBP under the evite breach. I so jealously guard my personal address. A well meaning friend invited me to something with evite. And that's all it took.


>I so jealously guard my personal address. A well meaning friend invited me to something with evite. And that's all it took.

I hate when this stuff happens. I set up an email address like that for myself and I have never used it because I'm so afraid it will have something like that happen.

My dad is guilty of doing stuff like that often. He was renting a VRBO for the family and wanted us all to see the invite, but he threw in my email address that I only use for family correspondence. When I went to sign up (because he didn’t tell me this), I used a different address and it was a mess. I had to get him to re-invite me to the trip with the new email, but VRBO still started sending me some nonsense to my good email. He also gave it to some financial planner he uses and they started emailing me left and right. I was really upset. Like you said, he means well with it, but I don’t think anyone should be handing out other people’s email addresses.

The other thing that can get you are social sites that ask users to upload their contacts to find people they know. If your friend or family member uploads their address book, your account ends up in the Facebook, LinkedIn, Twitter, or whatever other site might do it. I've never used that feature for this reason, I don't want to do that to people. But I know some of my friends and family have done it and my addresses are sitting in other DBs because of it, probably with my name, phone number, address, and maybe even birthday as well.


I like email forwarding services, like ddg, mozilla’s relay, iCloud’s hide my email and simple login. Unique password and email address for every website, plus, like you said if your unique email shows up somewhere it’s a smoking gun.


I was wondering why Google suddenly turned on "prompt authentication" on zero-security feature accounts yesterday. Now I "must" have a phone nearby to use Gmail... Tap to authenticate every time you want to look at ... ad spam.

With this, Ticketmaster, and the CDK Global car theft, is there anybody on Earth who doesn't need data protection? Poor people in Somalia need data breach notices. People who are not even on the WWW need data breach notices...




Anything the average SSN holder should be doing proactively?


You could freeze your credit, if you wanted to be careful. Realistically though, you should have already been monitoring to check if unexpected things were being done in your name. I've presumed that all our SSNs have been out there for years now due to one hack or another; that this hack just makes it indisputable doesn't change much.


What's required to freeze/unfreeze your credit? Your SSN and address info? All of that is in the breach for millions of people.


Just like a lock on the door, it raises the barrier to a non-trivial level. It does not give you a Fort Knox level impenetrable fortress.

I recently froze my credit with the big 3 and it was easier than I pictured. I don't know if they slow you down if you try to unfreeze it immediately after clicking "forgot password".


Freeze your credit with the three major credit agencies. Set up an IRS pin.


Why are data aggregators legal? In California can we create a proposition to shut them down in the state?


This sort of stuff will continue happening until the regulatory framework acknowledges a fundamental consumer right to privacy.

If a data broker collects data without the consent of the consumer, then their only real risk is a class action lawsuit which drags on for six years, gets settled for a few days profit, and the consumer gets $13.50 after the legal fees. This massive skew in the risk reward calculus of data brokers is why we have the problem. Because there's little to no real downside, the trend is automatically collect as much data on as many people as possible.

Fixing this means big, mandatory, cash penalties in the law code - say $5k per consumer data leak, directly to the affected consumer, with added penalties if the company lies about the leak or delays payment. The fine must be big, mandatory, and paid directly to the consumer. Only that changes the risk reward ratio.

In that new world, companies would have to reassess their risks. They'd either build invulnerable systems and hire a lot more people reading HN to protect their golden goose, or better still they'd decide to exit the business entirely. That sounds bad, but the only reason the industry exists is because regulators failed to foresee massive leaks like this happening every three months.

We need a consumer data privacy law, with massive fines, to force companies to change their behavior. What we're doing now clearly does not work.


They should tax companies so that operating data centers become more expensive. Increase price of electricity or property tax. That will inherently force companies to collect and store less data, hence less damage from breaches.


I used Robokiller to remove myself from data broker lists. I'm extremely impressed with it. I pay yearly. My only annoyance with Robokiller is that

A) It's necessary. When is the government going to start creating laws to help us and prosecute this?

B) It's expensive. Most people cannot afford this. I can barely afford it but my information has been leaked online.

C) It's inconvenient. A majority of calls are spam, but I'll often miss important calls from unknown numbers because Robokiller acts as a proxy and for some reason the call is routed through the Internet.

Anyhow, my wife and I are not on this list. I'm wondering if using Robokiller saved us from a lot of pain here.


Even before this, anyone operating a service who isn't treating SSNs as public knowledge in 2024 needs to be, well, shamed or penalized or something.


I’ve finally figured out the play: war of attrition.

Eventually enough data will be leaked to make moot the benefits of securing any personal data. At that point everyone stops trying and moves on to more financially rewarding activities.

I mean even if I’m an elephant, and data breaches are blind men, eventually enough blind men will draw a true comprehensive picture.


Several other commenters have brought up the sneaky wordplay involved in saying "identity theft" instead of simply calling it "fraud on the bank", and somehow turning the person into the victim rather than the bank that has been defrauded.

Has anyone tried to argue this point in court? Has this survived / how did this terminology shift survive judicial scrutiny?


From the NPD website:

> Please be advised that we will not collect, use, disclose, sell, or share the sensitive personal information or sensitive data of California, Virginia, Colorado, or Connecticut residents as those terms are defined by the CCPA/CPRA, VCDPA, CPA, or CTDPA, respectively.


We need more laws like this, then. Federal ones.


You think this stopped them from aggregation? It didn't...


Does anyone else just not give a fuck at this point about their SSN? I feel like maybe early 00s this would be scary but it's clear that everyone's SSN is out there already or waiting to get breached from a shady private data broker.

The problem lies in how institutions treat the SSN, not the number itself.


Yes. 99% of the time “identity theft” means a huge company cut corners on their security policies and wants us to subsidize their negligence. Every so often there are cases like that guy who pretended to be his former coworker for decades but they’re rare enough that they make the news internationally. Most of the time it used to be things like instant credit applications where they didn’t “slow” purchases with ID checks.

The good news is that companies have lost the presumption of competence there. In the 80s if a company said they’d confirmed that an applicant was you using your SSN, a lot of people would falsely believe that was sufficient but by now they’re not going to get far if they sue you unless they can provide better evidence because everyone knows huge breaches have happened many times.


Not good news. Doesn't matter if the business is presumed competent. What matters is that the business can steal your assets to pay for their losses.


So … actually good news? It most definitely does matter that businesses are now expected to prove the case more reliably than they used to.


if you know place of birth, and place of ssn application, you can determine most of the ssn. the final 4 are supposed to be random, but are blurted out to rooms full of people and tech, during service.

the integrity of SSN security, was lost a long time ago


as of 2011 they are fully random instead of being based on geographical region and groups

https://www.ssa.gov/employer/randomization.html


Yes, but 100% of adults today were born before 2011, and that will continue to be (ever so slowly less and less true as we die out) true for decades. It's good and all, but.


yeah it's too bad it took so long for that to happen.


> the integrity of SSN security, was lost a long time ago

The security never existed, since they were never intended to be secrets. At best it was theater.
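The sub-thread above makes the point that an SSN has no secrecy left to protect, so the job that remains for anyone operating a service is to stop it from leaking in plaintext through logs, exports and forms. As an added illustration (not code from anyone in this thread, and not the SSA's), here is a small Python detector that finds SSN-shaped tokens in log lines, discards shapes the SSA has never issued (area 000, 666 and 900-999, group 00, serial 0000, which are the structural exclusions the linked SSA randomization page keeps), and masks all but the last four digits. The log lines are constructed samples; since the 2011 randomization the area and group digits carry no geographic meaning, so these exclusions are the only structural check left.

```python
"""Find and redact SSN-shaped tokens in text (added example, not from the thread)."""
import re

# Whole-token match for 123-45-6789, 123 45 6789 and 123456789.
# The \b anchors stop a 9-digit window inside a longer number (e.g. a
# 10-digit phone number) from being treated as an SSN.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Constructed sample log lines; the numbers are made up for the example.
LOG_LINES = [
    "2024-08-14 10:01:02 INFO applicant ssn=123-45-6789 status=approved",
    "2024-08-14 10:01:03 INFO order id=9001 phone=5551234567",
    "2024-08-14 10:01:04 WARN test fixture ssn=000-12-3456",
    "2024-08-14 10:01:05 WARN test fixture ssn=666-12-3456",
    "2024-08-14 10:01:06 INFO applicant ssn=321 54 9876 status=pending",
]


def is_structurally_valid(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA states are never assigned.

    Area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are
    never issued. Test fixtures and placeholders often use exactly these, so
    dropping them cuts false positives without missing real numbers.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str):
    """Return (start, end, normalized) for each structurally valid SSN in text."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        area, group, serial = m.groups()
        if is_structurally_valid(area, group, serial):
            hits.append((m.start(), m.end(), f"{area}-{group}-{serial}"))
    return hits


def redact(text: str) -> str:
    """Mask every detected SSN, keeping only the last four digits."""
    def mask(m):
        area, group, serial = m.groups()
        if not is_structurally_valid(area, group, serial):
            return m.group(0)  # leave never-issued shapes untouched
        return "***-**-" + serial
    return SSN_PATTERN.sub(mask, text)


def scan_lines(lines):
    """Return (line_index, redacted_line) for each line that carried an SSN."""
    flagged = []
    for i, line in enumerate(lines):
        if find_ssns(line):
            flagged.append((i, redact(line)))
    return flagged


if __name__ == "__main__":
    for idx, masked in scan_lines(LOG_LINES):
        print(f"line {idx}: {masked}")
```

A detector like this belongs in the log pipeline or export step, not in a post-hoc grep: the point of the thread is that once the number has left in plaintext there is nothing to rotate.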


Are there any ways to check the breach to see if my information is there, other than downloading it myself? I’m not sure of the legality of doing so.


I've seen https://npd.pentester.com/ floating around


The data seems to be at least 15 years old.


For me, it matches (DOB, last 2 of SSN) and seems fresh (has newest address, as well as older ones).


There is a free service called Have I Been Pwned which uses your email address to see what data breaches you are part of (https://haveibeenpwned.com/).

While it uses your email to check (not SSN) odds are if they have your SSN in the dataset they also have your email.


The OP post says that emails in this breach are paired with random names and SSNs, so it's not a good indicator.


Oh sorry, I missed that!


Time for services everywhere to stop using SSNs for identification and for the US to move on to a more advanced form of identification.

And lock your credit.


Time for the US credit bureaus to lock everyone by default.


What can an attacker who knows your SSN still do with that information nowadays? Genuinely curious, as the SSN is just this strange, indistinct password thingy that Europeans like me hear about on HN but have no actual parallel with.


If they have your address, birthday, and SSN: a whole lot. Generally, they could apply for credit cards; loans; set something to bill to you; etc...

Fortunately, it's getting harder without previous addresses or other verification methods.

For non-Americans that don't know, our Social Security number is generally assigned at birth or when you become a citizen by the Social Security Administration. Social Security is a disabled or elderly benefit we all pay into (roughly 7.5% employee and 7.5% employer - ~15% total). It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

CGP Grey has a good summary of how it came about and why it's become a problem: https://www.youtube.com/watch?v=Erp8IAUouus


> It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

I fail to see the problem with that. As you said, it's an identifier, like a username or your full name. There should be no issue with everyone knowing your full name, or your username; why should there be an issue with everyone knowing your SSN, or it being in plaintext everywhere?


Because it was used as BOTH an identifier AND proof of identity, for a long time. If it were used properly as simply an identifier, you'd be right, but there are still many cases where knowledge of the number is used as proof (or partial proof, along with birthdate/address/etc) of identity.


I heard there was a similar problem with the bank account number in the US - that you could use it to withdraw money without an actual password or strong identification. Hence the popularity of cheques, PayPal and similar services that weren't needed that much in Europe.


You're right that bank account numbers in the US are insecure, but you're wrong that this is why checks are popular here.

Checks are actually the source of the problem. If you have access to blank check stock and MICR laser toner (both readily available on Amazon, since business accounting departments will routinely print their own checks for payroll / bills), you can make seemingly valid checks to withdraw funds from any account number. This is still a problem.

The reason why checks are popular is because until recently there hasn't been a cheap + accessible + official + unencumbered way to do electronic transfers between personal accounts. The infrastructure existed (ACH), but only businesses could actually initiate deposits/withdrawals. Individuals could initiate full-service wire transfers, but those are risky (there's no way to reverse one done in error) and banks typically charge $25/transfer - which is far too expensive to use for anything routine.

PayPal came into existence so people could purchase goods online (on eBay, specifically) and have the option of performing a chargeback if the goods weren't delivered as advertised.

(Checks will probably still persist for some time, since all the online payment services want to charge percentage fees if they think you're acting as a business. The beauty of checks is that they just work and don't insist on taking a cut of the payment.)


> why there should be an issue with everyone knowing your SSN, or it being in plaintext everywhere

Because far too many businesses, esp. financial ones (banks/credit unions/etc.) have also incorrectly used it as a password to authenticate that "voice on phone" is really John Q. Public and/or that "grifter in chair across desk" is really John Q. Public. I.e., they used the fact that "person X" knew number Y as proof that person X was really person X.

We can argue that it was never intended to be used this way (a true statement), that knowledge of it provides no such proof (also true), and that using it as such was always wrong on the part of these businesses (also true), but the fact is, many did use it this way, and, sadly, many still do use it this way. And it is this misuse that is the "issue" with everyone knowing everyone's SSN.


> username

Think of it as being the username and password. That's how many institutions have treated it for a long time.


Do you need an SSN for voting? I heard that you don't need an ID (at least in some states), which was very weird to me, but if they ask for an SSN instead, that is at least something, I guess?


No, SSN is not used for voting.

Voting requirements and eligibility are set individually by each state, sometimes even in finer detail; New York City wanted to give immigrants the right to vote in local school board elections, for example.

SSNs are administered by the federal government and are opt-in (however most people apply for one), so it is not something a state can really use as a voting requirement.

In the state I currently live in (GA), you need to bring a photo ID for in-person voting:

- Driver's License (from any state or federal government)
- State ID card
- Student ID card
- ID badge from any state or federal workplace
- Passport
- Military ID
- Tribal ID

Data was cross-checked against an online voter registration database.

In my prior state (NC), I think the ID requirements were similar (possibly more relaxed), but at that time the data was checked against the voter roll, a book with the name and address of all the people in the precinct. When you went to vote, you signed by your name and then it was crossed off the list.


The SSN is used as a way to genuinely identify someone, unfortunately - it’s like having to give out your password each time you rent an apartment or buy a car or obtain medical care or any number of other transactions. Having this info (along with other basic info like name/address/date of birth) lets you effectively pretend you are them. You can take loans out in their name or call some service to do a password reset (since you have all the info to verify you are them) or whatever else. But it’s not like there is one particular way in which the information can be used - it’s dependent on what businesses LET you do with that info. In 2024, NO business should use SSN to verify identity or authorize sensitive transactions but many do, and what they let you do varies significantly.


I think it’s important to distinguish between identification and authentication. As a unique database primary key, they’re fine. The problem was when a bunch of businesses decided it’d be too expensive to check things like government ID and started using them for authentication purposes. Nobody blinks an eye at using a phone number or email address on an application, but we should treat using your SSN or past addresses for authentication the same way we would if someone says they could approve a loan if you know your phone number and zip code.


Is there a straightforward way to download this file for research purposes?


Downloaded the torrent, and it's a 164GB text file.

What's a quick way to search if my SSN is in the file? I ask before diving in; it's currently extracting and the ETA is 40 minutes.


Use grep with some optimizations:

    # LC_ALL=C skips locale-aware (multibyte) matching, which is much slower on big files;
    # -F treats the pattern as a fixed string (fgrep is the deprecated spelling of grep -F).
    LC_ALL=C grep -F '<your-ssn>' file.txt

https://stackoverflow.com/a/13913220


Hey, if I give you my SSN can you check to see if it is in there for me?


Can't the SSA just issue 330 million new social security numbers, and tell people to be more careful with them from this point forward?


The SSA specifically told people not to misuse SSNs this way and it seems like a poor use of taxpayer funding to spend billions bailing out businesses’ bad decisions, even if that was legal (Congress would have to specifically authorize it), since we’d be back to the same problem within five years.

If we were going to do something, we’d make government ID include an NFC token for PKI purposes since public keys can’t be compromised in the same way, but nobody is jumping to pay for that, especially in a country where you have so many people prone to wild conspiracy theories (I am especially amazed by the guys who freak about a national ID as big brother but never say a word about the credit reporting industry) and the enduring “Mark of The Beast” religious fears.


> If we were going to do something, we’d make government ID include an NFC token for PKI purposes

Another alternative would be to go the other way: Pass a law prohibiting the use of social security numbers for any purpose other than social security. Don't provide any globally unique identifier for companies to use.

Instead each institution would issue their own identifier which would have no value outside of that institution. If they get breached or you lose your ID, they mail a new one to the address they have on file or some similar recovery method and you don't have to worry about someone using your ID somewhere else because the breached one gets disabled and you get a replacement.

The obvious advantage here is that companies can't use it to correlate your activity across institutions without your knowledge or consent.


> If we were going to do something, we’d make government ID include an NFC token for PKI purposes since public keys can’t be compromised in the same way, but nobody is jumping to pay for that, especially in a country where you have so many people prone to wild conspiracy theories (I am especially amazed by the guys who freak about a national ID as big brother but never say a word about the credit reporting industry) and the enduring “Mark of The Beast” religious fears.

Login.gov [1] gets us pretty far until NFC can get baked into credentials. Would love to see passport cards evolve into this [2], but again, lots of work and political will to make that happen. In the meantime, remote and in person proofing to bind IRL gov credentials to digital identity must do.

(As of December 31, 2023, over 111 million people have signed up to use Login.gov to date, with over 324 million sign-ins in 2023; this is ~1/3rd US population; no affiliation)

[1] https://login.gov/

[2] https://travel.state.gov/content/travel/en/passports/need-pa...


I still don't get why people are calling these "religious fears". The parable from the book is because the problem is very old, but the problem is exactly the same as it ever was: If a central authority gives everyone a serial number then it will be used to track them by powerful institutions, which is a tool of oppression. This is the massive mistake we made with social security numbers, and their inherent insecurity is actually mitigating the damage there because it makes people much more hesitant to divulge it.

You do not want to make it easier for every carnivorous for-profit corporation and wannabe apparatchik to pressure every citizen to cough up an identifier that can be used to track their every move.


> I still don't get why people are calling these "religious fears"

That’s what the people making those claims are talking about. If you haven’t talked with paranoid religious extremists before, it’s eye-opening: they are literally saying that a mandatory government ID will serve the beast mentioned in Revelations.

That’s not the only concern or group raising it by any means but I mentioned it because governments have to consider edge cases - if you make SSN a required field you have to figure out how to avoid turning away children from those households. If you’re building a website to sell t-shirts, that’s fine but if it's government services you might be breaking the law and especially might be harming people who need help (a 17 year old who ran away from that house might have trouble getting the ID they need to live independently).

> a central authority gives everyone a serial number then it will be used to track them by powerful institutions, which is a tool of oppression.

It’s only a tool of oppression if you have a government prone to abuse and without constraints. If that’s true, since the computer age the distinction is increasingly useless. The Stasi paid clerks to move paper around and if you’re comparing IDs by hand having a single number is a huge timesaver. In 2024, however, all not having one means is that they use software to link them – the context for this story is the huge industry doing that for all kinds of data, and they don’t mind having to link a couple of different identifiers. Faced with an oppressive government, we should be calling for legal restrictions and accountability for leaders. Not having a unique identification number is like wearing a breastplate into battle after the invention of the machine gun.


> It’s only a tool of oppression if you have a government prone to abuse and without constraints.

Untrue for three reasons.

One, it's a spectrum, and where you are can change. While the current US government is pretty bad, they're not rounding up citizens based on their race and throwing them into internment camps right now. But they have in the past, so let's not leave them anything that helps them if they decide to Be Evil again eh?

Two, there are different governments. Suppose the federal government is bad but not heinously bad and the Colorado government is pretty good but the Mississippi government is corrupt and racist and oppressive. Create the system federally and you're handing it to Mississippi officials to abuse, whereas they couldn't create their own because free travel between the states is constitutionally protected.

Three, it's not just governments. Create something like this and corporations will use it. Then all you need is for the government to fail to stop them, which is the status quo.

> In 2024, however, all not having one means is that they use software to link them – the context for this story is the huge industry doing that for all kinds of data, and they don’t mind having to link a couple of different identifiers.

The single identifier is what enables them to be linked -- it's why the surveillance apparatus keeps pushing it on us. Without it you have to speculate and will commonly get it wrong. If someone is signed into Google and then signs into their bank, does that mean they're the same person, or just two people who use the same computer?

If you pull an old PC off a skid destined for the recycler and use it exclusively for buying things on Amazon (which inherently has your shipping address), and use a different machine for social media which you never use for Amazon, a single identifier would still force you to associate the two no matter what measures you use to separate them.

It is important to preserve the ability to keep them separate.

Also notice the form of your argument: Things are currently bad so it's fine to make them worse in a way that's sticky and hard to undo. Maybe instead we should make things better?


> The single identifier is what enables them to be linked

> If someone is signed into Google and then signs into their bank, does that mean they're the same person, or just two people who use the same computer?

You misunderstood my argument as “it’s okay to make things worse” rather than “spend your time on things which can matter”. You’re grossly overstating the importance of the unique identifier in an era where databases are widespread. In your examples, you’re characterizing as hypothetical risks things which are routinely done by private companies right now. The modern Stasi wouldn’t need an army of clerks to link government IDs, they’d pay Google or some other ad tech companies who’ve already linked your online activities (how many people even know if their bank uses Google Analytics?) and your email addresses and your phone numbers and your credit card transactions and the location data which the phone companies and mobile app analytics firms have already collected, etc. As a government agency, they’d even get stuff like the precise locations your phone is at. Even if you had your Amazon burner on a separate network, used a different email address with a different provider than you do for everything else, perfectly adhered to not using it for social media, etc. all you have to do is forget to turn off your phone once to link them, especially if you don’t live in a very crowded environment with many new people coming and going at unpredictable intervals.

Yes, having one identifier would make it easier but they’re already doing a good enough job that anyone who cares about it should be thinking about the safeguards which prevent abuse rather than pretending that there’s one weird trick to stop it. If we were in a scenario where any of the feared outcomes of a government are imminent, the range of bad outcomes either way overlap too much for the difference to matter.

The key thing to understand is that they don’t need it to be perfect: authoritarian governments don’t need to jail everyone who disagrees as long as they keep those people from organizing an effective opposition. If you’re opposed to them but keeping quiet and not doing much, they win. If you pull off perfect opsec and stay undetected, but they catch you because someone you know made a mistake, they win.

Worse, in the absence of effective accountability, minor mistakes only help build the fear of doing anything dodgy or subversive – if news gets out that someone went to a protest and the cops busted their roommate after linking the wrong phone, it _might_ help that one person be released but it will definitely ensure that a hundred other people get kicked out or turned in by roommates who don’t want to have the same thing happen to them (read accounts from East Germany, Russia, China, Mexico in the 70s, etc. for a reminder of how toxic the effects on social networks are), and a thousand people will stay quiet and avoid the next protest.


> The modern Stasi wouldn’t need an army of clerks to link government IDs, they’d pay Google or some other ad tech companies who’ve already linked your online activities (how many people even know if their bank uses Google Analytics?) and your email addresses and your phone numbers and your credit card transactions and the location data which the phone companies and mobile app analytics firms have already collected, etc.

But it's not about clerks.

You go to your bank and sign in. If the bank is using Google Analytics then Google knows you've signed into your bank. But they don't know that this is the same "you" that signs into YouTube under a different account on a different machine.

If you make a government ID which is trivial to check over the internet then everything would start checking it, and then Google would know that it's the same "you" because you'd have to present your ID in order to use YouTube and it's the same ID you have to present to the bank.

> Even if you had your Amazon burner on a separate network, used a different email address with a different provider than you do for everything else, perfectly adhered to not using it for social media, etc. all you have to do is forget to turn off your phone once to link them, especially if you don’t live in a very crowded environment with many new people coming and going at unpredictable intervals.

This is the spy scenario where they magically associate the phone with you based on a single ambiguous data point. It doesn't work like that because if it did you could do it on purpose to link your identity with someone else. It also assumes that the other problems can't be improved. Suppose we stop forcing people to disclose a single identifier and we get phones that don't forcibly report our locations to large institutions. Then you have defense in depth and can make a single mistake without being automatically screwed.

> Yes, having one identifier would make it easier but they’re already doing a good enough job that anyone who cares about it should be thinking about the safeguards which prevent abuse rather than pretending that there’s one weird trick to stop it.

It's not that there's one trick to stop it, it's that forcing a single identity to be disclosed in order to do anything would defeat all other privacy measures. There is no point in preventing browser fingerprinting or using a VPN with a shared IP address or posting under a pseudonym if everything you do is still tied to your centralized ID number which in turn is tied to your face and home address and full transaction history with every extant bureaucracy.

> If we were in a scenario where any of the feared outcomes of a government are imminent, the range of bad outcomes either way overlap too much for the difference to matter.

Those are just the worst-case scenarios. If you get Nazis, they're going to push this on everyone anyway as soon as they can. It's better to slow them down as much as possible than leave everything already implemented so all they have to do is turn the key, but that's hardly the only bad thing that can happen.

If corporations know everything about you, they can use machine learning to do price discrimination. They can predict when is the best time to present you with an agreement that has you sign your rights away for a song. They can influence public opinion to control election outcomes. Censor whistleblowers who are now incapable of publishing anything under a pseudonym. Blackmail anyone because no one has any secrets from them.

The longer it's possible for people to do these things, the more likely that they happen, and the more often. So it needs to be made not just illegal but technologically unavailable. That way it's harder to happen because they have to do two things and not just one.

Especially because many of these things are not necessarily things done by people who are already in power, they're things done by people who have the surveillance data and use it to seize power. "Accountability" doesn't work if the technology can be used to seize control of the government before the government can enforce a prohibition on that use of the technology.


> It doesn't work like that because if it did you could do it on purpose to link your identity with someone else.

It does work like that in too many cases. Yes, one data point is not definitive but since they can get many data points it works well enough to be a major privacy risk - for example, this was a cheap attack which required no governmental access:

https://www.vox.com/recode/22587248/grindr-app-location-data...

I would suggest writing down exactly what you are concerned about in a structured manner. You’ve shifted the scope significantly and are well off topic from the original point. I appreciate the emotion but it’s hard to build a policy on quicksand.


> I still don't get why people are calling these "religious fears".

People are calling these "religious fears" because they are fears very often based on religion. People who fear the Mark of the Beast aren't simply worried about being tracked by powerful institutions, they're looking for prophetic signs of the antichrist and Satanic one world government that their holy book says will lead to the second coming of Christ and Armageddon. Even though it was really talking about Nero Caesar. You can't separate the fear from the religion.

> You do not want to make it easy for every rapacious for-profit corporation to pressure every citizen to cough up an identifier that can be used to track their every move.

Then ban cellphones. Those are far more useful as a means of surveillance and control than any serial number in a database. They're also held in the hand and to the head, and used to buy and sell goods, which conforms far more closely to the mark of the beast than, say, RFID chips or SSNs or serial numbers on currency. Which the mark of the beast people were all against, in their time.

Unless you want to go full Kaczynski and run off into the woods to live off the grid, you can't avoid having identifiers attached to you. Your birth certificate, vaccination history, criminal record, credit score, address and phone number, the license plate on your car. Even the cookie that leaves you logged in to Hacker News. Governments and corporations already know who you are and where you are. Are there massive negative externalities to having our identities controlled by forces we have no agency over? Absolutely. But fearing every number as a slippery slope to a global satanic dystopian hellscape isn't reasonable. Unfortunately that's the context in which many people have this conversation, and that needs to be recognized.


> People who fear the Mark of the Beast aren't simply worried about being tracked by powerful institutions, they're looking for prophetic signs of the antichrist and Satanic one world government that their holy book says will lead to the second coming of Christ and Armageddon.

This is the "weak man" version of the argument. It goes in the book because the (relatively wise and experienced) authors wanted to warn people of the dangers of a real problem. Nutters read metaphors as literal and then people who want to discredit the argument point to the least credible of the nutters as the proponents. But you don't have to believe in The Devil to believe that authoritarians exist and have provably caused great pain and oppression throughout history.

Isaac Newton was a Christian but you don't have to believe in God to believe in gravity.

> Then ban cellphones.

The problem here isn't so much "cellphones" the abstract concept in which you have a portable computer with a network connection, as the current implementation of cellphones which are in actual fact implemented as tracking devices. Which, okay, let's also make cellphones that are actually controlled by their owners and don't act as mass surveillance devices. Sounds good.

> Unless you want to go full Kaczynski and run off into the woods to live off the grid, you can't avoid having identifiers attached to you.

There is a difference between "you have a social security number which the social security administration uses exclusively for social security and no one else uses for anything" and "you have a social security number which every corporation and bureaucracy uses as the primary key in a database to correlate everything you do in your entire life". The kind of ID systems people keep proposing are the ones that do the second one, and that's the bad one.


The problem with login.gov is that nobody can use it outside of the US government. I can't use my login.gov account to attest my identity to my bank.

So my bank will continue to use my SSN as proof of identity for loans.



Yeah, I love login.gov and especially how they embraced things like WebAuthn faster than entire industries like finance but I can only imagine how much screaming there would be if usage became a requirement outside of government.


Painting those of us concerned with privacy as "people prone to wild conspiracy theories" is a very bad faith take.

Please do not give the government any more power over me than they already have, thanks.


> Painting those of us concerned with privacy as "people prone to wild conspiracy theories" is a very bad faith take.

Fortunately that’s not what I’m doing. I suggest reading more carefully and trying to come up with a scenario where the government having standard identifiers meaningfully harms your privacy but a mess of identifiers and a huge private industry linking them does not.


The SSA has shown absolutely no urgency on this issue. Their existing policy is that having your SSN compromised is not enough to issue a new number. You have to actually be a victim of a financial or identity crime that abused your SSN for them to consider a new number. In reality what they should be doing is giving everyone accounts that can generate tokens for use with each transaction, to maintain a trail of where leaks originate and also to expire these temporary tokens. Instead they’ve stuck to this archaic system.


They can't issue new numbers in bulk without revamping the system because they'd run out. The urgent fix wouldn't work.

If the system needs to be revamped, then step one should be pressure/force so that companies stop treating the numbers as secret. And if we do that we don't need new numbers anymore.



What if we just made all this data free? Some AI is going to compile it anyway (and probably already has). Deterrence is the best defense, right?


It depends on the country. Where I live now even if I leak my name, date of birth, bank details, national id number, etc. you couldn't do much. We have a country wide 2FA system that all important businesses use (bank, utilities, health, government) to authenticate users.

I'm from the UK though, and previously was a 'victim' of identity theft where a few years ago someone walked into a phone store, and walked out with a new iPhone and contract in my name.


Is the country wide 2FA implemented by the country or a private company? While rare, what if a person does not have access to the 2FA mechanism, and what mechanisms are permitted to confirm an identity?


“The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.”

Like what?


i.m.o. "National Public Data" in title should be capitalized; it is a proper noun https://en.wikipedia.org/wiki/National_Public_Data


And where is this information that this random group supposedly has? I have yet to see proof of that being real.


It's real. A few people I know are in the dataset. The SSN is problematic, but personally to me, the more troubling data is a seemingly complete, or at least complete enough, address history for the people I checked for. It doesn't have dates, but just having the addresses could cause major problems for spear phishing attempts.


I was able to get my hands on it, and I was able to confirm that some records of loved ones are indeed present (although mine was not).


BreachForums I believe.


The government should have put out honey pots or something, or maybe it’s time to get new numbers and just invalidate all the stolen data. There is clearly money for fixing this kind of thing, but they’re using it to spy on us and do who knows what else instead.


Does anyone know the correct password?


I worked incident response for years, logging thousands of hours of actual on site work with impacted clients.

No one cares.

Clients see this as the cost of doing business and have no incentive to do better. Even after Equifax and OPM.

Until we have a GDPR style law in the U.S. it will continue to be status quo.


I sure wish the US had a version of GDPR.

I get a data breach notice at least a few times a year. I got one for my kids two months ago for their medical data. I thought HIPAA had huge penalties but I guess not.


Doesn’t California have a similar set of regulations?


Perhaps HN readers would appreciate a detailed account of what the NPD torrents contain.

The torrent delivers two files like so:

  NPD202401.7z  33,456,912,010 bytes (32GB)
  NPD202402.7z  20,548,499,322 bytes (20GB)

Uncompressing NPD202401.7z results in:

  ssn.txt 176,806,109,779 bytes (165GB)
  wc -l ssn.txt ==>> 1,698,302,005 lines

Uncompressing NPD202402.7z results in:

  ssn2.txt 120,722,361,611 bytes (113GB)
  wc -l ssn2.txt ==>> 997,379,508 lines

This is a total of 1698302005+997379508 = 2,695,681,513 lines.

Each line is a comma separated record with these fields:

ID,firstname,lastname,middlename,name_suff,dob,address,city,county_name,st,zip,phone1,aka1fullname,aka2fullname,aka3fullname,StartDat,alt1DOB,alt2DOB,alt3DOB,ssn

Generally records have ID, firstname, lastname, middlename, address, city, county_name, st, zip, and ssn. Most records do not have the fields for name_suff (name suffix), phone1, aka1fullname, aka2fullname, aka3fullname, StartDat, alt1DOB, alt2DOB, and alt3DOB.

There are no emails at all. There is no "@" in the files anywhere. Phone numbers are very rare.

I don't know what the ID number at the head of each line represents. I presume it is an internal index used by the organization that compiled the data. The SSN is at the end of each line.

The files have U.S. addresses only as far as I can tell. Nothing from Mexico, Canada, or other foreign countries.

Many of the lines (records) concern the same person at various addresses. Of 7 random people who I personally know that I checked on, all had entries. There were between 3 and 20 lines (records) for these 7 persons, averaging about 10. They usually differed only in the address field. Going by an estimate of 10 records per person, the 2.6 billion lines represents about 2695681513/10 = 269,568,151 distinct persons in the U.S.

The U.S. population is about 337M where 78% is over 18 years of age. In other words, 337000000*0.78 = 262,860,000 Americans are adults. This is pretty close to my estimate of 269,568,151 distinct individuals in the NPD data files.

Of the 7 persons I checked on, the names were spelled correctly, although the middle name was sometimes just an initial. I searched each person by multiple methods (address, last name, birth date) so I believe I would have detected names that were spelled slightly wrong.

The addresses appeared correct but there was no way to tell which was the current address and the order in which they lived at each address. There is a StartDat field but it was almost never filled in. The latest entry was not always the most current address. In a couple cases, the current address, where the person has been living for several years, was absent.

The birth dates were correct in a couple cases, were abbreviated in three cases (that is, instead of showing 19800704, meaning July 4 1980, it showed 19800700, meaning July 1980 without an exact day), and wrong for one person by a wide margin.

All 7 persons I checked had SSN numbers. It was correct for 1 person but I don't know for the other 6. The SSN numbers were consistent for each of the 7 persons I checked on. By this I mean that a person did not have more than 1 SSN number, at least among the 7 persons I checked on.
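The layout described above is enough to write a streaming pass over the two files without loading them. The Go program below is an added example, not code from the comment, from NPD or from the torrent: it reads the 20-column format as described, counts lines with an abbreviated date of birth (YYYYMM00 or YYYY0000), lines with a phone number and lines containing "@", and collapses lines into persons using an assumed key of first name, last name and SSN (the comment reports one SSN per person, which is why SSN is the join column). The records embedded in it are constructed for the example; the names and addresses are invented and the SSNs use the invalid 000 area number, so nothing in them comes from the breach.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Column order of one NPD line, as described in the comment (20 comma-separated fields).
const (
	colID = iota
	colFirst
	colLast
	colMiddle
	colSuffix
	colDOB
	colAddress
	colCity
	colCounty
	colState
	colZip
	colPhone1
	colAKA1
	colAKA2
	colAKA3
	colStartDate
	colAltDOB1
	colAltDOB2
	colAltDOB3
	colSSN
	numCols
)

// Person collapses the several lines that describe one individual.
type Person struct {
	Records   int
	Addresses map[string]bool // address|city|st|zip
	DOBs      map[string]bool // distinct dob values seen for this person
}

// Stats is the result of one streaming pass over a file.
type Stats struct {
	Records   int // data lines read (header line excluded)
	Malformed int // lines that do not have exactly numCols fields
	AbbrevDOB int // dob like 19800700 or 19750000: day or month unknown
	WithPhone int // lines with phone1 filled in
	WithAt    int // lines containing '@' anywhere (the comment reports none)
	Persons   map[string]*Person
}

// personKey is the assumed identity: first name, last name and SSN.
func personKey(rec []string) string {
	return strings.ToUpper(rec[colFirst]) + "|" + strings.ToUpper(rec[colLast]) + "|" + rec[colSSN]
}

// dobAbbreviated reports a YYYYMMDD value whose day (or month and day) is 00.
func dobAbbreviated(dob string) bool {
	return len(dob) == 8 && strings.HasSuffix(dob, "00")
}

// Analyze streams records from r; it never holds more than one line plus the person map.
func Analyze(r io.Reader) (*Stats, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = -1 // count bad lines instead of aborting on them
	cr.LazyQuotes = true    // stray quotes in address fields must not stop the pass
	cr.ReuseRecord = true
	st := &Stats{Persons: map[string]*Person{}}
	for {
		rec, err := cr.Read()
		if err == io.EOF {
			return st, nil
		}
		if err != nil {
			return nil, err
		}
		if rec[colID] == "ID" {
			continue // optional header line
		}
		st.Records++
		if strings.Contains(strings.Join(rec, ","), "@") {
			st.WithAt++
		}
		if len(rec) != numCols {
			st.Malformed++
			continue
		}
		if dobAbbreviated(rec[colDOB]) {
			st.AbbrevDOB++
		}
		if rec[colPhone1] != "" {
			st.WithPhone++
		}
		key := personKey(rec)
		p := st.Persons[key]
		if p == nil {
			p = &Person{Addresses: map[string]bool{}, DOBs: map[string]bool{}}
			st.Persons[key] = p
		}
		p.Records++
		p.Addresses[rec[colAddress]+"|"+rec[colCity]+"|"+rec[colState]+"|"+rec[colZip]] = true
		p.DOBs[rec[colDOB]] = true
	}
}

// RecordsPerPerson is the ratio the comment estimated at about 10.
func (st *Stats) RecordsPerPerson() float64 {
	if len(st.Persons) == 0 {
		return 0
	}
	return float64(st.Records-st.Malformed) / float64(len(st.Persons))
}

// Sample is constructed data in the described layout: invented names and
// addresses, SSNs with the invalid 000 area number, one deliberately short line.
const Sample = `ID,firstname,lastname,middlename,name_suff,dob,address,city,county_name,st,zip,phone1,aka1fullname,aka2fullname,aka3fullname,StartDat,alt1DOB,alt2DOB,alt3DOB,ssn
1,JANE,DOE,A,,19800704,1 MAIN ST,SPRINGFIELD,GREENE,MO,65801,,,,,,,,,000000001
2,JANE,DOE,A,,19800704,22 OAK AVE,SPRINGFIELD,GREENE,MO,65802,,,,,,,,,000000001
3,JANE,DOE,ANN,,19800700,9 ELM RD,TULSA,TULSA,OK,74101,,,,,20150101,,,,000000001
4,JOHN,ROE,,,19750000,5 PINE CT,DENVER,DENVER,CO,80202,3035550100,,,,,,,,000000002
5,BAD,LINE,MISSING,FIELDS
`

func main() {
	st, err := Analyze(strings.NewReader(Sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("records=%d malformed=%d abbreviated_dob=%d with_phone=%d with_at=%d\n",
		st.Records, st.Malformed, st.AbbrevDOB, st.WithPhone, st.WithAt)
	fmt.Printf("distinct persons=%d records/person=%.1f\n", len(st.Persons), st.RecordsPerPerson())
	keys := make([]string, 0, len(st.Persons))
	for k := range st.Persons {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		p := st.Persons[k]
		fmt.Printf("  %s: %d records, %d addresses, %d dob variants\n", k, p.Records, len(p.Addresses), len(p.DOBs))
	}
}
```

On the real 165 GB file the person map will not fit in memory; the same personKey works as the key for an external sort, after which the grouping is a single sequential pass. Also, on real data hash the key before printing it rather than echoing SSNs into a terminal or a log.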


off topic

does HIBP automatically cover plus addressing variants of an email

example I submit johndoe@example.com

but a breach had johndoe+verizon@example.com

will it match



Ahh, cool, pour the corpus through GPTs and start tweeting Congressional rep personal info at them until they pass a law to outlaw data brokers (in keeping with historical precedent [1] [2]).

[1] https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act

[2] https://jolt.law.harvard.edu/digest/dodging-the-thought-poli...


For argument’s sake, instead of outlawing data brokers wouldn’t it be better to design a better ID system that renders one’s name, dob, and SSN as harmless information?

I don’t know what that would look like but if I had Congress’s attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.


In many countries in Europe, your ID card contains a chip with a cryptographic key, much like chip&pin on a debit or credit card.

Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.

If the card is lost or stolen they can just remove your old one from the keyserver. It's literally just public key crypto.

Identity theft is rampant in the countries that don't have such a system and basically require you give them increasing amounts of private information to prove who you are. In the UK that's every address you've lived in for 5 years, your council tax bill, your energy bill, your bank statement for a month... all because British people think an ID card means you'll get stopped on the street to show your papers.


  > Identity theft is rampant in the countries that don't have such a system
No, fraud is rampant in the countries that don't have such a system. Calling it identity theft makes it sound like the onus on preventing the practice is on "whoever's identity was stolen", instead of correctly pinning the onus on the bodies issuing accounts and loans without verifying information or identity.


The US has three dumb points pushing back on this.

The first is religious nuts who think it would be a "mark of the beast"

The second is anti-government types who are, well, anti-government anything.

The third is many business owners, because it would become much harder/risky to hire illegal immigrants to work.


The "mark of the beast" types are pretty much fine with cards that have chips in them, but they really hate it when you threaten to implant those chips into people and they want cash to remain an option - same as the anti-government types. I don't share their apocalyptic or anti-government concerns, but I'm actually kind of grateful for their passionate opposition to both of those things anyway. I don't really want an implant and the option of using cash is a very good thing.

The anti-government types do hate the idea of a national ID, but they're already forced to carry a drivers license/state ID, and SS card so they've pretty much lost the battle already.

I'm afraid that it's the business owners who are our biggest hurdle.


It doesn't need to be a national ID, it could just operate on a state-level like drivers licenses currently do.


Eh, depending on the flavor, the mark of the beast types don’t even really like barcodes. Allegedly Hobby Lobby does not use a barcode inventory system for this reason.


Hobby Lobby's CEO provided a handy list of reasons why they do not use bar codes, none of which have anything to do with them being marks of beasts

https://www.snopes.com/fact-check/hobby-lobby-mark-of-the-be...


I will say that their list of reasons is deeply flawed.

> Human beings can't read a bar code.

- they can, and more importantly they almost never have to

> A lot of our product comes from cottage industries in Asia that couldn't mark their goods with bar codes if they tried.

- They can be added at the store/warehouse level, not every product needs one, and I've never seen a store that worked entirely on bar codes 100% of the time anyway.

> Inventory control by computer is not as accurate as you think.

- This assumes what I think, and it only needs to be more accurate than your current method. If it actually weren't more accurate, I don't think they'd have to fall back on "as you think" in their argument.

> Employees take more pride in their work when they know they are in charge, not some faceless machine.

- this doesn't even make sense.

> Customer service is better.

- questionable, but not impossible to support

> The time savings at check-out is minimal — and easily squandered.

- possible, but time savings at checkout is only one benefit.

> Reprogramming the computer for sales would take a huge effort in our case, because we put so many individual items on sale each week.

- It would take effort, but stores with much more inventory manage it just fine, even when new products are constantly coming in and sales are weekly.

> Twenty million dollars is a lot of money.

- I have no idea from the article what this is in reference to. Maybe the amount it would take for them to make the switch? It's hard to say how much money it would save them so it's fair to say cost is a concern. I will say that over a long enough time period, it'd probably save more than it costs.

None of this means that concern over "the mark of the beast" is really the reason, but the reasons they gave don't make a lot of sense either. It could just as easily be that poor record keeping and manual entry at the register allow them to commit fraud or something.

I suspect that if the mark of the beast plays any role at all, it's that not having barcodes panders to the Christian customer base they've always heavily pandered to. Even just the rumor is basically viral marketing for them to that crowd.


Personally, Hobby Lobby's poor inventory management is a major frustration for me as a customer. Unlike other stores, they don't have any way for me to check online whether the product that I want is at their store. Granted, I avoid shopping at Hobby Lobby in general due to their owners' regressive views; but at those times when I couldn't find something at a competitor it would have been helpful to be able to see if I could get it from them.


How about this: without barcodes, you can't replace your clerks with self-checkout machines


I'm not sure that's true, but it would make it more difficult since it'd be easier for customers to cheat. You'd need more monitoring than most stores at the very least.


Decathlon has RFID tags.


Correct. But not insurmountable.

Make the ID card optional, so that it simplifies things if you have it, but still allows operation without it. If 80% of law-abiding population has the card, only the stubborn deniers will remain targets of easy identity theft and fraud based on it. Partly it will stop being worth the effort, partly it will serve as a good control group.

Allow but do not require to use the card for employee identification. Whoever insists on hiring undocumented immigrants, could continue. Most industries don't do that, and would reap the benefits of a more secure identification.

Don't make the card universal. A bank card with a chip does not identify you for governmental agencies, but prevents a lot of PoS fraud. It could prevent credit fraud if banks allowed me to require the card to take a loan in my name, or to make a transfer larger than $10, and provided the card identity check service to each other and to credit unions. Phones with NFC can read bank cards, so it's a good way to say "it's me, I confirm" in a secure way.

Evolutionary, opt-in, piecemeal solutions often have higher chances to succeed than abrupt all-at-once changes.


>Most industries don't do that

They absolutely do, but most of the immigrants have a form of ID that gives the companies some measure of deniability. As long as the I-9 goes through, not my problem. If it doesn't, well that's where contractors come in. Official numbers say around 14 million illegal immigrants. Reasonable estimates are closer to 22 and some non-hyperbolic estimates go as high as 40 million.


>Make the ID card optional, so that it simplifies things if you have it, but still allows operation without it. If 80% of law-abiding population has the card, only the stubborn deniers will remain targets of easy identity theft and fraud based on it. Partly it will stop being worth the effort, partly it will serve as a good control group.

Kind of like RealID[0]? It exists right now in the US.

[0] https://en.wikipedia.org/wiki/Real_ID_Act


Yes, this is a step in a right direction.


If it's optional, then one would need to be able to have a central database of people who have IDs and want providers to require them.

Otherwise there's no protection against impersonation if IDs aren't mandatory.


Indeed. But a federated database is fine, too; this is how Visa and MasterCard work.

Imagine having a bunch of ID cards in your wallet, like you already have (driver's license, library card, office access card, store loyalty card) that all have an interoperable smartcard interface, and a QR code of their built-in public key.

They would be much like contactless bank cards you also keep in your wallet.

Banks and phone network operators are uniquely positioned to sell a validation service for such cards, being highly connected and already having data about their existing customers, which would be an easy initial audience pool.


Governments murdered hundreds of millions of their own people during the 20th century, and the 21st is shaping up to tell the 20th to hold its beer.

Any proposal for modern ID needs to have Constitutional protections, checks, and balances or it will eventually devolve into a digital police state.


A lack of national ID cards would not have hindered the Nazis in carrying out mass murder one bit.


More apropos to the current situation, Henryk Jagoda and the Bolsheviks killed/starved between 29 million and 113 million people, depending on estimates. They certainly ID'd people, based on ethnicity, religion, political affiliation, and class status.

My point is to not make it easier for them.


Stalin killed around a million people in the purges. Several million people died in a famine in the early 1930s, which was partially due to Stalin's economic policies.

Figures like 29 million (not to mention 113 million, which would hardly leave anyone in the USSR) are simply not credible. I suspect the 29 million figure comes from counting the victims of the Nazi invasion of the USSR, but those deaths are on Germany's balance.


They are credible. That estimate was directly from perplexity.ai with sources. It aligns with what I've come across in my own reading as well.

If you think the holodomor and red terror only killed a couple million people, I've got some beachfront property to sell you in Idaho.


How?

Everyone's like "a government went on an extermination campaign" and for some reason what would've stopped them is the difficulty in identifying who to exterminate?

As though genocides much care about accuracy.

The big secret of Nazi Germany that isn't a secret at all is that they put a lot more than just Jews in those camps.


There are key differences between today and the 20th century that you are ignoring. Widely enforced digital ID not only makes it easier for them to identify who to genocide, it forces total compliance with the state, because if you do not fully comply, you risk death, imprisonment, or having your freedom and bank account revoked.


I mean surely then nations with little in the way of digital or personal ID are definitely immune to genocides and do not in fact make up the vast majority of extant genocides committed in recent years or throughout history...[1]

[1] https://en.wikipedia.org/wiki/List_of_genocides


There is another group: those of us who think the trend of requiring ID to transact is a dangerous one.

One doesn’t need to be anti-government to fear governmental intrusion on one’s rights without due process. Our current government does that now.


> those of us who think the trend of requiring ID to transact is a dangerous one.

agree and second -- history shows that this sort of thing goes badly due to "humans"


> The third is many business owners, because it would become much harder/risky to hire illegal immigrants to work.

Big one, but even though employing illegal immigrants is a crime, it's almost never prosecuted.


It's trivial as an immigrant to get a (stolen) SSN. Business owners are not responsible for checking if the SSN is stolen or not.


You're forgetting the entire political left, who claim only whites are intelligent enough to get IDs.


> all because British people think an ID card means you'll get stopped on the street to show your papers.

That's probably because all of the anti-immigration and anti-foreigner people who are asking the government to stop people and ask them for their papers... this is not unique to the UK, Canada, or the United States either, and some of the countries plan to do more than just deport people.

Strong identity is increasingly a meaningful technical requirement, but glossing over the human impact of strong identity controls by the government is not going to have good outcomes either.


Not really in Britain. Labour tried to introduce some national id in early 2000s, the right wingers were the ones who objected the most. The same right wingers who are most anti-immigration


I think most of those right wingers are against illegal immigration. There's a big distinction here.

I think very few of those so-called right-wingers are -say- against doctors immigrating to one's country if there's a doctor shortage. As long as immigration is all done using legal means. And with proper checks and balances.

I'm a right winger (but not born and raised in the UK). And I am very much against illegal immigration. I also don't want to be required to wear an identity card / passport with me at all times.

Actually, with proper immigration policies in place, the state can be sure that most people inside the state are legal, law-abiding citizens. I don't think in such cases it does make sense to require people to wear an id card with them at all times.


Yes they are against all immigrants.


There were just a series of mass race riots by right-wingers across the UK, in which they went around smashing up shops owned by immigrants and beating up people who don't look white. This isn't about illegal immigration. It's about racism.


Conveniently omitting the fact that this is a reaction to immigrants going around randomly attacking British people. If you aren't already, consider working for MSM.


No, it's not based on that.

It was based on a false rumor that spread on social media that the perpetrator of a recent triple murder was a Muslim asylum seeker. It turns out that the perpetrator is a British citizen who was born in Britain and is Christian.

What this reminds me of are pogroms in Eastern Europe, which were often sparked by false rumors about Jews.


That doesn't make it any less racist!

But please give some more details on that. The only case I've heard about was a single attacker who was incorrectly called an immigrant.


It adds context which people who manipulate the overtone window for political games and name calling like to exclude.

The person was an immigrant's child. Considering their obvious (violent) refusal to integrate, they are too an immigrant.


It's completely bonkers to have retaliation like that against a single attack that isn't part of a pattern.

Like, that context arguably makes it worse than if there was no inciting incident, because it's so blatantly blaming a huge group for one person.


It's like justifying pogroms against Jews because one Jewish person committed a crime. It's racist and utterly disgusting.


Are you implying that there are Jewish grooming gangs that operate above the law?


Are you implying that small numbers of Muslim criminals justify mob violence against random Muslims on the street?


It's not a single attack, but not like the news you listen to would report that.

it is a pattern.


So is your goal here to see how many times you can make bigoted claims without evidence before someone comments on your very name being "strawman"?


To bring up more things in the broader context, were there not several "grooming gangs" that were active in Britain recently and the police were reluctant to investigate/prosecute them as it might appear racist?


Police were reluctant to investigate celebrity grooming gangs, Rolf Harris, Jimmy Saville, Gary Glitter, Huw Edwards, Russell Brand, etc.

Police were reluctant to investigate political grooming gangs, those in the House of Lords, nobility, etc.

Police were reluctant to investigate religious grooming gangs, Christian Brothers etc.

I can't see how immigrant pedos are infinitely worse rather than just more of the same.

The reluctance to investigate seems to be the issue, now it's compounded by scapegoating.


There are literal no-go zones the police will not touch out of fear. If you can't figure out how lawless zones and being socially untouchable could make doing crimes easier and harder to prevent, then there is nothing that could convince you.


> there are literal no go zones the police will not touch out of fear.

GPS coords then? Street names?

Any chance of a decent curry?


Yeah, id cards aren't mandatory in France either because the precedent when they were comes from literal Nazis. (At least theoretically, in practice you will face a lot of pressure...)


> Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.

That depends on the type of attack you're protecting against. It might prevent an attacker from filing your taxes for you, but many companies are still going to use this kind of information as a primary key. But it's not going to stop an attacker from pretending to be a bank employee, calling a genuine bank employee via a secret internal-only number, and claiming they've got Mr. Doe in their branch trying to do a critical transaction but their phone broke so they can't use the bank app. Yeah, the Mr. Doe living at 987 Main Street, that one. See, you even verified their ID, and it has a SSN of 123456 printed on it - just compare that to our customer database to make sure it's legit!

It also opens up a whole new type of attack. The problem with those smart cards is that there isn't really a way for the user to know what operation is actually happening. You're using a regular PC or smartphone to interface between the smart card and whatever entity you're trying to communicate with. But that could just as well be a phishing website pretending to be that entity, or malware doing a MitM. Or even just a random website pretending to need a signature for "age verification" when it's actually applying for a loan behind the scenes.

There's no "Do you really want to sign over your house to XYZ?" message on the card itself. And suddenly the government/bank/whatever is getting a request with a cryptographic signature which can obviously only be made by you - why would they have to double-check it if it cannot possibly be fraudulent?

I agree that we should be moving to more secure systems, but those ID smart cards aren't a one-size-fits-all solution.


> There's no "Do you really want to sign over your house to XYZ?" message on the card itself. And suddenly the government/bank/whatever is getting a request with a cryptographic signature which can obviously only be made by you - why would they have to double-check it if it cannot possible be fraudulent?

My country's version uses separate mechanisms with separate passwords for "identify me, revealing my name/DoB/number" and "sign something". Obviously not impossible to pretend that you're signing an innocuous document and have you sign something else, but it at least removes some of the low-hanging fruit.


As a potential Mr. Doe, I'd love to have an ability to opt in to a stricter mode of banking. I would voluntarily ask my bank to refuse certain types of transactions in my name unless my identity can be confirmed by secure machine-readable means at my presence; internal phone calls should not qualify. It could be a bank card, or a passport — yes, both can be physically stolen, but it's much harder to pull off, and I would immediately warn my bank when I notice.


That seems entirely like an implementation detail that doesn't have anything to do with the smart card interface itself.

It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response, verified when used, so that it can't be used for anything but the approved purpose.


> It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response

The reader application can, sure, but what ensures that that "reader application" is genuine and can't be subverted? The card's own processor is supposedly tamperproof, but all the display etc. is in the reader which is probably owned and controlled by whatever third-party you're identifying yourself to, or at best it's a random application running on your PC/phone with whatever malware you have.


This is already a more restricted type of attack than the common identity theft that's rampant right now in the US.

What you're describing requires the actual terminal you're interacting with to be malicious, and it can only be used to authorize individual transactions.

As things stand in the US, a much broader class of attacks are not only possible but common, in which the attacker takes over the identity of the victim and can authorize any number of transactions in their name.


Why do you trust the reader though? It could display one thing and send another. Although I guess this also happens with payment card terminals. Who's to say the €3 displayed is not charged as €300...


This is a solved problem.

If the ID is on your phone, you can make it so that the transaction details have to be digitally signed by the person authorizing them in order to be valid. Then, if 3€ shows up on your phone, that's what you're authorizing, not 300€.
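The keyserver-with-revocation point made earlier in the thread ("they can just remove your old one from the keyserver") and the what-you-sign point made here (the request purpose and the amount must be inside the signed bytes, "verified when used, so that it can't be used for anything but the approved purpose") come down to one verifier routine. The Go program below is an added example, not code from any comment or from any real national ID scheme; it uses Ed25519 to stand in for whatever the chip does. The relying party, the purpose and the amount are part of the signed message, the verifier checks the card against a registry with a revocation set, and each nonce is accepted once. Card IDs, party names and purpose strings are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is what the card signs. Party, purpose and amount sit inside the
// signed bytes, so a signature made for an age check is not a valid signature
// for a loan; the nonce and timestamp make it single-use.
type Assertion struct {
	CardID   string `json:"card_id"`
	Party    string `json:"party"`   // relying party that asked, e.g. "shop.example"
	Purpose  string `json:"purpose"` // "age_check", "loan", ...
	Amount   int64  `json:"amount"`  // cents; 0 when the purpose carries no amount
	Nonce    string `json:"nonce"`
	IssuedAt int64  `json:"iat"`
}

// KeyFromSeed derives the card's key pair from a 32-byte seed; only the
// public half goes to the registry, the private half stays on the chip.
func KeyFromSeed(seed []byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// Sign is the chip's only job: return canonical bytes and a signature over exactly them.
func Sign(priv ed25519.PrivateKey, cardID string, a Assertion) (msg, sig []byte, err error) {
	a.CardID = cardID
	if msg, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Registry stands in for the keyserver: enrolled public keys plus a revocation set.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) { r.keys[id] = pub }
func (r *Registry) Revoke(id string)                         { r.revoked[id] = true }

const maxSkew = 300 // seconds an assertion stays acceptable

// Verify is the relying party's check: enrolled and unrevoked card, valid
// signature, right party and purpose, fresh timestamp, nonce not in seen yet.
func Verify(reg *Registry, seen map[string]bool, party, purpose string, msg, sig []byte, nowUnix int64) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(msg, &a); err != nil {
		return nil, err
	}
	pub, ok := reg.keys[a.CardID]
	if !ok {
		return nil, errors.New("unknown card") // ed25519.Verify panics on a nil key, so check first
	}
	for _, c := range []struct {
		bad bool
		why string
	}{
		{reg.revoked[a.CardID], "card revoked"},
		{!ed25519.Verify(pub, msg, sig), "bad signature"},
		{a.Party != party, "signed for a different relying party"},
		{a.Purpose != purpose, "signed for a different purpose"},
		{nowUnix-a.IssuedAt > maxSkew || a.IssuedAt-nowUnix > maxSkew, "stale assertion"},
		{seen[a.CardID+"|"+a.Nonce], "nonce already used (replay)"},
	} {
		if c.bad {
			return nil, errors.New(c.why)
		}
	}
	seen[a.CardID+"|"+a.Nonce] = true
	return &a, nil
}

func main() {
	seed, n := make([]byte, ed25519.SeedSize), make([]byte, 16)
	rand.Read(seed)
	rand.Read(n)
	priv, pub := KeyFromSeed(seed)
	reg := NewRegistry()
	reg.Enroll("card-0001", pub)
	now, seen := time.Now().Unix(), map[string]bool{}
	msg, sig, _ := Sign(priv, "card-0001", Assertion{Party: "shop.example", Purpose: "age_check", Nonce: fmt.Sprintf("%x", n), IssuedAt: now})
	_, err := Verify(reg, seen, "shop.example", "age_check", msg, sig, now)
	fmt.Println("shop, age check:", err) // <nil>
	_, err = Verify(reg, seen, "bank.example", "loan", msg, sig, now)
	fmt.Println("bank, loan using the shop's signature:", err) // signed for a different relying party
	reg.Revoke("card-0001") // lost card: pulled from the keyserver
	_, err = Verify(reg, seen, "shop.example", "age_check", msg, sig, now)
	fmt.Println("shop after revocation:", err) // card revoked
}
```

The part this does not solve is the one raised above: the card signs whatever bytes the reader hands it, so the binding only protects you if the reader that showed you "age check, 0 cents" is the same one that built the message. A display and confirm button on the card (or the phone acting as the card, as the comment suggests) closes that gap; a PC or kiosk you do not control does not.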


Sure, given an advanced enough device anything is possible. But I think here we are still discussing a "card" form factor for ID? (Being an "unperson" simply because you don't have a smartphone or have a rooted one would be "interesting").


You wouldn't be an "unperson" without a smartphone, but your financial transactions might not be as secure.


Most places with digital IDs use either a phone card reader or the phone’s own NFC terminal to read a contactless smart card. The cryptographic key comes from the smart card, with the phone as a payment terminal.

Nothing advanced is required. And sure, your phone can be hacked, but there’s only so much fearmongering to go around.


The US has infrastructure, but it's only issued to military and federal employees.

https://en.m.wikipedia.org/wiki/Common_Access_Card https://en.m.wikipedia.org/wiki/FIPS_201


How is key revocation authenticated?


Funny you should say that. Australia is trying to launch TEx, designed on open-source models, to do this kind of thing. It's hitting the usual roadblocks of public acceptance of government mandated ID, in an economy which trashed the "australia card" idea back in the 80s. We're wiser now, we've been frogs boiled slowly: the downsides of central safe ID/auth are outweighed by the risks of loss of info giving everyone 100 points information.

The government now knows what we do most of the time anyway: layer-2 logs on our phones are constant. We lost any privacy some time ago. So now, getting security back might be a net win.

https://www.abc.net.au/news/2024-08-13/trust-exchange-digita...


Except it's being implemented by the people who brought you robodebt.

So i imagine the "Number of people driven to suicide" KPI is going to be pretty high. They're not going to want to ship something that performs worse.


Yes. There is that. But it's only true to the extent all government things are brought to you by the government. If the underlying IMS system used for datamatching by ATO and Centrelink is the product of the same s/w development group I'd be a bit surprised. It's different code.

But I am by tendency an optimist, and the open-source part (if they do that) means we can have eyes on their crypto assumptions behind the protocol and whats on the device.

MyGovID, which I think they're baking into it, has been pretty solid. That's distinct from your mygov account, many of which have been hacked, in part because so few people used MyGovID.

(if you've got better info always happy to see it)


I mean it's literally being built by Services Australia with all the baggage of that organisation.

The execs are mostly the same. the product contracts run by the same people and even the minister is now the same again. they have no interest in changing or correcting.


> layer-2 logs on our phones are constant.

Huh?


Every phone provider has a log of the IMEI binding to cell tower and triangulation over multiple towers. Call logs are one thing, carrier cell connect and disconnect is another.

If your phone is on, your position in time and space to some circular error is also known, continuously.

To say nothing of Bluetooth that's with the advertising hoardings and inside the store mainly.

Basically, any privacy nut with a phone and simcard is in denial.


Someone concerned about privacy could just keep their phone in a faraday cage case and take it out only when needed, no?


We should be doing both, for different reasons. Ban data brokers because they allow anyone with a credit card to stalk people, more or less legally. Fix the SSN identity system because even if you ban data broker businesses, dark web brokers don't abide by the laws anyways.


I’d replace “instead of” with “in addition to”.

Going after data brokers seems like low hanging fruit, and necessary even if the ID system needs to be replaced. This is a top level issue that need to be addressed regardless.

While I think it’d be great to design a system where the information you mention is harmless (I’m curious how this would work without just shifting the problem to whatever new identifier is established), the reality is that this information is not harmless, and will continue to be dangerous to leak for the foreseeable future due to the myriad of systems that use this data in its current form. Any theoretical project to replace this would likely be a long and drawn out undertaking. Addressing the information environment in the meantime seems like a good idea.


> I’d like them to fix the problem rather than playing whack-a-mole with banning data sources

We should fix the problem and ban the data-sources. Whack-a-mole makes it sound like we're talking about a ban on one company, but what clearly needs to be done is a categorical ban on super sketchy business practices, and that seems simple enough. Data-brokers, if they are going to exist at all, need to accept the burden of proof to establish that every single row involves consent, and they need to acquire new consent for every single resale of the information. If that makes the whole industry unprofitable, too fucking bad. And if this looks bad for business, it gets even worse: good luck getting consent for reselling what is mine without offering me a cut.

Since the above kind of common sense looks crazy these days, let's throw in something even more radical. For anyone looking to fund UBI, ^ here's a start. The trouble with the often-mentioned idea of "tax the data" as a solution for privacy concerns is that these taxes are just redistributing wealth from corporations to governments, while all of profit is made with our information. Who wants the monetized details of their personal life to pay for the next unjust war, or even the roads in some place they don't live. If we are so valuable, put some of that money back in our hands, and if the price doesn't sound fair to us, then let us opt out of the sale.


The uneven availability of information means that no, it's not better to just design a better ID system. Data brokers give corporations far more advantages than a normal person could ever protect themselves against, because even if the data broker doesn't have your government-issued credentials they can still easily designate who you are by collating all the data from other means such as purchasing habits, cellular, and service guest lists.


It's politically a non-starter in the US. US states have a lot of power that is derived from their ability to maintain their own ID systems. The states have fought for almost 20 years on requirements as simple as REAL ID.


Plenty of countries have smart cards with chips and RSA keys that can be used to verify ID with much higher level of certainty, but then they usually don't use it.

Even just name, DOB and last 4 of the SS number and you are done.

It's ridiculous.


https://news.ycombinator.com/item?id=41249568

https://news.ycombinator.com/item?id=40961834

TLDR Login.gov, and publishing a circular to allow businesses to use it to identity proof. Push all liability onto the business for losses if this method is not used to identity proof. ID card as ljm mentions, such as a passport card. Very similar to credit card EMV chips and the liability shift from magstripe.

> I don’t know what that would look like but if I had congresses attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.

Aggregating data means it can be lost. You must therefore make aggregating and storing data toxic, and impossible to be leaked through eventual mismanagement.


We detached this subthread from https://news.ycombinator.com/item?id=41249125.


I thought it was a legitimate proposal to the problem at hand, but respect and understand the decision. My apologies for taking the conversation potentially off topic.

https://paulgraham.com/founders.html

> Though the most successful founders are usually good people, they tend to have a piratical gleam in their eye. They're not Goody Two-Shoes type good. Morally, they care about getting the big questions right, but not about observing proprieties. That's why I'd use the word naughty rather than evil. They delight in breaking rules, but not rules that matter. This quality may be redundant though; it may be implied by imagination.

While scoped to founders, I think it broadly applies to a subset of curious people who are wired to solve problems, imho.


Err, why do you need a GPT for this stunt? For a quarter of the price of a 2010s mid-range HP laptop, I have a Python script for you.


I am just dreading the day when a near-simultaneous cyberattack on a high number of (more vulnerable, like middle-lower income) individuals starts in a DDoS fashion:

1. Credit histories will be (unlocked) used to file multiple credit applications and tax credits will be applied for.

2. Multiple cell phones will be hijacked through SIM hijacking or other zero-day attacks to make it very difficult to get back in.

3. A person's profile will be used to attack the most vulnerable things: their families will get fake calls to create confusion; their financial services will be frozen or, worse, weak 2FA ones will be compromised.

4. Deepfake images and videos will be created from compromised accounts to sow further mayhem.

This already happens in targeted, one-strategy-or-the-other fashion. Imagine what one could do with a bit more compute and completed profiles, and orchestrate this kind of terrible vengeance.


I am wondering what the numbers are like for this to be realistic.

I am not too sure of the end goal other than general chaos. Let’s say it’s 2 days of an attack, (that’s about how long any co-ordinated response would need at minimum).

So attackers need to sow chaos across the USA. They apply for a million unsecured loans of say 20k each. That’s 20 billion.

I honestly don’t know what the daily personal loan application rate is, but America has about 150M adults, 1% of them applying on the same day will not only raise flags but would basically grind the system to a halt - each loan office would have daily maximums and a massive spike could not be handled. And once the massive crowd is noticed and made public then the financial immune system comes into play.

I can imagine taking out the cell network through a sort of SS7 ddos, but I suspect that cell towers might have a dose more vulnerabilities (probably not as basic as all the admin passwords are ComC4astSux but close)

In general chaos seems to come from attacking the limited services that act as our safety net (ambulance, police, sewage, electricity). We know these are vulnerable in non-obvious ways - CrowdStrike for example.

Making otherwise fit and healthy citizens have a shitty day is less impactful than we might think - it will be the “blip” day - as I say 48 hours later the Treasury secretary goes on TV and announces all personal loans that day got cancelled or some other fix - finance has a fairly good immune system when it sees the need.

But overall, if we are going to worry about some attacks, let’s look at the ones that attack our freshwater supplies - and that might not mean some terrorist - in the UK our sewage handling has been under attack by Private Equity for decades and SWAT teams are not allowed to shoot people in Belgravia


You’d need to pick a day of importance to launch the chaos-sowing attack against information and social services. I’m sure there’s a useful one in early November.


Thanksgiving is at the end of the month though


They're alluding to the U.S. presidential election.


In the US, the government could help a lot if they simply moved to a national ID system and dismantled social security numbers.

The national ID systems I've seen proposed have a lot more security from the ground up, and could replace the passport system.


The US has done itself a disservice with their actions because few people trust the government. A national ID system means a database of all Americans that would very likely be used for surveillance and monitoring. I'm saying this as someone who has Global Entry so it's not like I'm afraid of being in a US database but I see the concerns.


That surveillance already exists with insignificant additional work on the part of the government. The cost of not establishing a best ID system has been clearly more costly. That's why the Real ID system was pushed onto state governments.


Pretty sure the FBI and equivalent agencies already have access to every state’s DMV records so it’s sort of a distinction without a difference.


Correct


That survail


The US doesn't need a national ID. It needs a national PKI.

The US Postal Service is in a great position to be the one who executes it. They have the ability to deliver physical goods to the entire country. They have the staff and procedures to do identity verification for their current products that could be extended to a PKI offering.

It'll never fly, politically.


If you look at the best national ID systems in Europe, effectively it’s all leveraging PKI. It needs a name, of course (National ID) and a purpose, however the entire core of these systems rests on PKI.


National ID won't sell, politically, in the US. Branding it as some kind of "cyber" nonsense might give it some legs. (Just until the opposition starts calling it "National ID". I don't think political buy-in will ever happen in a reasonable timeframe no matter how it's branded.) The opposition to the REAL ID Act is evidence enough.


"Wow, the government is so catastrophically bad at managing IDs; what should we do?"

"Hmmm. I know! Let's get the government to manage a mandatory ID system, and require it for all aspects of citizens' lives! In fact, let's centralize all of their medical, financial and personal data using this ID, and ensure that it can all be accessed using this ID! What could possibly go wrong?"


I wonder if you could create a national or federated ID system that takes advantage of blind signatures/ZKP to improve privacy. For example, you could create an unlimited number of identities to hand out to different businesses, and they could use ZKP to prove that you are above 18, a non-felon, or an organ donor etc. Dunno how something like photo ID would work.
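The unlinkable-attribute idea above, as an added toy example (not from the thread or any real ID scheme): an RSA blind signature where the issuer signs a claim such as "age>=18" without ever seeing the value it signs, so the token a business later verifies cannot be linked back to the issuance. The primes, exponent and claim strings are constructed for illustration and far too small for real use; the issuer is assumed to have checked the claim out of band before signing.

```python
import hashlib
import math
import secrets

# Constructed toy RSA parameters (assumption, for illustration only): these
# primes are far too small to be secure; a real issuer would use >= 2048 bits.
P, Q = 1299709, 15485863
N = P * Q
E = 65537                         # issuer's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def attribute_digest(attribute: str) -> int:
    """Map a claim string such as 'age>=18' to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(attribute.encode()).digest(), "big") % N


def blind(attribute: str) -> tuple[int, int]:
    """Holder side: hide the claim from the issuer with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:  # r must be invertible mod N to unblind later
            break
    blinded = (attribute_digest(attribute) * pow(r, E, N)) % N
    return blinded, r


def issuer_sign(blinded: int) -> int:
    """Issuer side: signs the blinded value, learning nothing about the claim.
    The issuer must have verified the holder's eligibility out of band."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Holder side: remove r to obtain a plain RSA signature on the claim.
    (H*r^E)^D = H^D * r, so multiplying by r^-1 leaves H^D."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(attribute: str, signature: int) -> bool:
    """Relying party: checks the token with the issuer's public key only."""
    return pow(signature, E, N) == attribute_digest(attribute)


def issue_token(attribute: str) -> int:
    """Full exchange (blind, sign, unblind). Returns a presentable token."""
    blinded, r = blind(attribute)
    return unblind(issuer_sign(blinded), r)
```

Each run blinds with a fresh r, so the issuer sees a different value every time while the unblinded token is the same plain signature on the claim; a deployable scheme would also bind the token to the holder so it cannot simply be handed to someone else.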


I wonder how many governments have this capability right now? I would guess at least three.


As far as I know, most of the developed and developing countries have this kind of database. I also know some poor countries do too, but they often lack security measures.


SSNs can be used to disconnect utility service, too. Doing some amount of that would surely add to the "fog of war". It often takes phone calls but the tools have been created to automate that on a massive scale.


Luckily, there aren't multiple hostile nation states capable of this. /s

All that I can see preventing it is deniability and eco-political risk.


TL;DR:

> an intriguing story that doesn't require any further action.



