Comment by EvanAnderson
9 months ago
For years I've said the entire SSN database just needs to be published alongside legislation strictly assigning liability to any company defrauded as a result of using the SSN as a "secret". That would fix the problem with SSNs and "identity theft" quickly.
Part 1 has been accomplished. Let's get part 2 going!
Aside: It amazes me how the American public has allowed defrauded companies to assign the company's loss as a liability to innocent individuals (in the form of "identity theft"). It would be great if we could get that changed in the minds of the public. A well-informed public could collectively turn "identity theft" into the "bank's problem" (from the old adage "If you owe the bank a billion dollars, they have a problem..."). The insurance industry would swoop in as the defrauded parties start making claims, and shoddy security practices would get tightened up.
(Edit: I fear insurance companies coming in to "fix this" to some extent, citing my experiences with PCI DSS compliance auditing and customers who have had 'cyber insurance' policies coming with ridiculous security theatre requirements. Maybe we can end up with something like a 'cyber' Underwriters Laboratories in the end.)
(Also: Yikes! I hate that I just typed 'cyber' un-ironically.)
Identity theft is a very clever term to shift blame from the company to the consumer.
https://youtu.be/CS9ptA3Ya9E
It’s a comedy bit but I take its point seriously: if the bank gives away money, it’s the bank’s job to make sure it is repaid. Not mine, unless I was actually a party to the agreement.
Well then you're up against the wall of digital verification.
I know there's a fuck load of situations where the banks are 100% screwing the customer to their benefit, but there's a legit conversation about people who give out their passwords, or claim they did, when money gets wiped out.
If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".
Now granted:
1. With passkeys, biometrics and 2FA we've got a lot of better ways to make these accounts secure, and hopefully more idiot-proof. I'm hoping we start getting rid of email/phone for 2FA as a valid option, though.
2. The moment the police are treating it as an identity theft case, the bank should be required to pony up. I don't know if that's the case (and wouldn't be surprised if they fight it tooth and nail), but at that point you have a state or federal entity acknowledging this is not a legit transaction, and therefore you should be compensated by the bank, and they can get their money back from the insurance companies that insure against this kind of thing.
> If you meet all the requirements to identify yourself to the bank, at what point does the bank have to say "this is that person, and that transaction is legal".
Our current system is entirely built on ridiculous levels of trust, mostly for convenience / cost-saving reasons. I've made payments over the phone with nothing more than the information found on the bottom of every check I've ever sent. I routinely hand my credit card to waitstaff making $7.25 an hour, and in that moment I'm handing every last one of them the ability to snap a photo of my card on their phones and go on a shopping spree at my expense.
As insane as our system is, it's mostly worked. Even though I've been made to pass around my account info countless times, I've never once had my accounts cleaned out. If a single mother with less than 1k in her account gets robbed, I have a hard time blaming her. She had zero say in the design of this system, and she's the person least able to deal with the cost of the consequences of it.
On the other hand, I have very little problem putting the blame on the banks which do control much of the system and who can more than afford to cover the costs of such incidents. This puts a small amount of financial pressure on them to improve the systems they've created and forced the rest of us to use in order to participate in society.
There are all kinds of things they could be doing to reduce fraud, but they don't. Mostly for convenience / cost saving reasons. I consider their refusal to take even simple steps to improve the security of their systems as their implied consent to continue accepting the responsibility for the still rare instances where criminals take advantage of their inaction.
The Google Authenticator app (just as a mainstream example) was released 14 years ago. When we're still waiting for a lot of banks to even support TOTP, consider me unimpressed with the level of effort banks are putting into securing my accounts.
>Well then you're up against the wall of digital verification.
That's the whole point: they should use a standardized authentication process. The problem is that they don't use any authentication at all. They just give money away because they can extort it back from the unsuspecting victim like some gangsters.
How do you feel about the recent case where a caretaker for a disabled person, who was given permission and access to use the person's cards, banking app, etc., ended up stealing from the person? The bank's response: they had given the caretaker access, so it was their fault.
Even if you have all the passwords and biometrics, passkeys, 2FA, etc., how can you prevent theft like this?
Banks should get insurance to cover their negligence. They weren't careful.
The obligatory Mitchell & Webb sketch
https://m.youtube.com/watch?v=CS9ptA3Ya9E
YES!
I couldn't remember their names and absolutely was thinking of this.
It's not even necessary to publish the database. Pass a law, or even possibly a regulation or court instruction, that SSN is not a sufficient basis to establish identity, and that any unauthorised financial transaction, legal document, commercial transaction, or other use relying on SSN is considered prima facie uninsurable fraud.
Use would likely diminish markedly.
Ever since the Equifax breach I've been a proponent of a new national ID program to replace the SSN, one that can be designed for what the SSN has become and is tolerant of these never-ending data breaches.
Maybe this will give a second chance at a conversation around that, but I’m not too hopeful.
US law does generally make fraud the bank's problem. Identity theft isn't a loophole in this; it is a situation in which there is a logical ambiguity in differentiating one fraud from another. If they just believed everyone who said "it wasn't me that spent that money!", that would just be opening another vulnerability.
I think we've got liability pretty well buttoned-up in the banking industry. I'm more concerned about the non-bank businesses. (I recently obtained utilities at a new house. All three utilities-- electrical, gas, and water/sewer-- use my SSN as an authenticator for my account. In 2024.)
It isn't great, but I don't think there's much risk there. There's not really much of a motivation for some random person to get into my utility account. The balance is never positive. Utilities are physically bolted to my house. They're pretty heavily regulated too. If someone wanted to steal electricity from my house, they can use the outlet on my patio that has zero authentication whatsoever.
When I obtained utilities for my house, none of them required my SSN. The water company asked, but I declined, so they asked for a fax of my driver's license (which I could have probably photoshopped, but didn't).
Just because people ask for something, doesn't mean you have to give it to them. I leave fields blank all the time on different (paper) forms (including when they ask for SSN), virtually no one hassles me.
I maintain my utilities account by email.
As crazy as it is… kinda smart lol