Comment by ghm2180
9 months ago
I am just dreading the day when a near-simultaneous cyberattack on a high number of (more vulnerable, like middle-lower income) individuals starts in a DDoS fashion:
1. Credit histories will be (unlocked) used to file multiple credit applications and tax credits will be applied for.
2. Multiple cell phones will be hijacked through SIM hijacking or other zero-day attacks to make it very difficult to get back in.
3. A person's profile will be used to attack the most vulnerable things:
   - Their families will get fake calls to create confusion.
   - Their financial services will be frozen or, worse, weak 2fac auth ones will be compromised.
4. Deepfake images and videos will be created from compromised accounts to sow further mayhem.
This already happens in targeted and one strategy or the other fashion. Imagine what one could do with a bit more compute and completed profiles and orchestrate this kind of terrible vengeance.
I am wondering what the numbers are like for this to be realistic.
I am not too sure of the end goal other than general chaos. Let’s say it’s 2 days of an attack, (that’s about how long any co-ordinated response would need at minimum).
So attackers need to sow chaos across the USA. They apply for a million unsecured loans of say 20k each. That’s 20 billion.
I honestly don’t know what the daily personal loan application rate is, but America has about 150M adults, 1% of them applying on the same day will not only raise flags but would basically grind the system to a halt - each loan office would have daily maximums and a massive spike could not be handled. And once the massive crowd is noticed and made public then the financial immune system comes into play.
I can imagine taking out the cell network through a sort of SS7 DDoS, but I suspect that cell towers might have a dose more vulnerabilities (probably not as basic as all the admin passwords are ComC4astSux but close).
In general chaos seems to come from attacking the limited services that act as our safety net (ambulance, police, sewage, electricity). We know these are vulnerable in non-obvious ways - CrowdStrike for example.
Making otherwise fit and healthy citizens have a shitty day is less impactful than we might think - it will be the “blip” day - as I say 48 hours later the Treasury secretary goes on TV and announces all personal loans that day got cancelled or some other fix - finance has a fairly good immune system when it sees the need.
But overall, if we are going to worry about some attacks, let’s look at the ones that attack our freshwater supplies - and that might not mean some terrorist - in the UK our sewage handling has been under attack by Private Equity for decades and SWAT teams are not allowed to shoot people in Belgravia.
You’d need to pick a day of importance to launch the chaos-sowing attack against information and social services. I’m sure there’s a useful one in early November.
Thanksgiving is at the end of the month though
In the US, the government could help a lot if they simply moved to a national ID system and dismantled social security numbers.
The national ID systems I've seen proposed have a lot more security from the ground up, and could replace the passport system.
The US has done itself a disservice with their actions because few people trust the government. A national ID system means a database of all Americans that would very likely be used for surveillance and monitoring. I'm saying this as someone who has Global Entry so it's not like I'm afraid of being in a US database but I see the concerns.
That surveillance already exists with insignificant additional work on the part of the government. The cost of not establishing a best ID system has been clearly more costly. That's why the Real ID system was pushed onto state governments.
Pretty sure the FBI and equivalent agencies already have access to every state’s DMV records so it’s sort of a distinction without a difference.
The US doesn't need a national ID. It needs a national PKI.
The US Postal Service is in a great position to be the one who executes it. They have access to deliver physical goods to the entire country. They have the staff and procedures to do identity verification for their current products that could be extended to a PKI offering.
It'll never fly, politically.
If you look at the best National ID systems in Europe, effectively it’s all leveraging PKI. It needs a name, of course (National ID) and a purpose, however the entire core of these systems rests on PKI.
"Wow, the government is so catastrophically bad at managing IDs; what should we do?"
"Hmmm. I know! Let's get the government to manage a mandatory ID system, and require it for all aspects of citizens' lives! In fact, let's centralize all of their medical, financial and personal data using this ID, and ensure that it can all be accessed using this ID! What could possibly go wrong?"
I wonder if you could create a national or federated ID system that takes advantage of blind signatures/ZKP to improve privacy. For example, you could create an unlimited number of identities to hand out to different businesses, and they could use ZKP to prove that you are above 18, a non-felon, or an organ donor etc. Dunno how something like photo ID would work.
I wonder how many governments have this capability right now? I would guess at least three.
As far as I know, most of the developed and in development countries have this kind of database, I also know some poor countries do too, but they often lack security measures.
SSNs can be used to disconnect utility service, too. Doing some amount of that would surely add to the "fog of war". It often takes phone calls but the tools have been created to automate that on a massive scale.
Luckily, there aren't multiple hostile nation states capable of this. /s
All that I can see preventing it is deniability and eco-political risk.