The Equifax Breach Exposes America's Identity Crisis (wired.com)
178 points by lxm on Sept 10, 2017 | 127 comments



I don't know. I found the argument convincing that even naming the breach "identity theft" is beginning to push responsibility away from Equifax and make it seem a personal problem of those affected, or a general societal phenomenon. When in reality it's just Equifax's poor security practices.

As you probably know, the exploit basically is using Java's ability to dynamically execute code from JVM bytecodes (supplied via XML in this case, but that's just an implementation detail). Once you get remote code execution ability, it's game over for most Java backend apps, because these are executed in a single process/address space and thus lack basic process isolation. Even if JAAS were used to propagate authorization contexts within the Java backend, typically (almost always) Java apps operate in such a way that a single database identity/credential set is used for any and all database access.

Dynamic bytecode execution is a core feature of Java and other JIT execution environments, so you can't use straightforward NoExecute bits (provided by hardware and supported by OS loaders to disallow calling into dynamically allocated memory) to prevent this from happening, and can't contain/isolate execution paths with authorization contexts either. For these reasons, I think this breach should make banks and other financial institutions rethink their Java strategies mid- to long-term.


There are two massive problems and neither of them has anything to do with executing an attacker's code.

First, for Equifax, their databases should be sufficiently isolated from front-end web servers. SQL gives you the ability to, in essence, ask the database any question the data can possibly answer. Instead, Equifax needs to do the work to enumerate all the questions they want the data to answer and put intermediate API services in place that answer only those questions. Public-facing web servers should only be allowed to contact the intermediate API servers, and not the database. With data that has the value (to an attacker) that Equifax's database does, this is the minimum that needs to be done to offer reasonable security.

Second, there's an identity problem. That identities can be stolen using largely facts about people (name, address and such and, yes, SSN) is a fundamental problem in how we identify people. They're using non-secrets in a way that assumes they are secret. A Keybase identity is much closer to the model that the industry needs to adopt.

Chalking up the cause of this to flaws in some ancient Java web framework that's barely used anymore is just sweeping the true problems under the rug. The industry needs a fundamental overhaul to how they identify people and mandatory security compliance (hey...they foisted PCI-DSS on etailers and card processors, so they can't complain when something similar is foisted back on them) to keep our information safe.


> I found the argument convincing that even naming the breach "identity theft" is beginning to push responsibility away from Equifax and make it seem a personal problem of those affected, or a general societal phenomenon. When in reality it's just Equifax's poor security practices.

The thing being hidden isn't the surveillance bureau's poor security practices, but the banks who actually extend credit. Banks want to pretend that they can define identity as equivalent to a few bits of public information, and when they're defrauded blame innocent bystanders instead of their own broken abstraction.


Before getting too deep into this, how do we know it had anything to do with injecting bytecode? It's not clear that's what the Struts bug was about.


Ability to execute data as code is present in many languages. Almost all of them these days. I think you are saying that banks should only use C or C++?


I don't know Java well, but at least in .NET it's possible to set a flag that disables execution of dynamically emitted code.

Obvs, you should do this on every box that accepts connections from the outside world.

Obvs, it's no easier to get people to do this in practice than it is to get people to quit using string formatting to get parameters into their SQL queries.


Make it opt out/default behavior.


Or use other statically compiled languages instead.

Or at least use Java or O/S sandboxing features.

At least in the web-facing parts of their apps.

In any case, this requires some planning ahead, and a mindset different from "agile".

Maybe Java 9's AOT compilation can help in the process, but even if it could produce stand-alone programs, I think the dynamism in Java code (reflection, annotations, dynamic class loaders) will make this infeasible for most code bases.


He is saying they should practice process isolation. Example architecture: https://cr.yp.to/qmail/guarantee.html


He also suggests that even with process isolation in the application layer, the database is likely not going to be isolated and you'll be breached anyway.

The qmail architecture would likely be very inefficient with 100M+ users.


DEP and ASLR provide significant mitigation of the threat posed by this capability in statically-compiled languages, so it is definitely an issue that should be considered, along with others. Having said that, it is unlikely that there is any merely technical solution for the problem, which arises from the whole system being predicated on a falsehood - the assumed confidentiality of SSNs.


Programs in C and C++ can still execute data as code with buffer overflows. They're not a panacea either.


That's right, but the OP did mention how that issue is addressed in C/C++:

> so you can't use straightforward NoExecute bits (provided by hardware and supported by OS loaders to disallow calling into dynamically allocated memory


Buffer overflow


Why is the top comment about the JVM? This has nothing to do with the article.


Something non-US folks don't always get about the US -- in a lot of ways, the US is more analogous to the EU than it is to any one country of Europe. That is to say, the US Government is the national entity, but quite a lot of power is still held in the states. There is a 200+ year wariness of federal power here.

One of the ways this manifests itself is that identity is established and maintained largely by the states. Your driver's license is basically your national ID here, even though there are 50 different kinds of driver's licenses.

In the 1930s we had Great Depression, New Deal, etc. and Social Security. Once Social Security Numbers became a thing, they became wildly popular as a stand-in for a national identifier. And now they're crucial, and they get stolen all the time, and we have nothing better to replace them with.

National IDs are a nonstarter politically in the US. One side thinks it is undue encroachment on local rights, and the other side thinks requiring ID disenfranchises the poor and undocumented. That's the tl;dr version of course -- reality is more nuanced.


> in a lot of ways, the US is more analogous to the EU than it is to any one country of Europe

Interestingly, this is because the EU was modelled after the USA, though things didn't quite go according to plan so we have the EU instead of the USE.

Regardless of political standing, I do recommend https://www.amazon.co.uk/Great-Deception-European-survive-Re... for an in-depth history of the EU.


> National IDs are a nonstarter politically in the US. One side thinks it is undue encroachment on local rights, and the other side thinks requiring ID disenfranchises the poor and undocumented. That's the tl;dr version of course -- reality is more nuanced.

As a non-American, this doesn't really make much sense to me. There's already a national ID, the Social Security card. It's just a really really terrible form of national ID.


Social Security card is made of paper, has nothing but the number and your name, and 99% of people in the US have lost, destroyed, or never carried it to begin with. Stupid paper card even says "Do not laminate" but mine is laminated and thus intact after 40 years.

SS#'s were never meant to be personal ID numbers or national ID numbers. This was a big thing when they were introduced. Unfortunately, companies use them ALL the time. There should be a law against companies asking for your SS#.

Anyway, nothing about American government or the American people makes sense. We're probably the most irrational, stupidest electorate in the world. I mean, look who we elected president!


Except if the SS number was not meant to identify people, what was it for? It was meant to track people throughout their lives to set the amount they get paid by the program based on what they made / what SS tax they paid.

It is terrible at that, it is terrible as a general ID, and it's just another example of doublethink in American politics - we want national welfare programs that are restricted only to valid citizens, but we don't want to actually know who the citizens are or keep track of them, or have any concrete way to identify them.


> Except if the SS number was not meant to identify people, what was it for? It was meant to track people throughout their lives to set the amount they get paid by the program based on what they made / what SS tax they paid.

Sure, but there's a huge difference between identifying people's accounts with Social Security / IRS and being a National ID card used for everything everywhere. It was designed for the first, and intentionally forbidden for use as the latter, despite everyone using it that way anyway.

Social Security cards literally said "NOT FOR IDENTIFICATION" right on them, for 30 years, to try to stop this from happening. It did anyway...


I was wondering why it says "do not laminate". I found this FAQ:

> Do not laminate your card. Lamination prevents detection of many security features. However, you may cover the card with plastic or other removable material if it does not damage the card

https://faq.ssa.gov/link/portal/34011/34019/Article/3786/Can...


We're Americans, we don't have to make sense and float in oceans of hypocrisy.

"You can always count on Americans to do the right thing - after they've tried everything else." - Winston Churchill


An Example: https://www.aclu.org/other/5-problems-national-id-cards

And some arguments are laughable.

> What happens when an ID card is stolen? What proof is used to decide who gets a card?

Mine has a picture on it. If this argument is true, then why does any country issue passports, driver's licenses, etc.? Why do security enforcement agencies have identification? They are not perfect, but they work.

> An ID card system will lead to a slippery slope of surveillance and monitoring of citizens.

The "slippery slope" theory is just the straw-man fallacy in disguise.

> A national ID would require a governmental database of every person in the U.S. containing continually updated identifying information. It would likely contain many errors, any one of which could render someone unemployable and possibly much worse until they get their ""file"" straightened out.

This is the definition of what Equifax is. But it gets worse as people get onto no-fly lists because they share the same name as a person of interest. The lack of an ID card just magnifies the problem; it doesn't make it disappear. (http://www.nbcsandiego.com/news/local/Same-Name-Mistaken-Ide...)

> How long before office buildings, doctors' offices, gas stations, highway tolls, subways and buses incorporate the ID card into their security or payment systems for greater efficiency?

This information is already available to credit card companies. Is that better? And in Europe we have ID cards, and they are not used for any of those things. Except maybe the doctor's office, as your life depends on having reliable data and it is part of your health care rights provided by the government.

> A national ID card would have the same effect on a massive scale, as Latinos, Asians, Caribbeans and other minorities became subject to ceaseless status and identity checks from police, banks, merchants and others.

This says more about USA culture than about ID cards. Also, it already happens (e.g. the POTUS pardon).


There's no reason we can't have national IDs.

I don't have a drivers' license, but I carry my Passport Card around.


The parent just explained why there is not much support from either the people or the politicians for a national ID in the US. Even if you don't agree with him, the assertion that "there is no reason US can't have a national ID card" is clearly false. Of course, an individual can obtain a passport if he wants, but that is only required to travel out of the country and only a small percentage of US citizens do that.

P.S. if you don't drive, your state probably offers a state ID card equivalent to the driver license. It is generally cheaper to obtain and replace.


There's no technical reason, but there are plenty of political ones. And since our government derives its power from the consent of the governed, if enough people don't want national IDs we won't have national IDs.


I never realised till now that Americans' SSNs were supposed to be kept secret. That's absolutely ridiculous. The idea of trying to keep the UK equivalent (National Insurance Number) secret is laughable. How can anything function when an important ID number is also supposed to be known by very few people?


The scheme was designed in 1935 as a way of identifying people enrolled in the then-new Social Security program (hence the name), and was gradually made a de facto national ID number over the intervening decades as the increasing scale of national population and economic activity prompted a desire for greater legibility to facilitate management and taxation.

Greater legibility, management, and taxation are values not shared by a very sizable section of the US citizenry. Without digressing into a pointless and stupid flamewar over Humean oughts around these points of fact, we can acknowledge that every attempt thus far to implement a national ID scheme has been, and no doubt any future such attempt will be, energetically and, thus far at least, very effectively countered by those who so strongly prefer that no national ID scheme exist. Unfortunately, the US federal bureaucracy being what it is, we will have a national ID scheme whether well-designed as such or otherwise, and the wide adoption of Social Security and (generally) 1:1 mapping between SSNs and citizens made it the obvious candidate for a de facto national ID. Businesses followed government in adopting it as such.

Now, instead of a proper, admitted national identification scheme which would at least have a chance of being marginally secure, we have a motley collection of the world's most hilariously shitty zero-factor authentication methods, making a wide variety of frauds so trivially simple to perform that we've had to spin them off into a new category of their own, "identity theft", which we regard as just one of those unfortunate things that happens sometimes, like cancer. Even after the Equifax breach, it'll probably still be cheaper to continue looking at the problem this way than to roll back the eight decades of technical debt that have gone into creating it. So it goes.


The UK is also heavily resistant to any sort of national ID scheme, and so National Insurance numbers (our equiv of SSN) are also a sort of proxy ID for people in work etc. But the difference is we don't pretend they are secret. In other words: we use it as a primary key, but we don't assume it's a shared secret.


So let's say you want to apply for a bank loan or credit card online, or look up information about yourself on a government website - how do you prove you're you?

Or is this simply not possible in the UK without visiting a bank branch etc.?


You usually end up sending copies of your passport and proof of address (eg utility bill) by post. Sometimes the copies have to be certified by a lawyer/solicitor, to prove they are true copies of the original document.


Here in Argentina you sign the docs and write your name and in case of problems they'll analyze the signature and handwriting.


What problem does a national ID solve that a driver's license with linkage to a birth certificate and photo database with facial recognition will not?

Identity theft is about the regulatory environment. Banks are allowed to quickly vet credit customers, and consumers hold the bag for cleaning up the mess.


Use SSN for identity, but use a shared secret as authorization to use that identity.

Get SSN, name, place and time of birth, and birth name of mother. In theory 1 SSN maps to 1 (name, place and time of birth + mother's name) tuple, unless you have a twin and you are both called John. (Also, identity verification could also use biometric data.)

Banks already issue PINs to users, they should issue one for regular non-ATM interaction too.


SSNs of people before 2011 contain place of birth as the first five digits, with the last four digits assigned sequentially. Your method provides no additional security.


???

I simply argued that SSN is not security. It's at best identity. But it's a lousy one at that too, because it's hard to check and easy to fake. (You can fake the paper you get from the Social Security Admin easier than you can fake all the other pieces mentioned.)

SSN is just dumb because it's a direct function of the mentioned attributes plus a counter, that nobody can really check. (No one can distinguish identical twins based on their claimed SSN.)


Over the years, I am willing to bet that the average US adult over the age of 40 will have given their SSN to hundreds of organisations already... There is no realistic way to guarantee the secrecy of an SSN at this point - Equifax's breach notwithstanding.

For me, the takeaway isn't that the supposedly private SSN has been leaked but that it's been leaked with so much other information that, all added together, give bad guys a fantastic haul with which to run amok.

This, combined with the timing of the notification and the dodgy answers coming back from the automated online systems telling you that you "may" have suffered shows a total lack of regard for your data! You are now purely a commodity that corporates can use to their own ends. This is so glaringly obvious now.

Why companies are allowed to hold so much info on us is the issue here: more so, why are they not held to the highest of standards? Even a simple "each bit of personal data given to the wrong person will result in a $500 fine for the company" would soon add up.

The danger is that these companies (I mean all the credit agencies) push this onto the consumer to "manage". In fact, now that I read this back, it's pretty much a certainty at this point.

Unless someone goes to jail, or Equifax are shut down Arthur Andersen-style, then this will disappear!


> were supposed to be kept secret

It's especially laughable because you have to give it to -everybody-. Phone service, cable service, schools, employers, etc etc etc.


In a college class ~20 years ago the professor passed around a sign-in sheet expecting everyone to fill in their names and SSNs.

I was astonished, to put it mildly, both at the professor's cluelessness and the willingness of my fellow students to do it.


The article linked at the top of this thread discusses the need for different identifiers in different information contexts (education, health, tax, etc.).

Many education institutions 20 years ago used SSNs as a unique identifier for students. On the first day of class, the only way to determine if a body present in a class was actually enrolled was to confirm SSN.

Confirming identity in an education context is crucial in the first few weeks of class because being officially enrolled in a course affects student loans, work study, graduation paperwork, health insurance, etc. Additionally, many educational institutions have a policy that students not present for a class's first X meetings will be dropped from the course, a mechanism which allows students physically present to enroll in enrollment-capped courses (especially important for required courses).

One of the most straightforward ways educators had of verifying that a body was in fact who that body said he or she was--was to ask for SSN because many educational institutions used SSNs as unique identifiers (but not necessarily verifiers).

In other words, asking for verifying information enabled the educator to complete the institution's academic mission and to facilitate the educational needs of students.

It is not the fault of educators that financial institutions also use SSNs as both means of identification and verification.

As "clueless" as an educator might have been, he or she might be partially absolved for requesting PII in the context of educational bureaucracy. Granted, it would be better if each information context had unique identifiers that are not SSNs since SSNs are used by financial institutions.

EDIT: readability, grammar, clarity.


> Many education institutions 20 years ago used SSNs as a unique identifier for students

RIT university was still doing this only ten years ago, at the time I had to send a number of angry emails about publicly available lists of students with their SSNs indexed by Google.


My university in the 1980s used SSN as student ID number. It wasn't such a big deal then. People had their SSN pre-printed on personal checks.

Identity theft and online fraud didn't really exist at the time.


The Oregon University System moved away from SSNs as identifier in the late '90s. I could punch in my SSN to charge my meal in a dining hall to my account in '98.


The same holds for bank account numbers, which seems just as ridiculous to us Europeans.


I’ve recently seen inside the horror that is the US interbank clearing system. It seems crazy to me. In New Zealand we regularly share bank account numbers for payments, most obviously via TradeMe, our ebay equivalent.

If you had my bank account number you could authorise a payment with an approved direct debit provider, who have to keep the approval on file in case of a dispute.


Bank account numbers are on cheques. How would anyone keep them secret? By never using cheques?


Anyone can make arbitrary withdrawals or transfers with only the info printed on the check (modulo fraud detection of course). People just don't know or don't think about the total lack of any technical security of their money.


I don't, except among family members. Any payee I don't strongly trust and who won't accept an electronic payment gets a bank check instead - I'd rather pay a few dollars to have one of those made, than save them and risk having my entire account cleaned out through lack of diligence or scruple on the receiving end.


I moved from the US to the UK last year. I have seen two paper cheques in that time.

It is much more common over here to pay electronically, though both Direct Debit (receiver pull) and Standing Orders (payer push) require one person giving their bank details to someone.


FWIW paper checks are not nearly as popular in the US as they once were. Especially hand written. They are ironically useful as a "secure" form of receiving payment because ACH is such a big gaping security hole. Receiving paper isolates you from handing out an account number.


I still pay my rent in hand-written paper checks. It's kind of ridiculous, actually.


It's not a secret number, it's an unpublicized credential.

Any meaningful identity verification gets traced to an auditable event (i.e. your birth, immigration, etc.) and one or more tangible things that attest to your identity.

SSN is definitely important for credit, but know your customer laws are slowly making it less so.


One thing I've never really understood is that as well as an NI number we also have NHS numbers. Why aren't they the same thing?!


Because use of the NHS and having a national insurance number are not a 100% overlap. NI just means you paid through taxes and aren’t for example a tourist or asylum seeker.


It's a form of decentralisation. Your doctor doesn't need to know your tax details. The tax inspector doesn't need to know your medical history.


So it _is_ used as a secret then? I'm confused.


It's about as secret as your phone number I suppose. I.e. you probably won't write it on the side of your house but you will give it to lots of people.

The NHS having their own number is also to do with the NHS treating people who don't have NI numbers, and various historical reasons, eg the NHS started in the 1950s and I expect it was easier to just start a new number system than persuade the treasury to wheelbarrow over all the paper.


NHS numbers are typically more secret than NI numbers (though they needn't be necessarily) and many people don't know their NHS number at all


Because not everyone needs NHS numbers, and not everyone needs NI numbers, and neither is a subset of the other


"We need laws that limit the collection and use of SSNs."

The problem shouldn't be defined as "let's still keep the SSN secret, but limit its collection", because sooner or later your SSN will leak. The issue is that the SSN shouldn't be considered secret, and some other measures should be used to identify the person.


Anything collected will eventually leak.

The issue is that companies shouldn't be collecting ANYTHING, and what they do collect should get purged ASAP.

The problem is that every company got addicted to collecting information and nobody made them pay the price for doing so.


There are legitimate use cases where collecting and storing (in some manner at least) is necessary. You cannot just stop companies from collecting information, and furthermore stop them from storing any of it. That's just naive.


The private university I went to used to issue student emails that were first three letters of last name followed by last four digits of social security number. It always seemed odd to me. Years later, they've switched and we don't have that problem any more.

Companies can generate a unique identifier without using SSN. Of course, the main problem is that they can't do authentication based on that identifier. So why can they do authentication based on SSN?


SSN is the only reliable way to disambiguate duplicate names. Differentiating all the John Smiths by mailing address is too intractable, especially when you have JS Jr. and JS III living together. It is used to construct a primary key for the database.


Except that's not always been the case, either. SSNs have always been a terrible way to disambiguate people. There are weird, crazy edge cases in SSN history. Cases exactly such as JS Jr getting the same SSN as JS III in a podunk town because the local SSA administrator was feeling lazy that day and JS III was already deceased. The federal SSA website claims that that never happened, but if you have a big enough database (say, Equifax) you can spot all kinds of simple dumb human errors like that. For many, many years the SSA left local administrators in charge: the first 5 digits and the weird way they are hyphenated were local district numbers. For people born before 2011 (!), when the new randomization scheme was switched to, there is a 90% chance you can guess their first five numbers if you know their birth date and birth city (which is why it is so ridiculous that PII rules to keep SSNs safe ever considered it fine to show only the last four; those are the only meaningful digits for what is still the majority of SSNs in the wild).

SSNs were never designed for what the credit bureaus and banks and insurance companies (and everybody else) use them for, and there are too many cracks and failure cases. Companies need to admit their failures and come up with a real solution; but companies have so much sunk cost in SSN-keyed databases they aren't likely to ever actually do that. (Maybe this Equifax breach pushes more companies to try. Cynicism says companies remain cheap and invested in their sunk costs.)


Or just assign duplicates/everyone a generated unique/sequential number?


Really? I don't buy it.

A corporation needs my name, address, and probably email to do business with me. They need a credit card number when I purchase something and never else.

That's IT.

My phone number is not necessary (and everybody using it for 2 factor just makes everything less secure). What I buy is not necessary to record past fulfillment. When I buy is not necessary to record. Where I am is not necessary to record. etc. If a company stores this stuff and it gets leaked, they should be liable.

A couple of egregiously expensive fines will stop companies from collecting this information quite nicely, thank you.


The article goes a bit off the rails at the end, with all the focus on using a changeable identifier ("And if this new identifier were easy enough to change (unlike SSNs), breaches, leaks, and other unintended exposures would be less consequential.")

There's no reason not to keep SSN as an identifier. Just the same as I wouldn't change my name if I suffered identity theft. Instead there needs to be authentication (eg via a method such as a token, 2FA or whatever) - and it's that which needs to be resettable.

Simply making use of SSN alone illegal in certain industries would be a reasonable approach: it would stop current problems whilst not incensing the "mark of the beast" brigade.


I agree with you. Switching to another id system will mean we use that instead of SSN and have the same potential issues. I think the biggest problem here is our approach to credit and credit fraud. We need mandatory CC2 online, mandatory 2FA (not SMS!), chip and PIN, our credit should be frozen by default with out of band approval for new credit and credit granted without approval is the lender's responsibility. Steps like these would remove most of our exposure to credit fraud.


The government could bring in an auth service adding a password to your SSN. Problem solved. Kinda.


or a digital signature, or a MAC. Something where we could verify against a publicly-known value safely, and without giving that secret part away to anyone else. The secret would be between the Federal Government and the citizen.


Why should the government have it at all? Just let private citizens manage their own private key.


And what happens when people inevitably lose their private key? How will they regain access to their SSN?


They would probably have to go through a similar procedure as they do to get a replacement social security card. That is, they would have to present at least a driver's license and US passport at one of the local social security administration offices.

At that point, they can regenerate the key-pair and have the SSA official sign the public key and keep that on file.

Now, presumably, it is possible to forge both documents, but I would think that the government could check their records (federal and state) to verify the authenticity of the provided documentation.


Exactly. You can't have perfect trust in every citizen to keep track of these things. And if it's a government issued ID in the first place, I see no trouble with them having your private key as well. Just don't reuse that key.

This would take a lot of solid investment politically, and technically, to make it even slightly feasible to work for the average Joe.


Couldn't we do this through a system that's similar to PKI? That is, have each person generate a private key and certificate signing request (that's signed by the appropriate government agency)?

Resetting it outside the normal certificate expiration time would require that one go to the local branch of the government office to do so (much like getting a replacement social security card or replacing a lost or stolen passport). At that point, you would have to provide proof of your identity that would be verified by the government agency.
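The scheme sketched across the last few comments (a citizen-held private key, the SSA signing the public key and keeping it on file, re-issue after a lost key, and a bank verifying against a publicly known value without ever learning a secret) as a worked example. This is added code, not from the thread or from any real SSA system: the Credential format, the names SSA, Issue, Reissue, NewChallenge and VerifyAssertion, the in-memory revocation list, ed25519 as the signature algorithm and the sample SSN value are all my own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is the hypothetical SSA endorsement of a citizen's public key. The SSN is
// reduced to a hash and serves only as a lookup key; possession of the private key
// (which the SSA never holds) is what proves identity.
type Credential struct {
	SubjectID [32]byte          // sha256(SSN): an identifier, not a secret
	PubKey    ed25519.PublicKey // citizen's public key
	Serial    uint64            // unique per issuance, used for revocation
	NotAfter  int64             // expiry, Unix seconds
	SSASig    []byte            // SSA signature over the fields above
}

func (c *Credential) tbs() []byte { // canonical "to be signed" encoding of the fields
	var buf bytes.Buffer
	buf.Write(c.SubjectID[:])
	buf.Write(c.PubKey)
	binary.Write(&buf, binary.BigEndian, c.Serial)
	binary.Write(&buf, binary.BigEndian, c.NotAfter)
	return buf.Bytes()
}

// SSA is the issuing authority: one signing key plus an in-memory revocation list.
type SSA struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	next    uint64
	revoked map[uint64]bool
}

func NewSSA() (*SSA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SSA{priv: priv, Pub: pub, next: 1, revoked: map[uint64]bool{}}, nil
}

// Issue binds a public key to an SSN for a limited time (the in-person, documents-checked step).
func (s *SSA) Issue(ssn string, pub ed25519.PublicKey, now time.Time, ttl time.Duration) Credential {
	c := Credential{SubjectID: sha256.Sum256([]byte(ssn)), PubKey: pub, Serial: s.next, NotAfter: now.Add(ttl).Unix()}
	s.next++
	c.SSASig = ed25519.Sign(s.priv, c.tbs())
	return c
}

// Reissue is the lost-key path: revoke the old serial and sign a fresh public key.
func (s *SSA) Reissue(ssn string, old Credential, newPub ed25519.PublicKey, now time.Time, ttl time.Duration) Credential {
	s.revoked[old.Serial] = true
	return s.Issue(ssn, newPub, now, ttl)
}
func (s *SSA) IsRevoked(serial uint64) bool { return s.revoked[serial] }

var (
	ErrBadCredential = errors.New("credential not signed by SSA")
	ErrExpired       = errors.New("credential expired")
	ErrRevoked       = errors.New("credential revoked")
	ErrBadAssertion  = errors.New("challenge signature invalid")
)

// NewChallenge is the bank's fresh nonce, prefixed with the bank's name so a signature
// obtained by one relying party cannot be replayed at another.
func NewChallenge(relyingParty string) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand: fails only if the system RNG is broken
	return append([]byte(relyingParty+"|"), nonce...)
}

// VerifyAssertion is the bank-side check. It needs only the SSA's public key and a
// revocation lookup; no secret belonging to the citizen or the SSA ever reaches it.
func VerifyAssertion(ssaPub ed25519.PublicKey, revoked func(uint64) bool, cred Credential, challenge, sig []byte, now time.Time) error {
	switch {
	case !ed25519.Verify(ssaPub, cred.tbs(), cred.SSASig):
		return ErrBadCredential
	case now.Unix() > cred.NotAfter:
		return ErrExpired
	case revoked(cred.Serial):
		return ErrRevoked
	case !ed25519.Verify(cred.PubKey, challenge, sig):
		return ErrBadAssertion
	}
	return nil
}

func main() {
	ssa, _ := NewSSA()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred := ssa.Issue("000-00-0001", pub, time.Now(), 365*24*time.Hour) // constructed sample SSN
	ch := NewChallenge("example-bank")
	fmt.Println("verify:", VerifyAssertion(ssa.Pub, ssa.IsRevoked, cred, ch, ed25519.Sign(priv, ch), time.Now()))
}
```

The order of checks in VerifyAssertion matters: the SSA's signature is verified before anything else so that a self-signed credential can never reach the expiry or revocation logic, and the challenge carries the relying party's name so that an assertion collected by one bank is useless at another. Reissue answers the "what if they lose the key" question in the thread: the old serial goes on the revocation list and the new public key gets a fresh signature, so the SSN itself never changes.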


For everybody who isn't acquainted with how Social Security Cards work in the US and how they came to be I highly recommend watching "Social Security Cards Explained" by CGP Grey https://www.youtube.com/watch?v=Erp8IAUouus

He also explains why US citizens don't have an Identity Card as opposed to many European countries.


That’s quite crazy. Though here in NZ we don’t have a National ID number either, we have several different numbers for different purposes. Most places will work with a driver licence or passport number, but given there’s no need to register a change of name it gets a little tricky.

If you don’t have any of those you can get a statutory declaration of identity from a local court. You just have to swear you’re the person in front of a justice of the peace and provide a passport photo.


Coming from another country I really have difficulties understanding why e.g., utilities would want to have your SSN. What do they get that they otherwise won’t get? Isn’t a validated address and a credit card number enough for them? What is the scenario that they try to protect against? That someone misses his 30 USD utility payment and has a CC that is not covered? That seems like a rather weak argument.


These databases are there essentially to punish you. If you don't pay your utility bill, they report that to the credit agency, and that reduces your chances of getting credit elsewhere.

These credit information don't give much benefit to Americans, it gives benefits to businesses[1]. It's essentially just a global black list where business can communicate who not to do business with.

This business is there for other businesses and we are the product there. This is why people generally have very shitty experience when they have to interact with them, and this is why Equifax thinks the problem is solved when they provide free one year credit monitoring service.

[1] note how Equifax thought it was important to notice that the core database - the one storing your credit records - was not affected. No Americans care about this, but if the core database storing records was compromised Equifax would disappear overnight without any help from the government, because none of the businesses would want to use it.


> These [sic] credit information don't give much benefit to Americans, it gives benefits to businesses

Americans own, work at and consume the products of businesses. If there is a class American law generally holds above investors, in terms of protection, it's consumers.

I would also argue consumers benefit from our credit rating agency system, shitty as it is--it allows more people to get cheaper credit faster and more easily than if we had to establish trust at every commercial interaction.


I would suggest that getting credit faster and more easily is not a benefit for consumers but a benefit to business also.


> I would suggest that getting credit faster and more easily is not a benefit for consumers but a benefit to business also

Access to credit reduces poverty, internationally [1] and domestically [2]. It is also critical to letting poor and middle class individuals start small businesses [3]. Consumers and businesses benefit from financial systems that efficiently allocate credit. That's why both consumers and businesses voluntarily finance purchases with credit. (This is not a Panglossian claim that our system is perfect. Credit is better than no credit for consumers. Our current CRA system, while a complete mess, is still probably better than forcing trust to be re-ascertained at every commercial interaction.)

[1] https://www.microfinancegateway.org/sites/default/files/mfg-...

[2] http://www.nytimes.com/2013/10/29/business/microcredit-for-a...

[3] https://pdfs.semanticscholar.org/9b12/726539fadbcaaebcd7ea9d...


My prior expectation of almost any of the aspiring business-owners that you describe, is that they do not have the knowledge necessary to successfully run their business.


> I really have difficulties understanding why e.g., utilities would want to have your SSN. What do they get that they otherwise won’t get?

I suspect they need to unambiguously identify all customers/payments under anti money laundering regulations. Unintended consequences and all that.


The problem is that SSNs are treated like a private key. If somebody has that private key, and some basic information about you, they can basically impersonate you electronically.

Meanwhile countries like Estonia use an electronic card reader with a PIN to verify digital identity, making it nearly impossible for somebody to impersonate you. Using this Estonian system, you can tell anybody your personal code ID.


In Italy the personal id is computed from name(s), surname, date and place of birth (state of birth if born abroad) and a check digit. Collisions are pretty rare (one every few tens of thousands of people), so it's pretty much a public piece of information.

Electronic identification is available on three levels: id+password, id+password+OTP (the most common), id+password+smart card (everybody has one, but in practice it is only used by officers nowadays). Getting a password is free and takes about 15 minutes plus a trip to the post office. It works pretty well, and underneath it's just SAML2 so everyone can use it.


We HAVE a set of laws and regulations mandating that SSN numbers be kept secret. It doesn't work. We have laws restricting the use of SSNs (it is illegal for most situations to demand an SSN, except for the situations where it is mandatory). They don't work either.

There is, however, one simple solution. Inform banks and others who need to verify identity that they may not use knowledge-of-someone's-SSN as a means of verifying identity. After a brief adjustment period for them to change their processes, publish a public list of every citizen's SSN. (Note: the Equifax breach already did half the job here... so that part isn't hard.)

There is no problem with having SSN numbers, and we MUST have something of the sort if the government intends to keep track of its citizens. There is no problem with SSN numbers being public, and history has demonstrated that it is impossible to design a system that successfully keeps them secret. The only problem lies in the fact that we treat knowledge of this number as some kind of proof of identity.


The real crisis here is that Equifax isn't being held responsible for providing meaningful fraud protection beyond one year. When I lived in the UK, the banks were constantly trying to sell me "fraud protection" and "identity protection" - trying to argue with the salesdrones about why you think it is insane that they are trying to sell me protection against their own shoddy information security practices was useless.

I'm not a big fan of over-regulating, but this is a specific issue that requires a significantly heavier hand than "I'm going to another bank" as they are all as bad as each other.


Instead of heavily regulating I say we should make this service obsolete by passing laws similar to European ones, where people can request what information a given company holds about them, request removal, and not allow data collection without permission.

None of those companies provides anything valuable to ordinary citizens, and the data collection they do comes at a great price to us, as shown by the recent Equifax fiasco.


Well, Equifax is big in the UK, mostly to keep track of your credit rating, to allow individuals to borrow money.

I think you will find on closer inspection that EU data protection laws prove to be surprisingly flexible when it comes to things relating to money. But hey, at least we are protected from evil cookies tracking us! Talk about a fucking sleight of hand....



I don't trust them at all. Never have, never will, and I am not sure I follow the context of your comment....


What we need is a system like a base key and derivative keys that can be revoked / issued via some central government system. If someone's SSN gets compromised, revoke the base key and all keys are invalidated. If an individual organization's use of your key gets compromised, revoke and reissue. Most likely this all will have to happen transparently without the user really knowing what's happening under the hood. Perhaps on the blockchain?!


I lived in the USA for long enough to get a SSN and a credit rating, but I left some time ago.

I've now discovered that my details are in this leak.

Does anyone have any advice for how a non-US citizen, not currently living in the USA, can secure their data and ensure that it's not being used nefariously? I.e. is there a way to permanently retire a SSN and credit rating, remotely (which doesn't involve dying, lol)?


You can "freeze" your credit with each of the 3 rating agencies (Equifax, Experian, TransUnion) which will prevent anyone (including yourself) from applying for credit using your information.


Any rational system needs to be able to: 1) Identify someone and 2) Authenticate someone. A moment's thought will suggest that the mechanism used to identify someone has different and at least somewhat conflicting goals to what the mechanism used to authenticate someone has, and these must be different systems.

For example: The identification token should be shareable, globally unique, and probably mostly immutable. The authentication token should be secret, not globally unique, and resettable if compromised.

The US system currently tries to use SSNs as both a means of identity and authentication: Telling someone your SSN both tells them who you are, and proves that you really are that person. Obviously, this can't work.

Either we need an actual unique ID number, and then we treat SSNs as a secret password, OR we need to treat SSNs as non-secret usernames, and add some form of actual authentication. Either will work I suppose, although the second seems more practical.
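The separation argued for above (a shareable identifier, a secret and resettable authenticator) and the base-key/derived-key revocation scheme proposed earlier in the thread, modelled as an added example that is not from the original discussion. The registry, the HMAC derivation and the sample identifier are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityRegistry:
    """Constructed toy model: the public identifier is never a secret.  A
    per-person base key (held only by the registry) derives one token per
    organisation; a single organisation's token, or the whole base key, can
    be revoked and reissued without the identifier ever changing."""

    def __init__(self):
        self._base_key = {}    # public_id -> current base key (secret, registry-side)
        self._generation = {}  # (public_id, org) -> counter bumped on per-org revocation

    def enroll(self, public_id):
        # The identifier may be widely known (like an SSN); only the key is secret.
        self._base_key[public_id] = secrets.token_bytes(32)
        return public_id

    def _derive(self, public_id, org):
        # Token bound to this organisation and its current generation, so a leak
        # at one organisation does not yield a usable token anywhere else.
        gen = self._generation.get((public_id, org), 0)
        msg = f"{org}:{gen}".encode()
        return hmac.new(self._base_key[public_id], msg, hashlib.sha256).hexdigest()

    def issue_token(self, public_id, org):
        return self._derive(public_id, org)

    def verify(self, public_id, org, presented):
        # Verification recomputes from current state: a stale or foreign token
        # simply never matches.  compare_digest avoids a timing side channel.
        if public_id not in self._base_key:
            return False
        return hmac.compare_digest(self._derive(public_id, org), presented)

    def revoke_org(self, public_id, org):
        # One organisation was breached: only that organisation's token dies.
        key = (public_id, org)
        self._generation[key] = self._generation.get(key, 0) + 1

    def revoke_all(self, public_id):
        # The base key itself is compromised: every derived token is invalid.
        self._base_key[public_id] = secrets.token_bytes(32)


if __name__ == "__main__":
    reg = IdentityRegistry()
    pid = reg.enroll("123-45-6789")          # constructed, SSN-shaped identifier
    bank = reg.issue_token(pid, "bank")
    print("bank token valid:", reg.verify(pid, "bank", bank))        # True
    print("identifier alone authenticates:", reg.verify(pid, "bank", pid))  # False
    reg.revoke_all(pid)
    print("after base-key revocation:", reg.verify(pid, "bank", bank))    # False
```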


The only option is the second because SSNs are already widely distributed so have lost their use for authentication.


As a practical matter, yes. I mean, in principle we could declare a do-over, and re-issue any compromised SSNs (which would be uh...all of them), but uh...yeah.


I think we're mixing two different purposes here.

Authentication through knowledge of a SSN is an absurd practice, and is a non problem in countries which have a national ID card scheme. Introducing ID cards would be my obvious response to this leak. Not re-issuing SSN until the next major leak.

Having a universal unique identifier for every individual across systems is a different matter and I am not convinced this is even desirable. In a world where no organisation is able to protect its data (or even willing since most organisations now are looking for ways to monetize it), this is making it too easy to link an identity across breaches. I don't think your utility companies have any need to know your SSN.


Have a unique public identifier for everyone.

An identifier is not a verifier. Just because I know my neighbor's ID number doesn't mean I can e.g. open a bank account in his name.

The act of validating that you are the person with the given ID requires some form of id validation (drivers license, passport, digital id).

I can't even understand how you even keep a reliable customer database that works through name and address changes without having a single immutable identifier for everyone. I can understand how people started using SSN if that is the only number there is.

Here I just record bob the customer as 123467890 and he can change name, address etc all he wants without telling me. I can still send him his bill because I can look up both a name and address for any id at any point in time by just asking the tax- (and id-) authority for the details for that national id number.

If my customer db is leaked it's considered "bad" but it's not disastrous. All those addresses/names/ids were mostly public anyway (there could be protected identities etc so one shouldn't assume all is public)


You call it public, I call it universal. We are talking about the same thing.


Right: universal (everyone has one) and merely an id, not a secret used for verification.

An important thing is to keep a 2fa tied to each id. An address works, because then mail can be used as 2fa.


For the purposes of fraud, it's fairly easy to link accounts across datasets even without a unique key like SSN. You can just guess based on name and address or something and if you're only right 90% of the time that's still a pretty big win.


People move home, particularly in the US which has a quite mobile population. Many people have many variants of their names, including middle names or long composed last names, and you have a huge number of homonyms. So while you may get a 90% hit rate on two, perfectly current, and breached at the same time datasets, I would expect that number to reduce greatly in a typical real world breach.


You would be surprised how difficult that problem is.


Perhaps allowing tokens/passwords to be established for existing SSNs would be an alternative to national IDs. You could even create a separate token each time you needed to supply the SSN, so that if it's ever leaked, the source of the leak could be investigated.


And the social security system would become the paypal of identity. I don't know if they want that.

But an ID card is exactly that. It is a time limited, physical token issued by the state that identifies you to third parties. You could make it more secure with public-private key cryptography, by signing the information on the card, including the photo, such that forgery would become impossible (under 21 kids would hate that).


Having a unique identifier is separate from being able to use it to identify as the holder of that identifier. Yes, having it may simplify tracking, but tracking is a hell of a lot lesser problem compared to identity theft.


It makes me wonder why identity has to be a centralized government thing. For most purposes, my google account is my primary identity. If I forget a password, resets go there, so it's my foundational identity online. Per-purpose identity seems like an okay thing. I could have a financial identity, and gaming identity, a communication identity, etc. Just like the government doesn't need to know what I own on steam, it doesn't need to know my credit score. And just like steam doesn't need to know my drivers license/social, maybe my bank shouldn't either?

Writing this, I'm realizing how closely identity and privacy are related. For any transaction with memory (like games I buy on steam) there needs to be some identity. Connecting that identity to my other identities is a privacy question. We're probably at a tipping point where we could go either way next. It scares the crap out of me to think about it that way.


In Sweden your SSN is public information. I posted the same comment on another Equifax thread and got some pretty interesting replies relevant to this discussion: https://news.ycombinator.com/item?id=15208223


I believe that all EU has a similar approach, it is just the US that misuse the SSN.

The way it is done in Italy (it is called "Codice Fiscale") it is composed through a public algorithm from name, surname, place and date of birth with a final "control" character (derived from the preceding characters) so - with the exception of the very few cases of total homonymy - it can be recreated "on the spot".

Nowadays it is however printed on an electronic card, with both a magnetic stripe and a chip and it is the actual card (together with an ID document[1]) that "authenticates" your identity (in person) while on some government sites you can use the card (with a smart card reader) to authenticate.

[1] actually the main thing is the ID document, passport, ID card or - in some cases - driving license, with that you can declare your Codice Fiscale even if you don't have the actual card with you.


> I believe that all EU has a similar approach

Not at all. At least Finland and Sweden do have a social security number assigned at birth (or immigration). They can be seen as a primary key in many contexts, not only when dealing with social security or the public sector. I guess there could be more such countries. In Finland the official recommendation these days is that you should be very cautious with your social security number, because it allows identity theft. But that is a bit of a ridiculous recommendation, because there are many cases where you have to give your social security number. Persons appearing to be 29 or younger need to show an ID when buying alcohol. So they show their social security number to every supermarket cashier. It would be illegal for the cashier to write them down and collect them, but easy to do for someone who trains a bit to memorize a birthdate plus 4 digits for a minute or 2. Nearly impossible to track.

In Germany on the other side having such a universal primary key (a personal identifier) is deemed unconstitutional. Those who have been employed have a social security number, but it's not used for any other purpose than pensions. Probably most health insurers assign a number to the insured person, but it is meaningless outside of that insurer. A life-long tax number was only introduced a couple of years ago. It was much criticized by privacy activists that it is too close to a forbidden person identifier. Person identifiers existed in the GDR (former East), but their usage was forbidden by law after re-unification (except in some cases where facts of the past need to be tracked).


>Not at all. At least Finland and Sweden do have a social security number assigned at birth (or immigration).

Maybe we are misunderstanding each other, the Codice Fiscale in Italy is the same, assigned at birth (or immigration). The difference is that it is not on the ID card (as it is - say - in Finland or Sweden or Denmark or Spain), but on a separate card.

It is a "generic" identifying number with all public administration offices besides tax use, but of course it is always directly or indirectly connected with taxes.

As an example if you sign a rent contract for a house (between privates), or if you sign a contract for utilities, or you buy a SIM card you need that number, if you ask for some specific kind of receipt (fattura) you need it, when you buy medicines (that may be partially deducted from taxes) you need it at the chemist/pharmacy.

Fun fact: if you want to buy some cigarettes at a vending machine, you need the card to prove that you are 16 or older.

Of course each country will have its own uses (or non uses) for the thing, that is generically (EU) called TIN:

https://ec.europa.eu/taxation_customs/business/tax-cooperati...

Here is the list with documentation about each country: https://ec.europa.eu/taxation_customs/tin/tinByCountry.html?...

Germany has it alright (and it is assigned at birth) though it is not on a card (ID card or otherwise) and is used only for tax purposes:

http://www.bzst.de/DE/Steuern_National/Steuerliche_Identifik...

It was introduced only relatively recently, 2011 I believe; to give you a reference, in Italy it was introduced in 1976.


> Of course each country will have its own uses (or non uses) for the thing, that is generically (EU) called TIN:

Exactly. In Finland (as in the US obviously) knowing someone's ID can be used to cause damage to the person. You can do some business in the name of the person, because it is generally but falsely assumed that knowing the number is an authentication method.

In Germany the tax number is only used for income taxation. Already for other taxes, like sales tax, property tax etc. another number is used. I am not aware of any obvious way how one could misuse someone else's income tax number. The income tax number is completely obscure, the age of the person cannot be derived AFAIK.

I know that in Italy the tax number is used quite a lot. I could not buy a rechargeable smart card for public transport, because I did not have the tax number. And when just for fun at a train ticket machine I tapped that I would like a receipt, it asked me for my tax number. Whether the number is used as an authentication method and could be misused in that context I have no idea.


> I know that in Italy the tax number is used quite a lot. I could not buy a rechargeable smart card for public transport, because I did not have the tax number. And when just for fun at a train ticket machine I tapped that I would like a receipt, it asked me for my tax number. Whether the number is used as an authentication method and could be misused in that context I have no idea.

No, the number is just a number, and as said it is not secret and can be generated (though with not a 100% guarantee of it being valid because of "total" homonymy).

It is only an ID number, whilst the card is (can be) a form of online ID (but only on a few specific government sites) and the said fun fact as proof of age on vending machines.

In any case it is never a password, so having it public is not an issue; at the most you could have typed my (or someone else's) Codice Fiscale on the ticket machine, but you couldn't have used it for (if applicable) tax deduction in your name.


> No, the number is just a number, and as said it is not secret and can be generated (though with not a 100% guarantee of it being valid because of "total" homonymy).

True. I had already forgotten that. Created mine a couple of years ago using some unofficial online service. Maybe I still have it on some disk... Of course I cannot be 100% sure that it is correct. I understand I could order mine officially without ever having lived in Italy. Never bothered about that, I don't have that much contact to Italy.


Thanks for the great content and information.

Just a minor nitpick: your identity can't be authenticated. You, as an individual, can be identified, but the only thing that can be authenticated is the piece of plastic (ensuring it is not counterfeit).

I wrote down an analogy for the different lingo some months ago: https://news.ycombinator.com/item?id=13635820


Yep, sure, you are correct, that's why I put it in double quotes; more accurately the identity can be "verified" or "validated" by the ID card (of course authentic) or even more strictly by comparing the photo (and other description data) on the ID card to the looks of the bearer.

I just checked and also en.wikipedia has a good description of the algorithm used, JFYI:

https://en.wikipedia.org/wiki/Italian_fiscal_code_card
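The public algorithm the two comments above describe (surname and name consonants, year, month letter, day with +40 for women, place code, check character), written out as an added example that is not from the thread or from any Italian authority. The Belfiore place code (F205 for Milan) and the sample people are inputs assumed for illustration; the homonymy fix-up that swaps digits for letters on collision is not implemented.

```python
import re

# Month letters, January..December, in the order the scheme uses.
MONTH_CODES = "ABCDEHLMPRST"
VOWELS = set("AEIOU")
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Check-character tables: characters in odd positions (1st, 3rd, ...) map to
# an irregular table, those in even positions to their plain ordinal.
_ODD_VALUES = [1, 0, 5, 7, 9, 13, 15, 17, 19, 21, 2, 4, 18, 20, 11, 3, 6, 8,
               12, 14, 16, 10, 22, 25, 24, 23]
_ODD = {**{str(d): _ODD_VALUES[d] for d in range(10)}, **dict(zip(ALPHA, _ODD_VALUES))}
_EVEN = {**{str(d): d for d in range(10)}, **{c: i for i, c in enumerate(ALPHA)}}


def _letters(text):
    return re.sub(r"[^A-Z]", "", text.upper())


def _triplet(text, first_third_fourth=False):
    """Consonants first, then vowels, padded with X; names with four or more
    consonants take the 1st, 3rd and 4th (the rule that distinguishes names)."""
    cons = [c for c in _letters(text) if c not in VOWELS]
    if first_third_fourth and len(cons) >= 4:
        cons = [cons[0], cons[2], cons[3]]
    vow = [c for c in _letters(text) if c in VOWELS]
    return "".join(cons + vow + ["X", "X", "X"])[:3]


def check_char(first15):
    total = sum((_ODD if i % 2 == 0 else _EVEN)[ch] for i, ch in enumerate(first15))
    return chr(ord("A") + total % 26)


def codice_fiscale(surname, name, year, month, day, female, belfiore):
    body = (_triplet(surname) + _triplet(name, first_third_fourth=True)
            + f"{year % 100:02d}" + MONTH_CODES[month - 1]
            + f"{day + (40 if female else 0):02d}" + belfiore.upper())
    return body + check_char(body)


def is_well_formed(code):
    """Structural check only: shape plus control character.  It catches typos,
    and says nothing about whether a real person carries this code."""
    code = code.upper()
    if not re.fullmatch(r"[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]", code):
        return False
    return check_char(code[:15]) == code[15]


if __name__ == "__main__":
    # Constructed sample person: Matteo Moretti, born 8 April 1991 in Milan.
    print(codice_fiscale("Moretti", "Matteo", 1991, 4, 8, False, "F205"))  # MRTMTT91D08F205J
```

Nothing in the input is secret, which is the comments' point: the code identifies a person, and the control character only detects transcription errors.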


That's why the piece of plastic is only used together with an ID card, driver's license or passport: the plastic has a smartcard but no photo, so the two complement each other.

Alternatively the smartcard can be used as a second factor together with a password but, as you correctly pointed out, it is not enough alone.


a federal id smart card would be a great solution, but people won't let it happen because it might be "the mark of the beast".

I'm not joking. I have heard that more than once.


Because it is the "mark of the beast", just as SSNs or surveillance bureau's primary keys are. And no, I'm not joking either.

It's entirely sophomoric to trash a book of generational wisdom by taking its metaphors literally for use as strawmen. An actual "beast" was no more a part of their daily routine than it is of yours.

If identifying and cataloging people were against people's immediate interest, then it would actually not happen and it wouldn't be a concept worth mentioning. So the apparent fact that the practice looks fine and dandy to you is an indicator of exactly nothing! The problems manifest themselves on the scope of many generations, and true wisdom is to heed warnings from past failed societies rather than laughing them off.

(For the record, I'm an atheist).


So you are opposed to driver's licenses?

And for the record, they meant the antichrist as an actual person, not a metaphor... even though there's plenty of evidence that the book is referring to Roman coinage and Caesar.

I really don't know how to reply. You are saying identification is wrong?


> a federal id smart card would be a great solution

No, it would be a terrible solution, have you seen their track record?

https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

http://www.silicon.co.uk/cloud/aws-cloud-security-221169


Do you really think that the individual states can do better?


This was also a thing when barcodes got widespread.

For an entertaining version (published by "The Family" a.k.a. "Children of God"): https://youtu.be/0RfU5r63AXY?t=1009



