
Sadly, financial institutions will continue to use knowledge of your SSN and DOB as proof that you are who you claim you are. And if you're not, that's the problem of the sucker whose identity got stolen.

Financial institutions in America prioritize convenience over security.



The problem is that y'all, unlike most/all of Europe, don't have a requirement for people to possess a government issued ID card with a picture on it.

In Europe, we use these as "root of trust" - either in physical form or in electronic form.


> The problem is that y'all, unlike most/all of Europe, don't have a requirement for people to possess a government issued ID card with a picture on it.

You aren't required to possess one in Europe either, but you get assigned a unique number at birth to identify you.

Of course life is hard without identification, but there is no law mandating that you get one, at least not in all EU countries; maybe some of them do.


What's better is Congress wants to tackle piracy (which will never be stopped) by frivolous bills like SOPA, and make backdoors for encryption to "catch the terrorists / bad people", but nobody wants to fix identity theft. Heck, now we're all having to have stupid cookie dialogs on every website.


This is trivializing the amount of backend system migration that's required to change core identifiers.

If they could push a button and use new identifiers, they'd do that today.

However, in reality that means cracking open 50 years of code and systems.


You don't need to change the core identifiers. You just need to stop treating (at an institutional and broader system level) mere knowledge of those identifiers alone as sufficient proof of a user's authenticity. For the most part, the 50-year-old hard-to-change code is already surrounded by other systems which can be adapted more easily anyway.


Point, in internal vs external sense.

What else would you use though? (in the US)

I can't think of any broadly-existing alternatives. You could perhaps have people opt-in to a newly-created, cryptographically-secure ID replacement.
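Added illustration (not code from any commenter on this thread) of the point made a few comments up, that knowledge of an identifier should not count as proof of identity, and of the "cryptographically-secure ID replacement" floated here: a knowledge-based check that anyone holding breached SSN/DOB data passes, beside a possession-based challenge-response check that only an enrolled device can answer and that rejects replayed responses. The customer record, the breach dump, the account id and the use of HMAC-SHA256 as the proof-of-possession primitive are all assumptions made for the example; a real deployment would enroll a device key against a physical ID and likely use an asymmetric signature so the server never holds the secret.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical values, not real people): a record as a
# financial institution might hold it, and the same fields as found in a breach dump.
CUSTOMER_RECORD = {"name": "A. Customer", "ssn": "123-45-6789", "dob": "1980-01-31"}
BREACH_DUMP = {"ssn": "123-45-6789", "dob": "1980-01-31"}


def knowledge_based_check(claimed_ssn, claimed_dob, record=CUSTOMER_RECORD):
    """Knowledge-based verification: passes for anyone who knows the identifiers."""
    return (hmac.compare_digest(claimed_ssn, record["ssn"])
            and hmac.compare_digest(claimed_dob, record["dob"]))


class PossessionVerifier:
    """Possession-based verification by challenge-response.

    A device secret is enrolled once (assumed to happen against a physical ID) and
    never transmitted afterwards; the client only sends a MAC over a fresh nonce.
    """

    def __init__(self):
        self._enrolled = {}     # account id -> enrolled device secret
        self._outstanding = {}  # nonce -> account id; consumed on first use

    def enroll(self, account_id, device_secret):
        self._enrolled[account_id] = device_secret

    def challenge(self, account_id):
        nonce = secrets.token_hex(16)
        self._outstanding[nonce] = account_id
        return nonce

    def verify(self, account_id, nonce, response):
        # Unknown, already-used or mismatched nonces are rejected, so a captured
        # response cannot be replayed and a nonce for one account cannot be reused.
        if self._outstanding.pop(nonce, None) != account_id:
            return False
        secret = self._enrolled.get(account_id)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def device_respond(device_secret, nonce):
    """What the legitimate user's enrolled device computes; the secret stays on it."""
    return hmac.new(device_secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    # 1. Knowledge-based: the attacker holding breach data is indistinguishable from the victim.
    attacker_passes_kba = knowledge_based_check(BREACH_DUMP["ssn"], BREACH_DUMP["dob"])

    # 2. Possession-based: same attacker, same breach data, but no enrolled secret.
    verifier = PossessionVerifier()
    device_secret = secrets.token_bytes(32)  # generated on the user's device at enrollment
    verifier.enroll("acct-1", device_secret)

    nonce = verifier.challenge("acct-1")
    genuine_response = device_respond(device_secret, nonce)
    user_passes = verifier.verify("acct-1", nonce, genuine_response)

    # The best the attacker can do is key the MAC with what they know about the victim.
    nonce2 = verifier.challenge("acct-1")
    forged = hmac.new(b"123-45-6789|1980-01-31", nonce2.encode(), hashlib.sha256).hexdigest()
    attacker_passes_possession = verifier.verify("acct-1", nonce2, forged)

    # 3. Replay: the genuine response captured in step 2 is useless once its nonce is consumed.
    replay_passes = verifier.verify("acct-1", nonce, genuine_response)

    return {
        "attacker_passes_kba": attacker_passes_kba,
        "user_passes_possession": user_passes,
        "attacker_passes_possession": attacker_passes_possession,
        "replay_passes": replay_passes,
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point: the knowledge-based check has no way to tell the account holder from someone who bought the breach dump, while the possession-based check fails for the attacker no matter what they know about the victim, and the single-use nonce means intercepting one successful login does not help either.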


This is the real and hard problem to solve. As far as I know, there are identity-verification services using other, semi-publicly-available data, which can still be spoofed for a lot of people, and some that use just-in-time photography (of your face, driver's license, passport, etc.), but that relies on more on-device security (and thus less end-user ownership of their devices).

It ultimately falls to the government to provide a more robust solution.


Well, then these institutions can take more responsibility when their weak auth is exploited to defraud innocent people, vs "sucks to have your 'identity' stolen!"



