by toufka 3207 days ago
Precisely. In no way was Alice's identity stolen - that's tautologically impossible. Rather, the bank was defrauded by the criminal - Alice is not a party to whether or not the bank recovers from its own loss. Alice's ownership is entirely unaffected, though the bank's internal processes might not reflect that - again, their problem, not Alice's.

Further - this rat race, where I have to give ever more intimate details about myself to verify who I am, "for my own protection", seems to only ratchet away my privacy until there is nothing about me left unpublic. Facebook, Banks, Airbnb, Credit Card companies, Telephony companies have ALL given me that line when I resist providing SSN, DoB, or whatever mine-able nugget they're looking for this month. Every time I give out a new kind of private information it inevitably leaks - defeating their point of having asked me - all the while my privacy is left scorched while they move on unconcerned to the next piece of my private life. It's uncomfortable.

3 comments

> In no way was Alice's identity stolen - that's tautologically impossible.

I see this as you being too strict with your definition of "identity".

We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).

I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.

Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.

> I see this as you being too strict with your definition of "identity".

> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.

Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.

And then we say that stating the DoB authenticates anyone to make changes to Alice's account.

And then we say this is a terrible idea. And then we are in agreement.

And then we don't have to say completely unhelpful nonsense like the following:

> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.

If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.

Not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.

(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)

An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used, only feeds pedantry.

> Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.

The point is that it is NOT "identity theft", even if that's what people call it. It is more aptly "authentication theft/fraud".

The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.

Yes, I agree, and I might have slightly misread what tripzilch wrote to mean that we should avoid the term here in this discussion, which I objected to. Towards the general public, it totally should be framed as an authentication failure, yes, I agree.

> while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

Attributes can be replicated -> attributes don't identify Alice

Why do you consider this implication necessary? It sounds nonsensical.

Counterexample: to verify an identity, the verifier must possess a replication of the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Note that we're speaking of identity in the context of a technical implementation.

> Why do you consider this implication necessary? It sounds nonsensical.

Because it is implied by the definition that is implied by the concept of "identity theft".

Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.

That doesn't make much sense, does it?

The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".

> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Erm ... no? Just two obvious examples:

In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

> Note that we're speaking of identity in the context of a technical implementation.

Actually, we kind of don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?

The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.

> That doesn't make much sense, does it?

If Alice is the last surviving human being in the universe, it does.

If Alice isn't the last surviving human being in the universe, then the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

You haven't checked that it's me, you've checked that it is someone who looks like me.

Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

Do you believe this hypothetical example to be true? If not, what's your point?

> The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) replicated by somebody else is just a contradiction.

> If Alice is the last surviving human being in the universe, it does.

Seriously?

> If Alice isn't the last surviving human being in the universe, then the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.

> You haven't checked that it's me, you've checked that it is someone who looks like me.

Which contradicts the claim that the verifier does not need a replica of you how exactly?

> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

Which still cannot be stolen. So?

> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?

> Do you believe this hypothetical example to be true? If not, what's your point?

My point is that I am responding to your argument that was about an implication from that hypothetical case.

> Let's assume we define "identity" to mean

... seriously, just stop.

So the only way around this is to disregard information about a person other than information that 100% without a doubt identifies that person making a purchase is who they say they are? I am just genuinely curious.

No. It's to accept liability when you make a mistake. If a criminal tricks a bank into giving away money and debiting some random account, the victim is the bank, not whoever happened to own the account.

Around what? The fact that the term "identity theft" is nonsensical? There is no way around that, it just is.

As for fraud: There probably is no easy way around it. But that doesn't mean it's not fraud.

I was not saying either really. I was asking what surefire way we have other than a number / name for identity.

Well, there is biometry, with the simplest form being a picture, if you want to somewhat reliably identify people.

Here's a typical story.

Online loan firm gives money to someone. Months later, they default, so they call who they think is the holder of the debt. That person has no clue what they are talking about. Finds out through first ever credit report they are defrauded. Victim calls loan firm, who requests lots of proof of existence as well as a police report, before they will help them. Process takes weeks. Victim finds out they signed up at Equifax during hack. Now they are in worse shape.

All financial companies are required to have your SSN for reporting income for taxes and also report money movement under the anti-money laundering laws (AML). Know your customer (KYC) requires a financial company to gather documentation and information to verify your identity and to ensure you're not on any list of people we're legally not allowed to provide services, e.g. terrorist watch list.

You don't need to provide a SSN to get cell service or provide real information. Lots of fraud is done through tethering through burner phones.

Seems KYC as used in the real world doesn't do a very good job of verifying whether the "customer" is Alice or the fraudster... It'd be nice if _that_ requirement had enough teeth to reduce the ability of the financial institution to claim Alice is "the victim"...

Curious how would you verify a user? Right now standard solution is to use public records (LexisNexis), credit history (Experian), fraud detection networks (early warning). Along with a bunch of reputation providers around IP (Maxmind, Socure), email (emailage), address. Also government based ID and utility bills etc. This isn't cheap and can cost $10+ to run all these checks.

Even government can't verify people and it's a problem because people give other people's SSN and DOB when they get arrested, which is the worst type of identity theft as it can lead to the victim getting arrested or not getting a job (criminal record showing up in background check).

You ask for their ID card or passport. If you want credit history, you ask for their last year's tax sheet.

How about having a photo on the credit file. This would solve so many problems.

> You don't need to provide a SSN to get cell service or provide real information. Lots of fraud is done through tethering through burner phones.

Don't give them any stupid ideas. This year Germany did exactly that: Require proper identification for purchased SIM cards. Lots of people used that opportunity for some extra cash by selling pre-activated SIMs through eBay, after the requirements had been changed.

Too bad they also introduced Euro roaming, so people are still free to buy their anonymous SIMs in other EU countries and use them in Germany.

I guess those are the consequences of a future where your mobile device is used for your personal authentication everywhere by everybody. [0]

[0] https://www.nytimes.com/2017/02/13/business/dealbook/banks-l...

I've worked a bit in the industry and around the industry, the worrying thing for me is that it doesn't seem to be working for anyone apart from Equifax/Experian/Callcredit.

I have separately worked with one of those companies with a client and their IT staff were utterly incompetent (I won't say which). Loads of different sites, lots of little fiefdoms, utterly inconsistent security policies on each site, blaming everyone but themselves because only half their sites could access a video on a major commercial video provider (not-youtube). We ended up having to host it on AWS CloudFront as none of them had blocked it yet. Their SharePoint could only host a 50 MB file, which made their CEO look like a blockhead in the 20 min high def video.

Utterly incapable of hosting a simple video file so all their staff could access it in 2010.

I've also worked with a company one of those companies acquired for $100 million+, holding millions of people's personal details in the UK, with some very sensitive data. Some of the worst IT engineering I have ever seen, a bunch of tools written by the worst out-sourced IT teams I have ever seen (if you've ever worked with C#, these idiots made a project per .cs file. Yes, PER CS FILE. They also wrote the worst SQL I have ever seen, all of the stored procedures seemed to be duplicated but the duplicates had op_ before them. I eventually realised the op_ stood for optimized! They were still terrible and half the program used one set of SQL, the other half the optimised. Whenever I re-wrote one of these 'optimised' queries, I usually knocked it from seconds to milliseconds. Outsourcers in the noughties really did suck that bad, young 'uns).

We've given up huge amounts of privacy, but the scores are utter bullshit and the 2008 crash shows what a load of nonsense they are.

A friend even told me at uni he'd got a £1000 loan out to get a good credit rating. You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.

Equifax/Experian/Callcredit basically get given all our personal spending habits for free, sell it on to everyone else for crazy money, don't add anything to the economy and as far as I can tell, are a huge security hole.

EDIT: Another anecdote on how incompetent these people are, a couple of years ago someone used my details to scam a few free phones. I got alerted to it when I started receiving insurance contracts for those phones in the post. The phone companies sorted it pronto, almost immediately admitting they'd been scammed, but I wanted to make sure my credit rating hadn't been trashed. In the UK these agencies must provide you with a credit report for a nominal fee so you can check for incorrect details, so I applied to the big 3.

One of them accused me of trying to hack their system because I'd forgotten a security question, eventually told me to fuck off after passing through various layers, then sent me a letter saying they'd detected a hacker trying to access my details. No, you idiots, that was me. Still never got my report from them.

Yes, they still use security questions.

> You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.

I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?

Any system can be gamed, but I don’t get the impression that credit agencies are attempting to eliminate all risk - after all, it’s obviously possible that someone who has had perfect credit for years might simply run away with your cash! But the system doesn’t have to be perfect, or detect all outliers, to have value.

It seems intuitively obvious that lending to someone who is frequently late with credit repayments is riskier than lending to one who isn’t, and this is the mechanism by which that information is shared.

For £100 you get a shiny credit rating for no risk. That'll get you a mortgage for £100,000s.

In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay. I appreciate that it probably benefited a certain type of person, but the new system probably has the same prejudices built in. Now it's all about the ephemeral and easily game-able credit score. Until a few years ago you would get negatively scored for not having a landline.

These scores are utter bullshit, they're simply about if you haven't screwed up yet, they're not actual assessments of your ability to pay or the risk you've exposed yourself to.

Again, I worked in the mortgage industry before the Northern Rock collapse, brokers used to be able to go to those guys and openly fudge people's incomes by calling them self-employed, they had a good credit score so no-one blinked an eyelid, get 105% mortgage, and then lo-and-behold, the bank collapsed. Yes, part of it was that they lost their access to easy bank credit, but another part of it was they lent to hugely risky people.

As a slight-side, my bank was willing to lend me crazy credit card money a few years ago because for 10 years I never missed a payment. In reality in those ten years I went through a patch of being the most business-un-savvy freelancer ever, selling myself at a stupid rate and not putting enough aside to pay my tax bill, to the point where I had to get a loan from a parent to pay it. I was flat broke, almost bankrupt, and these people were willing to lend me almost 9 months of my income.

I was not a good risk.

But because I paid on time for X years before, I was to the credit agencies.

> I was not a good risk.

Banks are using actuarial science to make loans. You were (possibly) an outlier. That doesn't matter. All that matters is that their risk models work in aggregate. If they're right enough of the time, they profit. It doesn't have to be perfect.

They had to be bailed out, remember?

> In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay.

You do recognize how terribly inefficient that is, right? In this day and age it's all about scale. Expecting a bank manager to have a financial profile of all the clients using his firm is impractical.

For all its faults, the credit reporting agencies are providing a service. It's not perfect and I think it's the best they could do with the information available to them. I expect they will improve their score though once they start incorporating signals from social media and other sources.

In reality the new credit agency model's been tested once, and it failed.

> You do recognize how terribly inefficient that is, right? In this day and age it's all about scale.

Is it, tho'? It is well known that IT doesn't improve productivity[1]; all the benefits of automation get swallowed up in the extra people needed to support and maintain it. So we can assume that the ratio of bank employees to bank customers has remained constant over time. So actually there's no reason for banks not to operate the old personal-relationship model; they would need to employ the same number of staff to do it, just locate them in branches rather than at head office.

[1] http://www.computerweekly.com/opinion/McKinsey-Why-IT-does-n...

> I was not a good risk.

But you were- you had access to a parent with money to bail you out.

> I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?

That's probably the reason why it would increase one's credit rating in a positive way. I have no doubts about these systems being broken in such a way that they consider people who take on credit, paying it back in time, as more "credit-worthy" than people who never needed/wanted to take up a loan.

A bank obviously wouldn't want to miss out on the first group of people, while they couldn't care less about the second group of people from which they make no money in the form of interest.

It's also interesting how these kinds of rating systems seem to be "broken" all over the world. In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany and they are quite infamous for mixing up people and thus giving them a negative rating, often without the people noticing until it's too late and their negative credit check denied them access to a rented flat/credit whatever, after which it's their responsibility to get in touch with Schufa to clear up their misidentification.

> In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany

Just for anyone from Germany reading: There are multiple, less well known agencies that are used by banks and others as well. They are definitely worth keeping an eye on. I will only mention Creditreform Boniversum, Arvato Infoscore, and Bürgel.