[csharpminor]

I’ve received two data breach notices in the past week, one from my healthcare provider and the other from the bank that holds my mortgage.

In both instances they said to lock my credit, and provide free credit monitoring for a year.

I find this egregiously insufficient to the point where I think we need more regulation in this space. They should provide lifelong credit monitoring and full insurance on any financial fraud that now occurs on my behalf, as well as immediate presumptive financial compensation.

That aside, the root cause here is that identity in the U.S. is a dumpster fire. We have no distinction between unique identifier (SSN) and secret (also SSN). Every other security question is just another version of the same factor type (something you know) which is easily accessible to scammers.

There is quite literally no agreed upon way to prove you are who you say you are.

We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.

I believe that the consequence of ignoring this problem is at least tens of billions of dollars in GDP annually lost to fraud. And perhaps more importantly, it’s an insidious erosion of our status as a country of laws.

[FireBeyond]

> We need DMVs to begin issuing IDs that are physical with digital capabilities

The problem is that there is a very vocal segment that views such things as "government overreach" through to the literal mark of the devil.

And then there are the challenges of issuing them. There are states (the same states, typically, who shut down voting locations in working class areas and defund their DMVs) who will fight tooth and nail about having to implement this in a way that is free to all.

[DenisM]

OTOH some other states should be able to do it. They just need to agree on a standard and then motivate creditors to make use of this standard.

[fragmede]

Real ID is whole 'nother can'o'worms

[stackskipton]

Feds could also do it using Passport card and DoD does it with CAC cards so Federal government knows how to do this.

[mindslight]

You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse. After there is a US equivalent of the GDPR that lets me prevent the surveillance industry, including the traditional financial surveillance industry, from unilaterally creating dossiers about me, then we can talk about better implementations of identity verification. Until then, that dumpster fire is the main thing holding back the surveillance industry from pushing identity verification for ever more routine things like opening online accounts or buying groceries.

[FireBeyond]

> You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse.

There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.

You've literally argued "You're making a strawman by describing what I think!" You're against it because overreach and abuse. I say a segment is against it because of reasons including that. Maybe less of a hair trigger is needed.

[mindslight]

> There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.

Sure, technically there is a sliver of actual people out there worried about "mark of the devil". I'd still say it's a straw man to use that to characterize general opposition.

> You've literally argued "You're making a strawman by describing what I think!"

Uh, not at all. I accept that the government wants to be able to identify citizens. I'm not calling this government overreach. What I have a problem with is the ongoing failure to pass any corresponding laws that prohibit companies from abusing these identification systems to build limitless privately-owned completely-unaccountable surveillance databases. These abuses need to be stopped first, rather than brushing off the problems we're already suffering and giving even more to the surveillance industry.

As I said, pass a US GDPR that gives me the right to opt out of most of the surveillance industry, lets me drastically curtail and audit the parts I don't completely opt out of, and make sure any new types of identity attestation are still refutable in the legal system, and I am generally on board with stronger identification through something like a smart card.

[pdonis]

> We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.

And how will all this magically work online? Answer: you'll have to provide whatever digital secret gives you access, just the way you provide your SSN now. Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?

[baby_souffle]

> Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?

Loads of ways to do digital attestation but they all involve some 3rd party being the trusted source of truth. Typically this would be the DMV or other government branch and at this point a few red flags start to go off: dmv isn't known for it's competence and I'm not really thrilled about them getting hit to confirm my identity for pornhub.

This is a REALLY hard problem to solve unless you take a "privacy must be sacrificed for the greater good" mentality.

[jam_ocean]

Actually, you can use cryptography to prove who you are without giving anyone else the ability to simply "copy" your ID and impersonate you later. It's how message signing works: https://en.wikipedia.org/wiki/Digital_signature#Authenticati...

Some countries already have national ID systems that use cryptography like this to secure identify oneself online, such as Estonia: https://en.wikipedia.org/wiki/Estonian_identity_card#Electro...

[pdonis]

If the crypto keys are on the ID card, how does my computer read the card? How do I know the hardware and software to do that isn't compromised?

Also, the Estonia system apparently includes keys allowing the manufacturer to perform card operations. How do I know that won't get hijacked?

[jam_ocean]

I think computers need a card reader (like a credit card reader) to read the card. Or you can use your phone to read it wirelessly via NFC.

One neat thing about systems like this is that the card itself can perform a cryptographic computation that proves its own "ID", without communicating its private key to the connected computer/phone. So even if your computer was compromised, the ID card connected to it still can't be copied. The card is simple enough that there is less attack surface (as compared to an entire computer), so it's much less likely be be hacked, even if it's connected to a hacked device. Though mistakes do happen, since no system is perfect. So if a vulnerability is discovered, new cards might need to be issued.

Granted, an attacker on your computer (controlling it remotely) could just wait until you log in to your bank via smartcard and then quickly pull all your money out... you need a more complex solution to fix that problem (like cryptocurrency hardware wallets use; they have a little screen that shows the proposed transaction, and you have to physically push a button to confirm it, and then it does another cryptographic operation to authorize that particular transaction).

However, the smart card system does prevent an attacker from simply buying a database dump of email addresses, passwords, SSNs, etc. and using that to get into your bank account.