56 comments

[ 0.26 ms ] story [ 135 ms ] thread
>The target was a Vietnamese man named Hieu Minh Ngo. Investigators believed he was a big-time identity thief who sold packages of data known as “fullz,” each of which typically included a person’s name, date of birth, mother’s maiden name, Social Security number, and e-mail address and password. Criminals could buy fullz from Ngo for as little as eight cents and then use them to open credit cards, take out loans, or file for bogus tax refunds. [...] He had allowed nearly 1,400 criminals to access a database containing the personal information of 200 million U.S. citizens—almost two-thirds of the population.

If two thirds of Americans have had all of that information compromised from this one incident alone, why do we use it as authentication for anything? Shouldn't the SSN be replaced/assisted by a key pair?

I always thought the Gov't should just publish everyones SSN. That would prevent institutions from trying to use them as psuedo-passwords, while making them more useful for their actual purpose of providing a unique identifier for individuals.
Problem: Too many places already use them as pseudo-passwords, and no amount of forewarning would stop at least some of them from not moving away from that in time.
Americans are dead-set against having a working national ID system. There are even people who are upset about the mere existence of the SSN for weird religious reasons. The British situation is even worse - proof of right of residence is required for opening a bank account, working, or renting a home, but only immigrants are made to have ID cards. Also utility bills are a valid proof of address for some reason.

No, the real problem is a liability one; loan companies should be held liable for each instance of fraud where they pursue the wrong person.

Only if loan companies can freely deny loans to folks who cannot prove their credit worthiness (spoiler alert: that's a lot of lower class/immigrants/disadvantage populations). Credit is a complex problem that simple "common sense" solutions will never adequately address.
Actually I think @simplicio might have hit the nail on the head. If you want to take out a line of credit from a bank, you have to be physically present at the bank to do so.

It would inconvenience SOME who don't live near a bank and shopping loan offers around will be harder than going on Quicken Loans, but it would also make it nearly impossible for the giant crime-rings that outside of the US to steal identities and open up credit cards.

Every purchase you make with a credit card is a loan. Rapidly available, distributed credit is an amazing thing for society. I think both the genie is out of the bottle on the current credit paradigm. Forcing people to go to a physical location to conduct routine business should not be the primary solution to a problem in the 21st century.
Yes, but the line of credit is the credit card, not the purchase. You wouldn't have to go to a bank every time you wanted to buy something on a credit card, but you would have to go there to get a card.
I wonder if just requiring someone to personally appear at a bank with an ID to get a line of credit would get rid of 90% of identity theft issues. While its hardly impossible to pretend to be someone else in person, it would increase both the risk and time-commitment necessary to commit the fraud enough that I doubt it would be worth the criminals time.

On the other hand, opening a line of credit is something people do rarely enough that the extra time required for legitimate borrowers would be marginal.

That's assuming the bank you use has physical locations. A large number of banks exist now that are either geographically prohibitive for those that have moved, or more so simply lack any physical locations at all.
Why should a bank, which does not have physical locations, get around KYC regulations?

Or asked differently: How do they handle that?

> Why should a bank, which does not have physical locations, get around KYC regulations?

> Or asked differently: How do they handle that?

The same way the IRS handles it when you mail your taxes, they collect your social and some identifiers (banks tend to ask for driver's license, etc online).

Thanks.

I'm a bit surprised living in Switzerland, which has an image for those very discreet, secretive banks.

But you could not open an account with a local bank without showing your passport in person.

Even when I ran my own company and had the corporate account with a specific bank I had to show up at a branch in person showing my passport in order to open a pension account with the same bank.

This even applies for postal accounts.

Mailing a scan of your driving license would never fly. I don't think it would even be accepted as identification if you show up in person.

There could be physical businesses who's sole responsibility is to accept applications for banks and verify identity. It probably make sense for TransUnion, and similar to get into this kind of a business - validation of id for submission of forms.

Obviously this would be more expensive for the consumer. I think if we can put a credit-freeze except for such applications in person, there would be people who go for it; I would.

If we had key pairs, why would we need a national ID system?
What verifies the keypair-person mapping? PGP "web of trust"?
Each organization can choose how they want to validate a person’s keys.
.. which is fairly pointless, because the whole reason organisations use things like SSN in the first place is delegating verification to someone else.

Trying to do the whole thing in the private sector would result in everyone using Equifax as a "private key verification service".

Presumably one of those organizations would be the federal government...
Lulz, I considered including my own (non-religious) objections to such a system, but decided they weren't relevant.
> but only immigrants are made to have ID card

Errm, that's not true.

I'm referring to the biometric residence permits. Who else is made to have ID cards?
I'm an immigrant living in the UK, I have no such ID card. I have a driving licence and that's about it from stuff issued to me by the British government :)
From the EU?

(I should probably have written "some immigrants", because the situation is tediously complicated. Anyway, presumably you get to use the license as proof of right to work/rent etc?)

Yeah it is horrendously complicated for different nationalities! I've only ever had to provide a scan of my passport to employers in order to prove I have a right to work. Never had to do that when renting. I bought a house recently, so proper ID checks were part and parcel of that (but that was the same for my British wife).
9 years ago you would not even be accepted into a pub in the UK if you only had a EU ID card with you. Not so sure about today as I’ve got a UK driver’s license not to bring my passport with me.
> There are even people who are upset about the mere existence of the SSN for weird religious reasons.

The religious reason is generally about seeing insurance and/or investment as gambling, as I understand it. I wouldn't call it that weird.

> Also utility bills are a valid proof of address for some reason.

Well, yes. A utility bill means that there's a highly-regulated company that is providing you a recurring service to that address, billing you at that address. If the electric company is billing you at a house, for providing electricity to that house, presumably that is your house. It doesn't seem especially unreasonable, it's going to be more up-to-date than the record of when the house was bought or when you started a lease, and it's cheaper than sending a government employee to verify. It doesn't have to be a hard, unfalsifiable proof; it only needs to be stronger evidence than writing down whatever address you like without any checks.

> If the electric company is billing you at a house, for providing electricity to that house, presumably that is your house.

Utility bills are ordinary pieces of paper that can easily be forged.

Even if you have a genuine one, all it proves is that the address exists in enough of a way to have its own utility meter, and that the person you're dealing with has access to the mail there. That's not nothing, but it's not a lot. People may not be on the bill (subletters etc), or the bill may be paid by an absentee landlord, etc.

Conversely, the security is terribly vulnerable to social engineering, like SMS "2FA". I know because I had a month's disruption when someone managed to order a replacement phone line to my house and cut off my internet for a month.

Utility bills are forgeable paper, yes. So is any other proof short of the strong cryptographic kind, which is going to be a lot more trouble to get set up infrastructurally. Also, forging them, or theft of mail, is a notable threshold beyond "just say you live there". Generally, in my experience, proof-of-address is coupled with some other requirement to prove your identity, so a genuine-but-stolen utility bill would need to be coupled with either a forged ID or a remarkable resemblance to the actual owner.

It's not perfect, but I would say that in most cases it's better than nothing. It's a bit lacking for of subletters, but when I've needed proof-of-address, showing the signed lease has also been acceptable.

(I actually am in a month-to-month with no lease and with a roommate's name on the utility bill, so the last time I needed proof of address I needed something else. Can't now remember what it was.)

> So is any other proof short of the strong cryptographic kind, which is going to be a lot more trouble to get set up infrastructurally.

More trouble definitely, but not crazy hard. Some creditcard companies do it in those chip cards (others just put a readable ID on the chip, which is why you still see zoe gods printing chip cards). I know the government is generally less efficient than corporations, but they've got a massive budget. They should be able to figure out how to make an ID with a cryptographic signature that verifies itself and brings up a pre-registered photo on the computer of the person verifying you that's pulled from a government database. I don't really even want the government to have power, and I believe a national ID program like the one I'm proposing would do that in ways, so I'm fine with them failing to do this... I just don't understand why they haven't yet.

It could be as simple as scanning the barcode on a drivers license, the data goes to government system, and they compare what they see. Minus the last step, this already happens at lots of places that sell beer.

If minimizing privacy invasion, they could type info they're verifying in to get a yes/no instead of seeing whole thing. There's strategies for reducing abuse of such a service, too.

Americans not having a national ID system has nothing to do with what Americans want. It is expressly unconstitutional for the Federal government to require such a thing, only the individual States have the authority to issue IDs and the States are required to recognize these documents from other States. Again, the US is organized more like the EU than a single country.

Consequently, all Federal identification documents are strictly voluntary (like passports), which means some significant fraction of the population will never have them.

Good point.

Perhaps a PKI-based federated system should be deployed, even if adoption were on a state by state basis. I assume most states would adopt it, given the benefits we can think of ourselves.

(comment deleted)
Governments are long overdue a good authentication system.

Note that passports provide passable ones but not everyone has a passport.

If you desire an optional government-enforced ID scheme, Estonia provides some even to non-resident. You need to go to an Estonian embassy with a valid passport and for a sum ($200 IIRC) they'll give you a card and a USB card reader that allows to sign certificates in a way that is authenticated by the Estonian government.

I was wondering, does it make sense for "Underworld" to adopt something similar to Facebook's Libra?

Seems like a perfect fit and transaction cost would be worth it.

They already did, it's called bitcoin
Monero actually. Bitcoin is traceable.
Yes. It's usually converted back/forth between those two though, as Bitcoin is sometimes the only one accepted.
Absynthe/Master Splynter was an undercover agent at those times.
> First of all, for thouse who [have] big money [stuck] in LR, dont be anxious … thinking about the possibility to loose your money. Thats will cause unnecessary pain. Give a good kiss your wife/girlfriend or your son if you have. Give a time for your mind. Live your life whatever be the future of this money … If still thinking that you have no where to run: IF we lost, (I said IF, we have nothing concrete yet) we lost a place to KEEP money, not the way to MAKE money. Keep that in mind. The show MUST GO on.
>Budovsky insists he didn’t marry Vargas simply to get Costa Rican citizenship, which would have been illegal. Theirs was a personal relationship, he told me, without elaboration.

Lol!

I m not really how they gross 200 M USD in transactions at 1% and he is found with 2.5 M USD in his debit card.

>Prosecutors dismissed the idea that many legitimate businesses used Liberty Reserve. After the takedown, they noted, users were encouraged to contact the U.S. Attorney’s Office in Manhattan if they wanted their money back. According to prosecutors, only 35 people did so.

Was that because only 35 users were legitimate, or because the users - even if completely legitimate - were reluctant to risk potentially destroying their lives by admitting their identities to federal investigators?

Additionally size of average account would matter, I don’t see people wading into those waters over $50 or probably even $200
I was not even aware this was possible.

My loss from the LR takedown was ~$600 and this is the first time I ever heard that any such recourse that was available.

In my personal experience, LR was easier to use and more widely accepted at the time than competing services. (namely PayPal)

This article focused a lot on the carding scene, which no doubt was heavily reliant on LR, but to paint all 1MM+ users of LR as carders is simply incorrect. As the article mentions, it was trivial to open an account (as easy as signing up for HN really) and many would do so to make a one-off payment.

So long with the right to a lawyer and a fair trial.

>> According to Stapert, the U.S. government requested that he forfeit his fees for the case—insisting that the money Budovsky had paid him was tainted—a move that forced him to drop Budovsky as a client. (The Manhattan U.S. Attorney’s Office denies that the government petitioned Stapert to forfeit the fees.) Once on U.S. soil, Budovsky was assigned a court-appointed lawyer;

Once a case is big enough for improving the reputation of prosecutors and institutions involved, they will go to any length to make it happen.

Challenging the US justice system in matters of legal (and even human) rights, more often than not, leads to dead ends.

> An agent tried opening an account with the name “Joe Bogus” and an address of “123 Fake Main Street” in “Completely Made Up City.” The agent also named the account “ToStealEverything” and wrote that it would be used for “shady things.” He encountered no problems, and the account was soon functional.

One must assume registration was automated at this point, no? There's no shady business practice in this specifically.

The issue is that financial systems are regulated and opening an account usually requires an AML / KYC process that ties you users to a personal ID.
As the article states, Western Union is used frequently for transactions with assets that may have been gained through illegal activity (as judged per various government measurements/perspective).

And the USD is likely the greatest instrument by volume of the same types of transactions.

The transaction business will continue, as humans continue to trade for benefit. The cat and mouse game seems mostly about "authorities" overseeing and/or obtaining their share.

Again, an opportunity for p2p distributed, anonymous, and encrypted technology to allow humans to continue to trade that which they value.

Currency/money is based on trust/faith, so that would be the logical focal point.

Hypothetically, such development work would likely need to be conducted in jurisdictions that owe no allegiance to those authorities that do not wish for it to occur. Flavors of Cryptonomicon...

Fascinating.