Brazil would require a "CPF", which is a unique number assigned to individuals. If you are doing something simple such as an online purchase or monetary transfers(to someone else's account), the number alone could be sufficient, coupled with other information like full name and address.
Many places will not be happy with just the number and will require at minimum a scan of the actual document - if you are lucky. Most likely, if you need to send in a copy, that copy has to be notarized. Which means that you have appeared in person with the actual document and got it notarized. You'll then send it by mail or drop off in person.
Sometimes this is not an option and you need to be present with the actual document - like if you were selling property or opening bank accounts, or even starting a business (which requires trips to many governmental agencies).
If you are filing taxes, then CPF is required, as well as the ID card, voter registration card(voting is mandatory). They have started to combine documents, but even then the actual hardcopy is required in most cases.
Medical care... well that's free so there's no fraud needed. If it's for private insurance, you'll have to have your insurance-issued card, plus your ID card. Unless it's an emergency, but even then you'll have to provide these sooner rather than later.
Financial institutions like banks: you'll either use internet banking, in which case any credentials or devices needed will have been issued in person by a branch, or you'll have to go to a branch.
If your physical documents get stolen or lost, you need to report to the police and get issued new ones. In that case, ID theft can happen if they were indeed stolen, but it's unlikely to have long-lasting implications if you have made the police report. This usually requires some corruption as some of those documents have photo ID. In that scenario, you may have to do some work to clear your name and it is not very different from US ID theft.
The bureaucracy is ridiculous so often you can have issues doing things even if you are who you say you are . But actual ID theft is not that prevalent. If you search for 'identity theft' most of the results are about getting website credentials compromised.
The main issue in the US is the use of a 'unique ID' which was never meant as ID, can't be changed and has no built-in security measures.
> Brazil would require a "CPF", which is a unique number assigned to individuals. If you are doing something simple such as an online purchase or monetary transfers(to someone else's account), the number alone could be sufficient, coupled with other information like full name and address.
> The main issue in the US is the use of a 'unique ID' which was never meant as ID, can't be changed and has no built-in security measures.
As someone with no knowledge of how Brazil does things, how is the CPF any different than an SSN? Is it the requirement to present a notarized copy of the document the difference? Or something else?
CPF and SSN are just numbers that uniquely identify a person.
The difference is that in Brazil, because of bureaucracy and fraud prevention, it is a lot harder to use somebody else's data to your benefit. Which is just as well, because most Brazilians are not careful at all and will readily give out their data.
I will give an example of how insane the bureaucracy can be: I once had to show my personal documents to an authority (ID, work card, driver's licence, certificate of birth, and so on). Because I was not born in Brazil, I was asked to show proof that I was Brazilian, to which I replied: how could I possibly have all this documentation and not be Brazilian?
But it is getting better and government offices speak to each other (through databases and webservices) and so they can more easily identify a person and not require so much paperwork. Still, some older folks can't shake their mentality.
I’m gonna rant here, but a big problem is that SSNs were never designed to be used as an identifier. It was simply used to allow someone to receive Social Security, hence the name. They literally used to have the text “Not to be used for verification.”
As for its problems, there’s quite a few, but the two big ones IMO are (1) no check digits and (2) (up until relatively recently) they’re sequential. I don’t know when the change was, but if you take a SSN issued before 2000, you could add one to your whole SSN and it would be a valid one. They may even have been born on the same day as you in the same hospital. Also, you could find out a general area where someone was living when it was issued (usually birth) using the first 3 digits.
Well the modern countries use documents such as ID card or passport, you can't just walk to a bank and start opening accounts from that little data. It's actually insane Americans have that archaic system.
> Well the modern countries use documents such as ID card or passport, you can't just walk to a bank and start opening accounts from that little data. It's actually insane Americans have that archaic system.
It's archaic to allow opening bank accounts completely online with no physical presence/authentication required?
I don't know about you, but I wouldn't like for anyone to be able to open a bank account in my name.
Opening bank accounts (and accessing them later) without authentication is insane not archaic :)
Most banks here require physical presence and the government issued (photo) ID to open accounts, and online banking has 2FA via either physical token or at least SMS.
There is an unique number assigned to you on that ID, but it's stored basically everywhere and only used to look you up faster, never for authentication.
If you call the bank and try to do something over the phone they either tell you it's impossible or for less impactful things they randomly ask you pieces of info about older transactions, info that isn't on your ID card etc. Or just give you a plain phone PIN when you open the account.
Yes because of security issues? Also some countries have chips in their ID cards that allow secure, online authentication with a card reader. Banks still want to check you in their office because of money laundry laws.
Some companies are starting to use "knowledge based authentication" like "which of these streets have you lived on?" but of course they get that information from the data brokers so anyone who can access data brokers can still "steal" identities.
The usual, credit agencies ARE JUST AS BAD AS WE THOUGHT. They exchange all of our information with each other, and their security is so absolutely horrible that a 20 something hacker in Vietnam who just learned English could stay in their systems for years and build a business off of reading queries directly from these databases. It’s actually insane.
The existence of these databases, especially given how insecure they are is, of course, a real national security threat, but the lack of reaction from the government is telling.
Yet everyone is freaking out and moralizing about nonfinancial data voluntarily given to Facebook. If only the credit bureaus kept our financial and identity data as Facebook kept your list of favorite movies and your selfies.
Facebook sell your favourite movies, friends, political views and anything else they know about you to advertisers. it's a very similar business model.
They actually don't, unless you define selling as they allow advertisers to select what demographics/attributes their ads target. But the actual data stays on the Facebook servers. If you're referring to the apps having access to user data, that was not selling at all, but instead a permission originally granted by users by probably forgotten about. Basically, unless you contort the definition of selling to a very different meaning, that's simply not true.
And if you do use that definition of selling, then everyone is selling your data. All the politicians who decry tech companies are selling your data using the same definition. Every advertiser, retail store, bank, basically every large business offers other businesses a way to access a specific subset of their users.
Yes, that's how I define selling in the context of that sentence, as the only other way to read 'they sell your favourite movies' is the wilful misinterpretation that they actually sell movies, which would be a non-issue.
I think it's pretty clear they sell your preferences to advertisers and let apps misuse your data (there have been plenty of scandals where people didn't understand what apps would get).
This is emphatically not the business model of most businesses large or small.
I think I see the confusion between us. You don't see the difference between selling data to a company, and selling ad space where the advertiser can choose for what demographics it shows up for.
Let me try to make it more clear. Do you see the difference between "hey Chase Bank, do you want to buy this file containing data about grey-area's interests, age, political stance, credit score, purchasing habits, etc." versus "hey Chase Bank, do you want to put an ad on my website that is only shown to people with credit scores above 600 and are interested in savings accounts"?
If they both seem the same to you, then I don't think your perspective is one that a reasonable person would take. If you do see the difference, then Facebook is doing the latter, but the word "selling data" conjures the former, which you do recognize as a different matter.
I'm going to ignore the nonsensical definition you gave of selling data = selling movies, being the only other definition of selling you could imagine, in hopes that it was just an oversight.
I regularly wonder why we don’t have some form of physical verification token which signs things with our identity, the whole system is broken in that regard.
The closest thing to this are probably the seals or "chops" used in East Asian countries to authenticate contracts, invoices, and financials. Of course it's the seal's imprint you need to authenticate a document, but in practice physical control over the seal tends to be what confers decision-making power.
28 comments
[ 3.1 ms ] story [ 79.6 ms ] threadScary how little you need to steal an identity in some places...
What countries and what type of information do they ask for?
Many places will not be happy with just the number and will require at minimum a scan of the actual document - if you are lucky. Most likely, if you need to send in a copy, that copy has to be notarized. Which means that you have appeared in person with the actual document and got it notarized. You'll then send it by mail or drop off in person.
Sometimes this is not an option and you need to be present with the actual document - like if you were selling property or opening bank accounts, or even starting a business (which requires trips to many governmental agencies).
If you are filing taxes, then CPF is required, as well as the ID card, voter registration card(voting is mandatory). They have started to combine documents, but even then the actual hardcopy is required in most cases.
Medical care... well that's free so there's no fraud needed. If it's for private insurance, you'll have to have your insurance-issued card, plus your ID card. Unless it's an emergency, but even then you'll have to provide these sooner rather than later.
Financial institutions like banks: you'll either use internet banking, in which case any credentials or devices needed will have been issued in person by a branch, or you'll have to go to a branch.
If your physical documents get stolen or lost, you need to report to the police and get issued new ones. In that case, ID theft can happen if they were indeed stolen, but it's unlikely to have long-lasting implications if you have made the police report. This usually requires some corruption as some of those documents have photo ID. In that scenario, you may have to do some work to clear your name and it is not very different from US ID theft.
The bureaucracy is ridiculous so often you can have issues doing things even if you are who you say you are . But actual ID theft is not that prevalent. If you search for 'identity theft' most of the results are about getting website credentials compromised.
The main issue in the US is the use of a 'unique ID' which was never meant as ID, can't be changed and has no built-in security measures.
> The main issue in the US is the use of a 'unique ID' which was never meant as ID, can't be changed and has no built-in security measures.
As someone with no knowledge of how Brazil does things, how is the CPF any different than an SSN? Is it the requirement to present a notarized copy of the document the difference? Or something else?
The difference is that in Brazil, because of bureaucracy and fraud prevention, it is a lot harder to use somebody else's data to your benefit. Which is just as well, because most Brazilians are not careful at all and will readily give out their data.
I will give an example of how insane the bureaucracy can be: I once had to show my personal documents to an authority (ID, work card, driver's licence, certificate of birth, and so on). Because I was not born in Brazil, I was asked to show proof that I was Brazilian, to which I replied: how could I possibly have all this documentation and not be Brazilian?
But it is getting better and government offices speak to each other (through databases and webservices) and so they can more easily identify a person and not require so much paperwork. Still, some older folks can't shake their mentality.
As for its problems, there’s quite a few, but the two big ones IMO are (1) no check digits and (2) (up until relatively recently) they’re sequential. I don’t know when the change was, but if you take a SSN issued before 2000, you could add one to your whole SSN and it would be a valid one. They may even have been born on the same day as you in the same hospital. Also, you could find out a general area where someone was living when it was issued (usually birth) using the first 3 digits.
(Name+SSN is likely to be unique, the issue is that knowing a name+SSN doesn't prove you are the person with that name and SSN...)
It's archaic to allow opening bank accounts completely online with no physical presence/authentication required?
Opening bank accounts (and accessing them later) without authentication is insane not archaic :)
Most banks here require physical presence and the government issued (photo) ID to open accounts, and online banking has 2FA via either physical token or at least SMS.
There is an unique number assigned to you on that ID, but it's stored basically everywhere and only used to look you up faster, never for authentication.
If you call the bank and try to do something over the phone they either tell you it's impossible or for less impactful things they randomly ask you pieces of info about older transactions, info that isn't on your ID card etc. Or just give you a plain phone PIN when you open the account.
And if you do use that definition of selling, then everyone is selling your data. All the politicians who decry tech companies are selling your data using the same definition. Every advertiser, retail store, bank, basically every large business offers other businesses a way to access a specific subset of their users.
I think it's pretty clear they sell your preferences to advertisers and let apps misuse your data (there have been plenty of scandals where people didn't understand what apps would get).
This is emphatically not the business model of most businesses large or small.
Let me try to make it more clear. Do you see the difference between "hey Chase Bank, do you want to buy this file containing data about grey-area's interests, age, political stance, credit score, purchasing habits, etc." versus "hey Chase Bank, do you want to put an ad on my website that is only shown to people with credit scores above 600 and are interested in savings accounts"?
If they both seem the same to you, then I don't think your perspective is one that a reasonable person would take. If you do see the difference, then Facebook is doing the latter, but the word "selling data" conjures the former, which you do recognize as a different matter.
I'm going to ignore the nonsensical definition you gave of selling data = selling movies, being the only other definition of selling you could imagine, in hopes that it was just an oversight.
If they can overcome that, sign me up.