Tangentially, the FCC is forcing the hand of mobile carriers on this. T-Mobile just the other day has updated their policy so that two employees must be present and part of the process to swap a customer’s SIM. The perils of your phone number being your identity.
Refreshing to see these active theft and wire fraud prosecutions.
That's nice to hear. So the SIM swappers have to double their bribes.
I think the best solution is to cut the mobile providers out of the equation altogether. I've long advised removing your phone number from anything you can, or at least substituting a voip service that can't be social engineered over the phone. Some services don't let you use voip services for multi-factor or signup, so your mileage may vary.
Also, it's important where possible to use types of multi-factor that don't rely on your phone number. The tricky part is, so many sites will let you reset your password if you can receive a link via SMS at the phone number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).
One of the few things I miss about giving up my landline a couple years ago is that I pretty much have to give out my cell phone number for anything that needs a valid phone number. (yes, I could use Google Voice or some sort of VOIP number but that starts making things complicated.) I used to be very selective at giving out my cell number.
> yes, I could use Google Voice or some sort of VOIP number but that starts making things complicated.
You should soldier through it. Google Voice is a decent free service domestically, unless paranoid. I use it in the reverse manner as I expect you would intend (if you'd intend to generate many virtual throw away numbers to forward back to your phone until the forwarding is manually severed). My actual phone number has changed many times over the years, but my GV number stays the same. Eventually, I got rid of my phone altogether. That was January 2014. But jobs will often require I carry the on-call cell (which I almost never need to use and just for work). Boy I sure miss those cell phone bills every month, not. I just realized GV has saved me at least $10K since I cancelled my cell contract.
More and more places refuse to accept my Google voice number for verification. It started out with nearly all banks but has gotten ridiculous recently.
Target outright refused for Target circle a couple years ago. Recently 7-11 had accepted my Google voice number to get points on in store purchases but now that I live somewhere where I need a car, the gas pump decided the number was invalid when I tried to get the discount on gas from the pump I'm worried since I basically never gave out my actual cell for over a decade now
Good point, that is a problem, though I can't fathom why a bank wouldn't accept it, but I do recall having issues before with some site not accepting it (possibly Craigslist?). My solution is simple: if my GV number is not accepted, I take my business elsewhere.
>That's nice to hear. So the SIM swappers have to double their bribes.
Most SIM-swappers are retiring with their ill-gotten crypto, but the ones remaining are at the "bribing prosecutors" level now.
With crypto skyrocketing and the pitfalls of SMS becoming more apparent, I fully expect the jump to amateurs purchasing and leveraging state-level 0days against unwitting wallet holders.
The gap between profit and cost is getting larger, and more crypto-millionaires are going to get their Teamviewer 0dayed.
One thing I don't understand about the suggestion to remove my phone number from 2FA is that 1FA seems worse. I'd prefer something like Google authenticator, but none of my banks offer that. Did I misunderstand the suggestion? Is there something else I should do?
> but none of my banks offer that. Did I misunderstand the suggestion? Is there something else I should do?
Yes there is: change your bank. If your bank is still using SMS based 2FA, get the hell out of there. If you really need to keep that account for reason X, move out all your assets to another bank and keep enough funds to fund X there.
Charles Schwab and USAA use TOTP but aren't exactly main stream banks. Both use a Symantec client and don't officially support third party authenticator apps.
The problem is that often adding the phone number just says "2FA" but in reality becomes as another single authentication factor (e.g. in credential reset workflow) - and, given the risk of SIM swap, it may be weaker than proper 1FA e.g. a good password.
One of the advantages of using Google Fi as your phone provider on a Google phone: there's no SIM, and you have to log in to the phone on your Google account in order to transfer phone/SMS service there. So an attacker can't use a SMS hijack to steal 2FA codes unless they've already compromised your Google account (which is hopefully a higher bar than convincing some random phone shop employee).
> or at least substituting a voip service that can't be social engineered over the phone
unfortunately it's also very easy for somebody to submit falsified port documentation to port away your voip number to their own carrier.
In many cases even easier than doing a SIM swap, since the oldschool way to do a port is to literally print out one page of a bill with your name on it (Anybody could edit this by inspect element on a legit bill of their own and swap your name), print it, sign it in ink, scan it, and send it to the carrier requesting the port-in
> one number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).
> reply
Why not use a special phone number for 2FA? How do hackers know your phone number?
Hackers can easily get anyone’s phone number. Just Google <name> phone number. There are so many data brokers out there happy to sell this information.
If you use a special separate phone number for 2FA in multiple places, then it likely has both been exposed in some data breach, and also been sold for marketing/tracking purposes; attackers can get access to both these types of sources.
You must have to pay more than double to bribe two people simultaneously -- since each one then has to rely on an extra person to cover up the corruption.
I wonder if the following idea has occurred to anyone else?
We have more and more kinds of accounts, financial products, online services, etc. that would benefit from some kind of real in-person verification at points in the process (initial application, maintenance, changes to account) that are imperfectly done with credit checks, questions/answers, logins, etc.
We have Post Offices in nearly every corner of this country. How about turning them into a kind of value-added identity verification service where any company wanting/needing an identity verification could rely on the Post Office to accept someone in person to prove who they are (through fingerprint, document, etc) and be the 3rd party to make this proof easy?
Sure you would need to have normal fraud protections, etc. but I bet the act of having to come to a post office would make things very secure / reliable. And it would give the post office a new function. I heard of this being done in some other countries.
It seems like a way to avoid us all having to pay for fraud so frequently.
There's a number of KYC services where you're basically asked to be filmed and a person in a call centre looks at it and decides whether it's really you.
When I went looking at them they were boasting with using AI, and then in the meeting it turned out it was mostly farmed out to someone in India.
>We have Post Offices in nearly every corner of this country. How about turning them into a kind of value-added identity verification
When I opened a bank account (n26) in Germany this is how they verified my identity (along with a brief video call) as a foreigner so the idea has merit.
Going through some processes on DMV and USCIS recently I noticed both of them were using Id.me
Seems like a private company providing services to these gov agencies on authentication. Seems like a better solution than showing up at the post office.
That’s actually fascinating, because this official login solution exists, and it seems very nice: login.gov. It’s from the GSA which seems to be doing some good work.
I wonder how id.me differs, and how we haven’t centralized on one solution yet
Over 200 federal agency web properties have adopted login.gov. Social Security Administration recently adopted them as their primary identity provider (and appears to be phasing out id.me but I’m waiting on some ground truth to confirm that). Something is up with IRS as to why they went with with id.me, and someone has submitted FOIA requests to get more context.
There are already standard ways of doing brick and mortar identity verification, and in somewhat surveillance-resisting ways even! The most common is "notarization" - a state-deputized "notary" verifies that you are who you say you are, and then endorses your signed document with a special stamp and a signature. Another common one used for financial transactions is a "medallion stamp", wherein not only do they verify your identity, but the institution doing the medallion stamp also takes on the risk for a fraudulent transaction.
Both are generally available for free by being a customer of your local small bank or credit union. These could be easily adopted by web companies for password resets, account withdrawals above self-set limits, etc.
Yes, but notarization feels like a much more cumbersome process, designed for more like "once in a lifetime" transactions (house purchase, will, etc). It also feels more like a proof, only needed if a transaction is disputed in court etc, it can be investigated back to the source.
I mean the every day kind of verification that fuels our daily transactions and benefits from instantaneous info being transmitted back and forth, to easily get a credit card approved for example.
The cumbersome part of notarization is having to physically go to the bank, which would be the same for the post office. The performance of showing up in person, and showing a physical hard-to-forge ID, is exactly what drastically raises the bar for an attacker.
Doing this instantaneously implies skipping the heavyweight process. Which I assume means doing something like a one time (or periodic) cumbersome in-person process, and then repeating a quicker online process. Any private company could create such a system right now, bootstrapping off the notarization framework to do the heavy lifting.
But credit cards and other traditional financial institutions don't actually care about identity in such a strong sense. The standard process for setting up online access for a new account at a brick and mortar bank involves leaving the bank, going to their website from home, and entering your not-particularly-private information to sign up. That could be easily modified to setting up initial access credentials right in the bank if they wanted to, but the traditional financial system is pretty forgiving for the most part.
So we're really talking about custodians of new bearer instruments (eg cryptocurrency), which are more like cash. Hence my reference to these new holding companies being the ones that should be integrating notarization into their exceptional account access methods. Of course they could also just insist on the use of real security tokens, require a second one for backup purposes, and simply not use SMS at all.
FWIW another more convenient way of doing brick and mortar verification is to snail mail out a letter with a code on it to the address of record. It obviously doesn't have super security properties (anyone can steal mail), but it's much better than electronic-only non-verification and much nicer than surveillance database verification.
Yes from what I know, you technically do not need to get a will notarized. But getting it notarized makes it a "self proving will", which will be easily accepted by a court. If you don't do the notarization at the time, your poor executor will likely need to hunt down the witnesses and get them to sign affidavits.
Canada Post, the equivalent of the USPS in Canada, offers exactly this service [1]
I've used it for Know-Your-Client type stuff with banks, but it is theoretically open to most if not all businesses. Every time I've needed to interact with it, it's been a straightforward process as a consumer.
Sagawa (a private courier in Japan) provides a similar service but at your doorstep. Basically the sender registers your info with them (mainly DoB) and upon delivery you have to provide an ID, which the driver checks that it matches with what's written on the envelope, then enters your DoB and other info and your ID number into a portable wireless POS device. Only if they match, you receive the package, and then I believe the info entered into the device gets relayed to the sender.
It would be amazing to see the current trust / code-signing industry fail and for something that integrates services like the one you linked to replace them.
I've always thought that a code-signing certificate tied to a natural person should be more valuable than one tied to a faceless corporation, but the industry is (poorly) built around selling high priced certificates to anyone with enough money to start a business.
Imagine being able to get a code signing certificate in a single afternoon by signing up, taking your ID to Canada Post, and downloading your certificate after the identity verification is submitted. That would be quite the difference from the current awful experience where someone in a foreign country guesses and makes judgement calls based on the documentation you snail mail to them.
Or we could just have a modern ID card that already has a cert embedded in it, and skip the whole go to the post office step. Most big companies and the US Federal government have already figured this out for their own employees.
Keep the post office option for the folks that don't have an ID, but for most people, this would be the most straightforward option.
This does work for certain things, but for some things you don’t just want proof of possession of a particular person’s ID card, you want to see that a particular person matches the document they are presenting in addition to verifying that the doc is real.
Wouldn't people just get socially engineered into giving up their code signing certificate? Some ads along the lines of "give us your code signing certificate and be entered into a raffle for an iPhone" would probably work. Stand in line to get some document you'll never use, maybe win a gadget, and a few days later your name is being used to spread malware.
Basically, I don't think a natural person is enough protection against malice. Something like "stick 1 million dollars into escrow, and if someone uses your cert to spread malware, we keep it" is a much stronger incentive. (Not what's done, of course.)
Here in europe we have several countries with digital ID cards. You put your ID in a smartcard reader, you put in your pin, and you can get your identity verified in a web browser.
In Sweden we have "BankID" that could be card based, but almost everyone has it in their phone. It is issued by the banks (hence the name?) since they already has vetted your identity. BankID is used almost everywhere, from online banking to sign your employment contract or collect benefits when you're home to care for your sick child.
The post office used to issue normal identity cards, but today I only think it's the DMV equivalent and the police that does that.
Its usually situated on post offices or local government offices and makes it possible to get verified electronic signature that you can then use to prove your identity electronically. It can also access various government registries, etc.
Meanwhile the USPS instead funds itself by being an open channel for wasteful junk mail.
Making money while doing something actually useful? Not my government, not when there's a tiny sliver of profit to be funneled to wealthy special interests!
Here's my Senator on the subject of postal banking:
> “You would have to work very hard to come up with a worse idea than having the government become a national bank executed through the post office,” [Sen. Pat Toomey, a Pennsylvania Republican] said. “Even if the U.S. Postal Service was the most competent, professional and best-run organization on the planet, they should not be in the business of banking.
> “We have banks,” Toomey continued. “The idea that the government is going to do a better job is just laughable.”
What's even funnier is that we actually used to have Postal Banking back in the 20th century.
But like other things during the 'Regeanomics era', it was cut, along with forcing the USPS to pay pensions 10 years in advance. The context does help to explain the reason why our USPS Grumman vans are well over their service life, and no where near retirement yet.
I lived in the Netherlands and admired how they offer a SSO service called DigiD for most—if not all—national and municipal services: personal tax, business tax, healthcare, pension, water, garbage, police and many other service portals. Yes, there is a nice online police portal where you can digitally file a police report, get a declaration for insurance, and ask questions.
You also get a digital inbox—Berichtenbox—to organize and centralize all communications from those agencies.
It is difficult to overstate how much life is made better when the government is well-organized and that organization is exposed to you through good UX. I'm now back in the US, it's been 2+ weeks since my renewed passport was supposed to have been mailed to me, and no one at the State Department knows anything.
It's long, long overdue. That said a national ID scheme has long been opposed by a vocal part of the Christian population in the states. It's association with the new testament's prophesy of the mark of the beast prevents many lawmakers from pushing forward a proposal, especially since 65% of Americans in 2019 identified as having a belief in some variety of Christianity[0].
The obvious reality here is that in the wake of no proper national identification system, social security numbers have been used instead. It's not a question of whether or not we have a national ID, it's really just a question of whether we have a functional one or an inadequate one. Nonetheless politicians would likely be committing suicide with their constituents in some districts if they were to support a push towards a better system.
Historically that was sort of the case. I'd argue today that we mostly rely on state-issued IDs (especially but not necessarily driver's licenses) which are now overlaid with RealID requirements.
As a practical matter it's probably indistinguishable from what a federally-issued ID would be and I'm mostly content with not adding any more layers of identity verification than are really necessary. I'd probably oppose a push for a broadly required federal ID--although I have a passport (and a global entry card).
This doesn't invalidate your point, but man it irritates me how many states have chosen to retain a noncompliant ID tier in order to avoid eating costs or raising fees. At least my state offers a full EDL so there's some added value, but it's absurd that the 'default' local ID isn't adequate for domestic air travel.
There are non-trivial documentation requirements for RealID though. I had to go back in a second time. If someone has no need to fly it’s probably reasonable to offer them a lower bar.
There's a surprising number of people who do not possess a birth certificate document. Their parents lost it, it got thrown out during an eviction, etc, etc. I've witnessed people at DMV stations who brought in their original birth certificates, but the embossed notary stamp had flattened over the years. It takes time and money to get a replacement. If the non-enhanced IDs didn't exist, these people couldn't get a state id card.
I have a passport so it's sort of academic, but I'm not sure if I could lay my hands on my birth certificate. I'd certainly have to look through some file cabinets to see if I could find it and who knows if it's an original or not.
For people without a passport, it's extremely easy to have lost a birth certificate at some point over the years. And I honestly have no idea how easy or hard getting a new one issued is from some potentially far away city or town.
>it irritates me how many states have chosen to retain a noncompliant ID tier in order to avoid eating costs or raising fees
That's not why. States like California have dragged their feet for a decade with RealID compliance because they want to keep IDs for people in the US illegally indistinguishable from those for citizens, permanent residents, and others here legally.
That's interesting, I can imagine why certain groups would want that but not really why the state itself would want it; and if they would, why can't they just explicitly pass a law granting those people whatever rights they want to grant.
I don't understand why people think religion is the main reason to oppose this.
The main reason to oppose this is that if you had a low friction government ID system, surveillance capitalism would then require you to present your ID to do anything whatsoever and all privacy would disappear forever.
But we already have that? If you pay with a credit card, have an address on file, or use a state-issued ID (drivers license), I don't see how that would be worse.
Credit cards are already a privacy catastrophe for anything where you have to pay money, but people will push back if you demand one for anything where you're not supposed to be paying anything because people are rightly wary of being charged when they ought not to be. Anyone who gives their credit card number for a "free trial" learns that the hard way and then becomes appropriately cynical.
A state-issued ID generally doesn't work over the internet, which is good. Some of them can be read electronically in person, which is already being abused to a limited extent and should be gotten rid of.
Which is the general response to your concern: "This is already a problem" means we need to go the other way and address that so that doesn't happen anymore, not intensify the problem and set it in concrete so it can never be fixed.
Centralized identity is a design flaw. Your bank needs to know if you're authorized to withdraw from your account, which is why you have a bank card. Your email provider needs to know if you're allowed to access your email account, which is why you have an email password. Your apartment building needs to know if you're authorized to enter, which is why you have an access card. What we don't need, and should not have, is a single primary key binding all of these things together so it can be correlated in a single database.
As someone who campaigned against UK ID cards 20 years ago, we failed to realise that the ID requirements could be imposed without providing the ID scheme.
Since then the UK has imposed ID (technically "proof of right of residence", but that kind of has to be ID) on having a bank account, having a job, and both buying and renting houses. All without having a coherent ID scheme other than passport or driving license.
People can reasonably get multiple phone numbers. A good countermeasure against this would make this easier and less expensive for people to do, e.g. you buy one phone plan and the phone company gives you two phone numbers, either of which you can change at your leisure. Then you give one to your friends and the other to your enemies, and change the second one every time you encounter a new enemy.
IMHO the difference is that the status quo (a high friction non-universal government ID system + almost universal private "ID"/tracking systems) has all the same disadvantages anyway, but simply fails to realize the possible benefits.
What possible benefits actually are there, compared to non-centralized identity systems we already have? The only thing you get from a centralized identity system is the bad thing -- it allows surveillance bureaucracies to correlate separate authentication tokens with each other.
This means that each and every institution has to verify identities "from scratch" which they are not really capable of. Bootstrapping trustworthy verification of identity that is useful for commerce (e.g. where you can practically collect debts/credit and prevent creating fake identities so that you know who you're dealing with, can reach them for contract enforcement if needed, and can ban people you don't want to deal with) is really hard, so everyone is essentially delegating it to someone else - webstores to credit card issuers, all kinds of institutions to social security numbers, some to phone numbers, and everyone is doing that poorly and failing at making it secure since there is no solid foundation for any of it, resulting in the extremely costly identity theft problem (in USA it's like $50bn per year?) and in cases like this, where companies have to rely on "phone numbers" and ridiculous "security" questions like mother's maiden name - because they don't have anything better to use.
Privacy and anonymity are not the same; there are many domains where anonymity is reasonable and default, but also many domains where it is not; in those someone can respect privacy and at the same time refuse to deal with anonymous partners, and it's an entirely reasonable choice that they should be able to make not only in theory but in practice - having an effective, secure mechanism for a person to verify their identity to someone else.
Proper identities are a key basis for trust - without them you can do one-off immediate barters (perhaps many times), but prolonged relationships, various forms of credit and "credit-like-effects", accumulation of reputation are highly beneficial for society; and from the perspective of incentives it's worth noting that the harder it is to "get away with" betraying trust and start from zero, the less incentive there is to defect and more incentive to cooperate; there's a good reason why the game theory iterated Prisoner's dilemma (which relies on preserving identities) gets so much better average results for everyone than non-iterated or fully anonymized Prisoner's dilemma.
My National ID is valid for 10 years, but certificates expire 3 years after issue. Can only renew face to face, but I’m approx 30hours of flight time away from home, lol.
But I agree - NFC passports are already kinda doing that, but there isn’t enough services that support it.
I'd just observe that we saw the opposite happening with COVID. Based on a couple experiences of my own I was chatting with a friend who runs gift-giving strategy for a major university. I made the comment that a lot of things that just had to be done in person with notaries etc. suddenly apparently didn't have to be any longer and she agreed.
While it's doubtless sometimes necessary, I'm generally a fan of not having to go into an office for money transfers and so forth. It's also worth remembering that this sort of thing may (normally) be pretty low overhead for a lot of us but isn't for e.g. people who aren't very mobile.
I thought about this too. My iteration of the idea is to have the USPS office to install a cert on a citizen's phone (upon verification in person) and make sure a cert is associated with one person only. This will allow easy and reliable online voting.
What you describe does exist, but not via the post office. For example when I started a new job I had to go to a tiny store that does fax, copy, postal, notary and similar services and have them physically verify my employment eligibility documents. Several similar providers exist all over the city (including FedEx, UPS, banks and more).
This is such a high barrier to entry, however, that people will simply not do it for something that isn't absolutely critical. Online services compete with each other to be as frictionless as possible, whereas this is the exact opposite of that.
A notary is a publicly commissioned official who serves as an impartial witness to the signing of a legal document. Document signings where the services of a notary are likely include real estate deeds, affidavits, wills, trusts, and powers of attorney. The main reason a notary is used is to deter fraud."
Taking this a step further, I'd love for them to be able to issue some sort of smart card that I could then utilize when signing up for other accounts that still wanted verification, but were okay with a slightly lower assurance.
The term you're looking for is "Notary". There are plenty of them around, and they're required to execute high-dollar contracts like buying a house or wills.
Every state has its own requirements to become a notary(with one requirement being posting a $10k bond or purchasing insurance, so you have something to lose if you make an egregious mistake).
You can require counterparties notarize any documents you'd like, and reject anyone who declines. And you can do this without needing to change the law to increase the scope of responsibility of the USPS. It's illegal for the USPS to offer notary services, although they're often located near notaries: UPS Stores usually offer it.
It's a good idea. The flaw is in thinking USPS is even slightly interested in innovating. They're not.
But then we also have a notary public system, which is already in the business of verifying identification for official purposes. That could do it too.
>thinking USPS is even slightly interested in innovating
Or, you know, it's hard to innovate when you're in organizational crisis mode trying to prefund 50 years of retirement while not being allowed to market-rate your core service...
> The flaw is in thinking USPS is even slightly interested in innovating. They're not.
If the political system stops public sector organisations innovating, they won't innovate. See, for example, BT in the UK, who were looking into investing in fibre optic rollout in the 80s and 90s until Thatcher snuffed that idea out and we're only now starting to get fibre to the premises rolled out in significant numbers.
> It's a good idea. The flaw is in thinking USPS is even slightly interested in innovating. They're not.
That's because it has been a target of right-wing attack for decades starting with the republican-led 2006 bill that effectively bankrupted it overnight by requiring a massive 50 years of health benefits to be funded.[1]
So when you have a service (not a business) that is constantly being picked apart and hamstrung from completing its most basic functions, you can't possibly blame them for not innovating. Well you can, but it is not in good faith.
Democrats have had opportunities to "rectify" this, including complete control of the Presidency and Congress the very next terms (2007-11 Congress and 2009-17 Presidency) as well as at present. Ask yourself why they didn't... and don't.
I don't know about other countries, but here in Australia post offices are open Monday-Friday, 9-5 (with the exception of some smaller ones being open until noon on a Saturday) and there are massive queues around lunchtime.
And that's assuming there is a post office near you (or you have a car), and you're able-bodied enough to get there independently.
I can say from personal experience that I have point blank refused to pick up Signature on Delivery (ie, the sender instructed the postal service not to leave the package on the porch) items from the post office in the past and demanded a refund from the seller. I'd do the same if I was asked to go down there to verify an account for Uber or whatever.
You may not like AusPost, but, the actually do offer the suggested service. [0] (As well as being somewhere you can apply for Police Checks and other identity services.)
I mean sure, you can, but it's ridiculously inconvenient.
If an online service like eBay, Facebook or Uber required this level of verification, people would (rightly) tell them to piss off and use a competing service instead.
> If an online service like eBay, Facebook or Uber required this level of verification, people would (rightly) tell them to piss off and use a competing service instead.
Well, we'll see once the government forces through the "anti-troll" bill that does require a similar level of verification, next year.
I was going to say that this was done in New Zealand, but either the post office stopped doing it or I miss remembered. https://www.realme.govt.nz/how-apply/ now it seems that the Drivers license centers are the only place to get photo verified.
Aren't you describing a notary public? A person registered with the government who asserts with their stamp that documentation and IDs are verifiable in person?
That's part of the reason why I like having my money with an RIA that I have a relationship with: I can't make big withdrawals on the account without verifying with several people. That's a sigh of relief.
I think there is a need for authentication, especially among people that are in and out of poverty.
The catch-22 is that you can't get a job without an address, and you can't get an address without a job, so you cannot be authenticated by means available to most people! Hard to bootstrap yourself when you can't prove you exist. Having some kind of authentication that doesn't require an easily lost-or-stolen asset (ID card, birth certificate) would be helpful, as long as it is voluntary!
I'm talking about homeless people: You can't have an address if you don't have a job because you can't pay rent. Unless you live in a city with adequate public housing. Duh.
In some regions, particularly in Africa, there is no door to door delivery of mail; for example, in Kenya. Renting a PO box has traditionally been the only way to receive mail in such countries. Another use case is when the mail box at your doorstep is not very secure, you rent a po box in the post office and mail is delivered to that po box instead of your address.
> How about turning them into a kind of value-added identity verification service where any company wanting/needing an identity verification could rely on the Post Office to accept someone in person to prove who they are (through fingerprint, document, etc) and be the 3rd party to make this proof easy?
Consider how you would like the Post Office to verify your identity and then ask why someone else, e.g. the person you're trying to prove your identity to, couldn't do the exact same thing.
One advantage of an ID is that it's a physical token, so they can't just guess your password, they'd need to physically have it. Unless they can forge one, so you'd really want to use some kind of cryptography. You've just reinvented a YubiKey.
The actual problem isn't that we don't know how to solve this. It's that people prefer insecurity to minor inconveniences. Especially when the liability is on someone else.
We could even cut out the middle man and allow the USPS to offer banking services, the way it did for nearly 50 years[1]! The original implementation didn't include checking or savings accounts, but it looks like they're slowly looking into that[2].
Japan Post provides this service, except the postman goes to your door and asks for ID and verifies it on the spot. It's very easy, and an extremely cheap way for services to verify identities (it's just +100JPY on the regular postal fare)
This seems like like it would only work in a country like Japan where the mail carrier would be on time. What if you're not home when they arrive? In the US they'd give you a 4 hour window and then show up 2 hours after the end of it.
Unfortunately, the U.S. gov has gone in the direction of using a shady private company ID.me [0] to provide this service. Starting 2022, the IRS is using ID.me to authenticate login to the irs.gov website. Same with California DMV. [0] https://en.wikipedia.org/wiki/ID.me.
Millions of American citizen will be forced to provide their info to this private company.
Authentication involves you providing your cell phone number, then uploading a photograph of your drivers license or passport with that phone and then allowing ID.me to scan your face using the same phone camera.
You may think if the IRS and DMV are using this company it must be a serious identity service vetted by homeland security and what not. I did some digging around.
ID.me has a shopping site where you can shop for deals on sunglasses, sneakers and food kits [1] https://shop.id.me/. They use .me which is the top-level domain for Montenegro.
There is one hackernews thread about this company filled with clearly fake reviews made by accounts created the day the post appeared [2] https://news.ycombinator.com/item?id=13831921
It’s worse than that.
Id.me originally started by providing verification for group discounts. Fair enough needs to verify to provide a discount and facilitate commerce.
They’ve now used those groups as a stepping stone to verify the public. They want everyone.
Id.me’s Privacy Policy and Terms of Service state that they will not sell your data. Good, but they absolutely can and will sell your demographic cohort. With the buyers being their integration clients (brands) and data brokers.
Hopefully they use differential privacy techniques. Doubtful. It quickly has become a government mandated (irs.gov) Facebook style audience mining network. That’s why Google invested in them and had a seat on their board.
They were damn good to hook wink the IRS and VA on that one.
All European online banks can verify your identity with a video call in 5min. They check your info, your ID documents, that you are indeed the one holding these documents, and the security features of these documents.
6 weeks Fear and Loathe and living like a king in Las Vegas is worth of 5 years of jail mate sex?
Unless…
> “On the surface, Pinsky is an ‘All American Boy,'” Terpin’s civil suit charges. “The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor.”
>Truglia is still being criminally prosecuted in Santa Clara, Calif., the home of the REACT task force, which pursues SIM-swapping cases nationwide. In November 2018, REACT investigators and New York authorities arrested Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from Robert Ross, a San Francisco father of two who later went on to found the victim advocacy website stopsimcrime.org.
holy shit, no wonder people are going dark. yall better hide.
In the end Truglia's bragging to gain /props/ for a /component/ of this crime, is what lead to the REACT task force getting their /hooks/ into his /lifecycle/.
1) The ability to reset account credentials or get into a service just by using a phone number is not real 2FA and is a huge security risk generally. SMS based 2FA is not real 2FA.
2) Social engineering mobile phone first-tier customer service reps into doing a SIM swap is not hard at all.
Yes. Google will constantly remind you to add one to “secure” your account, but just ignore it. You want no recovery emails and just an authenticator app.
SMS-based 2FA needs to be eliminated completely. Authenticator apps need to come preinstalled as an essential utility on every OS. There doesn't seem to be a whole lot of pressure to improve 2FA security.
I don't think it's too heavy handed to make the practice of implementing SMS 2FA straight-up illegal. If credit card processing requires PCI compliance why wouldn't we apply similar thought to 2FA?
Doesnt that force people to not only use smartphones, but "approved" smartphones (read Android/iOS) with locked bootloaders and no root access (or the bank authenticator app will refuse to run)?
Apps just embolden employers to shirk on providing secure TOTPs or work phones. You should not be forced to use your personal property to conduct job duties.
There doesn't seem to be a whole lot of pressure to improve 2FA security.
I gave up on that ten years ago when I worked at a biometric authentication company. Banks were soon to be regulated to use 2FA, and our system was easy to use, we're all gonna be rich!
Then the banks were allowed to use security questions as 2FA. Not only were the employees not "all gonna be rich", everyone else was going to get fucked when they accidentally post something on Facebook about how their mother (neé Mary $MAIDEN_NAME) used to do $SOMETHING on $STREET_I_GREW_UP_ON. So the continued use of SMS-base 2FA, despite its frequently-published flaws, isn't going anywhere until a new way to fuck up 2FA is found.
If I had a viable solution to it all, well, I'd be rich.
> Also, don't let your mobile phone number expire and someone else get it.
How would you do this, then? I believe old numbers are kept for a certain time (6 months?) and then put back into the public pool. If we had a more technical solution (think IPv6 addresses, but for phone numbers) this shouldn't be an issue in theory. Of course, having to remember something resembling an IPv6 address to contact somebody would be a pain. I would say we could use a username system, but I believe we've seen the downsides of that way too many times already.
I don't think people appreciate just how big the crypto fraud problem is, and how much bigger it will get.
Crypto is so big, to put it in perspective, the gambling sector worldwide was estimated to be worth roughly $265 billion U.S. dollars in 2019. That is just 2/3 the market cap of Ethereum alone.
Crypto is bigger than pretty anything right now. Bigger than pro sports. bigger than the entertainment industry. Only the tech, real estate, retail, and finance industries are bigger. But those are composed of thousands of companies.
SIM swapping has really nothing to do with crypto per se, people use it to steal identities/fiat all the time.
Crypto is big, but to be fair "just" Apple is bigger than crypto. Compared to the NYSE or Nasdaq, it's small, and when compared to forex (maybe a more apt comparison), it barely registers. Incidentally, I think this is why crypto's here to stay (probably forever): it's huge and growing, very popular, and the masses seem to like it. It's like the McDonalds of financial instruments. I don't think governments care to (or can) regulate it, so as long as we're paying taxes on gains, they will let it slide.
crypto is money. So you got $2.2 trillion of money lying around. So of course criminals are going to go through any means to get some, including sim swaps, but soo much more. You cannot steal stock or real estate in the same way you can steal crypto. Crypto by definition is irreversible and unbreakable. SO even way more attractive to criminals just for that property.
>I don't think governments care to (or can) regulate it
China has literally banned Bitcoin. Their approach is to roll out their own digicoin.
Governments have been very slow to figure out how to approach crypto, but the current Wild West of tax evasion, money laundering and virtual bank robberies won't go on forever. Just like counterfeiting and money laundering exists today, there will continue to be exploitation of the financial system, but it will be explicitly criminalized.
> China has literally banned Bitcoin. Their approach is to roll out their own digicoin.
China "banning" cryptocurrency is a meme at this point (I think they've banned it 4 times now).
> Wild West of tax evasion
You literally cannot evade taxes, so I'm not even sure what this means. All US exchanges report everything to the IRS/SEC. And if the exchanges don't, your bank certainly will. Moving money in your bank account and not reporting it as income is a big no-no so good luck to anyone that tries to do this.
> Just like counterfeiting and money laundering exists today
This is kind of a faulty analogy, it's not like cash is banned, and most of those things are done with cash. People seem to like crypto markets as a speculative instrument. Is that good/bad? I don't know, but it's probably here to stay.
The idea of equating <insert anything> to crypto market cap needs to stop. $265B in actual real dollars is exchanged between two parties every year for gambling. That means a business pays a salary to someone and then that someone gives that money to someone else.
Crypto market caps doesn't necessarily mean that someones earned currency is transferred to another one and it doesn't representing an annual value. In other words `income != net worth` or `revenue != asset value`
The market cap of Ethereum is a worthless estimate of value. Ethereum has no backstop for value, unlike a casino or a company. Microsoft trading at $300 will never go to $0.01, there are enough raw assets at play to keep Microsoft worth $1. But Ethereum can go to $.01 there are no fundamental reasons for it. So, the price is purely speculative, so you can in no way whatsoever compute the total value of Ethereum as marginal price * number of Eth out there
no it is is not. there are $470 billion of eth out there. some if locked up, but a lot of it held by people and exchanges. hence efforts to steal it. The market for eth is huge and very liquids and deems it worth $3970. Whether or not the value is subjective is irreverent to the fact that there is a huge market.
No, there are $470 billion if you make the huge mistake of assuming you can sell each one at the same price.
This is an issue for stocks also. If 100% of Amazon share holders tried to sell simultaneously the price would fall precipitously. But, Amazon is at least backed by assets, dividend potential, and IP.
from the perspective of the scammer, there is a huge and liquid market. way more liquid than the market for fenced goods. we're talking tens billions of dollars eth traded a day on many exchanges. that is like 1000x as much stolen by this one kid. the market is big enough to support a lot of criminals. plus, many of them are not going to be cashing out.
I'm sure they're an upstanding company, but using the word 'propriety' instead of 'proprietary' is an instant turnoff for me. Security is a details-oriented endeavor, and everything from marketing to implementation needs to be squeaky clean. But, maybe that's just me!
It may have qualified as a criminal case, but you as a citizen can't really do much to get the police, AG or a federal agency to devote their resources to it. Suing someone in a civil court is a pretty straightforward thing to do.
It would seem like a failure of the justice system if they didn't consider that this met the criteria of a criminal case. Could have also helped set a lot of precedents to deter such crimes in future.
175 comments
[ 5.6 ms ] story [ 257 ms ] threadRefreshing to see these active theft and wire fraud prosecutions.
Never did any myself, but have friends who have done well with these cases. They essentially allow the lawyers to share in the appreciation of crypto.
I think the best solution is to cut the mobile providers out of the equation altogether. I've long advised removing your phone number from anything you can, or at least substituting a voip service that can't be social engineered over the phone. Some services don't let you use voip services for multi-factor or signup, so your mileage may vary.
Also, it's important where possible to use types of multi-factor that don't rely on your phone number. The tricky part is, so many sites will let you reset your password if you can receive a link via SMS at the phone number on file for the account. Which means anyone who SIM-swaps you then can reset the passwords on those accounts that allow SMS resets (which is a lot, still).
You should soldier through it. Google Voice is a decent free service domestically, unless paranoid. I use it in the reverse manner as I expect you would intend (if you'd intend to generate many virtual throw away numbers to forward back to your phone until the forwarding is manually severed). My actual phone number has changed many times over the years, but my GV number stays the same. Eventually, I got rid of my phone altogether. That was January 2014. But jobs will often require I carry the on-call cell (which I almost never need to use and just for work). Boy I sure miss those cell phone bills every month, not. I just realized GV has saved me at least $10K since I cancelled my cell contract.
Target outright refused for Target circle a couple years ago. Recently 7-11 had accepted my Google voice number to get points on in store purchases but now that I live somewhere where I need a car, the gas pump decided the number was invalid when I tried to get the discount on gas from the pump I'm worried since I basically never gave out my actual cell for over a decade now
Most SIM-swappers are retiring with their ill-gotten crypto, but the ones remaining are at the "bribing prosecutors" level now.
With crypto skyrocketing and the pitfalls of SMS becoming more apparent, I fully expect the jump to amateurs purchasing and leveraging state-level 0days against unwitting wallet holders.
The gap between profit and cost is getting larger, and more crypto-millionaires are going to get their Teamviewer 0dayed.
Yes there is: change your bank. If your bank is still using SMS based 2FA, get the hell out of there. If you really need to keep that account for reason X, move out all your assets to another bank and keep enough funds to fund X there.
Have any suggestions for a bank that supports TOTP? I have yet to find a decent bank in the US that supports this.
Charles Schwab and USAA use TOTP but aren't exactly main stream banks. Both use a Symantec client and don't officially support third party authenticator apps.
Not too many banks with physical locations in my area AND 2FA more secure than SMS.
However, the point of needing to login to your Google account is well taken. And I have 2FA on that.
unfortunately it's also very easy for somebody to submit falsified port documentation to port away your voip number to their own carrier.
In many cases even easier than doing a SIM swap, since the oldschool way to do a port is to literally print out one page of a bill with your name on it (Anybody could edit this by inspect element on a legit bill of their own and swap your name), print it, sign it in ink, scan it, and send it to the carrier requesting the port-in
> reply
Why not use a special phone number for 2FA? How do hackers know your phone number?
We have more and more kinds of accounts, financial products, online services, etc. that would benefit from some kind of real in-person verification at points in the process (initial application, maintenance, changes to account) that are imperfectly done with credit checks, questions/answers, logins, etc.
We have Post Offices in nearly every corner of this country. How about turning them into a kind of value-added identity verification service where any company wanting/needing an identity verification could rely on the Post Office to accept someone in person to prove who they are (through fingerprint, document, etc) and be the 3rd party to make this proof easy?
Sure you would need to have normal fraud protections, etc. but I bet the act of having to come to a post office would make things very secure / reliable. And it would give the post office a new function. I heard of this being done in some other countries.
It seems like a way to avoid us all having to pay for fraud so frequently.
When I went looking at them they were boasting with using AI, and then in the meeting it turned out it was mostly farmed out to someone in India.
When I opened a bank account (n26) in Germany this is how they verified my identity (along with a brief video call) as a foreigner so the idea has merit.
Seems like a private company providing services to these gov agencies on authentication. Seems like a better solution than showing up at the post office.
I wonder how id.me differs, and how we haven’t centralized on one solution yet
Both are generally available for free by being a customer of your local small bank or credit union. These could be easily adopted by web companies for password resets, account withdrawals above self-set limits, etc.
I mean the every day kind of verification that fuels our daily transactions and benefits from instantaneous info being transmitted back and forth, to easily get a credit card approved for example.
Doing this instantaneously implies skipping the heavyweight process. Which I assume means doing something like a one time (or periodic) cumbersome in-person process, and then repeating a quicker online process. Any private company could create such a system right now, bootstrapping off the notarization framework to do the heavy lifting.
But credit cards and other traditional financial institutions don't actually care about identity in such a strong sense. The standard process for setting up online access for a new account at a brick and mortar bank involves leaving the bank, going to their website from home, and entering your not-particularly-private information to sign up. That could be easily modified to setting up initial access credentials right in the bank if they wanted to, but the traditional financial system is pretty forgiving for the most part.
So we're really talking about custodians of new bearer instruments (eg cryptocurrency), which are more like cash. Hence my reference to these new holding companies being the ones that should be integrating notarization into their exceptional account access methods. Of course they could also just insist on the use of real security tokens, require a second one for backup purposes, and simply not use SMS at all.
FWIW another more convenient way of doing brick and mortar verification is to snail mail out a letter with a code on it to the address of record. It obviously doesn't have super security properties (anyone can steal mail), but it's much better than electronic-only non-verification and much nicer than surveillance database verification.
Yes from what I know, you technically do not need to get a will notarized. But getting it notarized makes it a "self proving will", which will be easily accepted by a court. If you don't do the notarization at the time, your poor executor will likely need to hunt down the witnesses and get them to sign affidavits.
A trust, you need notarized.
I've used it for Know-Your-Client type stuff with banks, but it is theoretically open to most if not all businesses. Every time I've needed to interact with it, it's been a straightforward process as a consumer.
[1]: https://www.canadapost-postescanada.ca/cpc/en/business/posta...
(Use your translation service of choice if desired.) https://www.sagawa-exp.co.jp/service/kakunin/
I've always thought that a code-signing certificate tied to a natural person should be more valuable than one tied to a faceless corporation, but the industry is (poorly) built around selling high priced certificates to anyone with enough money to start a business.
Imagine being able to get a code signing certificate in a single afternoon by signing up, taking your ID to Canada Post, and downloading your certificate after the identity verification is submitted. That would be quite the difference from the current awful experience where someone in a foreign country guesses and makes judgement calls based on the documentation you snail mail to them.
Keep the post office option for the folks that don't have an ID, but for most people, this would be the most straightforward option.
Basically, I don't think a natural person is enough protection against malice. Something like "stick 1 million dollars into escrow, and if someone uses your cert to spread malware, we keep it" is a much stronger incentive. (Not what's done, of course.)
Belgium has an identity service based on this. Governmental OAuth. https://www.csam.be/en/about-csam.html | https://iamapps.belgium.be/sma/generalinfo
They publish their own eID reader (middleware) and browser extensions. https://eid.belgium.be/en
Even with an official Linux version. :) https://eid.belgium.be/en/linux-eid-software-installation
The post office used to issue normal identity cards, but today I only think it's the DMV equivalent and the police that does that.
https://www.ceskaposta.cz/en/sluzby/egovernment/czechpoint
Its usually situated on post offices or local government offices and makes it possible to get verified electronic signature that you can then use to prove your identity electronically. It can also access various government registries, etc.
But lawmakers in this country are allergic to having the government manage anything
Making money while doing something actually useful? Not my government, not when there's a tiny sliver of profit to be funneled to wealthy special interests!
Congress has slowly been fucking the USPS to death at the behest of FedEx, UPS, et al lobbyists.
> “You would have to work very hard to come up with a worse idea than having the government become a national bank executed through the post office,” [Sen. Pat Toomey, a Pennsylvania Republican] said. “Even if the U.S. Postal Service was the most competent, professional and best-run organization on the planet, they should not be in the business of banking.
> “We have banks,” Toomey continued. “The idea that the government is going to do a better job is just laughable.”
What a moron.
https://www.oleantimesherald.com/news/gop-senators-oppose-id...
But like other things during the 'Regeanomics era', it was cut, along with forcing the USPS to pay pensions 10 years in advance. The context does help to explain the reason why our USPS Grumman vans are well over their service life, and no where near retirement yet.
This is false, as the factcheck.org reference posted above in this thread makes clear.
You also get a digital inbox—Berichtenbox—to organize and centralize all communications from those agencies.
It is difficult to overstate how much life is made better when the government is well-organized and that organization is exposed to you through good UX. I'm now back in the US, it's been 2+ weeks since my renewed passport was supposed to have been mailed to me, and no one at the State Department knows anything.
The obvious reality here is that in the wake of no proper national identification system, social security numbers have been used instead. It's not a question of whether or not we have a national ID, it's really just a question of whether we have a functional one or an inadequate one. Nonetheless politicians would likely be committing suicide with their constituents in some districts if they were to support a push towards a better system.
[0] https://en.wikipedia.org/wiki/Religion_in_the_United_States#....
Historically that was sort of the case. I'd argue today that we mostly rely on state-issued IDs (especially but not necessarily driver's licenses) which are now overlaid with RealID requirements.
As a practical matter it's probably indistinguishable from what a federally-issued ID would be and I'm mostly content with not adding any more layers of identity verification than are really necessary. I'd probably oppose a push for a broadly required federal ID--although I have a passport (and a global entry card).
This doesn't invalidate your point, but man it irritates me how many states have chosen to retain a noncompliant ID tier in order to avoid eating costs or raising fees. At least my state offers a full EDL so there's some added value, but it's absurd that the 'default' local ID isn't adequate for domestic air travel.
For people without a passport, it's extremely easy to have lost a birth certificate at some point over the years. And I honestly have no idea how easy or hard getting a new one issued is from some potentially far away city or town.
That's not why. States like California have dragged their feet for a decade with RealID compliance because they want to keep IDs for people in the US illegally indistinguishable from those for citizens, permanent residents, and others here legally.
Can you elaborate on this for us non-USA people?
The main reason to oppose this is that if you had a low friction government ID system, surveillance capitalism would then require you to present your ID to do anything whatsoever and all privacy would disappear forever.
A state-issued ID generally doesn't work over the internet, which is good. Some of them can be read electronically in person, which is already being abused to a limited extent and should be gotten rid of.
Which is the general response to your concern: "This is already a problem" means we need to go the other way and address that so that doesn't happen anymore, not intensify the problem and set it in concrete so it can never be fixed.
Centralized identity is a design flaw. Your bank needs to know if you're authorized to withdraw from your account, which is why you have a bank card. Your email provider needs to know if you're allowed to access your email account, which is why you have an email password. Your apartment building needs to know if you're authorized to enter, which is why you have an access card. What we don't need, and should not have, is a single primary key binding all of these things together so it can be correlated in a single database.
Since then the UK has imposed ID (technically "proof of right of residence", but that kind of has to be ID) on having a bank account, having a job, and both buying and renting houses. All without having a coherent ID scheme other than passport or driving license.
Privacy and anonymity are not the same; there are many domains where anonymity is reasonable and default, but also many domains where it is not; in those someone can respect privacy and at the same time refuse to deal with anonymous partners, and it's an entirely reasonable choice that they should be able to make not only in theory but in practice - having an effective, secure mechanism for a person to verify their identity to someone else.
Proper identities are a key basis for trust - without them you can do one-off immediate barters (perhaps many times), but prolonged relationships, various forms of credit and "credit-like-effects", accumulation of reputation are highly beneficial for society; and from the perspective of incentives it's worth noting that the harder it is to "get away with" betraying trust and start from zero, the less incentive there is to defect and more incentive to cooperate; there's a good reason why the game theory iterated Prisoner's dilemma (which relies on preserving identities) gets so much better average results for everyone than non-iterated or fully anonymized Prisoner's dilemma.
But I agree - NFC passports are already kinda doing that, but there isn’t enough services that support it.
While it's doubtless sometimes necessary, I'm generally a fan of not having to go into an office for money transfers and so forth. It's also worth remembering that this sort of thing may (normally) be pretty low overhead for a lot of us but isn't for e.g. people who aren't very mobile.
This is such a high barrier to entry, however, that people will simply not do it for something that isn't absolutely critical. Online services compete with each other to be as frictionless as possible, whereas this is the exact opposite of that.
"What is the meaning of notary service?
A notary is a publicly commissioned official who serves as an impartial witness to the signing of a legal document. Document signings where the services of a notary are likely include real estate deeds, affidavits, wills, trusts, and powers of attorney. The main reason a notary is used is to deter fraud."
Every state has its own requirements to become a notary(with one requirement being posting a $10k bond or purchasing insurance, so you have something to lose if you make an egregious mistake).
You can require counterparties notarize any documents you'd like, and reject anyone who declines. And you can do this without needing to change the law to increase the scope of responsibility of the USPS. It's illegal for the USPS to offer notary services, although they're often located near notaries: UPS Stores usually offer it.
But then we also have a notary public system, which is already in the business of verifying identification for official purposes. That could do it too.
Or, you know, it's hard to innovate when you're in organizational crisis mode trying to prefund 50 years of retirement while not being allowed to market-rate your core service...
If the political system stops public sector organisations innovating, they won't innovate. See, for example, BT in the UK, who were looking into investing in fibre optic rollout in the 80s and 90s until Thatcher snuffed that idea out and we're only now starting to get fibre to the premises rolled out in significant numbers.
https://www.techradar.com/uk/news/world-of-tech/how-the-uk-l...
That's because it has been a target of right-wing attack for decades starting with the republican-led 2006 bill that effectively bankrupted it overnight by requiring a massive 50 years of health benefits to be funded.[1]
So when you have a service (not a business) that is constantly being picked apart and hamstrung from completing its most basic functions, you can't possibly blame them for not innovating. Well you can, but it is not in good faith.
https://www.politifact.com/factchecks/2020/apr/15/afl-cio/wi...
And that's assuming there is a post office near you (or you have a car), and you're able-bodied enough to get there independently.
I can say from personal experience that I have point blank refused to pick up Signature on Delivery (ie, the sender instructed the postal service not to leave the package on the porch) items from the post office in the past and demanded a refund from the seller. I'd do the same if I was asked to go down there to verify an account for Uber or whatever.
[0] https://auspost.com.au/business/identity/voi-solutions-for-c...
If an online service like eBay, Facebook or Uber required this level of verification, people would (rightly) tell them to piss off and use a competing service instead.
Well, we'll see once the government forces through the "anti-troll" bill that does require a similar level of verification, next year.
[0] https://www.theregister.com/2021/11/29/australia_troll_bill/
I think there is a need for authentication, especially among people that are in and out of poverty.
The catch-22 is that you can't get a job without an address, and you can't get an address without a job, so you cannot be authenticated by means available to most people! Hard to bootstrap yourself when you can't prove you exist. Having some kind of authentication that doesn't require an easily lost-or-stolen asset (ID card, birth certificate) would be helpful, as long as it is voluntary!
Consider how you would like the Post Office to verify your identity and then ask why someone else, e.g. the person you're trying to prove your identity to, couldn't do the exact same thing.
One advantage of an ID is that it's a physical token, so they can't just guess your password, they'd need to physically have it. Unless they can forge one, so you'd really want to use some kind of cryptography. You've just reinvented a YubiKey.
The actual problem isn't that we don't know how to solve this. It's that people prefer insecurity to minor inconveniences. Especially when the liability is on someone else.
[1]: https://en.wikipedia.org/wiki/United_States_Postal_Savings_S...
[2]: https://federalnewsnetwork.com/agency-oversight/2021/10/usps...
Possible in some places!
In many European countries the post office also offers banking services.
Millions of American citizen will be forced to provide their info to this private company. Authentication involves you providing your cell phone number, then uploading a photograph of your drivers license or passport with that phone and then allowing ID.me to scan your face using the same phone camera.
You may think if the IRS and DMV are using this company it must be a serious identity service vetted by homeland security and what not. I did some digging around.
ID.me has a shopping site where you can shop for deals on sunglasses, sneakers and food kits [1] https://shop.id.me/. They use .me which is the top-level domain for Montenegro.
There is one hackernews thread about this company filled with clearly fake reviews made by accounts created the day the post appeared [2] https://news.ycombinator.com/item?id=13831921
What could go wrong ?
They’ve now used those groups as a stepping stone to verify the public. They want everyone.
Id.me’s Privacy Policy and Terms of Service state that they will not sell your data. Good, but they absolutely can and will sell your demographic cohort. With the buyers being their integration clients (brands) and data brokers.
Hopefully they use differential privacy techniques. Doubtful. It quickly has become a government mandated (irs.gov) Facebook style audience mining network. That’s why Google invested in them and had a seat on their board.
They were damn good to hook wink the IRS and VA on that one.
https://californiaglobe.com/articles/monetizing-data-the-edd...
Horrible deterrent, because it isnt a deterrent
Unless…
> “On the surface, Pinsky is an ‘All American Boy,'” Terpin’s civil suit charges. “The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor.”
holy shit, no wonder people are going dark. yall better hide.
In the end Truglia's bragging to gain /props/ for a /component/ of this crime, is what lead to the REACT task force getting their /hooks/ into his /lifecycle/.
2) Social engineering mobile phone first-tier customer service reps into doing a SIM swap is not hard at all.
I gave up on that ten years ago when I worked at a biometric authentication company. Banks were soon to be regulated to use 2FA, and our system was easy to use, we're all gonna be rich!
Then the banks were allowed to use security questions as 2FA. Not only were the employees not "all gonna be rich", everyone else was going to get fucked when they accidentally post something on Facebook about how their mother (neé Mary $MAIDEN_NAME) used to do $SOMETHING on $STREET_I_GREW_UP_ON. So the continued use of SMS-base 2FA, despite its frequently-published flaws, isn't going anywhere until a new way to fuck up 2FA is found.
If I had a viable solution to it all, well, I'd be rich.
Also, don't let your mobile phone number expire and someone else get it.
I can log in to the previous owner's TikTok account with just his number.
I signed up for a food delivery service two days ago and it autofilled all the details with his full name and address for me.
How many other sites let you log in with just a phone number? Asking for a friend...
How would you do this, then? I believe old numbers are kept for a certain time (6 months?) and then put back into the public pool. If we had a more technical solution (think IPv6 addresses, but for phone numbers) this shouldn't be an issue in theory. Of course, having to remember something resembling an IPv6 address to contact somebody would be a pain. I would say we could use a username system, but I believe we've seen the downsides of that way too many times already.
You port your number to a super-cheap carrier and keep paying for their lowest subscription, even if you don't need it anymore.
I payed for 5 years $5 per month to keep a number alive, even if I wasn't living anymore in the country that issued it.
Crypto is so big, to put it in perspective, the gambling sector worldwide was estimated to be worth roughly $265 billion U.S. dollars in 2019. That is just 2/3 the market cap of Ethereum alone.
Crypto is bigger than pretty anything right now. Bigger than pro sports. bigger than the entertainment industry. Only the tech, real estate, retail, and finance industries are bigger. But those are composed of thousands of companies.
I’m sure there’s a better term for it
Crypto is big, but to be fair "just" Apple is bigger than crypto. Compared to the NYSE or Nasdaq, it's small, and when compared to forex (maybe a more apt comparison), it barely registers. Incidentally, I think this is why crypto's here to stay (probably forever): it's huge and growing, very popular, and the masses seem to like it. It's like the McDonalds of financial instruments. I don't think governments care to (or can) regulate it, so as long as we're paying taxes on gains, they will let it slide.
In fact you can
https://www.bbc.com/news/uk-england-essex-59069662
China has literally banned Bitcoin. Their approach is to roll out their own digicoin.
Governments have been very slow to figure out how to approach crypto, but the current Wild West of tax evasion, money laundering and virtual bank robberies won't go on forever. Just like counterfeiting and money laundering exists today, there will continue to be exploitation of the financial system, but it will be explicitly criminalized.
China "banning" cryptocurrency is a meme at this point (I think they've banned it 4 times now).
> Wild West of tax evasion
You literally cannot evade taxes, so I'm not even sure what this means. All US exchanges report everything to the IRS/SEC. And if the exchanges don't, your bank certainly will. Moving money in your bank account and not reporting it as income is a big no-no so good luck to anyone that tries to do this.
> Just like counterfeiting and money laundering exists today
This is kind of a faulty analogy, it's not like cash is banned, and most of those things are done with cash. People seem to like crypto markets as a speculative instrument. Is that good/bad? I don't know, but it's probably here to stay.
The idea of equating <insert anything> to crypto market cap needs to stop. $265B in actual real dollars is exchanged between two parties every year for gambling. That means a business pays a salary to someone and then that someone gives that money to someone else.
Crypto market caps doesn't necessarily mean that someones earned currency is transferred to another one and it doesn't representing an annual value. In other words `income != net worth` or `revenue != asset value`
Example of how this works: https://news.ycombinator.com/item?id=29471847
This is an issue for stocks also. If 100% of Amazon share holders tried to sell simultaneously the price would fall precipitously. But, Amazon is at least backed by assets, dividend potential, and IP.
I'm sure they're an upstanding company, but using the word 'propriety' instead of 'proprietary' is an instant turnoff for me. Security is a details-oriented endeavor, and everything from marketing to implementation needs to be squeaky clean. But, maybe that's just me!
Request: can anyone help clarify why this needed to be civil and didn't qualify for criminal?