[HN Gopher] Claimed AT&T hack of 70M customer records including ...
___________________________________________________________________
Claimed AT&T hack of 70M customer records including SSN, name,
address
Author : kingnothing
Score : 215 points
Date : 2021-08-20 14:51 UTC (8 hours ago)
(HTM) web link (9to5mac.com)
(TXT) w3m dump (9to5mac.com)
| curtis3389 wrote:
| If I worked at Verizon, I'd have trouble sleeping for a while.
| integrale wrote:
| Given that legislation will realistically never keep pace with
| technology, would it be crazy to implement whitelist data
| collection law, i.e., no data can be collected unless explicitly
| allowed? Hypothetically, of course -- congress actually putting
| something like this into law is a different story.
| ve55 wrote:
| It would certainly be a nice time to stop using SSNs as keys, SMS
| as 2FA, and more importantly having next to zero consequences for
| this kind of stuff.
|
| At this point we just expect this to keep happening over and over
| again with nothing changing, it's a very strange thing to
| observe...
| codegeek wrote:
| SMS as 2FA is so stupid. So many banks and financial
| institutions are doing it in America and it amazes me. I mean
| what are they spending millions of dollars in
| compliance/security/SOC etc on if they can't get a basic 2FA
| done correctly ? And don't get me started on stupid password
| requirements where a more secure password generated in keypass
| etc won't be valid. Who builds this stuff today ?
| azinman2 wrote:
| It provides good security for most people and is a big ease
| of use trade off. Hardware can be lost, software is difficult
| for most people to install and use. You need solutions that
| account for 95% of people. Ideally there's non SMS for the
| other 5%, but unless Apple/Google/telcos come out with
| something better that's built in, integrated, and dead
| simple, we're stuck with SMS for a long time. Security is a
| spectrum.
| ikiris wrote:
| SMS as 2FA raises the bar significantly for non-organized
| attackers. You'd be amazed how much of the meth crowd that
| encompasses.
| vlovich123 wrote:
| The challenge I've found is that I end up with a lot of
| different MFA options which makes it hard to track where my
| exposure is. In some places I have two methods because I
| set up SMS when it was available and switched to an
| authenticator app and forgot to turn down SMS. It's a shame
| there's no SSO for personal accounts that established
| dominance so that I could just have 1 account I need to
| secure (although SSO solutions never put you in control of
| being able to minimize data leakage and let providers force
| you to disclose certain information for using their
| service).
| mulmen wrote:
| Compliance is about liability, not security.
| christophilus wrote:
| Just this week, I had to sign into a service for a very large
| transaction I'm privy to. My password? The last 4 of my social.
| It's unbelievable how dumb so many of our systems are.
| cge wrote:
| I'm in Ireland at the moment, where the health system, and
| vaccination process, appears to use _mother's maiden name_
| as a de facto password. There is no option to change it. It
| is often asked in person, and so can't be used as a
| placeholder.
|
| For business reasons, my mother has her parents' last name, I
| have hers, and this fact is easily discovered online with a
| few minutes research...
| specktr wrote:
| On a similar note, I set up my utility account this week. It
| was suggested by the representative that I use the last 4
| digits of my SSN as a pin for my account. Pretty
| disappointing how short sighted many companies are when it
| comes to security practices.
| smsm42 wrote:
| That's because if somebody gets in, it's not their problem
| for having lax authorization, it's your problem for being
| "victim of identity theft" and all the burden of proving it
| wasn't you rests on you. It costs them nothing to give out
| horrible advice, so they do it.
| ttGpN5Nde3pK wrote:
| +1.
|
| And orgs (gov and private) will continue to just ask for
| completely unnecessary information because, why not? Throw it
| in some database with root:root as the pw and shrug when it
| gets breached. It really needs to stop. The only person that
| loses is the person that now has to potentially deal with
| identity theft or getting doxxed for the rest of their life...
| 88840-8855 wrote:
| I guess that website admins don't really care as it is a
| sufficiently good measure to reduce spam/spam accounts/new
| registrations.
|
| Yes, I am a pessimist and I believe that. Why should website x
| care that there is a probability that the ISP is going to be
| hacked.
| EvanAnderson wrote:
| As I've said before, it's time to wipe the slate on SSN's. They
| are de facto public anyway. A date should be announced when the
| entire database will be published. After that date all liability
| for fraud perpetrated using an SSN as a shared "secret" will be
| assigned to the party who accepted the SSN as "authentication".
| That would solve the problem.
|
| As an aside: When it comes to an authentication source to take
| the place of silly shared public "secrets" I think it would be
| great if the United States Postal Service "pivoted" into issuing
| digital certificates to individuals. They already have
| infrastructure and procedures in place for identity verification
| and physical delivery. I suppose that's too much like a
| federally-issued ID to ever fly, though our "REAL ID" drivers
| licenses are, in effect, a federal ID anyway. I'd rather have a
| digital certificate out of the deal too.
| nashashmi wrote:
| Interesting point of view. Maybe ssn should be used for
| authentication purposes.
|
| Give SSN. Get email txt or notification to verify. SSN service
| replies back with a real Id number. Real id number is used for
| banking.
| codegeek wrote:
| I would say that most Identify Theft issues will be resolved if
| you are forced to do a 5 min video verification call. I can
| show my ID (DL, Real ID etc) just like I can do in person. It
| may add a little bit of hassle but I would trade that for peace
| of mind that some random person cannot steal my identity that
| easy just because they know my DOB, SSN etc and can fill out an
| online form etc. The video call can easily weed out the
| scammers especially because a lot of ID thefts happen where a
| young person is stealing an older person's identity or vice
| versa or it is a different Gender etc.
| hanniabu wrote:
| Should have it where your social security is a public key and
| government has your private key. You're given a device that has
| your private key to confirm things but you don't know it
| directly. Public key is used in place of social security
| number. If your public key gets compromised the government
| blacklists it and gives you a new one.
|
| This is just a knee-jerk thought and I'm sure it can be
| improved, but I believe asymmetric keys are the solution.
| discardable_dan wrote:
| Nah, one-time pad with government verification for third
| parties. Keep it rolling.
| mikestew wrote:
| _If your public key gets compromised..._
|
| Do you mean private key? Or am I about to have a TIL moment?
| Because your public key is, well, public so I wonder what a
| compromise of that would look like.
| t0mbstone wrote:
| You have it totally backwards. Public keys are called public
| keys because they are intended to be public. You should be
| able to freely advertise a public key on a billboard.
|
| On the other hand, you can't really expect the average
| citizen to properly curate a private key, and a private key
| also doesn't work for verification purposes.
|
| I think the problem would be easily solved without encryption
| or keys by using the social security number in combination
| with a user-selected PIN number.
|
| Any time you apply for credit somewhere, you should have to
| provide the social and a PIN. There should also be an easy
| way to generate single-use PIN numbers that can be used when
| applying for credit.
|
| They already have a lot of the infrastructure for doing this.
| You can already put a credit freeze on your social security
| number and protect the credit freeze with a PIN, for example.
|
| Whenever I am applying for credit, I simply "thaw" out my
| social security number for a couple of days. This works
| pretty well, but it's a hassle because you have to do it for
| all three agencies. It also suffers from the problem that my
| credit could get compromised if I left it thawed out too
| long.
| ryanlol wrote:
| > After that date all liability for fraud perpetrated using an
| SSN as a shared "secret" will be assigned to the party who
| accepted the SSN as "authentication".
|
| lol. How do you think it works right now?
|
| The party who accepted the SSN (or their insurance) is liable
| for footing the bill for the fraud, except in the ridiculously
| unlikely scenario where they'd manage to collect money from the
| fraudster.
| xur17 wrote:
| It seems like someone could do us all a public service by
| combining a few of these lists and making a very public and
| hard to take down website with them all listed. Create a
| forcing function for a replacement.
|
| Not recommending anyone do this as it's obviously illegal,
| but..
| squeaky-clean wrote:
| I still doubt much would come of it until someone began to
| target lawmakers with it.
| meowster wrote:
| What laws make it illegal for a regular person to republish a
| list of SSNs and corresponding names?
| smorgusofborg wrote:
| I'm not sure if it is illegal since the US expends a lot of
| energy keeping privacy rights out of its civil rights.. But
| it would be a chore to process gdpr requests from dual
| citizens, etc.
| gumby wrote:
| In Sweden the personnumber is public info and there is no value
| to keeping it secret. Everything works fine there.
| rafale wrote:
| What are we gonna use instead? Hardware keys, like Ledger but
| for ID?
| dredmorbius wrote:
| I'm strongly partial to a wearable token. The NFC Ring is one
| highly attractive option.
|
| - It's unobtrusive enough to wear all, or very nearly all of
| the time. Contrast cards or similar carried-but-not-worn
| tokens.
|
| - It can be readily used to tap a sensor for identification
| purposes. Contrast cards or similar tokens (e.g., USB keys),
| which are far less immediate.
|
| - It is replaceable. That is, if it's compromised, stolen, or
| lost, it can be replaced. If it becomes unadvisable to
| possess, it's readily discarded and reasonably easily
| destroyed. This contrasts with biometrics or permanently
| embedded sensors.
|
| - Its absence is reasonably immediately determinable. Again,
| contrast carried-but-not-worn tokens.
|
| - The existing prevalence of ring-wearing makes use of an NFC
| ring less obvious or evident (mostly a concern in early-
| adoption periods), _or_ the opting-out of wearing one (which
| ring is the NFC ring?), without directly querying each
| individual, which ... might not work regardless (depending on
| implementations).
|
| - There are relatively few people who would be entirely
| unable to use such a device. Ready alternatives for most such
| cases exist: wrist bands.
|
| - Unintentional validation (e.g., surveillance) is relatively
| easily avoided, _if_ devices require immediate contact with a
| sensor /receiver. That is, a surveillance entity couldn't
| mass scan a crowd or region quickly, but would have to
| individually query rings in close proximity. (This might be
| achieved through high-volume transit points already, but this
| already raises the ante.)
|
| - It's possible with a query/response system that multiple
| identities with the same root, but not immediately
| correlated, could be supported. (Deanonymisation or identity
| linking remains a significant problem, however.) Ideally,
| such a system could be limited to only satisfying minimum
| qualifying criteria (e.g., "I've paid a fare for this trip"),
| rather than transmitting either a full personal dossier or an
| absolute identity.
|
| Key (so to speak) challenges are in agreeing on a single
| standard, ensuring cryptographic robustness, and protecting
| privacy, surveillance, and other concerns, as well as
| distributing the detector infrastructure for desired uses.
| EvanAnderson wrote:
| This all sounds very reasonable, albeit I'm partial to
| chip-and-PIN for preventing unintentional validation and to
| render the token useless if lost or stolen. The ring form
| factor doesn't lend itself to PIN entry, but otherwise it
| sounds reasonably compelling. (Granted I can't make myself
| wear a ring without taking it off, fidgeting with it, and
| ultimately losing it. I've tried, failed, and lost three as
| a result.)
| dredmorbius wrote:
| An NFC ring can still require secondary authentication
| (e.g., pin) in some contexts. That would be application-
| dependent.
|
| There are cases (e.g., mass-transit turnstiles) where
| this _isn't_ desirable --- the intent is to maximise
| throughput. (The question of whether or not validating
| fares is a net benefit is also open.)
|
| For a more secure facility, or payment system, tag + pin
| (and potentially other identifiers) would be preferred.
| gruez wrote:
| That's basically what some countries have: IDs with a
| smartcard built in which functions like an HSM
| zug_zug wrote:
| Proposed alternative - you get your own private-key as an
| identifier. Nobody ever can ask for the private key, they can
| only ask for a signed message that proves identity. Thus a lot
| of categories of fraud are no longer possible because there is
| no shared reusable number in the event of a leak.
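The scheme zug_zug sketches above, worked through as an added example (not code from any commenter or from the linked article): the person's device only ever emits a signature over a challenge the relying party issued, bound to that party and single-use, so a leaked transcript proves nothing. The Holder and RelyingParty types, the `idchal|` framing and Ed25519 as the signature scheme are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what a relying party (bank, carrier, clinic) hands the person instead of
// asking for a number. The "idchal|" framing in Bytes is invented for this example.
type Challenge struct {
	Audience string // relying party that issued it
	Subject  string // claimed identity handle (stands in for the SSN)
	Nonce    string // random, hex, single use
	Expires  int64  // unix seconds
}

func (c Challenge) Bytes() []byte {
	return []byte(fmt.Sprintf("idchal|%s|%s|%s|%d", c.Audience, c.Subject, c.Nonce, c.Expires))
}

var (
	ErrOrigin  = errors.New("device refused: challenge was not issued by the site in front of the user")
	ErrReplay  = errors.New("nonce unknown, issued by someone else, or already used")
	ErrExpired = errors.New("challenge expired")
	ErrBadSig  = errors.New("unknown subject or signature does not verify")
)

// Holder is the person's device. The private key never leaves it; all it ever hands out is a signature.
type Holder struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewHolder() (*Holder, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Holder{Pub: pub, priv: priv}, nil
}

// Sign answers a challenge only if it names the party the user is actually talking to,
// so a phishing page cannot relay the real bank's challenge and collect a valid answer.
func (h *Holder) Sign(c Challenge, talkingTo string) ([]byte, error) {
	if c.Audience != talkingTo {
		return nil, ErrOrigin
	}
	return ed25519.Sign(h.priv, c.Bytes()), nil
}

// RelyingParty issues challenges and checks answers against enrolled public keys; it stores no secret.
type RelyingParty struct {
	ID       string
	registry map[string]ed25519.PublicKey // subject -> enrolled public key
	issued   map[string]bool              // outstanding nonces, consumed on use
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, registry: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

func (rp *RelyingParty) Register(subject string, pub ed25519.PublicKey) { rp.registry[subject] = pub }

func (rp *RelyingParty) NewChallenge(subject string, now time.Time, ttl time.Duration) (Challenge, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Audience: rp.ID, Subject: subject, Nonce: hex.EncodeToString(raw), Expires: now.Add(ttl).Unix()}
	rp.issued[c.Nonce] = true
	return c, nil
}

// Verify rejects a replayed or foreign nonce, a stale answer, and an answer not made with the enrolled key.
func (rp *RelyingParty) Verify(c Challenge, sig []byte, now time.Time) error {
	if !rp.issued[c.Nonce] {
		return ErrReplay
	}
	if now.Unix() > c.Expires {
		return ErrExpired
	}
	if pub, ok := rp.registry[c.Subject]; !ok || !ed25519.Verify(pub, c.Bytes(), sig) {
		return ErrBadSig
	}
	delete(rp.issued, c.Nonce) // single use: a leaked (challenge, signature) pair is now worthless
	return nil
}

func main() {
	alice, _ := NewHolder()
	bank := NewRelyingParty("bank.example")
	bank.Register("alice", alice.Pub)
	c, _ := bank.NewChallenge("alice", time.Now(), time.Minute)
	sig, _ := alice.Sign(c, bank.ID)
	fmt.Println(bank.Verify(c, sig, time.Now()), "|", bank.Verify(c, sig, time.Now())) // <nil> | replay error
}
```

What the bank stores (a public key and a set of live nonces) is worthless to a thief, which is the property the SSN-as-secret model lacks.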
| discardable_dan wrote:
| In Denmark, you are issued a one-time pad. You get a new one
| with some frequency. If you lose it, you are issued a new
| one.
|
| In that case, third parties could use a government website to
| get a row/col and ask you to verify, and the website could
| say yes/no. Yes, there is a risk of your one-time pad being
| stolen, but it is no greater than the current risk that any
| US citizen's tax documents or SS card can be stolen.
| xxpor wrote:
| How do they bootstrap the verification when you say you
| lost your key?
| mjevans wrote:
| That's an annoying denial of service attack; and you
| would typically do this by making the burn require very
| little authentication and the recovery a visit to a local
| government office, such as the police or a court.
| discardable_dan wrote:
| You can read more here:
| https://www.wikiprocedure.com/index.php/Denmark_-
| _Replace_Lo...
| sillysaurusx wrote:
| What do you do when you lose your private key?
|
| Who issues the private key? "get" implies it comes from
| somewhere, i.e. a CA system.
|
| If the government is the CA system, and your private key is
| your identity, how do you establish your identity in the
| event that you lost your key?
|
| The nice thing about SSNs being immutable is that none of
| these are concerns. (It's also the bad thing about SSNs being
| immutable.)
| azinman2 wrote:
| That and I can memorize my SSN.
|
| We do have one thing in the US that's physical proof, and
| that's your birth certificate. But I'm sure people lose
| them and they can be pretty easily fabricated.
| MeinBlutIstBlau wrote:
| I'm at the point where I just want a tattoo or chip embedded in
| me. Like I'm integrated in the system at this point. I can't
| exactly go off grid.
| 55873445216111 wrote:
| "How come no tattoo?!"
| Forbo wrote:
| For those wondering, this is a reference to Idiocracy:
| https://www.youtube.com/watch?v=BdPmNM0IF7Y
|
| I believe the direct quote is "Why come you got no tattoo?"
| 55873445216111 wrote:
| I am Not Sure.
| 55873445216111 wrote:
| Yes! SSNs are already not private given the number of hacks
| that have occurred. Today, the real damage comes from the fact
| that people/businesses still believe they are private. Publishing
| a list of all SSNs would eliminate the misperception once and
| for all and force people to verify identity in a better way.
| SSNs should only ever be used for your employer knows how to
| report who paid what taxes to the IRS. If someone else wants to
| use my SSN to claim that they paid my taxes, fine with me!
| barbazoo wrote:
| Not sure if it's a problem of perception or just the lack of
| legal responsibility. As long as the legal and financial risk
| isn't owned by the party using the SSN for a purpose they
| shouldn't (identification), nothing will change.
| rory wrote:
| 100%. The very concept of "identity theft" feels like
| corporate newspeak to shift the onus of remediation from
| the party that actually got defrauded (the company) to
| someone uninvolved in the transaction.
| nybble41 wrote:
| > SSNs should only ever be used for your employer knows how
| to report who paid what taxes to the IRS. If someone else
| wants to use my SSN to claim that they paid my taxes, fine
| with me!
|
| That could go the other way, with someone else filing their
| _income_ under your SSN without any corresponding
| withholding. This, too, needs better authentication than a
| mere SSN can provide.
| tshaddox wrote:
| > After that date all liability for fraud perpetrated using an
| SSN as a shared "secret" will be assigned to the party who
| accepted the SSN as "authentication". That would solve the
| problem.
|
| Except that the problem isn't which party is legally liable.
| The problem is that the legal system is almost entirely
| inaccessible to the vast majority of people.
| SevenSigs wrote:
| Maybe we need to tell each individual company that our SSN is
| public when they ask for it and why they rely on it to identify
| me... another form of ID that they like to use when you apply
| for credit is previous addresses/cars/etc... as if that isn't
| public.
| codegeek wrote:
| I think that we need to somehow make it harder for companies to
| request SSN if that continues to be a "secret". I cannot tell
| you how many times a Doctor's office casually asks for an SSN
| on a sheet of paper in plain text and I am like Why. I always
| fight that and found out that in a lot of cases, they just have
| it there and they didn't care when I didn't fill it. Some of
| them do force me (probably for credit/billing reasons) but I
| always try not to fill it out.
|
| Also why are these phone companies persisting SSNs in database
| ? Why can't they run the credit check initially and discard the
| SSN. There should be laws around this and enforced. It is time
| to hold these companies accountable. We are so tired of being
| worried that our ID may get stolen.
| xxpor wrote:
| When I got my Covid shot at Safeway they asked for it. I just
| didn't fill it out and no one even asked for it. I still had
| the record show up in Washington's vaccination DB, so it
| wasn't for that either.
|
| I hope them asking for it didn't discourage someone without
| an SSN from getting their shot, since immigration status
| isn't relevant to eligibility.
| meowster wrote:
| I always leave it blank on the forms at doctor's offices
| and other medical facilities, no one has ever brought it up
| and asked for it.
| cftm wrote:
| Blame the insurance companies - most major insurance
| companies use your SSN as a mechanism for identifying the
| patient. The member ID #'s can be used but it's quicker to
| just input the SSN.
| codegeek wrote:
| But they already get a copy of our Insurance Cards.
| Shouldn't that be enough ?
| [deleted]
| jader201 wrote:
| Ironically, having it in plain text on a piece of paper in
| some random doctor's office is much more secure than having
| it hashed in some website's database.
|
| Possibly even more secure than that same doctor having it in
| their system.
| silisili wrote:
| Good point. But realize it's only on that paper for a few
| mins before being typed into their system.
|
| Doctor's offices are so archaic at times. Only a handful
| let me do the forms online in advance. And even those have
| more paper for me to waste when I arrive.
| mancerayder wrote:
| I agree, but I am afraid that our two party system, which is
| incentivized to 'politicize' (I dislike that broad term)
| everything, it would be quite hard. The one party proposes it,
| the other party will find "reasons" why it's either government
| overreach, or discriminatory, or something something something
| depending on the ideology. Purported ideology. Most likely it's
| another horse that gets debated in debates about a package of
| other things.
|
| But yes, I wish we could be as modern as some European
| countries. I haven't heard of these identity theft issues in
| France, where everyone has a national identity card.
| PoignardAzur wrote:
| There's still some identity theft issues, because "everyone
| asks your SSN for no reason" becomes "everyone asks for a
| scan of your id for no reason".
|
| For instance, when I was looking for an apartment, the State
| had a service to both authenticate and watermark some
| documents (id and proof of income, among others).
|
| The watermark was a bunch of big bars with "this is intended
| for rental search" written on them. Kinda low-tech, and it
| feels like a creative attacker could use software to strip
| them out, but it's cool they did that.
|
| In theory, we have some very good APIs for securely
| authenticating someone (France Connect in particular), in
| practice administrations are slow to adopt them.
| r-w wrote:
| This is the problem with having the public and private key
| be the same. Anyone should be able to access your public
| key, and anyone you deal with should be able to ask you to
| use your private key to verify your identity. The problem
| is when that entire process is reduced to "give us the
| number the government uses to ensure you're you. Don't
| worry, we won't use it to convince anyone else we're you ;)
| Or leak it so anyone else can do the same ;) ;) ;)"
| PoignardAzur wrote:
| On the long run, they'll hopefully solve these problems
| with SSO.
| unanswered wrote:
| > Anyone should be able to access your public key, and
| anyone you deal with should be able to ask you to use
| your private key to verify your identity.
|
| First, let's assume the identity would be backed by a
| somewhat decentralized system; e.g. the identity could be
| backed by any state/territory's existing ID cards.
|
| The problem is making the request signing step secure and
| accessible to... well, anyone, tech-savvy folks included.
| Software for installation to a computer is an obvious no-
| go. A mobile app is probably a good idea but in any case
| I think we can assume a website will be a necessity.
| You've got to be able to give that website your _private
| key_. Guess what, you've already lost - as soon as you tell
| people to type their key into _this_ website, people will
| type their private key into any old website now. (I
| remember when my mom, with the best of intentions but
| without my prior knowledge, filled out my FAFSA info, SSN
| and all, on a scam .com site despite how many times we
| were told "fafsa.gov" or whatever.)
|
| But let's pretend that's a solvable problem, just for the
| sake of argument. Let's assume it's a federal government
| provided site which you can provide with your private key
| on demand to do signing on your behalf and it's
| relatively secure actually keeping the key in your
| browser. And there's a mobile app option which can store
| the key locally with better security and do signing in
| memory which can actually be wiped after. Fine. Now
| convince the public that this site/app does not constitute
| a Federal database of identities. You and I know it
| wouldn't, as described, but _I would not blame anyone who
| objected on those grounds one bit_ , because without the
| necessary knowledge it absolutely would seem like a
| Federal ID, and folks are right to be wary of a single
| source of identity information. After all, all that does
| is take the SSN problem and add to it civil liberties
| problems. The distinction between SSNs and a [somewhat]
| decentralized PKI scheme with a centralized signing app
| for security/anti-phishing reasons is a distinction
| essentially impossible to convey to any but the _most_
| tech-savvy.
| barbazoo wrote:
| In Germany the postal service does what GP described by
| validating someone's identity for various purposes.
|
| > Deutsche Post offers a secure identity check service - to
| millions of users every year.
|
| > On behalf of your contracting party
|
| > To ensure that only identified persons have access to
| sensitive services
|
| > To sensitive services including those from the financial
| services sector (such as opening an online bank account),
| telecommunications (activating a prepaid SIM card), health
| care (access to health information) or the mobility industry
| (including car sharing).
|
| https://www.deutschepost.de/en/p/postident.html
| all2 wrote:
| Why is activating a pre-paid sim card a "sensitive
| service"?
| jdavis703 wrote:
| To mitigate criminal activity ranging from stolen phones,
| to cellphone-activated bombs to evading wiretaps. I'm not
| arguing this is a good reason, but likely the reason this
| exists as a requirement.
| gumby wrote:
| Let me point out that this service should not be necessary:
| every german ID has a physical key infrastructure necessary
| for any shop or vendor to do this with a local terminal,
| yet the enabling legislation deliberately didn't instruct
| the government to build out any ecosystem.
|
| Compare this with, say, Estonia where practically
| everything can be handled through the keys in the ID card.
| EvanAnderson wrote:
| Stories about foreign countries and their societal
| infrastructure, as an American, make me really envious and
| sad for my country's state of affairs.
|
| It's kind of like the feeling I get looking at somebody
| with a very nice car or house: "Oh, it would be neat to
| have such a thing but there's no way I'd ever splurge and
| get that." It's difficult for me to conceive of some things
| other countries have as just being "normal".
| mistrial9 wrote:
| it is selection bias -- the people with miserable and
| oppressive systems do not report it in detail, in
| English, on YNews right?
|
| second, many systems of law treat individuals quite
| differently.. many systems that are not repeated in
| detail, on YNews, do not give much choice to an
| individual by design
| EvanAnderson wrote:
| I'm not suggesting that the United States is particularly
| bad. There are definitely many places in the world that
| are much worse off from so many perspectives (lack of
| rule of law, system of governance, economy, social safety
| net, class mobility, corruption, etc).
|
| It could be better in so many ways, though, too. It would
| be nice if younger people (say, sub-70) would (and could
| be permitted to) take up the mantles of leadership.
| nitrogen wrote:
| _It would be nice if younger people (say, sub-70) would
| (and could be permitted to) take up the mantles of
| leadership._
|
| I'd really like to read a speculative fiction/scifi where
| every generation operates under its own system of laws,
| and you can opt in to a neighboring generation's laws
| instead once every N years or something.
| kanbara wrote:
| only issue with Postident is that they are annoying and
| weren't accepting certain passports for foreign nationals
| for a time. also, they have an online system you can
| sort-of use now but also not really, and you cannot use a
| valid permanent residence card even tho it's issued by
| the german govt... it _is_ pretty alright though
| hiccuphippo wrote:
| Third world country here. Even we have ID cards and no
| identity theft issues. I don't get why the US doesn't get on
| with the times. Same for the metric system.
| zucked wrote:
| It's infuriating, because with the proper messaging, this is
| a bipartisan issue. Right, left and everyone between have had
| identities stolen. Stolen identities cost businesses money -
| I'd wager millions, maybe billions collectively every year.
| There's literally _no_ reason why a more secure form of
| identity verification needs to be a partisan issue.
|
| Which is exactly why it will be :(
| [deleted]
| figassis wrote:
| Why is it so much harder and costlier for companies to be able to
| store credit card numbers, but not SSNs? I mean there is a whole
| certification process that costs hundreds of thousands of dollars
| to get PCI certified, but you could say an SSN has the same if
| not larger risk profile. You can cancel credit cards, can't get a
| new SSN. What is stopping government from implementing the same
| requirements? No one asks for your card number that is not
| certified, and certainly you would not give it if asked, even if
| they said it's mandatory. So why the SSN leniency?
| x0x0 wrote:
| A globally unique id is incredibly useful to many businesses,
| particularly since half of America changes their names. Often
| repeatedly. So there will be incredible back pressure at
| implementing this.
| nathanaldensr wrote:
| When does this end? When do our useless governments put a stop,
| once and for all, to these ridiculous lax security practices in
| corporations?
|
| I feel like I'm being _forced_ to become a luddite--not because I
| don't love technology but because it's being used for such evil
| and potentially life-destroying purposes.
| briffle wrote:
| A conversation earlier this week pointed out the EU system:
| eIDAS [0]. It looks pretty interesting how it's decentralized.
|
| I could see something like this running from each state's DMV
| (or the postal service if you didn't want to use your local
| state DMV) to help ensure you are you.
|
| It would be interesting to hear what people that use it say,
| because i'm sadly stuck in a very US world :)
|
| [0] https://en.wikipedia.org/wiki/EIDAS
| Forbo wrote:
| We already have systems for notarization, perhaps we could
| try to leverage that, updating it for more modern purposes. I
| could see them issuing things like smart cards. Then again we
| have some pretty hardcore religious zealots who refuse to do
| anything even remotely resembling a national ID system, so it
| will continue to be fragmented and subject to each state's
| implementation.
| throwaway98797 wrote:
| if the cost of identity theft, i mean bank fraud, was put on
| the banks this would be less of an issue.
|
| all companies do not need better security. banks need better
| processes so my ssn and address cant be used to mess up my
| life.
|
| the banks have the money to fix this.
| hncurious wrote:
| Our government is run by a gerontocracy born decades prior to
| PCs and the internet. They have no idea what the root problem
| is or how to fix it. How many of them even know the absolute
| basics? What a for loop is? Or Postgres? Or http vs https?
| Anything they actually do will be written by lobbyists on
| behalf of tech giants and other multinational corporations and
| big donors.
|
| Between that and the increasingly fundamentalist, censorious,
| puritan, social justice takeover of tech companies, I also feel
| like I'm being forced to become a luddite despite my life long
| love for technology.
| IncRnd wrote:
| Of course they understand. The issue is that they don't care.
| They don't care about you or me. They don't care about
| whether you have Internet access and if you do whether it is
| slow or fast. They don't care whether you are homeless or
| rich or if you are high on drugs or a personal trainer to the
| stars.
|
| If you make a big enough issue about how they apparently
| don't understand, they will create a committee to study the
| issue then ignore the findings. They don't care about you or
| your problems.
| kjkjadksj wrote:
| I think the takeaway is that government represents too many
| people and you cant satisfy everyone, so leaders listen to
| citizen action groups and lobbyists who are able to
| aggregate all these different viewpoints into more broadly
| popular legislation and show with their supporters that
| these ideas would be popular among a given electorate.
| IncRnd wrote:
| After having interacted with politicians, I am firm in my
| belief that most of them don't care about their
| constituents.
| EvanAnderson wrote:
| At the federal level I think the care is chiefly about
| re-election. At the state level I see a mix of people who
| are involved out of a sense of civic duty, and people who
| have designs on moving up and acquiring more power.
|
| If politicians represented fewer constituents I think
| they'd be forced to care more about their constituents,
| if only because each individual voter wields more power.
| I certainly think that I have more power to influence my
| local politicians than I do my state representatives (let
| alone my federal representatives). My local politicians
| also live more proximate to me, and share more in the
| physical problems of the region. My US Senators live in
| my state, and that's about all they have in common with
| me.
| IncRnd wrote:
| This is what we get as a society when we aren't
| collectively involved. Why should our politicians care
| when we don't? How many of your neighbors have done the
| work to change politicians' votes or to raise their own
| politicians up?
|
| I agree with you, but I also think there are many
| disparate problems we can point at. Ultimately, it all
| boils down to this: we get the results of our efforts.
| bwship wrote:
| I am becoming less luddite, but way more partial to older
| technology.
| mancerayder wrote:
| There's a both-sidesism here - one party that's demanding
| censorship (because misinformation, danger, etc.) when they
| used to fight it, the other party seemingly defenders of
| classic big corporate entities, yes it does seem hopeless.
|
| I think it has to get worse before it gets better. If almost
| everyone's personal information, SS and so forth, even
| IMEIs, addresses, mother's maiden, you name it, is available
| on the dark web, then that'll basically mean the corporate
| world will have to create a new mechanism. For example, the
| most obvious is the entire system in which credit worthiness
| is determined.
|
| I know two people with identity theft issues, and in both
| cases people opened up accounts that impacted credit
| worthiness. That's really lousy if you spend a long time
| searching for a home to buy, and when you're in contract
| something like this happens and your credit gets dinged.
| Blame the banks and the credit industry as much as the
| hackers. They made this impossible-to-contain information
| literally the _key determinant of your ability to get a loan
| in order to purchase a home_.
| caeril wrote:
| This situation could be greatly improved if these companies
| didn't have or need to have this data in the first place.
|
| Prepaid mobile plans carry a lot of stigma with them -
| perceived to be "low-class", or even criminal by many. But at
| least your SSN and address won't be in their database.
| gizdan wrote:
| I don't know about the US, but here in the UK prepaid mobile
| isn't necessarily looked down upon, but it's significantly
| more expensive than a contract. It's the main reason why
| people just go with a contract despite being locked in for 2
| or more years. Even sim-only contracts are considerably
| cheaper.
| brewdad wrote:
| In the US, prepaid is a much cheaper option for all but the
| highest volume users. The drawback is that you get
| deprioritized on the cell towers making mobile data nearly
| unusable in many cities or at large gatherings like
| sporting events.
| MeinBlutIstBlau wrote:
| I've been using Liberty for a while now and it's been fine.
| It's 2G but I'm like 90% of the time always around wifi I
| trust so not a major deal. No reason to blow tons on data I
| don't use.
| _rs wrote:
| With AT&T at least if you want the highest priority on their
| towers you have to be on their Elite plan (QCI 7 I believe),
| which is post-paid only
| trasz wrote:
| What does the "priority on the towers" do?
| brewdad wrote:
| If you want to use your mobile data, you get sent to the
| back of the queue. Higher priority users might get
| 50 Mbps. You will be lucky to get 1 Mbps and in some cases
| less than that.
|
| I don't know if there is an impact on call availability
| as well.
| hypothesis wrote:
| Yikes. Is that something that AT&T is openly advertising?
| rvz wrote:
| > Here is the data that is available in this leak: Name, Phone
| > number, Physical address, Email address, Social security
| > number, Date of birth
|
| Not only the phone number but the physical address?
|
| If this is true, absolutely outrageous.
|
| > The hacker has said he is willing to reach "an agreement" with
| AT&T to remove the data from sale.
|
| Might as well pay the hacker's ransom, AT&T, to remove the data
| from sale; otherwise, if it's leaked, a massive fine (probably
| larger than the hacker's ransom) awaits you.
|
| First T-Mobile and now (if true) AT&T. Let's see who is next to
| unveil another hidden breach... maybe Verizon has something to
| hide?
| christophilus wrote:
| > a massive fine (probably larger than the hacker's ransom)
| awaits you.
|
| If you mean, massive executive bonuses, and zero policy
| response by the government, then yes.
| idiotsecant wrote:
| >a massive fine (probably larger than the hacker's ransom)
| awaits you.
|
| Based on past experience, unlikely.
| ryanlol wrote:
| https://krebsonsecurity.com/2015/11/fcc-fines-
| cox-595k-over-...
|
| Cox had to pay up over a few social engineering calls.
| dylan604 wrote:
| >a massive fine (probably larger than the hacker's ransom)
| awaits you. ... maybe Verizon has something to hide?
|
| If we're just making stuff up, then maybe Verizon is the hacker
| trying to take down the competition? It's as likely as ATT
| being fined anything significant
| mrtweetyhack wrote:
| why does ATT have your SSN? Sounds like a lawsuit to me :)
| cowturds wrote:
| If only we could _change_ our SSN just like we can name,
| address, and bank accounts
| gjsman-1000 wrote:
| First T-Mobile, then AT&T (except that AT&T is denying it, which
| is hopeful). All eyes on Verizon...
| chasil wrote:
| The nice thing about using an MVNO (aside from cost reduction)
| is that the carrier never receives any of that PII.
|
| I like the Red Pocket plans on Ebay, and they never asked for
| an SSN.
| travisporter wrote:
| How are MVNOs able to offer a lower price than the carriers?
| I was interested but didn't switch because I was worried they
| are selling my info or something.
| detaro wrote:
| They usually spend less on advertising/store presence/...
| (e.g. around here the large mobile networks have branded
| shops and such, the MVNOs almost never have and either sell
| only online or a supermarket brand and piggybacking on that
| store network), their plans might have restrictions the
| main network ones don't have, ...
|
| And in reverse, better brand recognition/(impression of)
| service quality allows the network operators to charge more
| and still get customers, the MVNOs need to be cheaper to
| compete with that.
| chasil wrote:
| The process of porting numbers between MVNOs is more
| difficult than using a main carrier with brick-and-mortar
| locations.
|
| I ported my landline to Page Plus in the late 2000s
| (which took over a week). I still have that number, and I
| have never spoken to a person when porting it between
| MVNOs (always over chat or email). My last port to Red
| Pocket took two days to get right. This can be a
| frustrating procedure, and many people prefer the major
| carriers for in-presence customer service for issues like
| this.
|
| I have repeatedly switched between Verizon and AT&T when
| necessary due to phone hardware or coverage, and MVNOs
| usually allow this to be done (a limited number of times)
| through automated simcard changes with no customer
| service interaction.
|
| The one surprising thing about my recent move to Red
| Pocket is the lack of voicemail in the included plan
| (it's available with a surcharge). I'm not certain if I
| miss it.
| lftl wrote:
| I'm sure it varies from MVNO to MVNO, but most of them are
| deprioritized before the carriers' direct customers during
| congestion.
| swiley wrote:
| >which is hopeful
|
| That's like saying "the house is on fire but there's little
| smoke which is hopeful." Of course they're denying it!
| ourmandave wrote:
| I wonder what the settlement for my data being stolen will be?
|
| 1. $10 off a new AT&T phone. When you sign a 5 year contract.
| Excludes all other offers.
|
| 2. A free month of AT&T limited service. When you sign a 5 year
| contract. Excludes all other offers.
|
| 3. Or absolutely nothing, like the last bazillion times.
|
| The suspense is killing me. I hope it lasts.
| rsync wrote:
| I bought a new iPhone with cash, signed up for a Verizon MVNO
| using an assumed name and used an impersonal email address (and
| assumed name) for my Apple ID (which I seldom use).
|
| Nobody in this chain has my real name or any significant PII. I
| don't care if any of them get "hacked".
|
| Further, if my phone is lost I just recreate the chain and point
| my (twilio) number to the new SIM card. I can temporarily forward
| SMS to email for a day or three. Yes, of course twilio has an
| assumed name.
|
| None of this was difficult nor illegal nor expensive.
|
| The enabling factor is that Visa/MC do not actually verify
| cardholder name (even though everyone thinks they do).
|
| So _my bank_ sort of knows who all the providers are, but they'd
| need to collude with (MVNO or twilio or Apple) to have any real
| PII which could then be stolen ...
|
| My threat model is PII theft via hacks (like this one) and
| wayward employees at each provider. My threat model is not state
| actors or LEAs.
| slownews45 wrote:
| Interesting - I've always wondered if something like this is
| possible.
|
| Even just if privacy.com or someone would let me signup with a
| fake identity to t-mobile. Then who cares if these folks get
| hacked?
| [deleted]
| EvanAnderson wrote:
| Can you elaborate on "The enabling factor is that Visa/MC do
| not actually verify cardholder name"? Are you saying that
| you've got a credit card under an assumed name?
| rsync wrote:
| No, of course not.
|
| I am saying that merchants do not have the ability to verify
| card holder name.
|
| Your transaction will process properly with Mickey Mouse as
| first/last.
|
| Only amex verifies cardholder name.
|
| EDIT: relevant stackexchange is here:
| https://security.stackexchange.com/questions/220724/i-can-
| pa...
| BeefySwain wrote:
| > None of this was difficult nor illegal nor expensive.
|
| Is giving a false name to the CC companies not illegal in
| some way? At the very least I'm certain it is a breach of
| contract.
| brewdad wrote:
| I think OP is saying that they give a fake name to the
| vendor, not the CC company. Walmart (maybe?) isn't
| checking that the billing name you give them matches the
| name on the card. I don't know how true this is across
| all vendors.
| rsync wrote:
| This is correct.
|
| I have the same, real-name relationship with my bank and
| card issuers that you or anyone else has.
|
| Rando-web-merchant, on the other hand, never gets my real
| name.
|
| "I don't know how true this is across all vendors."
|
| Almost 100%.
|
| There _is_ a rarely used program called "verified by
| visa" that takes you through an additional verification
| step and encourages you to create some sort of account
| linked to your issuing bank (or something) but I have
| only run into that once in the years since I adopted this
| practice.
| quesera wrote:
| Slightly mitigating:
|
| Merchants can request Address Verification (AVS) from the
| network, but the result is purely advisory: the merchant
| can ignore a mismatch if they choose. In my experience,
| most do ignore it.
|
| This is also true of the CVV/CVV2/CSC/etc. Most web
| vendors require it, but it is not required to complete a
| transaction. _Theoretically_ the provision of a correct
| CVV indicates that the consumer has the card in-hand.
| Chargeback appeals are somewhat more likely to succeed if
| the transaction included the CVV.
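The advisory nature of AVS and CVV results described above, as an added example that is not code from the thread or from any payment gateway: a merchant-side decision function with the lenient policy most merchants run (issuer approval is enough) beside a strict one (void anything short of a full AVS match plus CVV match). The AVS and CVV result letters are the common Visa-style codes, but every processor documents its own set, so the tables are assumptions to check against the gateway in use. Note that AVS compares only the numeric parts of the street address and the ZIP; the cardholder name is not checked at all, which is why a fabricated name passes under either policy.

```python
"""Merchant-side decision logic over AVS and CVV results.

Added illustration; not code from any payment gateway. Result codes are
the common Visa-style letters and are an assumption to verify against
the processor's documentation.
"""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    LENIENT = "lenient"  # issuer approval is enough; AVS/CVV ignored
    STRICT = "strict"    # require full AVS match and CVV match


# AVS compares only the numeric parts of the street address and the ZIP;
# the cardholder name is never part of the check.  (Code set assumed.)
AVS_FULL_MATCH = {"Y", "X"}          # address and ZIP (5- or 9-digit) match
AVS_PARTIAL_MATCH = {"A", "Z", "W"}  # address or ZIP matched, not both
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "R", "S", "G"}  # issuer did not or could not check

# CVV/CVV2 result codes.  (Code set assumed.)
CVV_MATCH = {"M"}
CVV_NO_MATCH = {"N"}
CVV_NOT_CHECKED = {"P", "S", "U"}


@dataclass(frozen=True)
class AuthResponse:
    issuer_approved: bool  # the issuer authorized the amount
    avs: str               # AVS result letter from the network
    cvv: str               # CVV result letter from the network


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def decide(resp: AuthResponse, policy: Policy) -> Decision:
    """Accept or void an authorization according to merchant policy.

    The network returns the authorization as approved even when AVS or
    CVV mismatch; acting on those results is entirely the merchant's call.
    A STRICT rejection should be followed by voiding the authorization so
    the hold on the customer's card is released.
    """
    if not resp.issuer_approved:
        return Decision(False, "issuer declined")

    if policy is Policy.LENIENT:
        # What the thread describes most merchants doing: approval alone is
        # enough, so a made-up billing name and address go through.
        return Decision(True, "issuer approved; AVS/CVV ignored")

    if resp.cvv in CVV_NO_MATCH:
        return Decision(False, "CVV mismatch; void authorization")
    if resp.cvv in CVV_NOT_CHECKED:
        return Decision(False, "CVV not verified; void authorization")
    if resp.avs in AVS_NO_MATCH:
        return Decision(False, "AVS mismatch; void authorization")
    if resp.avs in AVS_PARTIAL_MATCH:
        return Decision(False, "AVS partial match; void authorization")
    if resp.avs in AVS_UNAVAILABLE:
        return Decision(False, "AVS unavailable; void authorization")
    if resp.avs in AVS_FULL_MATCH and resp.cvv in CVV_MATCH:
        return Decision(True, "AVS full match and CVV match")
    return Decision(False, f"unrecognised codes avs={resp.avs!r} cvv={resp.cvv!r}")


def demo() -> dict:
    # Constructed authorization response for an order placed with a real
    # card but a made-up billing name and street address: the issuer
    # approves the amount, AVS reports no match, CVV matches because the
    # buyer has the card in hand.
    fake_name_order = AuthResponse(issuer_approved=True, avs="N", cvv="M")
    return {
        "lenient": decide(fake_name_order, Policy.LENIENT).accept,
        "strict": decide(fake_name_order, Policy.STRICT).accept,
    }


if __name__ == "__main__":
    print(demo())  # {'lenient': True, 'strict': False}
```

Even the strict policy only raises the bar for someone without the physical card; it does nothing against the assumed-name scenario in the thread, because the card and CVV are genuine and the name is outside AVS.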
| EvanAnderson wrote:
| I appreciate the response and the link to the Stack
| Exchange question. I wasn't "getting" what you were saying,
| but now it makes sense. That's probably something I'll
| start doing too. Thanks for the idea.
| derwiki wrote:
| When I use a privacy.com virtual card, I can use any
| name/address and the transaction is approved.
| dellcybpwr wrote:
| My hero!
| vlovich123 wrote:
| I've been wanting the government to roll out a zero proof ID
| mechanism so that businesses don't need any info. Just have a
| unique ID that's a representation of that one unique
| representation. Visit a new Dr's office? Instead of an SSN
| generate a new ID they can use to contact you with the government
| as the intermediary. The business never gets your PII and the
| government already has your PII and needs to keep it secure (and
| is politically culpable to breaches). Some care needs to be taken
| to ensure that the government is actually blinded to the identity
| of the entity you connect with so that they can't connect the
| dots about activity, but I think this is tractable.
|
| Same thing with medical records. The current design is abhorrent.
| Every medical provider has an independent copy of your records.
| You should be the only one with a copy (or with a storage
| provider you designate) with strict timely access controls (eg
| doctor gets the records for 30 days for review or something).
| That I have to fill out a form to get my own medical records is
| retarded.
|
| This stuff isn't hard, but it's hard to make money on so there are
| perverse incentives to keep the status quo.
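The per-business identifier idea in the comment above, as an added example that is not the commenter's design or anyone's deployed system: a registry (assumed here to stand in for the government that already holds the PII) keeps one random secret per citizen and derives a different identifier for every relying party with HMAC, so no business ever stores the SSN, two breached databases cannot be joined on the identifier, an identifier stolen from one business is useless at another, and only the registry can route a message back to the person. The names `Registry`, `identifier_for` and `relay` are this example's own, and the sample citizen record is constructed. One part of the comment is deliberately not covered: this registry does learn which businesses a citizen enrolls with, and blinding it to that needs blind-signature or anonymous-credential schemes that are out of scope here.

```python
"""Pairwise pseudonymous identifiers in place of a shared SSN.

Added illustration; not anyone's deployed system. The registry is an
assumed trusted intermediary holding PII that relying parties never see.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Registry:
    """The trusted intermediary. It holds PII; relying parties never do."""
    records: Dict[str, dict] = field(default_factory=dict)           # citizen -> PII
    keys: Dict[str, bytes] = field(default_factory=dict)             # citizen -> secret
    index: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (rp, pid) -> citizen
    inbox: Dict[str, List[str]] = field(default_factory=dict)        # citizen -> messages

    def enroll(self, citizen: str, pii: dict) -> None:
        self.records[citizen] = pii
        self.inbox[citizen] = []
        # A fresh random key, not something derived from the SSN: an
        # identifier then reveals nothing about the SSN even to an attacker
        # who can enumerate every possible SSN offline.
        self.keys[citizen] = secrets.token_bytes(32)

    def identifier_for(self, citizen: str, rp: str) -> str:
        """Identifier the citizen presents to relying party `rp`.

        HMAC over the relying party's name keeps the value stable for that
        business (it can serve as their database key) and unrelated to the
        value any other business receives.
        """
        pid = hmac.new(self.keys[citizen], rp.encode(), hashlib.sha256).hexdigest()
        self.index[(rp, pid)] = citizen
        return pid

    def relay(self, rp: str, pid: str, message: str) -> bool:
        """Deliver a message from `rp` to whoever `pid` denotes *at rp*.

        The relying party gets a delivery result, never the PII, and an
        identifier issued for one business does not resolve under another.
        """
        citizen = self.index.get((rp, pid))
        if citizen is None:
            return False
        self.inbox[citizen].append(f"{rp}: {message}")
        return True


def leaked_identifiers_link(pid_a: str, pid_b: str) -> bool:
    """What an attacker holding two breached databases can try: join rows
    on the identifier. Pairwise derivation never yields an exact match
    across different relying parties, so the join finds nothing."""
    return hmac.compare_digest(pid_a, pid_b)


def demo() -> dict:
    reg = Registry()
    # Constructed sample citizen; the SSN is a placeholder, not a real one.
    reg.enroll("citizen-1", {"name": "A. Example", "ssn": "000-00-0000"})
    at_doctor = reg.identifier_for("citizen-1", "doctor-office")
    at_telco = reg.identifier_for("citizen-1", "telco")
    return {
        "telco_has_ssn": "000-00-0000" in at_telco,
        "breaches_linkable": leaked_identifiers_link(at_doctor, at_telco),
        "telco_can_contact": reg.relay("telco", at_telco, "your bill is ready"),
        "stolen_id_reused_elsewhere": reg.relay("doctor-office", at_telco, "hi"),
    }


if __name__ == "__main__":
    print(demo())
```

The security of the scheme rests on the registry's per-citizen keys, which is exactly the point the comment makes: the concentration of risk moves to one party that already holds the PII and can be held to account for it, instead of being copied into every carrier, clinic and lender.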
| tsjq wrote:
| TMobile: 100M
|
| ATT : 70M
|
| Suffice it to say, nearly all adults of the USA.
|
| I am surprised how come not a single high-profile person faces ID
| Theft and related troubles from these many data leaks !
| lotsofpulp wrote:
| Tmobile was 40M.
|
| It is all small pickles anyway compared to Sep 2017's Experian
| leak of 147M people's records:
|
| https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breac...
|
| A credit reporting agency's information is all the important
| information you would need about someone to do something
| fraudulent with their identity.
| jmount wrote:
| In the US many companies publicly share their EIN (the equivalent
| of SSN for companies), and somehow the laws are set up that this
| isn't a source of identity theft.
| lotsofpulp wrote:
| You cannot get a loan with a company's EIN, nor can you
| (easily?) get money from the government by filing tax returns
| with a company's EIN.
|
| Therefore there is not much value in fraudulent use of EINs.
| gigel82 wrote:
| Interestingly, I stopped being an AT&T customer 4 years ago but
| just this morning I received a phishing SMS containing my real
| name and a mention of AT&T overpayment or some-such.
|
| Could be a coincidence, or it could be the data is already out
| and being used.
| nabakin wrote:
| The seller hasn't sold the data yet. Unless it has already been
| available behind the scenes and changed hands, I don't think
| the breach is related.
| gzer0 wrote:
| I received the exact same thing. I was also a customer of AT&T
| around 4 or so years ago.
|
| The odd thing to me was the phishing text said to CALL ATT's
| very own number. No links or anything.
| gigel82 wrote:
| Mine included a link. I already removed it so can't look at
| it now, but it definitely included one of those minified
| links that immediately scream "phishing".
| sgc wrote:
| I received the same thing yesterday.
| IncRnd wrote:
| An SMS can be crafted to attack your phone if you view the
| message.
| knubie wrote:
| I know this doesn't add much to the conversation but I got the
| same text this morning and I am currently still with att.
| tyingq wrote:
| I'm usually skeptical about denials, like AT&T is doing here. But
| in this case, there would be some incentive for the hackers to
| misrepresent the source/freshness/etc of the data.
|
| Given the recent T-Mobile hack, if they can tag the data as
| coming from AT&T and being fresh, it might fetch a higher price
| either from AT&T, or data buyers. In other words, it could be a
| re-label of some older exposed data.
| kingnothing wrote:
| The hackers selling the info are well known for providing fresh
| data, to the point that they've given away old data for free. I
| doubt they'd risk their reputation on reselling a different
| leak.
| tyingq wrote:
| Ah, thanks...not mentioned in the linked article. There's
| more info in the source article:
| https://restoreprivacy.com/att-data-breach-70-million-
| custom...
|
| The hacker group is "ShinyHunters".
| lotsofpulp wrote:
| I wonder if the price of leaked data dropped after
| Experian's data leak from Sep 2017 that included basically
| everyone in the US that uses credit.
|
| I imagine the difference in data since the Experian leak
| are for people that became adults since Sep 2017 or
| immigrants or some information about new addresses/names
| from moves/marriages, etc.
| Jaepa wrote:
| Interestingly it looks like T-Mobile US also had a very similar
| data breach a couple days ago.
|
| > We have determined that the types of impacted information
| include: names, drivers' licenses, government identification
| numbers, Social Security numbers, dates of birth, T-Mobile
| prepaid PINs (which have already been reset to protect you),
| addresses and phone number(s).
|
| https://www.t-mobile.com/brand/data-breach-2021
| 41209 wrote:
| Everyone should put a lock on their credit.
|
| Also since it takes a few days to remove the lock, you can't
| impulse buy a car ( or another big ticket item).
|
| At this point the only thing I'll ever need to do a credit check
| for is a new apartment.
| metaphor wrote:
| What AT&T service compels consumer SSN disclosure to begin with?
| oenetan wrote:
| If you take out credit, or don't want to pay security deposit,
| they ask for it
| metaphor wrote:
| Thanks for the clarification.
| mancerayder wrote:
| I think it's any contract with a carrier. They want the ability
| to go after you and hurt your credit if you refuse to pay, is
| my guess. It's disgusting.
| lotsofpulp wrote:
| How is it disgusting for a lender to be able to look up
| someone's credit history and determine if they are an
| appropriate credit risk for them?
|
| The alternative is everyone gets (or does not get at all)
| credit on the same terms without regards to personal behavior
| or risk profiles, which is a valid option, but I would still
| think "disgusting" is a strong word to describe the prior
| scenario.
| afrcnc wrote:
| Someone posts eight SSNs on a hacking forum and some wild claims,
| and reporters run it as a legitimate 70 million hack. And people
| wonder why the term fake news exists.
| slownews45 wrote:
| except these companies are crap at security and the folks
| posting have a relatively good reputation? That said - yeah,
| maybe post 500? This could just be trash as you say.
| codegeek wrote:
| Knowing what we know about these companies and their security
| practices, I would give benefit of doubt to this "someone" who
| posted on a hacking forum.
| [deleted]
___________________________________________________________________
(page generated 2021-08-20 23:01 UTC)