[HN Gopher] ID verification service for TikTok, Uber, X exposed ...
___________________________________________________________________
ID verification service for TikTok, Uber, X exposed driver licenses
Author : brw
Score : 95 points
Date : 2024-06-27 00:05 UTC (22 hours ago)
(HTM) web link (www.404media.co)
(TXT) w3m dump (www.404media.co)
| brw wrote:
| https://archive.is/9ywDK
| lizardking wrote:
| My understanding is that X has moved on from AU10TIX to using
| stripe.
| dinglestepup wrote:
| "Our customers' security is of the utmost importance"
|
| They don't even have 2FA enabled for logging into such a
| sensitive portal?
| asadm wrote:
| Users aren't their customers, Israeli govt / Mossad is.
| pbiggar wrote:
| Having an Israeli company running security for US companies is
| absurd. Their startups are an extension of the Israeli military,
| and most founders were in Unit 8200 (the group that made the AI-
| bombing systems Lavender and Where's Daddy).
| robcohen wrote:
| Why is it absurd? I'm not following.
| pbiggar wrote:
| Israel is a country whose purpose is taking land from
| Palestine, Syria, Jordan, Egypt, etc, and putting settlers on
| it to retain control, which is illegal under international
| law, and of course is also morally wrong. That's why it's
| committing a genocide in Gaza, and is the source of the
| conflict in Palestine.
|
| The entire Israel project requires spying on, suppressing,
| and manipulating the west to support their awful actions,
| like the apartheid in the West Bank. It uses its military,
| intelligence networks, money, and industry (including
| startups) to control and manipulate the west to allow the
| genocide and land stealing to keep going. It has been doing
| this for 75 years.
|
| Israeli startups are primarily created by former intelligence
| agents from Unit 8200. This isn't a conspiracy theory,
| they're more than happy to brag about this.
|
| If you run a startup, absolutely do not trust any user data
| (or your own personal data) to an Israeli company, and be
| super skeptical of any company founded by an Israeli or a
| Zionist (advocates of the Israeli project).
| slg wrote:
| Just the founder of CircleCI seemingly advocating for the
| dissolution of Israel.
| jedimind wrote:
| Just the founder of CircleCI listing some uncomfortable
| facts such that you instinctively derive the best
| resolution to it.
| ignoramous wrote:
| > _dissolution of Israel_
|
| I mostly read that as Paul calling for the head of
| tyrants, which is a positive thing for any country. If
| you read that as "dissolution of Israel", are you
| presuming Israel won't survive without its tyrants?
| sundbry wrote:
| 1) that's not what he said 2) what he said is true
| kevingadd wrote:
| Because Israeli intelligence freely and brazenly spies on
| civilians from allied countries, maybe
|
| https://www.theguardian.com/commentisfree/article/2024/may/2.
| ..
|
| I certainly wouldn't trust a startup with IDF/Mossad
| connections with my data.
| pbiggar wrote:
| That's 100% of Israeli startups.
| Alupis wrote:
| Oh how quickly we've forgotten the Snowden Leaks.
|
| They all spy on each other's citizens. When it's not
| possible to do it directly, they will use covert means a la
| NSA slurping up data via transit lines, etc.
|
| It being an Israeli startup makes your data no less safe
| from spying eyes than doing business with a UK startup or
| any other allied nation.
| JumpCrisscross wrote:
| > _Because Israeli intelligence freely and brazenly spies
| on civilians from allied countries_
|
| Everyone spies on everyone. Does Israel have a law like
| China's which mandates cooperation? It was my understanding
| they have a forcefully independent judiciary.
| chimeracoder wrote:
| > It was my understanding they have a forcefully
| independent judiciary.
|
| That may have been true ten or fifteen years ago, but is
| extremely not true today.
| Alupis wrote:
| Is there evidence of this other than "Israel Bad"?
| chimeracoder wrote:
| > Is there evidence of this other than "Israel Bad"?
|
| ...yes?
|
| From the content of your comment, it seems you're not not
| up to date on the development of Israel's internal
| government structure and balance of separation of powers,
| which has changed a lot over the last five years. But
| from the tone of your comment, it also sounds like you're
| going for a snarky dismissal rather than a good faith
| discussion, so I'm not sure talking about this further is
| going to do much good.
| Alupis wrote:
| There was an attempt at "reform" that was crushed by
| their supreme court, because that's how their government
| works.
|
| So unless you have something new to share, the assertion
| is false.
|
| It's a lot like Biden making EO's that he knows are
| unconstitutional and ultimately will be struck down by
| SCOTUS.
| chimeracoder wrote:
| > There was an attempt at "reform" that was crushed by
| their supreme court, because that's how their government
| works.
|
| That's actually not the whole story, but regardless,
| judging by the tone of your responses here and your
| recent comment history, I don't think any discussion here
| on this topic is going to be fruitful.
| Alupis wrote:
| So enlighten us maybe instead of just saying "nah hu".
| codedokode wrote:
| This means we should use national solutions and services
| instead of someone's else.
| kevingadd wrote:
| "Everyone spies on everyone" isn't an argument in favor
| of using companies with known ties to the military or
| intelligence, though...
| ryandrake wrote:
| It's gotten to the point where if a company requires you to
| upload something to verify your identity, you should treat it as
| if that something is being posted visibly to the public internet,
| and decide based on that whether it is worth providing. Companies
| repeatedly demonstrate their inability to secure personal data
| that they obtain and store, while always issuing press releases
| about how "we take security very seriously."
| bangaroo wrote:
| i mean i have worked in the industry (including a long stint in
| fintech!) for something like 20 years now and i genuinely have
| yet to work at a place that didn't just nod knowingly at the
| need for it.
|
| i genuinely struggle to recall an active effort to continuously
| train, test, and improve security that had any impact across
| any company i've worked at. it's super costly work that feels
| like a pure expense to folks who don't know any better.
|
| i recall substantially longer discussions - at the company i
| worked at that handled people's banking credentials and is part
| of one of the largest financial institutions in the world -
| about how we could spin "the disks that your secure data is
| stored on are encrypted at the OS level" to sound as secure as
| possible without lying. far, far fewer meaningful discussions
| were had about how to audit for real security issues or train
| folks to write more secure code or build more secure systems.
|
| i know that anecdotes aren't evidence but i've really met very
| few folks in my time in engineering who had experiences
| different from mine.
| TacticalCoder wrote:
| And the real scary stuff is that they demand _more_ than the
| law requires. They 're not just doing the minimal KYC/AML stuff
| (which is already a huge endeavor btw): they're going out of
| their way to get as much infos as they can.
|
| For example for AirBnB (well, granted some "conciergerie"
| service belonging to AirBnB, in France: but even if it's top-
| end it's still AirBnB) they wanted me to record a video of me
| of 20 seconds.
|
| They're not the only ones to do that: I've seen other sites
| asking these vids.
|
| The more regulated stuff, like brokers, banks, etc. shall ask
| what's legally required: proof of address (a utility bill),
| scan of the driving license, etc. but nothing more (at least in
| my experience).
|
| But the non-regulated players: they invent stuff. They make up
| shit, apparently on the spot.
|
| At some point they'll ask a blood and urine sample to "verify
| my identity".
|
| Which would be okay'ish, I guess, if they weren't so
| incompetent as to invariably leak those data when a hacker
| shows them who can code.
|
| I take it the KYC/AML will have to be modified to prevent
| anything _more_ than what is legally required from being
| collected.
| tivert wrote:
| > For example for AirBnB (well, granted some "conciergerie"
| service belonging to AirBnB, in France: but even if it's top-
| end it's still AirBnB) they wanted me to record a video of me
| of 20 seconds.
|
| > They're not the only ones to do that: I've seen other sites
| asking these vids.
|
| So basically they're trying to do a "liveness" check,
| probably under the assumption that videos are too hard to
| fake (and hopefully they compare the ID documents against the
| video). Honestly, that seems legitimate to me. With data
| leaks and generative AI, it's going to be increasingly hard
| to do the kind of identity verification tasks online that we
| take for granted.
|
| I predict there will soon be a huge necessity and demand for
| in-person notaries to verify identities for online services.
| Want to open a bank account online and there's no branch
| nearby? Go to some ID verification business with a ticket
| number from the sign up workflow, they check your documents,
| and then _they_ tell the bank if you checked out or not.
| bbarnett wrote:
| Canada Post has a service like this. They already need to
| do identity verification for some types of packages
| (certified/registered mail with mandatory Post Office pick
| up), so it's a natural extension.
|
| Not sure how rigid it is through. Probably just a glace at
| a driver's license / id card?
|
| Anyhow, a good extra revenue stream for classic postal
| services.
| jamesrr39 wrote:
| > So basically they're trying to do a "liveness" check,
| probably under the assumption that videos are too hard to
| fake (and hopefully they compare the ID documents against
| the video). Honestly, that seems legitimate to me. With
| data leaks and generative AI, it's going to be increasingly
| hard to do the kind of identity verification tasks online
| that we take for granted.
|
| I worked for a company that required these videos in one of
| the markets they served. Some countries have decent digital
| ID solutions already in place, but in many it's just a
| picture of a driving license or such that is so easily
| faked/stolen. Kind of a shame how in many countries
| officially identifying yourself online is not
| implemented/implemented badly enough that no-one uses it,
| so instead we have this poor uploading pictures of private
| documents and videos of yourself fallback.
| Frieren wrote:
| > The more regulated stuff,
|
| They have been regulated for a reason. Without regulation
| they will also do all kind of stuff. (They still do a lot of
| really harmful stuff, but not as much as they could
| otherwise)
| Terr_ wrote:
| I dimly recall some sci-fi quantum-technobabble book where a
| character is reminiscing that a collapsed government's most
| important duties were (A) identity and (B) official
| timekeeping.
|
| The US Federal Constitution, back in 1787, immediately
| authorized a government-run postal service. If a similar
| scenario was echoed today, I think it would/should contain a
| government-run _identity service_.
|
| Governments already have a compelling interest to identify
| people for the purposes of the legal system, property
| ownership, etc. With all that happening _anyway_ , might as
| well have an API that allows for attestation and Single-Sign-
| On.
|
| ___
|
| _P.S.:_ _Not_ having it isn 't really an option, since it's
| a void that will still get filled, just differently... Either
| with a hodgepodge of half-broken systems, or an abusive
| private monopoly, and no accountability or good appeals
| process.
| space_fountain wrote:
| Obama briefly pitched the idea of this. A lot of people
| worried that the government providing services with the
| ability to verify identities would kill anomenlty online
| and it died.
| pphysch wrote:
| And yet anonymity/privacy is already dead for the average
| consumer, and we don't get to benefit from a public,
| reputable SSO service...
| akira2501 wrote:
| > a government-run identity service.
|
| Sponsored and standardized, maybe, /run/ definitely not.
|
| These entities love creating things like "No Fly Lists" I
| can only imagine what their greedy little hands would do
| with the authority to strip one of the ability prove their
| identity.
| krapp wrote:
| I wanted to step in and make fun of the Mark of the Beast
| people and paranoid gun owners who always freak out about
| things like this but then I considered what half the
| country would do if they had control over the immutable
| legal identities of gay and transgendered people, and I
| realize they might actually have a point.
|
| It's not that a national identity service is a bad idea,
| it's a good idea and the US should have it, like it
| should have nationalized healthcare, education, UBI and
| gun control that's actually effective. It's that the
| _United States government_ specifically can 't be trusted
| to implement it at any level and in any way that won't
| lead to undesirables in mass graves. We just can't have
| nice things here.
| anon291 wrote:
| I mean... realistically, everyone should just assume their data
| is public, because if it's not for private companies, most
| states have had their systems hacked and data taken.
| ww520 wrote:
| The amount of data collected is truly getting out of hand.
|
| I was buying an iPhone from a cell carrier for their bundled
| cell plan deal. They used Stripe for payment processing. Stripe
| asked me to upload my driver license/passport and took a video
| of my face so their "AI" could verify my identity. I've been a
| customer with the carrier for years so my profile and credit
| card info were with them already.
|
| The data collection was unbelievably intrusive. Really, I could
| just walk down to an Apple store to get the phone and went with
| another cell carrier. I did exactly that. Stopped the
| transaction and took my business elsewhere.
| akira2501 wrote:
| They take the security of their cash flow very seriously. Which
| is partly why the anti-regulation vibe in Silicon Valley bums
| me out so much. The writing is literally on the wall here.
| alwa wrote:
| It says the company claimed that the credential leak was
| discovered and remediated 18 months ago, meanwhile the leaked
| credentials were still working as of a month ago.
|
| Is this level of governance and sophistication really typical of
| vendors in this space? Sprawling enterprises I can imagine losing
| track of the odd place or two where the credentials are used, but
| a vendor who only does one thing, specifically a high-trust thing
| like this?
|
| Even if they don't have the wherewithal to be thorough in-house,
| am I confused to imagine that such a firm would have to carry
| insurance, which would tend to bring in specialists to make sure
| this kind of remediation is done right?
| jdp23 wrote:
| Yes, it's very typical. There are almost never any consequences
| for actions like this.
| wepple wrote:
| > but a vendor who only does one thing, specifically a high-
| trust thing like this?
|
| They're not in the business of being trustworthy or secure,
| it's just another software shop trying to grow product.
|
| > which would tend to bring in specialists to make sure this
| kind of remediation is done right?
|
| Ideally, sure. In reality an insurance company has many
| thousands of customers, they can't possibly do any real
| assurance beyond basic compliance. Managing access and
| credentials is a hard problem for well staffed security teams,
| let alone a single compliance auditor.
| diebeforei485 wrote:
| I've noticed that companies are generally happy to say they use
| (for example) Plaid to handle your bank account details, but
| often bury or hide who is handling your passport details.
|
| This is unacceptable. If you want my ID, you'd better disclose
| who you're sharing my ID with. And ideally give me a choice of
| providers.
| aketchum wrote:
| > And ideally give me a choice of providers.
|
| This sounds good I guess but would be pretty annoying in
| practice for basically no upside for the business. I could see
| having 2 providers that are both randomly used so that we can
| continue business when one has an outage. But even then I would
| not be showing the option to my customers. The vast majority of
| users would be more confused by the options than happy about
| having options, and likely hurt conversion.
| astroid wrote:
| Didn't X switch to Stripe already? There was a huge uproar over
| people protesting Palestine being concerned about having their ID
| (with home address), biometrics (which they admitted to
| collecting), and other info to a company with such direct ties to
| Israel.
|
| I don't know about this company specifically, but I know it's
| common for the government to essentially act as an incubator for
| tech companies, so the concerns probably weren't unwarranted.
|
| I guess even with the switch, some people probably verified prior
| so it likely has some impact on X still -- and maybe this is
| actually what moved the needle internally, since the users were
| calling it out as a concern for quite some time.
|
| I had no clue uber and tiktok used them though, so that's good to
| know - thankfully I haven't given them my biometrics as of yet.
| octopoc wrote:
| Oh wow didn't know that stripe has Israeli ties. Thanks for the
| heads up--I'll try to shop around for a more ethical
| alternative. May not be able to though--launch is imminent!
| astroid wrote:
| To clarify, Stripe does not - Au10tix does, which they moved
| away from.
|
| Stripe is Headquartered in US / and I believe Ireland - not
| Israel. Sorry for the confusion.
| thephyber wrote:
| So you commented without verifying the fact was true? And it
| turns out it isn't.
|
| Slow down. Don't trust vague statements that don't cite
| sources. Look for the nuance in the situation. Be curious and
| try to learn, don't just follow the crowd.
|
| Also, it's fucking weird to me to assume that all Israeli
| private businesses are unethical. Sure, there's probably
| some. Sure, their tax dollars are fungible with the
| government actions you consider unethical.
|
| But aren't you penalizing the secular tech entrepreneurs of
| Israel by divesting from anything related to the country?
| These are the same demographic that spent every weekend for
| most of 2023 protesting their own government's attempt to
| become more subservient to the Netanyahu coalition.
| ChemiSpan wrote:
| > penalizing the secular tech entrepreneurs
|
| During the divestment against South African apartheid,
| anyone was a fair target.
|
| And yes Israel has been labeled an apartheid state by all
| the major human rights groups, including Amensty, HRW, and
| Israel's own Btselem. Linking the 3 reports below, in case
| you are interested in reading.
|
| https://www.amnesty.org/en/latest/campaigns/2022/02/israels
| -...
|
| https://www.hrw.org/report/2021/04/27/threshold-
| crossed/isra...
|
| https://www.btselem.org/publications/fulltext/202101_this_i
| s...
| thephyber wrote:
| I also noticed you missed the most important thing about
| the GP comment of my reply: he misread which whether the
| relevant company was on the unethical side of the
| equation and seemed willing to divest without any
| skepticism or curiosity.
| ChemiSpan wrote:
| It's true though, AU10TIX is connected to Israeli
| intelligence which seems to be a reason why X switched to
| Stripe. I think the confusion was whether it was Stripe
| or AU10TIX.
|
| > AU10TIX is a subsidiary of ICTs International, a
| company established by former members of the Shin Bet and
| El Al airline security agents.
|
| Ron Atzmon, the founder of AU10TIX, spent his military
| service with the Shin Bet's notorious unit 8200. Which
| also produced the infamous Israeli Pegasus spyware used
| by repressive regimes like Saudi Arabia to spy on
| citizens.
|
| https://www.mintpressnews.com/identity-verification-or-
| data-...
| Levitz wrote:
| You can draw that type of criticism with any boycott
| though. Does whoever cleans the office at Lockheed Martin
| deserve to be punished for the actions of the company?
|
| The point is to create repercussions for a country, that's
| going to affect _someone_ , sure, but that's the point.
| Same as why people don't generally care about random
| Chinese or Russian companies when people decide to boycott
| those.
| thephyber wrote:
| Moving companies is far lower friction than changing
| nationality.
|
| Ethics are relative and have tradeoffs. How many innocent
| people are you willing to hurt to change the behavior of
| the IdF / Israel's Oslo Area C policies / Netanyahu's
| government coalition?
|
| If you are too sloppy with the splash damage, how are you
| any different than the IdF or Hamas? Would you even
| punish Stripe for Israel's military/government behavior
| because you read some unsourced comment on social media?
|
| I would rather target boycotts to the most precise
| entity, within reason, so the entity knows what they are
| being punished for and what change in behavior would
| change the boycott to a non-boycott.
|
| If you don't set an objective standard, then you will
| always be subject to your own emotions or a mob
| mentality.
| rchaud wrote:
| > But aren't you penalizing the secular tech entrepreneurs
| of Israel by divesting from anything related to the
| country?
|
| No one is entitled to your or my business. A boycott is
| about voting with your wallet. It's not exactly withholding
| humanitarian aid as a famine looms.
|
| If such companies feel that they are being unfairly singled
| out, they're free to demonstrate their opposition to the
| the actions of their government.
| thephyber wrote:
| I'm not opposed to voting with your feet/wallet. I
| encourage it.
|
| But make sure your vote is targeted to what behavior you
| want to change.
|
| If you want to train behaviors in a child, you need to
| react+respond immediately and proportionately. You don't
| wait six months to reward a desirable behavior. To be
| most effective, You try to reward/punish immediately and
| you let them know why.
|
| If you avoid Stripe because you mistook them for some
| other company which is based in Israel, which had no real
| ability to affect their government's policies, they won't
| interpret that as "we are being punished for supporting
| Israel's unethical policies". They will interpret that
| correctly as an irrational consumer noise in the data. If
| you want to enact change, let your target know why you
| want them to change, in what way, and then do it to the
| person/people most authorized/responsible for enacting
| the change.
| rchaud wrote:
| In this case the person who brought it up was wrong and
| acknowledged it.
|
| Generally speaking though, the net impact of a boycott
| may even be negligible when it comes to Israel because of
| our government's largesse towards Israel's military
| industrial complex. Whatever little money is witheld by a
| boycott from a small minority of voters in the West is
| dwarfed by the many billions in taxpayer money that
| Western governments commit towards ensuring that the IDF
| has more F-16s per capita than anywhere else on earth.
| ignoramous wrote:
| > _penalizing secular tech entrepreneurs_
|
| "If you kept the small rules [like secularism], you could
| break the big ones [like occupation]."
| ganeshkrishnan wrote:
| >Oh wow didn't know that stripe has Israeli ties.
|
| you misunderstood OP. He meant the previous authenticator for
| X was autotix which was Israeli and then they switched to
| Stripe which is NOT.
| JumpCrisscross wrote:
| Wow, look at that list of clients: eToro, Coinbase, Payoneer [1].
|
| Is there any way to determine if your information was leaked? The
| driver's license picture should qualify as biometric information
| under some states' laws [2].
|
| [1] https://www.au10tix.com
|
| [2] https://www.huschblackwell.com/2023-state-biometric-
| privacy-...
| smittywerben wrote:
| I could be wrong here but I want to say that a driver's license
| ID number would even be protected under the pre biometric data
| privacy laws.
| tptacek wrote:
| Until pretty recently drivers license ID numbers in many
| states were effectively public, and if your license was
| issued at least 10 years ago, it probably still is.
| smittywerben wrote:
| California was among the first to include driver's license
| numbers among personal information. The earliest I can find
| for my state is 2019. I'd not be surprised if some double
| standards continue to exist where the DMV itself is selling
| your personal information.
|
| > "Personal information" means an individual's first name
| or first initial and last name in combination with any one
| or more of the following data elements...
|
| > 2. Driver's license number or California Identification
| Card number.
|
| https://en.wikipedia.org/wiki/California_Senate_Bill_1386_(
| 2...
| tptacek wrote:
| I don't mean simply that the DMV might sell your
| information; I mean that given your name and some basic
| information, I can potentially just generate your valid
| ID. Millions of drivers license IDs are essentially
| public. It's always a little weird to me to see people
| treating them like hazmat. I sort of get why? Hazmat
| whatever you can? But an Illinois drivers license for a
| 40-year-old is public.
|
| Imagine if, until relatively recently, a social security
| number was a truncated MD5 hash of your name and
| birthday. That's the flavor of the problem here.
| WarOnPrivacy wrote:
| > I want to say that a driver's license ID number would even
| be protected
|
| The feds made sure our DL data wasn't protected.
|
| ref: https://cyberplayground.org/2011/12/07/drivers-privacy-
| prote...
|
| Florida gets hundreds of millions of dollars each year
| selling it's residents DL data.
|
| ref: https://www.wftv.com/news/local/can-florida-legally-
| sell-you...
| miki123211 wrote:
| I'm surprised identity verification by logging into your bank
| and/or carrier isn't more common in the US.
|
| They have your data anyway, it's much harder to impersonate
| somebody this way, it doesn't require the verifying company to
| hire any workers to do the verification, you could even do it
| without the site you're verifying yourself at learning anything
| about you.
| thephyber wrote:
| > identity verification by logging into your bank
|
| Do you mean you expect me to give my banking site/app
| credentials to X?
|
| PayPal used two small (less than $1) transactions and the
| verification that I own the bank account was verified by
| correctly identifying the two transaction values.
|
| Plaid, I believe, uses 3rd party auth with some banking
| institutions that support it, to pull read-only data from my
| bank account on my behalf.
|
| South Korea and Estonia use government-issued digital
| certificates that private institutions can use.
|
| There are lots of ways to deal with high assurance
| authentication, but very few are popular in the US.
| derf_ wrote:
| _> PayPal used two small (less than $1) transactions and the
| verification that I own the bank account was verified by
| correctly identifying the two transaction values._
|
| Based on my experience with (non-PayPal) financial
| institutions in the past year, this is going away. For now,
| it appears you can still force them to fall back to this when
| providing your login credentials does not work, but who knows
| how much longer.
| thephyber wrote:
| It was pretty good trick for validating ownership of a bank
| account back in 1998, but I'm happy they are moving to
| something else. There are far better options, and most
| banks are capable of much higher assurance validation now.
| miki123211 wrote:
| > Do you mean you expect me to give my banking site/app
| credentials to X?
|
| No no. Over here (Poland), the way this works is that you get
| a big list of banks, you click on one, get redirected to
| _their_ site, log in there, complete any 2FA they need you to
| complete, are given the typical oAuth "this application
| wants to access this sort of data" consent screen, and then
| are redirected back if you consent.
|
| This is mostly used for fast online bank transfers, which we
| often use for online payments instead of credit cards, but
| there's also a system to use this for ID verification.
| baobabKoodaa wrote:
| Same thing is very common here in Finland.
| rchaud wrote:
| Same system is used in Canada to authenticate indviduals
| who are logging into the government tax portal, or
| submitting their tax returns electronically through a tax
| preparation software.
| thephyber wrote:
| Oh. In Single-Sign On / OAuth terminology, the bank's
| website is the Identity Provider (IdP).
|
| Banks in the US depend on government-issued ID and
| information contracted from credit bureaus (3 big companies
| that are effectively data brokers about consumer lending
| behavior). We have federated identity, but in a weird,
| ineffective way.
|
| Every once in a while, someone bold makes a political
| proposal to make our authentication / identity proof
| systems simpler, but then people realize the privacy
| implications (and religious fundamentalists point to the
| "mark of the beast" part of the Bible) and then the
| proposal doesn't go anywhere.
| miki123211 wrote:
| The interesting part about this is that such a system
| wouldn't necessarily need to come from the government.
| There are companies that need verification and want to do
| it cheaply and with little friction, and there are banks
| and carriers who could make some extra money on it.
| stevekemp wrote:
| > Do you mean you expect me to give my banking site/app
| credentials to X?
|
| In Finland it is common for many online shops to handle
| payment, and authentication, using a banking account.
|
| You never hand over your actual banking credentials, instead
| it is something akin to OAUTH2 - so you're at a merchant site
| and you'll see "Pay with Online BanK" with logos to click for
| whichever bank you have an account with. Exactly the same as
| "Login with Google/Github/Facebook/etc".
|
| I changed my name last year, and due to other integrated
| services many companies automatically updated their records
| when the change became legal. These kind of integrations seem
| common and thus far "secure".
| flutas wrote:
| > I'm surprised identity verification by logging into your bank
| and/or carrier isn't more common in the US.
|
| I've been seeing more and more carrier based verification, but
| it's hidden in the disguise of 2 factor auth.
|
| Cash App and Capital One are two examples I can give concretely
| that do this, as I've been locked out of my account a few times
| until I can get my husband to read me back the 2fa code (cell
| carrier has a pre-marriage last name for me and refuses to
| update it).
| residentraspber wrote:
| Been working in the Fintech space for the past 3 years and what
| I've learned is that deep down no bank trusts any other. No
| other bank wouldn't trust that a random bank actually correctly
| verified the persons identity before giving them an account.
|
| I imagine this also works with other vendors. All you need is 1
| company with a weak process.
| hermitdev wrote:
| Probably a lot of it is due to know your customer (KYC)
| rules. _I_ am not allowed to take _your_ word that you 've
| done your due diligence; I have to do my own.
|
| I've spent ~20 years working in and around finance, on the
| trading side. If your lawyers aren't paranoid about KYC,
| that's a major red flag.
| callalex wrote:
| What are the chances that anyone goes to prison for this? If the
| answer is "none" this will just keep happening.
| gurchik wrote:
| > While PII data was potentially accessible, based on our current
| findings, we see no evidence that such data has been exploited.
|
| How is this possible, when the journalist accessed the data to
| confirm it contained PII?
|
| Each day I am more and more interpreting "we see no evidence" as
| "we didn't really look." That way their statement can be
| technically correct, without divulging any evidence that might be
| used against them when users sue for damages.
| ThePowerOfFuet wrote:
| > Each day I am more and more interpreting "we see no evidence"
| as "we didn't really look."
|
| They see no evidence of it because there were no log entries
| telling them so.
|
| Why there weren't, on the other hand, is a question far outside
| the scope of such statements.
| treeFall wrote:
| See no evidence, hear no evidence
| notaustinpowers wrote:
| It's even a more blatant lie because 404media found the
| credentials in a Telegram group. So, yeah, there's no way this
| _wasn 't_ exploited by multiple people.
| hanniabu wrote:
| High-profile fintech partners: Mercury, Stripe, Affirm,
| Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn,
| TabaPay, and previously worked with Wise and Rho, though both
| have since migrated to other bank partners
|
| Leaked account holder info: name & address, email, phone,
| unencrypted SSN/TIN, DOB, fintech platform
|
| Leaked account info: status, type, balance, last activity, opened
| date, account number, daily limits
| stefan_ wrote:
| Why on earth are these identity verification companies storing
| this data? Once the verification is done, the data must surely be
| promptly deleted?
| toast0 wrote:
| I imagine they save the data in case there's a question about a
| verification. Then they can go back to the archive and say we
| got these images, we took steps X and Y to validate them, so we
| were good. If they destroy the verification images, they
| wouldn't be able to defend a verification claim. OTOH, they
| wouldn't have to worry about the security of storage for those
| images. (They'd still need to worry about security of the
| images during processing)
| neilv wrote:
| Of course they leaked the data. Any seasoned techie could've seen
| that coming from the start.
|
| One of these days, some seasoned and principled lawyer, who knows
| a bit about tech, is going to get ticked off, and decide to make
| one of these companies truly pay for their gross negligence.
|
| Then, gazing at the obliterated company, other companies will try
| to get legislation to let them let them off the hook, but some of
| those companies will decide the party of recklessness is probably
| over, and that they need to start acting responsibly and
| competently.
| ryandrake wrote:
| Problem is, "Evil Hackers" always get the blame rather than the
| negligent companies, who play the victims. They trot out all
| the usual flawed analogies about locked doors and burglars, to
| excuse their negligence, and it works! So, the only legislation
| we ever see is to be Tougher And Tougher On Hackers instead of
| holding these clown companies responsible for the data they act
| as custodians of.
| singleshot_ wrote:
| For negligence to arise there must be, inter Alia, duty and
| proximate harm. I think you'll find the identity services
| have a duty to their contractual partner, the website, but
| not to the victim whose identity was stolen. And there's a
| circuit split as to whether any of these people were even
| harmed.
|
| While litigation seems appealing, the answer here is
| legislation.
| throwaway48476 wrote:
| The problem is there are zero consequences for leaks. Customers
| should be owed automatic compensation for the companies giving
| their data away.
| lotsofpulp wrote:
| That is needlessly complicated. The problem is the US federal
| government does not provide identity verification API as an
| infrastructure service. And they easily could using the
| USPS's physical locations and their workflow in processing US
| passport applications, which already involves identity
| verification.
|
| Or even just coordinating the 50 states' motor vehicle
| commissions or whatever since they are also verifying
| identities to issue drivers' licenses and state
| identification cards.
| throwaway48476 wrote:
| There are monied interests that do not want a tight
| American ID system.
| MiguelX413 wrote:
| What are they?
| kevin_thibedeau wrote:
| Agriculture and food processors want their undocumented
| workers.
| simondotau wrote:
| The transition to documented humanoid robots might take
| less than a decade.
| swatcoder wrote:
| Are you suggesting that bulk-buying a year of Experian credit
| report access for the few people who haven't already won a
| subscription from some other leak isn't a consequence? Or
| that being able to see your own credit report isn't
| compensation enough? Heresy!
|
| /s
| ignoramous wrote:
| > _zero consequences_
|
| Zero fucks given: "None of those companies responded to
| multiple requests for comment from 404 Media."
| 2OEH8eoCRo0 wrote:
| > make one of these companies truly pay for their gross
| negligence.
|
| I think our whole industry is rotten and we need to drastically
| rethink a lot of what we do. This is unacceptable and it
| shouldn't be this hard. We need a reckoning.
| JohnFen wrote:
| > Any seasoned techie could've seen that coming from the start.
|
| At this point, it's pretty safe to just assume that any
| personal data any company has about you will be leaked sooner
| or later.
| gotodengo wrote:
| For various reasons I started to open a bank account with
| Mercury, before deciding to use another provider.
|
| When I said I'd no longer be finishing the application and to
| please delete my passport info, first they ignored the second
| part. When I replied again asking them to delete my data they
| replied about KYC laws and assured me the data was securely
| stored of course.
|
| At that point I gave up. Maybe they could delete the data if I
| fought, maybe their hands were tied, maybe me fighting would
| end up flagging my info as a money laundering risk. But I
| immediately imagined exactly this leak happening.
|
| They're not the only vendor affected that had my data, nor is
| this breach the first, but that's the one that stings the most.
|
| Anecdotally I'm being swarmed by text message spam for the
| first time in months. I have to assume people are running
| through new breach data to find live numbers.
| DannyBee wrote:
| "One of these days, some seasoned and principled lawyer, who
| knows a bit about tech, is going to get ticked off, and decide
| to make one of these companies truly pay for their gross
| negligence."
|
| Principled lawyer who knows about tech here: This won't happen.
|
| 1. It's probably not gross negligence - gross negligence is an
| extreme departure from ordinary standards of care - the
| ordinary standard here seems to be to suck at security :)
|
| Legislation could establish a standard of care here and make
| this kind of thing gross negligence, but that hasn't really
| happened yet.
|
| It's also not obvious they owe a duty of care to anyone in the
| first place, without which negligence is impossible (at least
| regular old negligence) - this also needs legislative fixing
| unless you want to end up arguing about it forever.
|
| 2. Damages are basically all speculative - what is your actual
| injury here, and how much can you _prove_ the value of it. Lots
| of people on HN love to say how much X or Y is worth. What can
| you actually prove in terms of _real_ loss?
|
| It's fun to argue speculative loss (ie the value of your
| personal information maybe being stolen in the future, etc),
| but most cases are about real loss.
|
| In practice where it's too hard to calculate we often end up
| with statutorily set damages. That also hasn't happened here.
|
| Sorry to burst your bubble - without a bunch of legislation
| here, nothing is going to happen outside of the regular old
| class action lawsuits and $5 coupons.
| neilv wrote:
| dupe: https://news.ycombinator.com/item?id=40812118
| brw wrote:
| This is the original article (as mentioned by Gizmodo) which I
| submitted to HN yesterday, but it got killed immediately
| because of the signup wall. It went into the second chance pool
| (https://news.ycombinator.com/item?id=26998308) just now but
| not before another article on the same matter was submitted it
| seems. Not sure what the procedure is in that case. I'll ask
| dang.
| dang wrote:
| Ah ok since this is the original article we'll merge the
| other thread hither. Thanks!
| treeFall wrote:
| Why are US citizens biometric identities being sent to Israel?
| Aren't there laws about sensitive information like this leaving
| US data centers?
| sundbry wrote:
| Good question. I was required to submit ID to Au10Tix for an
| Azure vendor account, and noticed that was outsourcing the data
| to Israel.
| frugalmail wrote:
| Recently there was mass infringement by the Democrat politicians
| or government reps of our 1st Amendment rights indirectly through
| social media as proven by the #TwitterFiles.
|
| The fact that these sites are now forcing users to submit to
| these identity disclosures simply because of some potentially
| fabricated rationale is really concerning.
|
| All of that with the nonchalant attitude of these data service
| providers, I'm deeply concerned.
| leni536 wrote:
| Does the ID verification service retain personal information
| after verification? If so, why?
| teeray wrote:
| Don't worry though, with these new age verification laws for 18+
| sites we'll totally get ID checks right this time. /s
| qchris wrote:
| I sometimes think that situations like this are eventually going
| to lead to legally-required professional licensing for certain
| tasks in software development.
|
| Obviously, not everyone who writes code needs a development
| license (what, I'm going to get licensed to write a blog or put
| up a site with fruit jokes?"), but if your business is going to
| involve personally-identifiable information, then you need actual
| engineering, and the folks that do that engineering need
| certification. This is a similar mechanism to how engineering
| licensing even started (in the US anyway), where Wyoming
| basically got tired of water infrastructure being built by people
| who didn't know what they were doing.
|
| Licensing could also help provide individual engineers with
| leverage against managers or C-suite folks who want to move fast
| & break things. When you're in a professional class with
| exclusive sign-off capabilities, it's easier to be say "we have
| to do this right or it's my ass, back off" and should the company
| says "fine, you're fired", goes ahead with managing the PII, and
| a leak like this happens, the company's liability goes way way
| up. That situation overall tends to improve the leverage that
| skilled workers (like those who know how about database
| management for PII and endpoint configuration) have to do things
| right. There's a number of pitfalls that can happen with
| licensing as well, but I'd be curious to see if a push for
| something like this emerges over the next few years.
| doe_eyes wrote:
| > Obviously, not everyone who writes code needs a development
| license
|
| That's actually a very likely outcome. The startling statistic
| is that roughly half of professions require occupational
| licensing. In some places, you need licensing to become a
| florist. Software engineering is an absolute outlier as far as
| highly-paid jobs go.
|
| I don't think this is right, but that's the world we're living
| in and we should stop fooling ourselves. There's a lot of SWEs
| who are talking about wanting some targeted regulation. Well,
| it's coming wholesale, and a fruit joke website is not going to
| be exempt.
___________________________________________________________________
(page generated 2024-06-27 23:00 UTC)