[HN Gopher] Inside the "3 billion people" national public data b...
___________________________________________________________________
Inside the "3 billion people" national public data breach
Author : bubblehack3r
Score : 254 points
Date : 2024-08-14 16:50 UTC (6 hours ago)
(HTM) web link (www.troyhunt.com)
(TXT) w3m dump (www.troyhunt.com)
| datadrivenangel wrote:
| "there were no email addresses in the social security number
| files. If you find yourself in this data breach via HIBP, there's
| no evidence your SSN was leaked, and if you're in the same boat
| as me, the data next to your record may not even be correct."
|
| Seems like Troy is skeptical about this being a real full breach?
| fullspectrumdev wrote:
| A lot of these data brokers hold wildly inaccurate information.
| LeifCarrotson wrote:
| You too can be a data broker! for (i = 0; i < 900000000; i++)
| insert(first: random_firstname(), last: random_lastname(), ssn: i);
|
| Does anyone really really care if the name is accurate if the
| SSN is present? More than half of the SSNs in the above
| dataset are valid.
| ryanisnan wrote:
| You probably are posting this as a joke, but without a
| clear technical solution to this problem, flooding the
| industry with bullshit data seems like a great avenue.
| calvinmorrison wrote:
| In fact there are far fewer valid Socials. They follow a
| system where guessing a number of digits is fairly
| determined based on year and state of birth
| CrispyKerosene wrote:
| Troy mentions "data opt-out services. Every person who used some
| sort of data opt-out service was not present."
|
| Anyone have experience with these sort of services? A search
| brings up a lot of scammy looking results. But if services exist
| to reduce my profile I'd be interested.
| laweijfmvo wrote:
| I have used (free trials) and currently use (discounted annual)
| a service called incogni. It's hard to really verify what's
| going on, but they at least show the brokers they are
| contacting on your behalf, and I've directly received
| confirmations from some.
|
| Anecdotally, searching my name on Google pretty much no longer
| returns those scummy "People Finder" pages that just scrape any
| public records they can find.
|
| That said, I hope incogni is happy enough with my money that
| they themselves don't do anything scummy.
|
| Also, freeze your credit at the big three. Do it now.
| 0x2a wrote:
| And turn on the Global Privacy Control header in your
| browser:
|
| https://globalprivacycontrol.org
| JohnMakin wrote:
| > Anyone have experience with these sort of services?
|
| Quite a bit. Often if you request removal or opt-out, you'll
| reappear in a matter of a few months in their system,
| regardless of whether you use a professional service as a proxy
| or do it yourself. The data brokers usually go out of their way
| to be annoying about it and will claim they can't do anything
| about you showing up in their aggregated sources later on.
| They'll never tell you what these sources are. A lot of them
| will share data with each other, stuff that's not public. It's
| entirely hostile and should be illegal. I am trying to craft a
| lawsuit angle at the moment but they feel totally unassailable.
|
| I'm extremely skeptical of any services that claim they can
| guarantee 100% removal after any length of time of longer than
| 6 months. From my technical viewpoint and experience, it is
| very much an unsolved problem.
| mistrial9 wrote:
| This is true and nothing new. Mass "gray market" personal
| information services leapt into markets since VISA and
| Mastercard fifty years ago, and somewhat before that with
| driving records, in the USA. The "pure land" of democracy in
| North America was never pure, and the Bad Old Ways have crept
| into the corners since the beginning.
| JohnMakin wrote:
| The difference now though is an attempt to legislate
| personal data collection, such as the CCPA. I strongly
| believe they are violating the law, and that if I opt-out
| or request removal, an answer of "oh well nuthin we can do"
| is not acceptable when my data re-appears either on their
| platform or on another platform they provided data
| aggregation services to.
| fsckboy wrote:
| > _The "pure land" of democracy in North America was never
| pure_
|
| don't mix your pet grievances together, having full public
| knowledge of every person in your country is democratizing,
| frankly, an aid to democracy, not a hindrance. Not saying I
| want to live in that world, but it's not an impure
| democracy.
|
| Norway (and others?) already publishes everybody's income
| statements. Not healthy imo but I guess would aid more
| accurate snitching (and envious resentment).
| shadowgovt wrote:
| It's hard to make collection, aggregation, and sharing of
| facts illegal.
|
| Not to minimize the harm that can be done by such
| collections, but the law is justifiably looking for a scalpel
| treatment here to address the specific problem without
| putting the quest to understand reality on the wrong side of
| the line.
| digging wrote:
| > It's hard to make collection, aggregation, and sharing of
| facts illegal.
|
| Sure, but the US has a precedent in HIPAA. Not saying it's
| copy-paste, but... maybe it should be.
|
| I would prefer the law be more restrictive than less,
| because I don't believe this is true:
|
| > law is justifiably looking for a scalpel treatment here
| to address the specific problem without putting the quest
| to understand reality on the wrong side of the line.
|
| I believe the law may use that noble goal as cover for the
| actual goal: restrict the ability of capital holders to
| accumulate capital as little as possible. Data sharing
| isn't a public good in any way. It's mostly not even useful
| for the targeting purposes it claims. It's extremely
| reckless rent-seeking that knowingly allows innocent people
| to have their lives wrecked by identity theft.
| shadowgovt wrote:
| As someone who helps care for elderly relatives with
| widely-dispersed out-of-state families, I can point to
| HIPAA as an excellent _example_ of why crafting this kind
| of law is difficult.
|
| I think we are going to discover, once people do the
| research, that HIPAA has done net harm by delaying flow
| of information for critical-care patients resulting in
| lack of patient compliance, confusion, and treatment
| error.
|
| Yes, there is harm potential in insurance companies
| denying coverage or claims because they are privy to too
| much information about clients (a scenario that, I'd
| note, we could address directly by law via a national
| healthcare system or banning denial of coverage for
| various reasons) or by employers or hostile actors
| (including family) discovering medical facts about a
| patient. I have to weigh that harm potential against my
| day-to-day of having to fight uphill to get quality care
| because every specialist, every facility, and every
| department needs a properly-updated HIPAA directive for a
| patient (and the divisions between these categories
| aren't clear to the average non-medical observer).
| digging wrote:
| Huh, I wasn't aware of such a viewpoint. I've never had
| or heard of problems with HIPAA preventing timely or
| accurate care, even with my father going in and out of
| hospice toward the end of his fight with cancer. I'm
| really sorry to hear it. At the same time, I do have to
| wonder if that kind of problem genuinely outweighs the
| protection HIPAA has given millions of people against
| harms small and large. (I guess with the state of data
| privacy today, HIPAA may be basically useless, but that
| isn't exactly HIPAA's fault.)
| lupire wrote:
| Europe figured it out.
| shadowgovt wrote:
| Sure, I should probably have clarified "In the United
| States," where there's a First Amendment that most
| attempts to make fact-sharing illegal immediately fall
| afoul of.
|
| There are definitely exceptions, but it puts strict
| scrutiny on any novel prior constraint of speech.
| adelie wrote:
| my understanding is that there's a bit of a catch-22 with
| data removal - if you request that a data broker remove ALL
| of your information, it's impossible for them to keep you
| from reappearing in their sources later on because that would
| require them to retain your information (so they can filter
| you out if you appear again).
| wodenokoto wrote:
| They could store a hash.
| jandrese wrote:
| Which would never work because real life data is messy so
| the hashes would not match. Even something as simple as
| SSN + DOB runs into loads of potential formatting and
| data entry issues you'll have to perfectly solve before
| such a system could work, and even that makes assumptions
| as to what data will be available from each dataset. Some
| may be only name and address. Some may include DoB, but
| the person might have lied about their DoB when filling
| out the form. The people entering it might have
| misspelled their name. It might be a person who put in a
| fake SSN because they're an illegal immigrant without a
| real one. Data correlation in the real world is a
| nightmare.
|
| When you tell a data broker to delete all of the data
| about you, how can you be sure they get ALL of the data
| about you, including the ones where your name is
| misspelled or the DoB is wrong or it lists an old
| address or something? Even worse if someone comes around
| later and discovers the orphan data when adding new data
| about you and fixes the glitch, effectively undoing the
| data delete.
|
| It's a catch-22 that if you want them to not collect data
| about you they need a full profile on you in order to be
| able to reject new data. A profile that they will need to
| keep up-to-date, which is what they were doing already.
| vineyardmike wrote:
| > Even something as simple as SSN + DOB runs into loads
| of potential formatting and data entry issues you'll have
| to perfectly solve
|
| You don't have to solve it perfectly to be an
| improvement.
|
| Also this is BS. Not every bit of data is perfectly
| formatted and structured but both of your examples are
| structured data. You can 100% reliably and
| deterministically hash this data.
|
| There's so much in your argument that can be replied with
| "imperfect is better than status quo". If you give
| someone the wrong DOB, it's "not you" anyways, at least
| let me scrub my _real_ data even if the entry is
| imperfect for some people or some records.
| JohnMakin wrote:
| > You don't have to solve it perfectly to be an
| improvement.
|
| https://en.wikipedia.org/wiki/Nirvana_fallacy
| kube-system wrote:
| > You don't have to solve it perfectly to be an
| improvement.
|
| They don't _want_ to solve your problem. You aren't
| their customer. They want to comply with the letter of
| the request in as much as it covers their own butt in
| terms of regulatory requirements and/or political optics.
| hedora wrote:
| I've heard this claim, but they could use some sort of
| Bloom filter or cryptographic hashing to block profiles
| that contain previously-removed records.
|
| There could also be a shared, trusted opt-out service that
| accepted information and returned a boolean saying "opt-out"
| or "opt-in".
|
| Ideally, it'd return "opt-out" in the no-information case.
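The hashing debate in jandrese's, vineyardmike's and hedora's comments above (messy data, hashing structured fields, a Bloom filter or cryptographic hash to block re-ingested records) can be made concrete. The Go program below is an added example written for this page, not code from Troy Hunt, any commenter or any broker. It implements an opt-out suppression list that stores keyed hashes (HMAC-SHA256) of normalized identifiers rather than a Bloom filter or a bare hash, because an unkeyed hash of a nine-digit SSN can be reversed simply by enumerating all of them. Every name in it (Record, SuppressionList, NormalizeSSN, NormalizeDOB), the date layouts and the sample records are assumptions constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Record is a constructed, minimal broker record with the fields the thread
// says brokers hold in messy, inconsistently formatted form.
type Record struct{ First, Last, DOB, SSN string }

// SuppressionList keeps only HMAC-SHA256 tags of normalized identifiers for
// people who opted out. The key lives apart from the data (a KMS in practice),
// so the list can neither be turned back into profiles nor enumerated the way
// a plain hash of a nine-digit SSN could, yet re-ingested records still match.
type SuppressionList struct {
	key  []byte
	tags map[string]struct{}
}

func NewSuppressionList(key []byte) *SuppressionList {
	return &SuppressionList{key: key, tags: map[string]struct{}{}}
}

var nonDigit = regexp.MustCompile(`[^0-9]`)
var nonAlpha = regexp.MustCompile(`[^a-z]`)

// NormalizeSSN drops separators and accepts only exactly nine digits, so
// "123-45-6789" and "123456789" agree while junk such as "N/A" yields nothing.
func NormalizeSSN(s string) (string, bool) {
	d := nonDigit.ReplaceAllString(s, "")
	if len(d) != 9 {
		return "", false
	}
	return d, true
}

// NormalizeName lower-cases and strips non-letters: "O'Brien" and "O Brien" agree.
func NormalizeName(s string) string {
	return nonAlpha.ReplaceAllString(strings.ToLower(s), "")
}

// NormalizeDOB tries the layouts seen in data entry and emits YYYYMMDD.
func NormalizeDOB(s string) (string, bool) {
	for _, layout := range []string{"2006-01-02", "01/02/2006", "1/2/2006", "20060102"} {
		if t, err := time.Parse(layout, strings.TrimSpace(s)); err == nil {
			return t.Format("20060102"), true
		}
	}
	return "", false
}

// tag derives one keyed hash; the kind prefix keeps SSN and name+DOB tags
// from ever colliding.
func (s *SuppressionList) tag(kind, value string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(kind + ":" + value))
	return hex.EncodeToString(m.Sum(nil))
}

// keys lists every tag a record can be matched on; a name-and-address-only
// record yields none, which is the residual gap hashing cannot close.
func (s *SuppressionList) keys(r Record) []string {
	var out []string
	if ssn, ok := NormalizeSSN(r.SSN); ok {
		out = append(out, s.tag("ssn", ssn))
	}
	if dob, ok := NormalizeDOB(r.DOB); ok && NormalizeName(r.Last) != "" {
		out = append(out, s.tag("last+dob", NormalizeName(r.Last)+"|"+dob))
	}
	return out
}

// OptOut stores the person's tags; this is all that survives profile deletion.
func (s *SuppressionList) OptOut(r Record) {
	for _, k := range s.keys(r) {
		s.tags[k] = struct{}{}
	}
}

// Suppressed reports whether an incoming record must be dropped at ingest.
func (s *SuppressionList) Suppressed(r Record) bool {
	for _, k := range s.keys(r) {
		if _, ok := s.tags[k]; ok {
			return true
		}
	}
	return false
}

func main() {
	list := NewSuppressionList([]byte("constructed-demo-key")) // would come from a KMS
	list.OptOut(Record{First: "Jane", Last: "O'Brien", DOB: "1980-03-09", SSN: "123-45-6789"})
	fmt.Println(list.Suppressed(Record{First: "Jan", Last: "OBRIEN", DOB: "3/9/1980", SSN: "123456789"}))
}
```

The normalization is deliberately narrow: it makes the keyed hash deterministic across formatting differences (separators, case, date layout) without pretending to solve misspellings, which is the point vineyardmike makes. A record carrying neither an SSN nor a parseable last name plus DOB produces no key and passes through, exactly the residual gap jandrese describes; the list never stores the plaintext, and the HMAC key must be held apart from the data so the tags cannot be enumerated.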
| lynndotpy wrote:
| I've had a very bad experience with Liberty Mutual following
| a data opt-out from another service. They sent me on a
| runaround, ending with an email saying to follow "this link"
| to verify myself. (There was no link, only sketch.) I ended
| up getting a human on a phone through special means, and they
| sent me a fixed email with a working link.
|
| I should be hearing back from them in the next 32 days, as
| this was 13 days ago.
| jmkni wrote:
| If you're willing to tempt fate, the best way to 'opt-out' is
| to tell people, when they call asking to speak to 'your name',
| that 'your name' sadly passed away recently.
| actionfromafar wrote:
| I have tried that, with a particular caller. They always call
| back.
| rolph wrote:
| that sounds very traumatizing, next explain that you have,
|
| filed for injunctive relief from emotional duress due to
| actions of defendant.
|
| and can't speak any further as instructed by legal counsel
| j-bos wrote:
| Could cause you to be listed as deceased in some database
| sending your life into a Kafka story.
| lupire wrote:
| "How do you know he's dead?"
|
| "I called him on the phone and he told me!"
| bragr wrote:
| I knew someone falsely declared dead (probably a paperwork
| mix-up around pensions when his ex-spouse died). Without
| warning, he lost all of his pensions, social security,
| medicare, etc, along with most financial institutions
| freezing accounts and canceling credit cards. Many long phone
| calls, letters, and lawyers eventually resolved most, but that
| never fully purged the public and private death records so
| there would be random issues for the rest of his life (failing
| fraud checks, brief interruptions to pensions, trouble with
| the cable company).
| wongarsu wrote:
| A lot of the data opt-out services are operated by or have the
| same owners as data brokers. So at the very least they are
| selling both the poison and the cure.
| 0x2a wrote:
| Permission Slip by Consumer Reports (automated):
|
| https://permissionslipcr.com
|
| Simple Opt Out (manual list):
|
| https://simpleoptout.com
| spdif899 wrote:
| I use permission slip and I am not in the breach as far as I
| can tell
| paulgerhardt wrote:
| Consumer Reports just published (as in last week) a report[1]
| surveying a number of these services and found almost all of
| them to be a little bit effective, none of them to be highly
| effective, and the cheapest of the lot to be the most effective
| (EasyOptOuts).
|
| Of note, opting out of a service by yourself by hand was only
| 70% effective ($0). Using EasyOptOuts was around 65% effective
| ($20) and using Confidently was only 6% effective ($120).
|
| [1] https://innovation.consumerreports.org/wp-
| content/uploads/20...
| tjoff wrote:
| Since it is Troy I assume it is legit, and I haven't read the
| link yet. But... How does he know that?
|
| Have the opt-out services leaked as well? Or is no one using
| them? How would we know?
| layer8 wrote:
| TL;DR:
|
| > an intriguing story that doesn't require any further action.
| 29athrowaway wrote:
| Time for services everywhere to stop using SSNs for
| identification and for the US to move on to a more advanced form
| of identification.
|
| And lock your credit.
| wood_spirit wrote:
| What can an attacker who knows your SSN still do with that
| information nowadays? Genuinely curious, as the SSN is just
| this strange, indistinct password thingy the Europeans like me
| hear about on HN but have no actual parallels with.
| blackeyeblitzar wrote:
| The SSN is used as a way to genuinely identify someone,
| unfortunately - it's like having to give out your password
| each time you rent an apartment or buy a car or obtain
| medical care or any number of other transactions. Having this
| info (along with other basic info like name/address/date of
| birth) lets you effectively pretend you are them. You can
| take loans out in their name or call some service to do a
| password reset (since you have all the info to verify you are
| them) or whatever else. But it's not like there is one
| particular way in which the information can be used - it's
| dependent on what businesses LET you do with that info. In
| 2024, NO business should use SSN to verify identity or
| authorize sensitive transactions but many do, and what they
| let you do varies significantly.
| acdha wrote:
| I think it's important to distinguish between
| identification and authentication. As a unique database
| primary key, they're fine. The problem was when a bunch of
| businesses decided it'd be too expensive to check things
| like government ID and started using them for
| authentication purposes. Nobody blinks an eye at using a
| phone number or email address on an application, but we
| should treat using your SSN or past addresses for
| authentication the same way we would if someone says they
| could approve a loan if you know your phone number and zip
| code.
| quantumfissure wrote:
| If they have your address; birthday; and SSN a whole lot.
| Generally, they could apply for credit cards; loans; set
| something to bill to you; etc...
|
| Fortunately, it's getting harder without previous addresses
| or other verification methods.
|
| For non-Americans that don't know, our Social Security number
| is generally assigned at birth or when you become a citizen
| by the Social Security Administration. Social Security is a
| disabled or elderly benefit we all pay into (roughly 7.5%
| employee and 7.5% employer - ~15% total). It's the only
| number we all get, since not everyone gets a driver's
| license; ID; passport; or other identifier. Unfortunately,
| it's been used to identify us for _everything_, and until
| recently was typically in plaintext on most forms (medical;
| tax; student; etc...).
|
| CGP Grey has a good summary of how it came about and why it's
| become a problem: https://www.youtube.com/watch?v=Erp8IAUouus
| cesarb wrote:
| > It's the only number we all get, since not everyone gets
| a driver's license; ID; passport; or other identifier.
| Unfortunately, it's been used to identify us for
| everything, and until recently was typically in plaintext
| on most forms (medical; tax; student; etc...).
|
| I fail to see the problem with that. As you said, it's an
| _identifier_, like a username or your full name. There
| should be no issue with everyone knowing your full name, or
| your username; why should there be an issue with everyone
| knowing your SSN, or it being in plaintext everywhere?
| krab wrote:
| I heard there was a similar problem with the bank account
| number in the US - that you could use it to withdraw
| money without an actual password or strong
| identification. Hence the popularity of cheques, PayPal
| and similar services that weren't needed that much in
| Europe.
| tjohns wrote:
| You're right that bank account numbers in the US are
| insecure, but you're wrong that this is why checks are
| popular here.
|
| Checks are actually the _source_ of the problem. If you
| have access to blank check stock and MICR laser toner
| (both readily available on Amazon, since business
| accounting departments will routinely print their own
| checks for payroll / bills), you can make seemingly
| valid checks to withdraw funds from any account number.
| This is still a problem.
|
| The reason why checks are popular is because until
| recently there hasn't been a cheap + accessible +
| official + unencumbered way to do electronic transfers
| between personal accounts. The infrastructure existed
| (ACH), but only businesses could actually initiate
| deposits/withdrawals. Individuals could initiate full-service
| wire transfers, but those are risky (there's no
| way to reverse one done in error) and banks typically
| charge $25/transfer - which is far too expensive to use
| for anything routine.
|
| PayPal came into existence so people could purchase goods
| online (on eBay, specifically) and have the option of
| performing a chargeback if the goods weren't delivered as
| advertised.
|
| (Checks will probably still persist for some time, since
| all the online payment services want to charge percentage
| fees if they think you're acting as a business. The
| beauty of checks is that they just work and don't insist
| on taking a cut of the payment.)
| lcnPylGDnU4H9OF wrote:
| > username
|
| Think of it as being the username and password. That's
| how many institutions have treated it for a long time.
| kemitche wrote:
| Because it was used as BOTH an identifier AND proof of
| identity, for a long time. If it were used properly as
| simply an identifier, you'd be right, but there are still
| many cases where knowledge of the number is used as proof
| (or partial proof, along with birthdate/address/etc) of
| identity.
| pwg wrote:
| > why there should be an issue with everyone knowing your
| SSN, or it being in plaintext everywhere
|
| Because far too many businesses, esp. financial ones
| (banks/credit unions/etc.) have _also_ incorrectly used
| it as a password to authenticate that "voice on phone"
| is really John Q. Public and/or that "grifter in chair
| across desk" is really John Q. Public. I.e., they used
| the fact that "person X" knew number Y as proof that
| person X was really person X.
|
| We can argue that it was never intended to be used this
| way (a true statement), that knowledge of it provides no
| such proof (also true), and that using it as such was
| always wrong on the part of these businesses (also true),
| but the fact is, many did use it this way, and, sadly,
| many still do use it this way. And it is this misuse that
| is the "issue" with everyone knowing everyone's SSN.
| lr4444lr wrote:
| Time for the US credit bureaus to lock _everyone_ by default.
| hypeatei wrote:
| Does anyone else just not give a fuck at this point about their
| SSN? I feel like maybe early 00s this would be scary but it's
| clear that everyone's SSN is out there already or waiting to get
| breached from a shady private data broker.
|
| The problem lies in how institutions treat the SSN, not the
| number itself.
| rolph wrote:
| If you know place of birth and place of SSN application, you
| can determine most of the SSN. The final 4 are supposed to be
| random, but are blurted out to rooms full of people and tech
| during service.
|
| The integrity of SSN security was lost a long time ago.
| enlightens wrote:
| as of 2011 they are fully random instead of being based on
| geographical region and groups
|
| https://www.ssa.gov/employer/randomization.html
| rolph wrote:
| Yeah, it's too bad it took so long for that to happen.
| xboxnolifes wrote:
| > The integrity of SSN security was lost a long time ago
|
| The security never existed, since they were never intended to
| be secrets. At best it was theater.
| acdha wrote:
| Yes. 99% of the time "identity theft" means a huge company cut
| corners on their security policies and wants us to subsidize
| their negligence. Every so often there are cases like that guy
| who pretended to be his former coworker for decades but they're
| rare enough that they make the news internationally. Most of
| the time it used to be things like instant credit applications
| where they didn't "slow" purchases with ID checks.
|
| The good news is that companies have lost the presumption of
| competence there. In the 80s if a company said they'd confirmed
| that an applicant was you using your SSN, a lot of people would
| falsely believe that was sufficient but by now they're not
| going to get far if they sue you unless they can provide better
| evidence because everyone knows huge breaches have happened
| many times.
| lupire wrote:
| Not good news. Doesn't matter if the business is presumed
| competent. What matters is that the business can steal your
| assets to pay for their losses.
| uticus wrote:
| I've finally figured out the play: war of attrition.
|
| Eventually enough data will be leaked to make moot the benefits
| of securing any personal data. At that point everyone stops
| trying and moves on to more financially rewarding activities.
|
| I mean even if I'm an elephant, and data breaches are blind men,
| eventually enough blind men will draw a true comprehensive
| picture.
| johnnyballgame wrote:
| Extreme Privacy by Michael Bazzell is a great resource to learn
| how to limit exposure to these aggregator services.
|
| https://inteltechniques.com/book7.html
| NoMoreNicksLeft wrote:
| Can't the SSA just issue 330 million new social security numbers,
| and tell people to be more careful with them from this point
| forward?
| blackeyeblitzar wrote:
| The SSA has shown absolutely no urgency on this issue. Their
| existing policy is that having your SSN compromised is not
| enough to issue a new number. You have to actually be a victim
| of a financial or identity crime that abused your SSN for them
| to _consider_ a new number. In reality what they should be
| doing is giving everyone accounts that can generate tokens for
| use with each transaction, to maintain a trail of where leaks
| originate and also to expire these temporary tokens. Instead
| they've stuck to this archaic system.
| acdha wrote:
| The SSA specifically told people not to misuse SSNs this way
| and it seems like a poor use of taxpayer funding to spend
| billions bailing out businesses' bad decisions, even if that
| was legal (Congress would have to specifically authorize it),
| since we'd be back to the same problem within five years.
|
| If we were going to do something, we'd make government ID
| include an NFC token for PKI purposes since public keys can't
| be compromised in the same way, but nobody is jumping to pay
| for that, especially in a country where you have so many people
| prone to wild conspiracy theories (I am especially amazed by
| the guys who freak about a national ID as big brother but never
| say a word about the credit reporting industry) and the
| enduring "Mark of The Beast" religious fears.
| toomuchtodo wrote:
| > If we were going to do something, we'd make government ID
| include an NFC token for PKI purposes since public keys can't
| be compromised in the same way, but nobody is jumping to pay
| for that, especially in a country where you have so many
| people prone to wild conspiracy theories (I am especially
| amazed by the guys who freak about a national ID as big
| brother but never say a word about the credit reporting
| industry) and the enduring "Mark of The Beast" religious
| fears.
|
| Login.gov gets us pretty far until NFC can get baked into
| credentials. Would love to see passport cards evolve into
| this [2], but again, lots of work and political will to make
| that happen. In the meantime, remote and in person proofing
| to bind IRL gov credentials to digital identity must do.
|
| (As of December 31, 2023, over 111 million people have signed
| up to use Login.gov to date, with over 324 million sign-ins
| in 2023; this is ~1/3rd US population; no affiliation)
|
| [1] https://login.gov/
|
| [2]
| https://travel.state.gov/content/travel/en/passports/need-
| pa...
| acdha wrote:
| Yeah, I love login.gov and especially how they embraced
| things like WebAuthn faster than entire industries like
| finance but I can only imagine how much screaming there
| would be if usage became a requirement outside of
| government.
| tjohns wrote:
| The problem with login.gov is that nobody can use it
| outside of the US government. I can't use my login.gov
| account to attest my identity to my bank.
|
| So my bank will continue to use my SSN as proof of identity
| for loans.
| toomuchtodo wrote:
| Not yet, but we'll get there.
|
| https://beeckcenter.georgetown.edu/wp-
| content/uploads/2021/1...
| TimedToasts wrote:
| Painting those of us concerned with privacy as "people prone
| to wild conspiracy theories" is a very bad faith take.
|
| Please do not give the government any more power over me than
| they already have, thanks.
| acdha wrote:
| > Painting those of us concerned with privacy as "people
| prone to wild conspiracy theories" is a very bad faith
| take.
|
| Fortunately that's not what I'm doing. I suggest reading
| more carefully and trying to come up with a scenario where
| the government having standard identifiers meaningfully
| harms your privacy but a mess of identifiers and a huge
| private industry linking them does not.
| blackeyeblitzar wrote:
| It is crazy to me that data brokers are even a legal form of
| business. All of these services should be opt in at minimum. If
| they are obtaining publicly available information and making it
| easier to access, they should have to maintain insurance or a
| deposit with the government to compensate victims of
| cybersecurity incidents. Telling people to get credit monitoring
| is in NO WAY an acceptable way to make us whole. They need to pay
| for a lifetime of monitoring and INSURANCE up to the net worth of
| affected individuals. This needs to become law ASAP.
| SteveNuts wrote:
| We're two decades into "The Digital Millennium" and our laws
| are still stuck in 1999 (except for the ones that ya know,
| allow dragnet spying).
|
| I'd wholeheartedly support any candidates that push for a
| data/privacy "Bill of rights".
| acdha wrote:
| I'm optimistic for Harris, not just because she's so much
| younger and less beholden to industry, but because she
| created an entire unit for privacy protection when she was
| the California AG:
|
| https://oag.ca.gov/news/press-releases/attorney-general-
| kama...
| krageon wrote:
| There has _never_ been a US president that had anything
| close to ethical behaviour (to wit: the ones that existed
| after drone strikes became a thing all signed off on drone
| strikes. Those hit a _lot_ of innocent people. The US has
| never stopped having slavery. I could go on). It is really
| the height of fanciful thinking to believe that the flavour
| of the month US leader will be any different.
| _moof wrote:
| _> It is crazy to me that data brokers are even a legal form of
| business._
|
| Ah, yes, but they're _businesses_, you see - the most
| important class of entity in America. We the _people_ can
| evidently go fuck ourselves if it means some scumbag gets to
| make a buck.
| throwup238 wrote:
| _> While the specifics of the data breach remain unclear, the
| trove of data was put up for sale on the dark web for $3.5
| million in April, the complaint reads._
|
| I guess they failed to sell it because links to the leaked data
| on usdod.io have been available on Breachforum/Leakbase for over
| a week now. Someone created a magnet link yesterday and it's
| fully seeded so speeds are fast.
|
| The data in the breach is irreversibly public now.
| toomuchtodo wrote:
| Ahh, cool, pour the corpus through GPTs and start tweeting
| Congressional rep personal info at them until they pass a law
| to outlaw data brokers (in keeping with historical precedent
| [1] [2]).
|
| [1] https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
|
| [2] https://jolt.law.harvard.edu/digest/dodging-the-thought-
| poli...
| conductr wrote:
| For argument sake, instead of outlawing data brokers wouldn't
| it be better to design a better ID system that renders one's
| name, dob, and SSN as harmless information?
|
| I don't know what that would look like but if I had
| Congress's attention I'd like them to fix the problem rather
| than playing whack-a-mole with banning data sources. I don't
| think any actual solutions come from that.
| toomuchtodo wrote:
| https://news.ycombinator.com/item?id=41249568
|
| https://news.ycombinator.com/item?id=40961834
|
| TLDR Login.gov, and publishing a circular to allow
| businesses to use it to identity proof. Push all liability
| onto the business for losses if this method is not used to
| identity proof. ID card as ljm mentions, such as a passport
| card. Very similar to credit card EMV chips and the
| liability shift from magstripe.
|
| > I don't know what that would look like but if I had
| Congress's attention I'd like them to fix the problem
| rather than playing whack-a-mole with banning data sources.
| I don't think any actual solutions come from that.
|
| Aggregating data means it can be lost. You must therefore
| make aggregating and storing data toxic, and impossible to
| be leaked through eventual mismanagement.
| ljm wrote:
| In many countries in Europe, your ID card contains a chip
| with a cryptographic key, much like chip&pin on a debit or
| credit card.
|
| Those bits of information are worthless when you need to
| create a cryptographic signature with your ID card to do
| almost anything important.
|
| If the card is lost or stolen they can just remove your old
| one from the keyserver. It's literally just public key
| crypto.
|
| Identity theft is rampant in the countries that don't have
| such a system and basically require you give them
| increasing amounts of private information to prove who you
| are. In the UK that's every address you've lived in for 5
| years, your council tax bill, your energy bill, your bank
| statement for a month... all because British people think
| an ID card means you'll get stopped on the street to show
| your papers.
| ygjb wrote:
| > all because British people think an ID card means
| you'll get stopped on the street to show your papers.
|
| That's probably because all of the anti-immigration and
| anti-foreigner people who are asking the government to
| stop people and ask them for their papers... this is not
| unique to the UK, Canada, or the United States either,
| and some of the countries plan to do more than just
| deport people.
|
| Strong identity is increasingly a meaningful technical
| requirement, but glossing over the human impact of strong
| identity controls by the government is not going to have
| good outcomes either.
| pasc1878 wrote:
| Not really in Britain. Labour tried to introduce some
| national ID in the early 2000s; the right wingers were the
| ones who objected the most. The same right wingers who
| are most anti-immigration.
| dotancohen wrote:
| > Identity theft is rampant in the countries that don't
| have such a system
|
| No, fraud is rampant in the countries that don't have
| such a system. Calling it identity theft makes it sound
| like the onus on preventing the practice is on "whoever's
| identity was stolen", instead of correctly pinning the
| onus on the bodies issuing accounts and loans without
| verifying information or identity.
| ethbr1 wrote:
| The US has infrastructure, but it's only issued to
| military and federal employees.
|
| https://en.m.wikipedia.org/wiki/Common_Access_Card
| https://en.m.wikipedia.org/wiki/FIPS_201
| Workaccount2 wrote:
| The US has three dumb points pushing back on this.
|
| The first is religious nuts who think it would be a "mark
| of the beast"
|
| The second is anti-government types who are, well, anti-
| government anything.
|
| The third is many business owners, because it would
| become much harder/risky to hire illegal immigrants to
| work.
| autoexec wrote:
| The "mark of the beast" types are pretty much fine with
| cards that have chips in them, but they really hate it
| when you threaten to implant those chips into people and
| they want cash to remain an option - same as the anti-
| government types. I don't share their apocalyptic or
| anti-government concerns, but I'm actually kind of
| grateful for their passionate opposition to both of those
| things anyway. I don't really want an implant and the
| option of using cash is a very good thing.
|
| The anti-government types do hate the idea of a national
| ID, but they're already forced to carry a driver's
| license/state ID and SS card so they've pretty much lost
| the battle already.
|
| I'm afraid that it's the business owners who are our
| biggest hurdle.
| bobthepanda wrote:
| Eh, depending on the flavor, the mark of the beast types
| don't even really like barcodes. Allegedly Hobby Lobby
| does not use a barcode inventory system for this reason.
| nine_k wrote:
| Correct. But not insurmountable.
|
| Make the ID card optional, so that it simplifies things
| if you have it, but still allows operation without it. If
| 80% of the law-abiding population has the card, only the
| stubborn deniers will remain targets of easy identity
| theft and fraud based on it. Partly it will stop being
| worth the effort, partly it will serve as a good control
| group.
|
| Allow, but do not require, use of the card for employee
| identification. Whoever insists on hiring undocumented
| immigrants could continue. Most industries don't do
| that, and would reap the benefits of a more secure
| identification.
|
| Don't make the card universal. A bank card with a chip
| does not identify you for governmental agencies, but
| prevents a lot of PoS fraud. It could prevent credit
| fraud if banks allowed me to require the card to take a
| loan in my name, or to make a transfer larger than $10,
| and provided the card identity check service to each
| other and to credit unions. Phones with NFC can read bank
| cards, so it's a good way to say "it's me, I confirm" in
| a secure way.
|
| Evolutionary, opt-in, piecemeal solutions often have
| higher chances to succeed than abrupt all-at-once
| changes.
| hattmall wrote:
| >Most industries don't do that
|
| They absolutely do, but most of the immigrants have a
| form of ID that gives the companies some measure of
| deniability. As long as the I-9 goes through, not my
| problem. If it doesn't, well that's where contractors
| come in. Official numbers say around 14 million illegal
| immigrants. Reasonable estimates are closer to 22 and
| some non-hyperbolic estimates go as high as 40 million.
| 77pt77 wrote:
| > The third is many business owners, because it would
| become much harder/risky to hire illegal immigrants to
| work.
|
| Big one, but even though employing illegal immigrants is
| a crime, it's almost never prosecuted.
| crote wrote:
| > Those bits of information are worthless when you need
| to create a cryptographic signature with your ID card to
| do almost anything important.
|
| That depends on the type of attack you're protecting
| against. It might prevent an attacker from filing your
| taxes for you, but many companies are still going to use
| this kind of information as primary key. But it's not
| going to stop an attacker from pretending to be a bank
| employee, calling a genuine bank employee via a secret
| internal-only number, and claiming they've got Mr. Doe in
| their branch trying to do a critical transaction but
| their phone broke so they can't use the bank app. Yeah,
| the Mr. Doe living at 987 Main Street, that one. See, you
| even verified their ID, and it has a SSN of 123456
| printed on it - just compare that to our customer
| database to make sure it's legit!
|
| It also opens up a whole new type of attack. The problem
| with those smart cards is that there isn't really a way
| for the user to know what operation is actually
| happening. You're using a regular PC or smartphone to
| interface between the smart card and whatever entity
| you're trying to communicate with. But that could just as
| well be a phishing website _pretending_ to be that
| entity, or malware doing a MitM. Or even just a random
| website pretending to need a signature for "age
| verification" when it's actually applying for a loan
| behind the scenes.
|
| There's no "Do you really want to sign over your house to
| XYZ?" message on the _card itself_. And suddenly the
| government/bank/whatever is getting a request with a
| cryptographic signature which can _obviously_ only be
| made by you - why would they have to double-check it if
| it cannot _possibly_ be fraudulent?
|
| I agree that we should be moving to more secure systems,
| but those ID smart cards aren't a one-size-fits-all
| solution.
| mynameisvlad wrote:
| That seems entirely like an implementation detail that
| doesn't have anything to do with the smart card interface
| itself.
|
| It's not like it's rocket science to have the reader
| application detail what the request is used for and encode
| it in the request/response, verified when used, so that it
| can't be used for anything but the approved purpose.
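The purpose-bound request mynameisvlad describes, and the reuse crote worries about, worked through as an added example (not any commenter's code): the card signs a structure carrying the subject, purpose, relying party, a fresh nonce and an expiry; each relying party accepts only requests addressed to it for its own purpose, checked under the key the keyserver currently lists for the subject, so revoking a lost card (ljm's point) is deleting that entry. The field and party names and the in-memory Ed25519 key are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Request is what the card signs. Binding subject, purpose, relying party, a
// fresh nonce and an expiry into the signed bytes stops a signature made for
// age verification at a shop from passing as a loan application at a bank.
type Request struct {
	Subject      string `json:"subject"`       // who the card claims to be
	Purpose      string `json:"purpose"`       // what the signature authorises
	RelyingParty string `json:"relying_party"` // who the request is addressed to
	Nonce        string `json:"nonce"`         // fresh per request; blocks replay
	Expires      int64  `json:"expires"`       // unix seconds
}

// canonical is the exact bytes signed and verified (json field order is fixed).
func canonical(r Request) ([]byte, error) { return json.Marshal(r) }

// NewNonce draws 16 random bytes; a relying party remembers each nonce it accepts.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return hex.EncodeToString(b)
}

// Sign is the card's side; a real card never exposes the key, this one is in memory.
func Sign(priv ed25519.PrivateKey, r Request) ([]byte, error) {
	msg, err := canonical(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verifier is one relying party. It checks only under the key the keyserver
// currently lists for the subject, so revoking a lost card is deleting that entry.
type Verifier struct {
	Self, Purpose string
	Keyserver     map[string]ed25519.PublicKey // subject -> current public key
	seen          map[string]bool              // nonces already accepted
}

// Verify accepts a request only if the signature checks under the registered
// key and every bound field matches this relying party and its purpose.
func (v *Verifier) Verify(r Request, sig []byte) error {
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	pub, ok := v.Keyserver[r.Subject]
	if !ok {
		return errors.New("no current key for subject (unknown or revoked)")
	}
	msg, err := canonical(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under registered key")
	}
	if r.RelyingParty != v.Self {
		return fmt.Errorf("request addressed to %q, not %q", r.RelyingParty, v.Self)
	}
	if r.Purpose != v.Purpose {
		return fmt.Errorf("signed for %q, this service handles %q", r.Purpose, v.Purpose)
	}
	if time.Now().Unix() > r.Expires {
		return errors.New("request expired")
	}
	if v.seen[r.Nonce] {
		return errors.New("nonce already used (replay)")
	}
	v.seen[r.Nonce] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"Mr. Doe": pub} // constructed keyserver entry
	shop := &Verifier{Self: "example-shop", Purpose: "age-verification", Keyserver: keys}
	bank := &Verifier{Self: "example-bank", Purpose: "loan-application", Keyserver: keys}
	req := Request{Subject: "Mr. Doe", Purpose: "age-verification", RelyingParty: "example-shop",
		Nonce: NewNonce(), Expires: time.Now().Add(time.Minute).Unix()}
	sig, _ := Sign(priv, req)
	fmt.Println("shop, first use: ", shop.Verify(req, sig)) // accepted (nil error)
	fmt.Println("shop, replayed:  ", shop.Verify(req, sig)) // rejected: nonce already used
	fmt.Println("bank, reused:    ", bank.Verify(req, sig)) // rejected: addressed to the shop
	delete(keys, "Mr. Doe")                                // card reported lost: key pulled
	fmt.Println("after revocation:", shop.Verify(req, sig)) // rejected: no current key
}
```

What the card signs is still only as good as what the reader application shows the user before the card signs it; this example covers the verifier's side, which is where a signature reused for a different purpose gets caught.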
| nine_k wrote:
| As a potential Mr. Doe, I'd love to have an ability to
| opt in to a stricter mode of banking. I would voluntarily
| ask my bank to refuse certain types of transactions in my
| name unless my identity can be confirmed by secure
| machine-readable means in my presence; internal phone
| calls should not qualify. It could be a bank card, or a
| passport -- yes, both can be physically stolen, but it's
| much harder to pull off, and I would immediately warn my
| bank when I notice.
| haswell wrote:
| I'd replace "instead of" with "in addition to".
|
| Going after data brokers seems like low hanging fruit, and
| necessary even if the ID system needs to be replaced. This
| is a top level issue that needs to be addressed regardless.
|
| While I think it'd be great to design a system where the
| information you mention is harmless (I'm curious how this
| would work without just shifting the problem to whatever
| new identifier is established), the reality is that this
| information is _not_ harmless, and will continue to be
| dangerous to leak for the foreseeable future due to the
| myriad of systems that use this data in its current form.
| Any theoretical project to replace this would likely be a
| long and drawn out undertaking. Addressing the information
| environment in the meantime seems like a good idea.
| kube-system wrote:
| It's politically a non-starter in the US. US states have a
| lot of power that is derived from their ability to maintain
| their own ID systems. The states have fought for almost 20
| years on requirements as simple as REAL ID.
| 77pt77 wrote:
| Plenty of countries have smart cards with chips and RSA
| keys that can be used to verify ID with much higher level
| of certainty, but then they usually don't use it.
|
| Even just name, DOB and last 4 of the SS number and you are
| done.
|
| It's ridiculous.
| bhaney wrote:
| > Someone created a magnet link yesterday
|
| Are you against simply sharing the infohash here? I'd like to
| download the leak to see what information it has on myself and
| my family, but I don't really relish the idea of signing up for
| a breachforums account and sifting through its posts if I can
| avoid it.
| flockonus wrote:
| fyi that is likely to be a crime; at the very least there have
| been cases of websites being punished for linking to illegally
| distributed IP (even if not hosting it).
| bhaney wrote:
| I'd be worried about legal repercussions if we were talking
| about the latest Disney movie, but this is merely the
| private information of a billion people. Never seen IP law
| give much of a crap about that before.
| ethbr1 wrote:
| Private information on people is Equifax's IP.
| jmprspret wrote:
| Is this NPD's "IP" though? Is my personal information that
| company scraped, now that company's intellectual property?
| lynndotpy wrote:
| BitTorrent uses something called a "distributed hash table",
| for which there exist services to search it (btdig, etc). You
| can use one of those alongside the torrent name (NPD) to find
| it.
|
| I haven't downloaded it, but my understanding is that the
| data comes compressed and with a (weak) password.
| hypeatei wrote:
| Here is a strongly encrypted base64 version to keep hackers
| out:
|
| Allegedly, the password (also base64 encrypted) is:
|
| aHR0cHM6Ly91c2RvZC5pby8=
| qingcharles wrote:
| Do you know if the Rhysida ones get torrented?
|
| https://www.ransomlook.io/group/rhysida
| quantumfissure wrote:
| For non-Americans (and Americans) that don't quite understand
| what an SSN is and why it's a problem, CGP Grey [1] has a great (and
| short) video about the history and why it's not technically an
| identifier, but has become one.
|
| [1] https://www.youtube.com/watch?v=Erp8IAUouus
| fragmede wrote:
| The video doesn't quite get into the problem of identity theft,
| which is when someone uses your stolen creds to claim they are
| you, and then go on a shopping spree which may include buying a
| car under your name. You shouldn't be liable for debts incurred
| after having your identity stolen but proving that is a lot of
| work.
| adamomada wrote:
| I never really understood why the onus is on any person to
| prove they didn't do something. Shouldn't the shaggy defence
| be sufficient?
|
| e.g. You get hauled into court for a lawsuit demanding the
| loan repayment, for a loan someone else used your name to
| get?
|
| - It wasn't me.
|
| https://en.wikipedia.org/wiki/Shaggy_defense
| jandrese wrote:
| The reason the Shaggy defense doesn't work is the default
| assumption of the courts is that you're a deadbeat trying
| to game the system. This assumption comes about because in
| the majority of cases it is the truth. The system would be
| a lot nicer if there weren't people trying to scam it every
| hour of every day of the week.
| pocketarc wrote:
| > This assumption comes about because in the majority of
| cases it is the truth.
|
| Are we saying that if you can show you have enough income
| / assets, it'll be that much more likely that you'll be
| fine in those cases?
| kbenson wrote:
| > a deadbeat trying to game the system.
|
| The problem with putting a value judgement on this is
| that it will precondition people to assume good faith or
| bad faith on the validity of the assessment based on how
| they interpret the fairness of the court system.
|
| Instead, we could just say that the majority of the cases
| are people trying to get out of legitimate debts. If we
| wanted to go farther, we could say that's because some
| people just don't feel responsible for their own debts
| and some people make a choice that a last ditch effort to
| get out of a debt they know they should pay is the
| lesser of two evils when the alternative is to continue
| to fail to provide adequately for their family given
| their circumstances, and how different people may draw
| that line at different points.
|
| That's harder to articulate and a larger discussion that
| may be a tangent people aren't interested in discussing
| though, so it's probably just simpler to keep the value
| judgements out of it if the intent is to keep the
| discussion productive.
| autoexec wrote:
| > Instead, we could just say that the majority of the
| cases are people trying to get out of legitimate debts.
|
| There's another discussion which could be had about just
| how legitimate even "legitimate debts" actually are in
| some cases but that's even more in the woods.
| acchow wrote:
| "Identity Fraud" is institutionalized victim blaming. The
| claim is that the person whose identity was stolen was
| defrauded (and they should protect themselves or fight
| back), but in reality it was the creditor that got
| defrauded.
| enlyth wrote:
| Is that even a Shaggy defense? The whole point of the
| Shaggy defense was that it's saying it wasn't you despite
| overwhelming evidence ("She even caught me on camera - it
| wasn't me")
|
| But in this scenario, there is basically zero evidence it
| was you
| adamomada wrote:
| I thought it was, they would have to have some sort of
| evidence of your name, dob, ssn, blood type, etc. But in
| the end it was just your information used fraudulently;
| you the person did not authorize the loan and therefore
| it really isn't your loan.
| kube-system wrote:
| When someone named adamomada comes to the bank for a loan,
| the presumption is that adamomada will repay the loan.
|
| If they knew it wasn't you, they wouldn't have written the
| loan in the first place. They're asking you to repay it
| because they really do think it was you.
|
| If "it wasn't me" was all anyone had to do to get out of
| paying a loan, many people would do it.
| rvnx wrote:
| It's much more subtle, fraud is accepted and part of the
| business. Even if you are not 100% certain of the
| identity of the person, what matters is how likely you
| are going to get paid back.
|
| For example, when you purchase online, some merchants do
| not check who is the owner of the card, or the address.
| It's done on purpose, because some people borrow the card
| of the others, some people don't want to use their card,
| etc. And overall it's all about risk management, but whether
| the holder is really the one in front of you is just one
| factor among others.
| kube-system wrote:
| It's not "accepted" as much as it is just simply
| impossible to completely avoid at any kind of scale.
|
| Even if online payments were eliminated, and you had to
| show up in person with a birth certificate and passport
| to perform a transaction, fraud would be non-zero.
|
| To have a functioning business, people need to be able to
| use the system.
| freehorse wrote:
| In many other places SSNs are non-sensitive data. There is
| not much one can do just knowing an SSN. Usually one has to do
| some kind of verification (eg using some sort of
| authentication app, if online). Which is why it is so
| confusing.
| sangnoir wrote:
| > You shouldn't be liable for debts incurred after having
| your identity stolen but proving that is a lot of work.
|
| The first step is to call it what it is: fraud by
| misrepresentation. The owner wasn't deprived of access to their
| identity (a key component of theft), they weren't even
| involved in the transaction. Companies want to have their
| cake and eat it - have low barriers to making sales/offering
| loans without rigorously verifying the identity of the person
| benefiting _and_ be shielded from losses when their low-
| friction on-boarding fails and lets in fraudsters.
|
| If a home buyer is duped into transferring a deposit into a
| fraudster's account, they don't blame it on corporate
| "identity theft" and put the escrow agent on the hook by
| default.
| CivBase wrote:
| "Identity theft" is just fraud, rephrased to make us the
| victims instead of the defrauded companies.
|
| That's why SSNs are still such a big deal. Why fix the
| problem when you can just make it someone else's problem?
| krackers wrote:
| As brilliantly satirized by the Mitchell & Webb sketch
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| acchow wrote:
| Not only an identifier, many places use it as a secret.
| cbsmith wrote:
| Which is dumb.
| jpcookie wrote:
| And where is this information that this random group supposedly
| has? I have yet to see proof of that being real
| seanw444 wrote:
| BreachForums I believe.
| lynndotpy wrote:
| I was able to get a hand on it, and I was able to confirm that
| some records of loved ones are indeed present (although mine
| was not.)
| tmaly wrote:
| I sure wish the US had a version of GDPR.
|
| I get a data breach notice at least a few times a year. I got one
| for my kids two months ago for their medical data. I thought
| HIPAA had huge penalties but I guess not.
| dgellow wrote:
| Doesn't California have a similar set of regulations?
| EvanAnderson wrote:
| For years I've said the entire SSN database just needs to be
| published alongside legislation strictly assigning liability to
| any company defrauded as a result of using the SSN as a
| "secret". That would fix the problem with SSNs and "identity
| theft" quickly.
|
| Part 1 has been accomplished. Let's get part 2 going!
|
| Aside: It amazes me how the American public has allowed defrauded
| companies to assign the company's loss as a liability to innocent
| individuals (in the form of "identity theft"). It would be great
| if we could get that changed in the minds of the public. A well-
| informed public could collectively turn "identity theft" into the
| "bank's problem" (from the old adage "If you owe the bank a
| billion dollars they have a problem..."). The insurance industry
| would swoop in as the defrauded parties start making claims and
| shoddy security practices would get tightened-up.
|
| (Edit: I fear insurance companies coming in to "fix this" to some
| extent-- citing my experiences with PCI DSS compliance auditing
| and Customers who have had 'cyber insurance' policies coming with
| ridiculous security theatre requirements. Maybe we can end up
| with something like a 'cyber' Underwriters Labs in the end.)
|
| (Also: Yikes! I hate that I just typed 'cyber' un-ironically.)
| sorokod wrote:
| The obligatory Mitchell & Webb sketch
|
| https://m.youtube.com/watch?v=CS9ptA3Ya9E
| EvanAnderson wrote:
| YES!
|
| I couldn't remember their names and absolutely was thinking
| of this.
| janalsncm wrote:
| Identity theft is a very clever term to shift blame from the
| company to the consumer.
|
| https://youtu.be/CS9ptA3Ya9E
|
| It's a comedy bit but I take its point seriously: if the bank
| gives away money, it's the bank's job to make sure it is
| repaid. Not mine, unless I was actually a party to the
| agreement.
| Eji1700 wrote:
| Well then you're up against the wall of digital verification.
|
| I know there's a fuck load of situations where the banks are
| 100% screwing the customer to their benefit, but there's a
| legit conversation about people who give out their passwords,
| or claim they did, when money gets wiped out.
|
| If you meet all the requirements to identify yourself to the
| bank, at what point does the bank have to say "this is that
| person, and that transaction is legal".
|
| Now granted:
|
| 1. With passkeys and biometrics and 2FA we've got a lot of
| better ways to make these accounts secure, and hopefully more
| idiot proof. I'm hoping we start getting rid of email/phone
| for 2FA as a valid option though.
|
| 2. The moment the police are treating it as an identity theft
| case, the bank should be required to pony up. I don't know if
| that's the case (and wouldn't be surprised if they fight it
| tooth and nail), but at that point you have a state or
| federal entity acknowledging this is not a legit transaction,
| and therefore you should be compensated by the bank, and they
| can get their money back from the insurance companies that
| insure against this kind of thing.
| lupire wrote:
| Banks should get insurance to cover their negligence. They
| weren't careful.
| previousjs wrote:
| See how credit cards work (at least where I have lived).
| Someone fraudulently cloned my card after a petrol
| station visit and I got it fixed as soon as I noticed the
| weird transactions. The bank or VISA footed that cost. UK
| has statutory law on this. Probably because of how CCs
| used to work with that carbon copy crap.
| EvanAnderson wrote:
| In the US merchants are the ones footing that cost,
| either in merchant fees (which they then pass on to the
| Customer in the form of higher prices) or directly (by
| the credit card company refusing to pay the merchant).
|
| It might be different now, but in the late 90s I sold
| some laptops to a buyer using a stolen credit card. The
| cardholders had no fraud liability but my company ended-
| up having to eat the cost of the stolen laptops. The
| credit card company simply didn't pay the amount of the
| fraud in their settlement with us.
| coder543 wrote:
| The Google Authenticator app (just as a mainstream example)
| was released 14 years ago. When we're _still_ waiting for a
| lot of banks to even support TOTP, consider me unimpressed
| with the level of effort banks are putting into securing my
| accounts.
| autoexec wrote:
| > If you meet all the requirements to identify yourself to
| the bank, at what point does the bank have to say "this is
| that person, and that transaction is legal".
|
| Our current system is entirely built on ridiculous levels
| of trust, mostly for convenience / cost saving reasons.
| I've made payments over the phone with nothing more than
| the information found on the bottom of every check I've
| ever sent. I routinely hand my credit card to waitstaff
| making 7.25 an hour and in that moment I'm handing every
| last one of them the ability to snap a photo of my card on
| their phones and go on a shopping spree at my expense.
|
| As insane as our system is, it's mostly worked. Even though
| I've been made to pass around my account info countless
| times, I've never once had my accounts cleaned out. If a
| single mother with less than 1k in her account gets robbed,
| I have a hard time blaming her. She had zero say in the
| design of this system, and she's the person least able to
| deal with the cost of the consequences of it.
|
| On the other hand, I have very little problem putting the
| blame on the banks which do control much of the system and
| who can more than afford to cover the costs of such
| incidents. This puts a small amount of financial pressure
| on them to improve the systems they've created and forced
| the rest of us to use in order to participate in society.
|
| There are all kinds of things they could be doing to reduce
| fraud, but they don't. Mostly for convenience / cost saving
| reasons. I consider their refusal to take even simple steps
| to improve the security of their systems as their implied
| consent to continue accepting the responsibility for the
| still rare instances where criminals take advantage of
| their inaction.
| kube-system wrote:
| US law does generally make fraud the bank's problem. Identity
| theft isn't a loophole in this, it is a situation in which there
| is a logical ambiguity in differentiating one fraud from
| another. If they just believed everyone who said "it wasn't me
| that spent that money!" that would just be opening _another_
| vulnerability.
| EvanAnderson wrote:
| I think we've got liability pretty well buttoned-up in the
| banking industry. I'm more concerned about the non-bank
| businesses. (I recently obtained utilities at a new house.
| All three utilities-- electrical, gas, and water/sewer-- use
| my SSN as an authenticator for my account. In 2024.)
| kube-system wrote:
| It isn't great, but I don't think there's much risk there.
| There's not really much of a motivation for some random
| person to get into my utility account. The balance is never
| positive. Utilities are physically bolted to my house.
| They're pretty heavily regulated too. If someone wanted to
| steal electricity from my house, they can use the outlet on
| my patio that has zero authentication whatsoever.
| janalsncm wrote:
| Are there any ways to check the breach to see if my information
| is there, other than downloading it myself? I'm not sure of the
| legality of doing so.
| jaderobbins1 wrote:
| There is a free service called Have I Been Pwned which uses your
| email address to see what data breaches you are part of
| (https://haveibeenpwned.com/).
|
| While it uses your email to check (not SSN) odds are if they
| have your SSN in the dataset they also have your email.
| xf5f wrote:
| I've seen https://npd.pentester.com/ floating around
| heartbreak wrote:
| The data seems to be at least 15 years old.
| ghm2180 wrote:
| I am just dreading the day when a near simultaneous cyberattack
| on a high number of (more vulnerable, like middle-lower income)
| individuals starts in a DDoS fashion:
|
| 1. Credit histories will be (unlocked) used to file multiple
| credit applications and tax credits will be applied for.
|
| 2. Multiple cell phones will be hijacked through SIM hijacking or
| other zero-day attacks to make it very difficult to get back in.
|
| 3. A person's profile will be used to attack the most vulnerable
| things:
| - Their families will get fake calls to create confusion.
| - Their financial services will be frozen or, worse, weak 2fac
| auth ones will be compromised.
|
| 4. Deep fake images and videos will be created from compromised
| accounts to sow further mayhem.
|
| This already happens in a targeted, one strategy or the other
| fashion. Imagine what one could do with a bit more compute and
| completed profiles and orchestrate this kind of terrible
| vengeance.
| kurthr wrote:
| Luckily, there aren't multiple hostile nation states capable of
| this. /s
|
| All that I can see preventing it is deniability and eco-
| political risk.
| njarboe wrote:
| I wonder how many governments have this capability right now? I
| would guess at least three.
| lifeisstillgood wrote:
| I am wondering what the numbers are like for this to be
| realistic.
|
| I am not too sure of the end goal other than general chaos.
| Let's say it's 2 days of an attack, (that's about how long any
| co-ordinated response would need at minimum).
|
| So attackers need to sow chaos across the USA. They apply for a
| million unsecured loans of say 20k each. That's 20 billion.
|
| I honestly don't know what the daily personal loan application
| rate is, but America has about 150M adults, 1% of them applying
| on the same day will not only raise flags but would basically
| grind the system to a halt - each loan office would have daily
| maximums and a massive spike could not be handled. And once the
| massive crowd is noticed and made public then the financial
| immune system comes into play.
|
| I can imagine taking out the cell network through a sort of SS7
| ddos, but I suspect that cell towers might have a dose more
| vulnerabilities (probably not as basic as all the admin
| passwords are ComC4astSux but close)
|
| In general chaos seems to come from attacking the limited
| services that act as our safety net (ambulance, police, sewage,
| electricity). We know these are vulnerable in non obvious ways
| - CrowdStrike for example.
|
| Making otherwise fit and healthy citizens have a shitty day is
| less impactful than we might think - it will be the "blip" day
| - as I say 48 hours later the Treasury secretary goes on TV and
| announces all personal loans that day got cancelled or some
| other fix - finance has a fairly good immune system when it
| sees the need.
|
| But overall, if we are going to worry about some attacks, let's
| look at the ones that attack our freshwater supplies - and that
| might not mean some terrorist - in the UK our sewage handling
| has been under attack by Private Equity for decades and SWAT
| teams are not allowed to shoot people in Belgravia
| no_wizard wrote:
| In the US, the government could help a lot if they simply moved
| to a national ID system and dismantled social security numbers.
|
| The national ID systems I've seen proposed have a lot more
| security from the ground up, and could replace the passport
| system.
| BadHumans wrote:
| The US has done itself a disservice with their actions
| because few people trust the government. A national ID system
| means a database of all Americans that would very likely be
| used for surveillance and monitoring. I'm saying this as
| someone who has Global Entry so it's not like I'm afraid of
| being in a US database but I see the concerns.
| velcrovan wrote:
| Even before this, anyone operating a service who isn't treating
| SSNs as public knowledge in 2024 needs to be, well, shamed or
| penalized or something.
| JumpCrisscross wrote:
| "The database DOES NOT contain information from individuals who
| use data opt-out services. Every person who used some sort of
| data opt-out service was not present."
|
| Like what?
| fnord77 wrote:
| From the NPD website:
|
| > Please be advised that we will not collect, use, disclose,
| sell, or share the sensitive personal information or sensitive
| data of California, Virginia, Colorado, or Connecticut residents
| as those terms are defined by the CCPA/CPRA, VCDPA, CPA, or
| CTDPA, respectively.
| smcin wrote:
| Discussion from last week:
| https://news.ycombinator.com/item?id=41184420
| puzzledobserver wrote:
| Several other commenters have brought up the sneaky wordplay
| involved in saying "identity theft" instead of simply calling it
| "fraud on the bank", and somehow turning the person into the
| victim rather than the bank that has been defrauded.
|
| Has anyone tried to argue this point in court? Has this survived
| / how did this terminology shift survive judicial scrutiny?
___________________________________________________________________
(page generated 2024-08-14 23:00 UTC)