T-Mobile Confirms It Was Hacked
ebeip90 2021-08-17 04:51:33 +0000 UTC [ - ]
I have to wonder if all that data came from the TMobile hack.
* The caller ID was spoofed (not just the name, the actual number on my phone bill and phone app logs are a real AMEX number).
* The caller claimed to be reporting a fraudulent attempt on my account
* In order to verify my identity, please read back the six-digit PIN they're sending me (~ALARM BELLS GO OFF~)
* SMS 2FA shows up, "Enter this code to add your card to Apple Pay" (Oddly, this message doesn't carry the "WE WILL NEVER CALL YOU FOR THIS CODE" all previous SMS 2FA carried)
* I ask for a call-back number, for security purposes. I'm told "This is AMEX. This is AMEX." every time I ask.
I hung up, and froze the card. Then I called AMEX with the number listed on the back of the card. They acknowledged they did NOT call me at any point that day, that a transaction WAS attempted AFTER I froze the card, and issued a new card.
The caller was calm, call-centery, had my full name, credit card number, expiration, 4-digit CVV, and phone number.
I also learned that AMEX doesn't actually cancel the old card... my regularly billed transactions and new online purchases went through just fine with the old card info. I called AMEX to ask them to unambiguously reject all attempts for all previous card numbers, they acknowledged. Tried a few days later, the old number still works...
AbacusAvenger 2021-08-17 05:02:43 +0000 UTC [ - ]
hamburgerwah 2021-08-16 20:59:41 +0000 UTC [ - ]
As long as -- cost of compromise < cost of security -- on and on this will go.
notJim 2021-08-16 21:55:11 +0000 UTC [ - ]
I agree broadly with regulations designed to raise the cost of security flaws and so on, but I feel like there's this expectation that if we make the punishment extreme enough, people will begin writing perfect software and operating perfect servers, and I just don't buy it. It seems sort of like saying if someone causes a production issue or accidentally leaks a database, they should be summarily fired. More likely it was a mistake, and we should understand why it happened so we can prevent it in the future.
koolba 2021-08-16 22:12:30 +0000 UTC [ - ]
Sebb767 2021-08-17 01:06:57 +0000 UTC [ - ]
That's not to say that breaches like this should just get punished by a slap on the wrist; this clearly must not happen. But especially when the company is so large you simply have an insanely large attack surface that comes with it. And it only takes one weak spot on there for an attacker to get in. People have casually carried out all data from Facebook, LinkedIn and even the NSA (multiple times!) - security at that scale simply is hard.
YeBanKo 2021-08-17 06:58:24 +0000 UTC [ - ]
This is true. It is hard to design a CS backend that is user friendly and privacy cognizant at the same time.
However, the other issue is the sticky habit of companies to grab on to as much data as possible and keep it just in case. For example, this breach had SSN next to user's phone number, name and address. Why does it need to store SSN in the first place after initial verification? It is not necessary for most of its operation. The only reason I can think of is if they want to report defaulted payments to credit bureaus. Although, storing SSN can be avoided in a similar way to how payment APIs allow you to minimize handling of credit card numbers; of course you need support for this from the credit bureaus. If they aren't cooperative, you can still design the system in a compartmentalized way that simply does not keep an association between SSN and other user info in one place, because SSN is used in very narrow scenarios. There is not enough pressure on the companies right now to do that.
madrox 2021-08-17 00:09:15 +0000 UTC [ - ]
What's discussed in this thread is whether the larger a company is, the more likely it's gross negligence. The irony to me is that every large company I've worked with takes security very seriously. The only gross negligence I've seen has come from startups that willfully disregard security practices in the name of moving fast.
awsthro00945 2021-08-17 00:26:17 +0000 UTC [ - ]
Couldn't agree more. I've done security consulting for many companies of varying sizes. The large ones almost universally have massive security budgets, constant pentesting, and security audits/processes out the ass. They still get breached because security is fucking hard, no matter how much money you throw at it.
I don't buy in to the whole "if only those evil MBA manager types would allocate more budget to security and take security more seriously, they wouldn't get hacked". Every company I've worked at is scared shitless of being hacked, and have enormous security budgets. The management chain usually takes it very seriously. IME, a huge part of the problem actually ends up being the individual development teams who skip things like encryption because they think it's too onerous or they just think it's frivolous.
I cannot even begin to tell you the amount of time I have had to spend with developers arguing with them that they do need to do things like encrypt PII or enable HTTPS. "But it's only a small database of SSNs, do we really have to encrypt it? We would rather spend the developer time building something else rather than implementing encryption!" they say, and then spend hours/days arguing about it rather than just doing it.
madrox 2021-08-17 00:40:35 +0000 UTC [ - ]
This is a corollary to "nine women can't make a baby in a month."
oyashirochama 2021-08-16 23:03:22 +0000 UTC [ - ]
koheripbal 2021-08-16 22:51:27 +0000 UTC [ - ]
No one over 30 takes this position seriously.
vlovich123 2021-08-16 22:58:07 +0000 UTC [ - ]
gibba999 2021-08-16 23:04:20 +0000 UTC [ - ]
When I was young, I wasn't a fan of this sort of policy, since I looked at things less holistically, and on shorter timeframes.
Holistically, higher damages aren't anticorporation, but just shift the ecosystem. Over time, companies who treat data securely will have a market advantage. Different, more secure programming practice will evolve, and companies will innovate and compete in security.
My thinking changed around the time GDPR passed. Before, I thought policies like that were anti-corporate. After, I saw how they changed market forces, but economies did just fine or better. Externalizing costs isn't good for economies.
Sebb767 2021-08-17 01:11:55 +0000 UTC [ - ]
They shouldn't be externalized onto the victims. The cost will, by principle, always be externalized to their customers, since that is where the money has to come from.
gibba999 2021-08-17 01:22:13 +0000 UTC [ - ]
Company A has good security, which adds $5 in your costs.
Company B has poor security, which doesn't, which will lead to $500 down-the-line from a security breach and identity theft. It charges $2.50 less and otherwise has an identical product.
You have no way to know that. You will go with company B, and you will split the $5 gain, where you save $2.50 and they take $2.50 more in profit.
Company B externalizes costs onto the customer. Company A's customers have higher initial costs, but they wouldn't be defined as 'externalized.'
Sebb767 2021-08-17 01:38:52 +0000 UTC [ - ]
The situation we have here is clearly company B. So we have two options:
- Let the victim (who is or was a customer) pay the $500
- Let the company pay the $500. They need to get that money [0], so they charge their current customers more money.
Either way, the bill goes to the customer. The only difference in the second scenario is that the company needs to increase prices, which will hurt them in the long run and (hopefully) justify the additional expenses in security. But they can't create money out of thin air [1].
> Company A's customers have higher initial costs, but they wouldn't be defined as 'externalized'.
You're right - I was wrong about the definition of externalized.
[0] Technically, they don't - they could go bankrupt. But that would be the first scenario all over again.
[1] Unless we're talking about a bank, of course ;)
gibba999 2021-08-17 04:23:45 +0000 UTC [ - ]
If company B tries to charge customers an extra $500, they'll be more expensive than company A, and customers will go to company A. They'll exactly go bankrupt. If they could have charged customers $500 extra and kept it, they would have done that from the get-go. The money won't come from customers, at least in a market with any competition.
Where will it come from? Well, the money will ultimately come from company B's investors. There are several mechanisms by which this can happen:
- Company B has a billion dollars in the bank. It spends $500 million on damages. It now has $500 million in the bank, and is worth $500 million less.
- Company B has zero dollars in the bank, but an otherwise solid business. It issues new equity, diluting existing equity, to raise $500 million. Existing shares are worth $500 million less.
- Company B has zero dollars in the bank, and a negative net worth. It files for bankruptcy. A court reorganizes it to pay the debtors (e.g. the customers). Old shares are worth $0, and the company is now owned by its debtors -- its customers. The shares aren't quite worth $500 each, but customers get as much as possible, and the business keeps chugging along. No one loses their job.
Once investors notice, they'll start to include data security into company valuations. Insurance companies will do likewise. Keeping poor security will decrease profits, and security will improve. On the other hand, I don't think many companies will fold -- in the sense of letting customers and employees down -- based on this.
lmm 2021-08-17 09:06:16 +0000 UTC [ - ]
amelius 2021-08-16 22:05:51 +0000 UTC [ - ]
amelius 2021-08-17 09:35:08 +0000 UTC [ - ]
chrisbolt 2021-08-16 21:10:50 +0000 UTC [ - ]
yzmtf2008 2021-08-16 21:05:28 +0000 UTC [ - ]
Zelphyr 2021-08-16 21:11:06 +0000 UTC [ - ]
Either way, there need to be far stiffer penalties levied against companies who don't secure their systems better and lose sensitive customer data.
dstick 2021-08-16 21:08:42 +0000 UTC [ - ]
ghayes 2021-08-16 21:11:01 +0000 UTC [ - ]
For context, I'm very likely in this breach, but it wouldn't make me any happier to hear T-Mobile was shut-down tomorrow.
dstick 2021-08-17 14:00:01 +0000 UTC [ - ]
Right now only the company is accountable as if it’s some sort of living creature, and the penalty is always money. Which as you aptly put, they have in abundance!
gibba999 2021-08-16 23:08:40 +0000 UTC [ - ]
And a corporate dissolution isn't the outcome. The outcome is that T-Mobile goes into bankruptcy, with its customers as the debtors. The outcome of that is that a bankruptcy court divides up the assets to maximize payout to you.
Most likely, this means:
- T-Mobile, as an entity continues to exist, as-is..
- Shareholder value is wiped out...
- And handed to customers, as the customers become shareholders.
T-Mobile has a 180B market cap, which probably means you acquire stock worth a grand or so.
weimerica 2021-08-17 04:00:28 +0000 UTC [ - ]
Let’s not pretend there isn’t a deterrent.
[0] - https://www.google.com/amp/s/www.businessinsider.com/breivik...
YeBanKo 2021-08-17 06:38:20 +0000 UTC [ - ]
> The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver's license information, and IMEI numbers, unique identifiers tied to each mobile device.
Now, this seems like a lot. I hope we will see a detailed technical analysis of the break eventually.
bpodgursky 2021-08-16 21:24:03 +0000 UTC [ - ]
missedthecue 2021-08-17 05:44:55 +0000 UTC [ - ]
stjohnswarts 2021-08-18 00:06:54 +0000 UTC [ - ]
gruez 2021-08-16 21:12:25 +0000 UTC [ - ]
dave5104 2021-08-16 21:16:26 +0000 UTC [ - ]
pama 2021-08-17 00:39:32 +0000 UTC [ - ]
gruez 2021-08-17 02:24:08 +0000 UTC [ - ]
>and possibly change name
>I wouldn’t use a compromised IMEI phone for 2FA
Why?
>get new SSN
That might be prudent to do, but at worst it's a few hours of hassle. I searched around and it looks like all you have to do is fill in a form (https://www.ssa.gov/forms/ss-5.pdf) and supply the required documents. At US median wages it's a few hundred dollars, max.
>the potential losses from the selling of this information have any real limit.
Well not really? Suppose someone crashed into your house, making a hole in the wall that allows thieves to steal potentially unlimited amounts of goods from your house. Should the driver be liable for all thefts from your house in perpetuity? Or only between the time of the crash and when you can reasonably get the wall fixed (or in the case of identity theft, changed your SSN)?
meowster 2021-08-17 04:23:51 +0000 UTC [ - ]
Even if you do get a new SSN I wonder what the process is for changing it with the credit bureaus.
cortesoft 2021-08-16 21:07:13 +0000 UTC [ - ]
gruez 2021-08-16 21:09:59 +0000 UTC [ - ]
2. hire cyber-mercenaries to hack company
3. ???
4. profit
vmception 2021-08-16 23:57:37 +0000 UTC [ - ]
Instead of just cash
Then management gets replaced
mdoms 2021-08-16 21:02:48 +0000 UTC [ - ]
It absolutely would not. Yes we would see greater investment in cyber security and it would pay dividends, but the idea that we can totally eliminate data breaches if we just try really super hard is unrealistic.
Teever 2021-08-16 22:06:57 +0000 UTC [ - ]
If there was sufficient regulatory force to induce companies to make the choice between not hoarding data or not existing then I'm sure that business would carry on as it has for millennia.
warkdarrior 2021-08-17 17:17:46 +0000 UTC [ - ]
refurb 2021-08-16 22:56:07 +0000 UTC [ - ]
nogbit 2021-08-16 23:30:02 +0000 UTC [ - ]
polka_haunts_us 2021-08-16 20:39:33 +0000 UTC [ - ]
I guess it's unreasonable to expect the good times to last like that but man, I'm still deeply unhappy with T-Mobile right now.
abawany 2021-08-16 20:45:40 +0000 UTC [ - ]
samstave 2021-08-16 20:58:49 +0000 UTC [ - ]
https://i.imgur.com/jKEA3Tw.png
I NEVER use my GV number... I just don't know how they get my number to begin with....
But the numbers that are super spam are all the ones with ~4 second VM.
I keep hearing from this weird New Jersey Jewish Accent where he tells me "I am under attack for someone who is causing my pain and attempting to steal money from me and if I pray and send him money he will take care of this attack against me"
This spam call is really good at avoiding number blocking - and I get ~2 calls per month from this recording... (The accent is like if Mel Blanc attempted to do an over-the-top Jewish accent... it's really over the top. I recommend everyone listen to it and picture "The Producers" with Mel Blanc singing it...)
I actually listen to it every few months or so because of how comical the message is.
abawany 2021-08-16 21:14:00 +0000 UTC [ - ]
r00fus 2021-08-16 21:27:03 +0000 UTC [ - ]
Oh and my cell phone area code is different than the local area code - so I ignore all calls from my (xxx) - xxx range regardless.
My family/friends have my direct#.
sosborn 2021-08-16 21:33:00 +0000 UTC [ - ]
They don't need to get it. They can just take random guesses with valid area/country codes.
dopamean 2021-08-16 21:02:49 +0000 UTC [ - ]
abawany 2021-08-16 21:13:35 +0000 UTC [ - ]
mfkp 2021-08-17 04:07:51 +0000 UTC [ - ]
abawany 2021-08-17 06:05:33 +0000 UTC [ - ]
mfkp 2021-08-17 06:09:45 +0000 UTC [ - ]
I haven't been marking the numbers as spam, but maybe I'll try to do that to see if the number of calls reduces.
abawany 2021-08-17 06:31:59 +0000 UTC [ - ]
Hopefully marking as spam will help too. One thing I like about Voip.ms vs. GV is that in the former, I can mass block an entire range of numbers using wildcards, which is rather satisfying especially since I set up the rules to ring as busy vs. just hanging up to keep their systems online a bit longer vs. freeing them to disrupt their next victim.
saxonww 2021-08-16 20:55:29 +0000 UTC [ - ]
The only technique that works is to not answer the phone unless it's from a known contact. Most spam stuff won't leave a message, or it will be a consistent ~4 seconds of silence. Fi (or Android? IDK) has a call screening function which 9/10 if I send something to it, they will hang up before the automated preamble finishes.
brandonhorst 2021-08-16 21:04:31 +0000 UTC [ - ]
aesh2Xa1 2021-08-17 01:11:14 +0000 UTC [ - ]
samstave 2021-08-16 22:10:51 +0000 UTC [ - ]
In addition to the Hilton and Marriott Hotel Chains for their "You recently stayed at the [Hotel]" calls...
I was an elite member at Marriott for years, and I am convinced that my numbers were released in their breaches.
leeoniya 2021-08-17 04:30:24 +0000 UTC [ - ]
i ported my mobile number to them a week ago hoping to only ever need an LTE, 5G or WiFi data connection for cell service.
alas, i discovered that MMS (and therefore group SMS, too) don't work through SIP protocol. that's a deal breaker for me, unfortunately. looks like i'll have to port it back out to AT&T, Verizon or T-Mobile :(
abawany 2021-08-17 06:08:06 +0000 UTC [ - ]
rsuelzer 2021-08-17 08:50:26 +0000 UTC [ - ]
abawany 2021-08-17 14:18:28 +0000 UTC [ - ]
ASalazarMX 2021-08-16 21:10:19 +0000 UTC [ - ]
Big email providers are very good at filtering spam, so if enough people block calls, the only spam venue left would be instant messaging.
yuy910616 2021-08-16 21:23:42 +0000 UTC [ - ]
My assumption is that they have some sort of CMS software and that it costs money to call. If you don't answer - they'll keep trying you. But if you do answer and cost them money - they'll put you in the 'do not call' list.
Just my guess - but so far it has worked for me personally.
mwint 2021-08-16 21:34:03 +0000 UTC [ - ]
I have a bookmark for https://www.getcreditcardnumbers.com/ - I happily give them all the credit card numbers they want (the ones from that site pass the checksum, but of course aren’t valid in combination with a made up expiry and CVC).
After a couple card numbers fail, they cuss me out, sometimes threaten my life, and never call again.
My theory is they get flagged by their payment processor if they submit many bogus credit card numbers.
It’s about a 10-minute investment once a month. Less time than I used to spend answering and hanging up on spam calls.
vessel 2021-08-17 00:53:26 +0000 UTC [ - ]
ASalazarMX 2021-08-16 21:48:59 +0000 UTC [ - ]
mwint 2021-08-17 03:05:55 +0000 UTC [ - ]
(1) Usually they think my name is the guy who had my phone number almost 10 years ago. I “correct” them to a fake name, but it shows their record keeping is not good enough to track anyone down.
(2) If they tried to follow through on the death threat, they’d have a hard time getting a visa with “need to kill citizen” as the justification.
Early on, I had a temporary bump in calls after doing this. If you stick with it for a few weeks, eventually you’ll get on enough “real” do-not-call lists that the calls fade away.
ASalazarMX 2021-08-16 21:42:38 +0000 UTC [ - ]
My record is a call of around 14 hours. The autodialer called me after 10:00pm (supposedly illegal here), and there were no operators to take the call. I left my phone charging with the call active, and went to sleep, since the caller pays the call. Kept the call until I needed to go out, and I like to think that even if the call wasn't expensive because it was bulk price, maybe having a line busy helped slow down spam for others.
I don't do that anymore because spam calls have multiplied, it would mean answering more spam than I'd like.
blisterpeanuts 2021-08-17 03:16:28 +0000 UTC [ - ]
heisenbugtastic 2021-08-16 22:56:21 +0000 UTC [ - ]
nerdponx 2021-08-16 21:30:27 +0000 UTC [ - ]
Is there a way to tell if a phone number is from a VoIP service? It'd be great if I could just block those wholesale, as well as any text message that's sent from an email address.
toast0 2021-08-17 06:57:15 +0000 UTC [ - ]
Comment below was written for voice calls, SMS may be more tractable.
(Assuming US numbers) Yes, but it costs money. You can get (free) data from NANPA on which carrier was originally allocated the number, but it may have been ported.
But, the big blocker is a lot of source numbers are spoofed; not sure if a spoofed landline is less spammy than a spoofed VoIP; although an unallocated number is probably more spammy (OTOH, allocation data isn't always timely updated). If you could get the equivalent of Received headers, that would be a lot more useful, but that's not really an option.
mwint 2021-08-16 21:43:48 +0000 UTC [ - ]
aaaaaaaaaaab 2021-08-16 20:55:10 +0000 UTC [ - ]
njovin 2021-08-16 20:59:15 +0000 UTC [ - ]
There are initiatives in the works to prevent this behavior but they keep getting delayed, presumably because the telcos will have to do some work that doesn't fill their pockets so they're dragging their feet.
oceanghost 2021-08-16 23:23:36 +0000 UTC [ - ]
Most people I know get between two and ten calls a day, with I'd say 3 or 4 being the median.
There are two sorts of calls-- actual spam calls that try and sell you something. And calls to verify a number is active-- these calls are just silence, but if you pick up, your number will be added to a list of valid phone numbers and sold to spammers.
The spammers then take phone numbers and try to match them up with data breaches etc, or just cold call.
I don't think most people fall for these fraudulent calls, but the elderly are very vulnerable. I've helped several friends' parents get control of their computers back after they willingly gave control of it to someone who claimed to be from "Microsoft tech support" even though they had a Mac.
skissane 2021-08-16 21:25:51 +0000 UTC [ - ]
a) Recently it has been computer voices leaving me voicemails claiming I've ordered thousands of dollars of stuff on Amazon, and I need to call some number to cancel the order
b) I got one guy claiming to be from a major ISP and saying my Internet was broken and he needed to help me fix it. I knew it was nonsense because I don't even use that particular ISP
c) Recorded messages claiming the Australian government is going to prosecute me for tax evasion, and if I just wait for the call centre operator to come online, they'll fix the matter for me by accepting payment of unpaid taxes
I think they are just dialling random numbers, looking for easily-tricked people.
ASalazarMX 2021-08-16 21:11:56 +0000 UTC [ - ]
It forced me to silence all calls from strangers. We have laws and a system to block and report spam callers, but it seems they don't work anymore.
samstave 2021-08-17 00:17:19 +0000 UTC [ - ]
ASalazarMX 2021-08-17 03:55:57 +0000 UTC [ - ]
brnt 2021-08-16 21:04:39 +0000 UTC [ - ]
Bayart 2021-08-17 02:31:53 +0000 UTC [ - ]
BrandoElFollito 2021-08-16 22:18:25 +0000 UTC [ - ]
stordoff 2021-08-16 21:16:00 +0000 UTC [ - ]
I also occasionally get calls from unknown numbers, which I don't answer, but if I look them up are usually associated with spam calls. My grandmother also gets them fairly often on her landline, usually of the "there is a problem with your computer" scam variety, but sometimes trying to sell her insurance for a random appliance.
g_p 2021-08-16 21:32:44 +0000 UTC [ - ]
I have even been quite generous in giving out one (i.e. using for any online stores that insist on a phone number), and I've yet to really have any unsolicited call that I can think of.
Phone numbers do get recycled by operators, so there's definitely some luck - I've seen some issues with landline numbers, specifically people trying to trace former users of the number. I imagine if you get "unlucky", you might really have little option beyond call blocking or trying to get a new number.
I did find it interesting that, at least for N=1, giving out your number fairly freely, including when you shop online (but not opting in to marketing etc) didn't seem to result in any issues, even after 8 years or so.
S_A_P 2021-08-16 20:49:15 +0000 UTC [ - ]
gruez 2021-08-16 21:08:58 +0000 UTC [ - ]
Why do spammers need leaked phone numbers? Can't they just call/message every number?
pininja 2021-08-16 21:23:12 +0000 UTC [ - ]
Jim Browning videos are a fantastic resource to learn more about the inner workings of scams https://youtube.com/c/JimBrowning
yuy910616 2021-08-16 21:30:10 +0000 UTC [ - ]
So isn't the popular idea that you should NOT answer spam calls wrong? Logically, you should answer every spam call and try to get them to stay on the line for as long as possible, therefore maximizing their cost.
This is assuming they have some CMS software on the backend that allows them to categorize numbers.
gruez 2021-08-16 21:34:45 +0000 UTC [ - ]
You also have to factor in your costs as well. I checked a random VOIP service and they charge a penny per minute, or $0.60 per hour. The federal minimum wage is an order of magnitude higher at $7.25/hour. Therefore it's more expensive for you to stay on the line to mess with them.
Nzen 2021-08-16 21:36:19 +0000 UTC [ - ]
[0] https://lennytroll.com/about.php
On the tangential topic of war dialing (calling every number as an exploration) I recommend checking this discussion https://news.ycombinator.com/item?id=27602383
easrng 2021-08-16 21:19:21 +0000 UTC [ - ]
judge2020 2021-08-16 20:53:20 +0000 UTC [ - ]
0: https://www.att.com/support/article/my-account/KM1051831/#:~....
1: https://safebrowsing.google.com/safebrowsing/report_general/
dwighttk 2021-08-16 21:25:11 +0000 UTC [ - ]
I know I can block a caller, but I don’t know enough about how these scams work to know if blocking a number slows them down at all.
I just don’t let my phone ring ever so I don’t deal with too much of the spam. Every once in a while I open the phone app and see I have like 15 new voicemails. I’m guessing I do that once a month so they are just calling every other day.
bbarnett 2021-08-16 21:12:45 +0000 UTC [ - ]
dheera 2021-08-16 20:42:28 +0000 UTC [ - ]
capitainenemo 2021-08-16 20:52:12 +0000 UTC [ - ]
ARandomerDude 2021-08-16 20:47:44 +0000 UTC [ - ]
sillystuff 2021-08-17 01:53:35 +0000 UTC [ - ]
Install sox
play -q -n synth 0.2 sin 950;play -q -n synth 0.2 sin 1400;play -q -n synth 0.2 sin 1800
bpicolo 2021-08-17 00:24:45 +0000 UTC [ - ]
paulddraper 2021-08-16 21:54:34 +0000 UTC [ - ]
samstave 2021-08-16 21:04:47 +0000 UTC [ - ]
sergiomattei 2021-08-16 20:56:07 +0000 UTC [ - ]
Lord, that's an insane amount of data.
SavantIdiot 2021-08-16 21:21:26 +0000 UTC [ - ]
ryanmcbride 2021-08-16 22:48:14 +0000 UTC [ - ]
SavantIdiot 2021-08-17 00:14:33 +0000 UTC [ - ]
ryanmcbride 2021-08-17 16:45:11 +0000 UTC [ - ]
jonathantf2 2021-08-18 11:29:56 +0000 UTC [ - ]
sscotthall 2021-08-16 22:47:44 +0000 UTC [ - ]
nothis 2021-08-17 00:09:02 +0000 UTC [ - ]
travoc 2021-08-17 00:46:54 +0000 UTC [ - ]
kgwxd 2021-08-16 22:53:16 +0000 UTC [ - ]
One said my main checking account bank access was locked out due to suspicious activity just minutes after I did something I might expect a bank to flag (paying an individual via PayPal and multiple charges at a single gas station). I wasn't in a position to verify it at the time (I don't do bank stuff on my phone, and I certainly wasn't going to click the link), so I switched to using another card while I was out. A few hours later, I got another phishing message about the card I had switched to.
I don't get many phishing attempts on my phone and they've always been for banks or other services I don't even use. I'm really hoping it's just coincidence that I got 2 semi-believable attempts in a row because the alternative is that they're able to see what I'm doing in real-time.
bogomipz 2021-08-16 22:25:34 +0000 UTC [ - ]
For the record this shitty company also had a customer data breach in 2018[2], 2019[3] and 2020[4]. With this latest hack it makes 6 data breaches in 5 years. At what point will this negligence be considered criminal?
[1] https://money.cnn.com/2015/10/01/technology/tmobile-experian...
[2] https://threatpost.com/t-mobile-alerts-2-3-million-customers...
[3] https://www.geekwire.com/2019/t-mobile-discloses-breach-expo...
[4] https://www.zdnet.com/article/t-mobile-says-hacker-gained-ac...
nashashmi 2021-08-16 23:20:58 +0000 UTC [ - ]
No hacks now.
twostorytower 2021-08-16 23:49:41 +0000 UTC [ - ]
blackbear_ 2021-08-17 09:01:21 +0000 UTC [ - ]
I changed bank.
xyst 2021-08-17 02:09:55 +0000 UTC [ - ]
janvdberg 2021-08-16 22:14:28 +0000 UTC [ - ]
tyingq 2021-08-16 22:36:00 +0000 UTC [ - ]
"Audit Flags: NO_PCI NO_SOX"
Ouch.
Also, "IBM 9117-MMD" would be a POWER7+ server that was EOL in December of 2020.
oars 2021-08-16 23:28:26 +0000 UTC [ - ]
Auditors can exclude these systems? WTF
tyingq 2021-08-16 23:52:30 +0000 UTC [ - ]
"Audit" in this case is the more generic term relating to the company responsibilities to audit systems with sensitive data.
They are saying the system is not subject to governance type controls for either PCI or Sarbanes-Oxley. Which is ironic given what was leaked out of it. And yeah, that probably means they told cybersecurity auditors this system wasn't subject to rules associated with PCI and/or Sarbox.
gibba999 2021-08-16 23:13:01 +0000 UTC [ - ]
https://www.telekom.com/en/corporate-responsibility/data-pro...
Most such issues are business-as-usual there.
chrischen 2021-08-16 21:44:22 +0000 UTC [ - ]
dang 2021-08-16 22:17:57 +0000 UTC [ - ]
T-Mobile investigating claims of 100M customer data breach - https://news.ycombinator.com/item?id=28192423 - Aug 2021 (183 comments)
sakopov 2021-08-16 21:35:41 +0000 UTC [ - ]
rvz 2021-08-16 20:49:38 +0000 UTC [ - ]
But also unfortunately, let the SIM hacking games begin.
derwiki 2021-08-16 20:54:31 +0000 UTC [ - ]
dvdkon 2021-08-16 21:07:11 +0000 UTC [ - ]
My name and address are actually public as a self-employed Czech. My date of birth shouldn't be hard to find and plenty of people even publish it (why shouldn't they?), my mother's maiden name might be somewhere too, and I don't even have her as a friend on any social media platform.
I really think it's time to start accepting no less than a unique password, hardware identification key or a physical visit to a location with a forgery-resistant ID card.
devnulll 2021-08-16 21:01:44 +0000 UTC [ - ]
The OPM leak remains the most significant overall of which I'm aware. The Experian leak tops my commercial data leak list, although they get bonus points for then selling people their own data protection service(s).
deadbolt 2021-08-17 01:57:43 +0000 UTC [ - ]
aspectmin 2021-08-16 21:30:48 +0000 UTC [ - ]
sneak 2021-08-17 00:10:36 +0000 UTC [ - ]
The problem is that so many vendors won't do business with you without government ID.
The hacks would be a nonissue if the vendors would let us open accounts without identity information.
I am glad I have an old tmo postpaid account in a fake name with no DOB or SSN on file. I'm not sure such is possible to get today.
Bhilai 2021-08-16 22:02:23 +0000 UTC [ - ]
brnt 2021-08-16 21:07:07 +0000 UTC [ - ]
sofixa 2021-08-16 21:24:43 +0000 UTC [ - ]
lyx0 2021-08-17 15:12:02 +0000 UTC [ - ]
brnt 2021-08-16 21:30:02 +0000 UTC [ - ]
sofixa 2021-08-16 21:40:25 +0000 UTC [ - ]
So a mobile operator having your social security number would be extremely weird.
pengaru 2021-08-16 20:54:00 +0000 UTC [ - ]
kimbernator 2021-08-16 20:58:30 +0000 UTC [ - ]
georgyo 2021-08-16 21:10:10 +0000 UTC [ - ]
They are not periodically running credit checks. If they were, then people with active credit monitoring would be notified, even for "soft" checks.
belltaco 2021-08-16 21:33:22 +0000 UTC [ - ]
meowster 2021-08-17 04:28:21 +0000 UTC [ - ]
Mordisquitos 2021-08-17 09:42:47 +0000 UTC [ - ]
Basically, the seller never stores (and ideally never even sees) the buyers' card numbers. Instead, the card numbers are stored by the PSP, which then issues seller-specific tokens associated to each card. The seller can then store the tokens, and use them to process any payments to their verified accounts. If the tokens are ever leaked or stolen they are useless to an attacker, as these tokens can only be used with that specific PSP to perform payments in favour of the seller for whom they were issued in the first place.
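Added example, not part of any comment in this thread: a minimal Python model of the seller-scoped tokenization described in the comment above, which is also the pattern YeBanKo's earlier comment proposes for SSNs (with the credit bureau in the PSP role). The class names, seller ids and the test card number are assumptions made for illustration and do not correspond to any real PSP API.

```python
import secrets


class PaymentServiceProvider:
    """Hypothetical PSP: the only component that ever holds card numbers."""

    def __init__(self):
        self._vault = {}  # token -> (seller_id, card_number)

    def tokenize(self, seller_id, card_number):
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._vault[token] = (seller_id, card_number)
        return token

    def charge(self, seller_id, token, amount_cents):
        """Charge the card behind `token`, paying out to `seller_id` only."""
        entry = self._vault.get(token)
        if entry is None:
            return {"ok": False, "reason": "unknown token"}
        bound_seller, card_number = entry
        if bound_seller != seller_id:
            # A token presented by anyone but its seller is refused.
            return {"ok": False, "reason": "token not issued to this seller"}
        return {"ok": True, "paid_to": bound_seller,
                "card_last4": card_number[-4:], "amount_cents": amount_cents}

    def revoke_seller_tokens(self, seller_id):
        """After a seller breach: invalidate its tokens, cards stay valid."""
        stale = [t for t, (s, _) in self._vault.items() if s == seller_id]
        for token in stale:
            del self._vault[token]
        return len(stale)


class Seller:
    """Hypothetical seller: stores tokens and display data, never the card."""

    def __init__(self, seller_id, psp):
        self.seller_id = seller_id
        self._psp = psp
        self.customers = {}  # customer -> {"token": ..., "last4": ...}

    def store_token(self, customer, token, last4):
        self.customers[customer] = {"token": token, "last4": last4}

    def bill(self, customer, amount_cents):
        token = self.customers[customer]["token"]
        return self._psp.charge(self.seller_id, token, amount_cents)

    def dump_database(self):
        """Everything an attacker obtains by breaching the seller."""
        return repr(self.customers)


def demo():
    psp = PaymentServiceProvider()
    shop = Seller("seller-shop", psp)

    # Constructed sample: a widely used test card number, not a real card.
    test_card = "4111111111111111"

    # The customer's browser sends the card straight to the PSP; the
    # seller only receives the resulting token and the last four digits.
    token = psp.tokenize("seller-shop", test_card)
    shop.store_token("alice", token, test_card[-4:])

    normal = shop.bill("alice", 1999)

    # Simulated breach of the seller's database.
    stolen = shop.dump_database()
    replay = psp.charge("seller-attacker", token, 50000)

    # Containment: the PSP drops the seller's tokens, no cards are reissued.
    revoked = psp.revoke_seller_tokens("seller-shop")
    after_revoke = shop.bill("alice", 1999)

    return {"normal": normal, "pan_in_dump": test_card in stolen,
            "replay": replay, "revoked": revoked,
            "after_revoke": after_revoke}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The breach dump contains only the token and the last four digits, and the replayed token is rejected because it is bound to a different seller than the one presenting it.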
t3rabytes 2021-08-16 20:54:59 +0000 UTC [ - ]
blacksmith_tb 2021-08-16 21:13:33 +0000 UTC [ - ]
dionidium 2021-08-16 20:58:37 +0000 UTC [ - ]
nealyoung 2021-08-16 21:00:56 +0000 UTC [ - ]
meowster 2021-08-17 04:29:17 +0000 UTC [ - ]
social_quotient 2021-08-16 21:01:31 +0000 UTC [ - ]
swiley 2021-08-16 20:57:18 +0000 UTC [ - ]
gruez 2021-08-16 21:27:18 +0000 UTC [ - ]
sorry_outta_gas 2021-08-16 20:55:28 +0000 UTC [ - ]
aaomidi 2021-08-16 20:55:55 +0000 UTC [ - ]
nsxwolf 2021-08-16 21:02:21 +0000 UTC [ - ]
timdev2 2021-08-16 21:20:33 +0000 UTC [ - ]
If that's the case, it would be an incremental improvement if the credit agencies implemented some tokenization scheme, sort of like credit card gateways do.
Not that anyone should trust the credit agencies either, but you'd still be removing unnecessary points of potential compromise.
meowster 2021-08-17 04:29:37 +0000 UTC [ - ]
aaomidi 2021-08-18 22:00:09 +0000 UTC [ - ]
Going to collections over $50 is stupid.
exabrial 2021-08-17 02:04:22 +0000 UTC [ - ]
leeoniya 2021-08-17 04:26:05 +0000 UTC [ - ]
wait, why does t-mobile have SSNs?
88840-8855 2021-08-16 21:15:58 +0000 UTC [ - ]
barbarthjdj 2021-08-16 20:57:44 +0000 UTC [ - ]
atok1 2021-08-17 04:28:24 +0000 UTC [ - ]
When breaches like this happen, all executives must step down.
ColemanJ 2021-08-18 00:33:08 +0000 UTC [ - ]
ColemanJ 2021-08-17 23:40:08 +0000 UTC [ - ]
sangd 2021-08-16 20:56:01 +0000 UTC [ - ]
bigwavedave 2021-08-17 01:28:40 +0000 UTC [ - ]
akira2501 2021-08-17 07:31:51 +0000 UTC [ - ]
sangd 2021-08-17 03:10:10 +0000 UTC [ - ]
bigwavedave 2021-08-17 19:08:14 +0000 UTC [ - ]
It's just an old password found in a breach years ago, they don't have anything else that's real. The difference here is that if they call and leave a voicemail with personal info, go to the police. They're not gonna bother tracking down a social engineering email, but they may be more inclined to go after verbal blackmail.
criticaltinker 2021-08-16 20:40:26 +0000 UTC [ - ]
Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?
On a slightly more serious note, is anyone aware of a compilation of prices paid for such data? I'm imagining something like a Consumer Price Index [1], but for stolen private data. Maybe far in the dystopian future inflation will make life harder for hackers.
[1] https://www.bls.gov/cpi/
martinald 2021-08-16 20:47:24 +0000 UTC [ - ]
Ransomware ransoms have increased massively. They were often a few thousand dollars only a few years ago, now often hear about $50m+.
On the smaller scale SMS/email phishing has got absolutely enormous too in volumes. Banks and credit card providers are refunding 100s of millions (if not more) in fraud, in actually a very low margin business (retail banking). It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to almost exponentially grow.
rlpb 2021-08-16 21:48:10 +0000 UTC [ - ]
Preventing this kind of fraud is a solved problem. The reason it still happens is that banks are forced, through competition, to minimise "identity proving" burden for consumers, in a "get credit now with instant approval!" kind of way.
At the moment we're stuck in a "marketing armageddon" of banks competing with each other by not properly verifying identity before granting credit or transferring away money. This seems to me like a Tragedy of the Commons.
If, across the board, people were required to prove their identity properly before banks rely on them, then the problem would go away overnight. It'd be a bit more tedious for consumers, but I don't see how that would cause banks to fail. The cost would merely move from fraud to identity verification.
Perhaps some people wouldn't be sold credit that they can't afford, but I don't buy that such people are keeping the banks afloat. Before banks stop operating retail banking services, I'm sure they'll just start actually verifying identity properly to keep that market.
hn_throwaway_99 2021-08-16 21:56:59 +0000 UTC [ - ]
There are, of course, easily added forms of additional verification - for example, Stripe just added their Identity service which lets you take a picture of your driver's license and then match the image against a selfie. But that puts "friction" in front of the application process, so most banks don't do something like this unless other signals make them think the application has a high fraud risk.
If basically everyone's Name, SSN, DoB and Address is easily viewable public info, this will all change.
madamelic 2021-08-16 23:37:45 +0000 UTC [ - ]
Shortly before BBVA closed them, I was in a back-and-forth to open an account with Simple.
First, my ID was too shiny, then it wasn't black and white, then it wasn't color, then they wanted a picture of my apartment building, then ...
it was just on and on and on for three weeks. It got to the point where I asked what exactly they wanted and they literally told me that they cannot tell me because it would allow me to commit fraud. I asked if I could talk directly to their fraud team to figure out what exactly: nope. Can't do that, they can't talk to you.
So I was expected to either read their minds or play infinite whack-a-mole with them where they say one thing in one email then say the opposite in the next.
pas 2021-08-17 00:02:46 +0000 UTC [ - ]
specialist 2021-08-17 03:22:04 +0000 UTC [ - ]
This achievement then unlocks Privacy technology.
Currently, PII must be stored as plaintext. Required for matching records across systems.
Once UUIDs are used, all data at rest, at the field level, can be encrypted.
cite: Book Translucent Databases 2nd ed.
MichaelZuo 2021-08-16 23:02:41 +0000 UTC [ - ]
mlindner 2021-08-17 01:58:36 +0000 UTC [ - ]
claytongulick 2021-08-17 03:45:35 +0000 UTC [ - ]
They have refused to provide me service if I don't give my SSN.
To get around it, I've had to open business accounts with my EIN.
mixmastamyk 2021-08-17 06:43:05 +0000 UTC [ - ]
yebyen 2021-08-17 11:46:58 +0000 UTC [ - ]
That being said, you are right, there are prepaid options and postpaid with a deposit ($50) that can put you outside of this SSN requirement on T-Mobile. I guess you have to know to ask for them. It is for credit, that's the only reason they can ask for your SSN.
Everything is credit based now, and for some people their phone bill might even be their first positive (or negative) mark on a credit score rating.
hn_throwaway_99 2021-08-17 13:26:57 +0000 UTC [ - ]
SAI_Peregrinus 2021-08-17 15:27:08 +0000 UTC [ - ]
yebyen 2021-08-17 21:30:34 +0000 UTC [ - ]
I have no idea why it would be to the advantage of a business like T-mobile to get you on a postpaid plan when there is no possibility of running up your bill. It's still the option they push on hardest when you walk up to the storefront.
The credit model is the default model. That was my point. I don't know that I had a point.
You shouldn't need to maintain a credit account just to keep a phone number, but I guess it's real estate and that's valuable, they will put it back into the pool if you ever stop paying the bill. I haven't had to deal with these kind of problems myself for a long time, but the pain is still fresh.
mixmastamyk 2021-08-18 03:36:08 +0000 UTC [ - ]
eitland 2021-08-17 09:36:11 +0000 UTC [ - ]
Many places it is to prevent abuse.
I don't think I have been able to legally get a phone number in Norway without identifying myself for years.
Maybe if you go to a lawyer they can sort something, but that will be another league for most of us.
mschuster91 2021-08-17 00:05:39 +0000 UTC [ - ]
The best solution would be if the US introduced mandatory passports or other forms of ID cards with smartcard capability, similar to the German Personalausweis. It has a secure cryptoprocessor with key vault, meaning it can be used to sign documents (if the bureaucracy to get a signature CA wouldn't be completely stuck for years now, SIGH), but especially companies willing to use authenticated data can fetch them securely over any NFC enabled terminal. Quite ingenious.
This would entirely kill ID fraud at the source. The problem only seems to be an aversion in some parts of the US population against ID documents.
ericbarrett 2021-08-17 02:59:18 +0000 UTC [ - ]
javajosh 2021-08-17 04:59:25 +0000 UTC [ - ]
specialist 2021-08-17 03:27:15 +0000 UTC [ - ]
In addition to the sky faerie grifters, the anti-rationality mentats categorically oppose allowing government to govern.
bdhess 2021-08-17 07:30:46 +0000 UTC [ - ]
addingnumbers 2021-08-17 14:45:44 +0000 UTC [ - ]
RFID: Sign of the (End) Times? https://www.wired.com/2006/06/rfid-sign-of-the-end-times/
On social media, vaccine misinformation mixes with extreme faith https://www.washingtonpost.com/technology/2021/02/16/covid-v...
rsuelzer 2021-08-17 08:39:03 +0000 UTC [ - ]
mschuster91 2021-08-17 07:50:52 +0000 UTC [ - ]
mindslight 2021-08-17 02:10:27 +0000 UTC [ - ]
6502nerdface 2021-08-17 00:56:11 +0000 UTC [ - ]
So, does Germany not have ID fraud anymore?
dtx1 2021-08-17 01:50:37 +0000 UTC [ - ]
zabatuvajdka 2021-08-17 02:40:31 +0000 UTC [ - ]
All of this fraud is an extension of that deregulation, which leaves people exposed. Frankly a slower moving economy is probably BETTER in the long run, but it’s all numbers and figures nowadays. People are reduced to an SSN number.
mschuster91 2021-08-17 07:51:48 +0000 UTC [ - ]
2021-08-17 01:07:33 +0000 UTC [ - ]
TedDoesntTalk 2021-08-17 00:56:00 +0000 UTC [ - ]
d0gsg0w00f 2021-08-17 03:59:44 +0000 UTC [ - ]
eropple 2021-08-17 05:03:07 +0000 UTC [ - ]
But you know that. It must be hard to be so aggrieved.
TedDoesntTalk 2021-08-18 14:35:41 +0000 UTC [ - ]
Why is obtaining an ID "intentionally designed" this way. Don't you need to get a driving license to drive? A passport to re-enter the country? Do disadvantaged groups not get driving licenses?
eropple 2021-08-18 15:47:58 +0000 UTC [ - ]
Because when you make the places to get them few in number and difficult to get to, then make the lines to get them very long, you create hurdles for people who have jobs that are not overly friendly towards long or variable absences.
This is intentional, much as many places in the United States have reorganized voting locations to themselves be difficult to get to. Disenfranchisement is intentional.
> Don't you need to get a driving license to drive? ... Do disadvantaged groups not get driving licenses?
Many in the United States live in urban areas where they're not required and where they may not be economically feasible. (These folks tend not to vote for the people who are pushing ID requirements.)
> A passport to re-enter the country?
The set of Americans who never have cause to leave the country is very large.
TedDoesntTalk 2021-08-18 21:11:35 +0000 UTC [ - ]
eropple 2021-08-18 22:02:32 +0000 UTC [ - ]
the_mar 2021-08-17 01:07:02 +0000 UTC [ - ]
_huayra_ 2021-08-17 04:55:32 +0000 UTC [ - ]
Most of the online transactions I do with my credit card in Europe require me to verify them via some approval app (often the bank's own app) before they're submitted.
But I guess it's more profitable to just let US folks spend spend spend and rack up huge debt burdens. The interest is probably higher than whatever anti-fraud efforts cost them at the moment.
avianlyric 2021-08-17 09:14:14 +0000 UTC [ - ]
Here in the UK strong customer authentication and strong proof of identity is a requirement in law, breaching it lands you in significant amounts of hot water. So at the bank I used to work at, identity theft was pretty rare and only made up a tiny fraction of the fraud we saw.
A much bigger share of the pie, and the area that we really struggled with, is customer authorised payments. The customer gets socially engineered into parting with their cash, and as a bank we're expected to reimburse them if we can't prove that we didn't take steps to detect the scam in progress and prevent the customer making the transaction.
8ytecoder 2021-08-16 22:59:01 +0000 UTC [ - ]
And proper identity verification - like looking at the document in person - also has downsides. It still can be forged. Just a little harder than what we have. (Other countries with mandatory physical KYC and a wet signature still have fraud issues)
Overall I think it’s a lot of added cost and inconvenience for a slightly better benefit.
ipython 2021-08-16 23:05:07 +0000 UTC [ - ]
HomeDeLaPot 2021-08-16 23:49:56 +0000 UTC [ - ]
toast0 2021-08-16 21:55:30 +0000 UTC [ - ]
This is nice when it's actually you, but it's a giant PITA to unravel when it's not. My spouse's name and SSN was used to rent an apartment in Oakland, as well as attempts to open credit cards at the apartment address (thankfully they tried to open an account at Amex but she already had one there and they called to confirm; at least one issuer said they were likely to approve). We were able to get all the credit applications denied/cancelled, but the rental lease is harder; the leasing office says they can't do anything without a criminal complaint and Oakland PD won't talk to us.
BayAreaEscapee 2021-08-16 23:29:42 +0000 UTC [ - ]
Are you aware that California Penal Code sections 530.5-530.8 require the law enforcement agency in the area of an identity theft victim to take a police report?
https://leginfo.legislature.ca.gov/faces/codes_displayText.x...
toast0 2021-08-16 23:54:57 +0000 UTC [ - ]
Also, we're not in California. We reported to our local PD, who did call us to get additional information, but obviously isn't going to spend a lot of time on something they can't do anything about. Oakland PD could presumably visit the apartment and see who's there or something.
Most of the things you're supposed to do revolve around documenting things (which allowing a police report does), so that when these accounts get reported on credit reports later, you can contest them and they'll be dropped. But in the meantime, there's nothing to be done about a fraudulent lease.
nerdponx 2021-08-16 21:29:18 +0000 UTC [ - ]
The downside is that the "help" will probably just consist of funneling more taxpayer money to large shareholders and execs, while banks figure out ways to dodge liability without actually solving the problem.
toomuchtodo 2021-08-16 21:48:34 +0000 UTC [ - ]
Maybe banks have to bleed more (Reg E mostly protects consumers from this fraud exposure) before they’ll come willing to regulators asking for it. If that’s the path to success, it’s a shame but not surprising.
https://www.congress.gov/bill/116th-congress/house-bill/8215...
https://fcw.com/articles/2021/08/12/infrastructure-digital-i...
“A draft version of the Senate infrastructure bill, which was obtained by FCW, included $500 million for the Department of Labor to institute a grant fund to supply states with digital identity proofing tools that are compliant with National Institute of Standards and Technology to combat fraud in unemployment insurance benefits.
In addition to the program administered by the Labor Department, the draft legislative language called for the Office of Management and Budget to develop a plan for federal digital identity verification, including an inventory of current efforts and a study of the feasibility of establishing a governmentwide system that provides equitable access to users of government services and protects privacy. There was talk in the administration and in the Senate of adding $3 billion in funding for governmentwide identity solutions as part of the infrastructure bill.
Instead, the entire section on program integrity covering the digital identity grants program and the OMB policy push was removed from the bill before it came up for a vote and was not offered in any of the amendments that came up as the bill was debated on the Senate floor.
The White House and various Senate press offices by and large did not respond to emailed questions from FCW about what happened with the digital identity section of the bill.”
vosper 2021-08-16 21:46:39 +0000 UTC [ - ]
[0] It obviously is for government departments.
tialaramex 2021-08-16 22:51:51 +0000 UTC [ - ]
The government (and not private corporations) tracks births, deaths, immigration, emigration, and of course it chooses to issue identity paperwork.
In general the closest commercial entities like banks can do is identity matching. So e.g. maybe Bank A asks you "Hey, do you have, like, a mortgage? Who with?" and you pick Bank X from the list of six options and OK, either that's a lucky guess or you know that "you" have a mortgage with Bank X.
This is pretty poor, it's something, but it's not very much, it's up there with Facebook's "Here are some pictures of people, which of them is your friend?" which of course falls down when either: You "friend" people you don't actually know and wouldn't recognise; or your "friends" don't like Facebook having accurate photo data and intentionally mislabel random other people or things with their name...
And as with the Facebook thing it breaks in surprising and hard to reproduce/ demonstrate ways. Maybe you think of this as your Big Bank mortgage, but if you check the small print it's actually a Different Bank mortgage, that Big Bank are re-branding, and so you just picked wrong.
So yes, in practice government is where this would get solved, if you've any appetite for solving it.
onion2k 2021-08-16 21:05:37 +0000 UTC [ - ]
The revenue isn't 6 BTC. It's 6 BTC * however many people are willing to buy at that price. More suppliers would surely drive the price down, but at this point there are probably tens of thousands of people who'd buy if the data was cheaper, so it'll remain profitable for a long time.
trimbo 2021-08-16 21:07:19 +0000 UTC [ - ]
vngzs 2021-08-16 21:19:40 +0000 UTC [ - ]
2021-08-16 21:50:07 +0000 UTC [ - ]
bbarnett 2021-08-16 21:11:08 +0000 UTC [ - ]
(Napoleon Dynamite 'Gawd!')
paulddraper 2021-08-16 21:52:57 +0000 UTC [ - ]
vngzs 2021-08-16 20:59:52 +0000 UTC [ - ]
[0]: https://go.flashpoint-intel.com/docs/pricing-analysis-of-goo...
criticaltinker 2021-08-16 21:51:49 +0000 UTC [ - ]
Here are a couple excerpts I found interesting:
> FULLZ: Slang for a full package of personal information connected to an individual, fullz provide enough information for a criminal to steal and profit from a victim’s identity. Fullz generally include the victim’s name, Social Security number, date of birth, account numbers, and more.
> REPRESENTATIVE SAMPLE OF 2019 FULLZ PRICING IN USD
> 2018 credit card and fullz from service industry $10
> Cashing out bank accounts and fullz empty it $4
> EU/Asia/UK credit cards / fullz $860
> $20,000 bank loan cashout using fullz $30
> Fullz SSN - DoB $5
> REPRESENTATIVE SAMPLE OF 2019 IDENTIFICATION DOCUMENTS AND PRICES IN USD
> U.S. passport PSD template $18
> Driver’s license template, passport, certificates $1,000
> UK driving license, passport pack, PSD photo $3-$26
> Australian passport PSD template $18
> Canadian passport PSD template $26-$46
> France passport PSD template $45
> Germany passport PSD template $46
> Netherlands passport PSD template $50
> Spain passport PSD template $45
> Sweden passport PSD template $5
> Turkey passport PSD template (fully editable) $45
vmception 2021-08-17 06:30:27 +0000 UTC [ - ]
Usually US and China and the OFAC list are excluded due to differing regulations
Nobody knows or cares. The financial institution, the capital raiser, the person with their ID used
You’re just trying to get into some presales or trade derivatives and that doesn’t have criminal liability
xtiansimon 2021-08-18 11:58:19 +0000 UTC [ - ]
Not before the bevy of PII data points can be integrated into larger and larger datasets describing _individuals_.
Right now if you breach one database, you have one ‘snapshot’ of the elephant. Add more and more data, and soon you can make connections between private and public information.
What then? You could model a lot of information.
What street were you born on? First school? Early childhood friend?
Sound familiar?
twistiti 2021-08-16 22:25:36 +0000 UTC [ - ]
A valid US valid social security number is estimated at 2$, a USA selfie with holding ID is estimated at $100 $2
SkyMarshal 2021-08-16 22:34:36 +0000 UTC [ - ]
prirun 2021-08-17 01:49:40 +0000 UTC [ - ]
Terrible company IMO. I ended up not doing a transaction with them and they wouldn't delete my data from their systems. Companies are just asking to be hacked when they store all this unnecessary data for people who are not even their customers.
contravariant 2021-08-17 00:17:03 +0000 UTC [ - ]
Not to mention that it's somewhat pointless as a method of verification in the first place since you can't exactly check the validity of an ID in a grainy selfie.
criticaltinker 2021-08-17 03:35:31 +0000 UTC [ - ]
throwawayboise 2021-08-16 21:35:20 +0000 UTC [ - ]
SSNs were never secret until fairly recently.
I guess an up-to-date cross-reference of SSNs and current active accounts of other types might always have some value to certain buyers.
whoomp12342 2021-08-16 21:23:27 +0000 UTC [ - ]
8ytecoder 2021-08-16 22:54:06 +0000 UTC [ - ]
fingerlocks 2021-08-16 21:15:50 +0000 UTC [ - ]
Overton-Window 2021-08-16 21:12:49 +0000 UTC [ - ]
73r7fudhdjduru 2021-08-16 21:43:11 +0000 UTC [ - ]
vmception 2021-08-17 03:46:35 +0000 UTC [ - ]
People can do very lucrative things with your identity that don't cause any liability to you. This may be more common than the horror stories, and there is no way to collect the data.
Think about it, someone shut out of the credit system uses your identity and gets a credit card and helps improve your credit score. Many people might see the unfamiliar line and just not bother, many people would never notice.
Think about things which wouldn't get reported: you would never know if someone had opened another checking account in your name, right now.
What about doing ID verification at an exchange merely to pass know-your-customer and anti-money laundering requirements to get greater withdrawals? Innocuous, as all account holders have to do that.
Yeah some people are probably getting framed.
It's more likely that this gets investigated properly and shocks everyone into repealing some money-stigmatizing laws since the wrong people are getting indicted.