T-Mobile: Breach Exposed SSN/DOB of 40M+ People
coldcode 2021-08-18 16:51:29 +0000 UTC [ - ]
The people who suffer are those whose data is compromised and have no idea it happened.
harikb 2021-08-18 17:07:35 +0000 UTC [ - ]
From a Reuters article on same news
https://www.reuters.com/technology/hackers-steal-some-person...
> T-Mobile’s data breach is the latest in a series of high-profile cyberattacks as digital thieves take advantage of security weakened by work-from-home policies due to the COVID-19 pandemic
jrootabega 2021-08-18 17:49:09 +0000 UTC [ - ]
u801e 2021-08-19 00:09:35 +0000 UTC [ - ]
jrootabega 2021-08-19 00:13:10 +0000 UTC [ - ]
A4ET8a8uTh0 2021-08-18 16:56:44 +0000 UTC [ - ]
I think only recently there was some movement to approve a vendor there.
Arrath 2021-08-18 20:00:57 +0000 UTC [ - ]
u801e 2021-08-19 00:10:51 +0000 UTC [ - ]
toomuchtodo 2021-08-18 16:55:42 +0000 UTC [ - ]
mjevans 2021-08-18 17:10:06 +0000 UTC [ - ]
Damien Miller @damienmiller Looks like T-Mobile hasn't updated the OpenSSH installation (and thus probably neither OS) since 2014. SHA256 has been the default hostkey fingerprint since the openssh 6.8 release in 2015
Retweeted: https://twitter.com/Jeremy_Kirk/status/1427144723731402756 Jeremy Kirk @Jeremy_Kirk The person who claims to have compromised T-Mobile says the company misconfigured a gateway GPRS support node that was apparently used for testing. It was exposed to the internet. That allowed the person to eventually pivot to the LAN. Proof screenshot supplied.
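The two indicators in the tweet above (an OpenSSH banner older than 6.8 and a fingerprint still shown as colon-separated MD5 hex) can both be checked mechanically. The following is an added example and not code from the thread, the tweet or T-Mobile; the banners and fingerprints in it are constructed, and the 6.8 cutoff is taken from the tweet's claim that SHA256 became the default fingerprint display in that release.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// OpenSSH 6.8 (2015) switched the default fingerprint display to SHA256,
// per the tweet above; anything older prints MD5 by default.
const (
	sha256DefaultMajor = 6
	sha256DefaultMinor = 8
)

var (
	// Version inside an SSH identification string such as
	// "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13".
	opensshVersionRe = regexp.MustCompile(`OpenSSH_(\d+)\.(\d+)`)
	// Legacy MD5 display: 16 colon-separated hex bytes, optionally prefixed "MD5:".
	md5FingerprintRe = regexp.MustCompile(`^(?:MD5:)?([0-9a-f]{2}:){15}[0-9a-f]{2}$`)
	// Modern display: "SHA256:" plus 43 unpadded base64 characters (32 bytes).
	sha256FingerprintRe = regexp.MustCompile(`^SHA256:[A-Za-z0-9+/]{43}=?$`)
)

// ParseOpenSSHVersion extracts the major and minor release from a server banner.
func ParseOpenSSHVersion(banner string) (major, minor int, ok bool) {
	m := opensshVersionRe.FindStringSubmatch(banner)
	if m == nil {
		return 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	return major, minor, true
}

// PredatesSHA256Default reports whether the banner's OpenSSH release is older
// than 6.8, i.e. would still print MD5 fingerprints by default.
func PredatesSHA256Default(banner string) (bool, error) {
	major, minor, ok := ParseOpenSSHVersion(banner)
	if !ok {
		return false, fmt.Errorf("no OpenSSH version in banner %q", banner)
	}
	if major != sha256DefaultMajor {
		return major < sha256DefaultMajor, nil
	}
	return minor < sha256DefaultMinor, nil
}

// FingerprintFormat classifies a displayed host-key fingerprint as the
// legacy MD5 form, the SHA256 form, or neither.
func FingerprintFormat(fp string) string {
	switch {
	case sha256FingerprintRe.MatchString(fp):
		return "SHA256"
	case md5FingerprintRe.MatchString(fp):
		return "MD5"
	default:
		return "unknown"
	}
}

func main() {
	// Constructed banners, not captured from any real host.
	for _, b := range []string{
		"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",
		"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4",
		"SSH-2.0-dropbear_2019.78",
	} {
		old, err := PredatesSHA256Default(b)
		if err != nil {
			fmt.Println(b, "->", err)
			continue
		}
		fmt.Printf("%s -> predates 6.8: %v\n", b, old)
	}
	// Constructed fingerprints in the two display formats.
	for _, fp := range []string{
		"SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AbCdE",
		"16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48",
	} {
		fmt.Println(fp, "->", FingerprintFormat(fp))
	}
}
```

Two caveats for anyone using this as a detection: the fingerprint format alone is weak evidence, since a modern client can be told to display MD5 (`ssh-keygen -l -E md5`), so the server banner is the better signal; and a distribution may backport fixes into an old version string, so "old banner" means "old release", not automatically "vulnerable".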
gurchik 2021-08-18 17:05:04 +0000 UTC [ - ]
Once on the LAN, the same person claims the data was "sitting in plaintext on an insecure backup server": https://twitter.com/und0xxed/status/1427639599636041742
gjsman-1000 2021-08-18 16:56:53 +0000 UTC [ - ]
jasonladuke0311 2021-08-18 17:21:31 +0000 UTC [ - ]
chefandy 2021-08-18 17:43:36 +0000 UTC [ - ]
midwestemo 2021-08-18 17:12:59 +0000 UTC [ - ]
iknowstuff 2021-08-18 17:00:04 +0000 UTC [ - ]
In any case, the private key is stored on a plastic ID, which acts as a smart card and can be hooked up to a smartphone/PC for identity verification and document signing online. The key is only released with a PIN, and the databases online only store the corresponding public key.
A leak of a public key without the private key is (relative to SSN) harmless.
https://en.m.wikipedia.org/wiki/EIDAS
Can we please have this in the US?
netsec_burn 2021-08-18 17:06:18 +0000 UTC [ - ]
sneak 2021-08-18 18:21:54 +0000 UTC [ - ]
Would you like each state to do it, or a federal system?
Many state DMVs sell their whole database to private companies like auto insurers and marketers. What makes you think they should continue to be stewards of this sensitive personal information when they have mishandled it so badly in the past?
Why do we need strong ID so often anyway? Most things people demand ID for don't actually need ID.
zamadatix 2021-08-18 18:58:18 +0000 UTC [ - ]
Same with the state vs federal question. Right now SSNs are assigned federally and drivers licenses and birth certificates by state. It doesn't much matter which it comes from as long as the identification is trusted nationally (as it is currently with the above examples).
What DMVs are able to sell varies by state, many can't sell drivers license photos for example. SSNs are also illegal to sell based on federal law. Ultimately that comes down to the content of the law relating to creating said ID not past actions with other information.
As for why we need to identify ourselves so often, it often comes down to the public use case of credit checks and various forms of identification for governmental reasons (e.g. applying for official licenses or forms or travel documents or so on). It's perfectly fine to do these 2 separately, but as-is we are already tying the 2 together, so why not answer both in one go with something like eIDAS.
jvanderbot 2021-08-18 19:25:25 +0000 UTC [ - ]
iknowstuff 2021-08-18 19:10:27 +0000 UTC [ - ]
Generally, with eIDAS, various websites can use an API to access the identity stored on your ID (public key) when you allow it.
Crucially, every time you want to make a legally binding change or sign a document, you need to ask your ID to use its private key to cryptographically sign it. Typically this operation needs a PIN. Without such a valid signature, you won't be able to use someone's credit line.
With a well designed system, the government can provide an API to give institutions/apps unique, but app-specific people identifiers. Those can be trusted to each be tied to a unique person, without making it possible to track the services they use (unlike the easily trackable SSN).
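The model sketched in this comment and in the earlier one about the plastic ID card (private key held on a PIN-protected card, only public keys in the database, a signature required for anything legally binding, and app-specific identifiers that cannot be correlated across services) can be shown end to end in a few dozen lines. This is an added example, not eIDAS code or any government's implementation: the `Card`, `Registry` and `PairwiseID` names are invented for illustration, Ed25519 stands in for whatever algorithm a real card uses, and the HMAC-based pairwise identifier is one way to get unlinkable per-service IDs, not necessarily the scheme any country deploys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrBadPIN is returned when the card refuses to sign.
var ErrBadPIN = errors.New("card: wrong PIN")

// Card models the smart card: the private key lives only inside the card
// and no method ever returns it.
type Card struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	pin  string
}

// NewCard personalises a card with a fresh key pair and a PIN.
func NewCard(pin string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pub: pub, pin: pin}, nil
}

// PublicKey is the only key material that leaves the card.
func (c *Card) PublicKey() ed25519.PublicKey { return c.pub }

// Sign releases a signature only after the PIN check passes.
func (c *Card) Sign(pin string, doc []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, ErrBadPIN
	}
	return ed25519.Sign(c.priv, doc), nil
}

// Registry is the server-side database: citizen -> public key, plus a
// revocation list for lost or stolen cards. Leaking it leaks no secrets.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (r *Registry) Enroll(citizen string, pub ed25519.PublicKey) { r.keys[citizen] = pub }
func (r *Registry) Revoke(citizen string)                       { r.revoked[citizen] = true }

// Verify accepts a document only if it carries a valid signature from the
// citizen's enrolled, non-revoked public key.
func (r *Registry) Verify(citizen string, doc, sig []byte) bool {
	pub, ok := r.keys[citizen]
	if !ok || r.revoked[citizen] {
		return false
	}
	return ed25519.Verify(pub, doc, sig)
}

// PairwiseID derives an identifier that is stable for one (citizen, service)
// pair but unlinkable across services without the government's HMAC secret.
func PairwiseID(govSecret []byte, citizen, service string) string {
	m := hmac.New(sha256.New, govSecret)
	m.Write([]byte(citizen))
	m.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" differ
	m.Write([]byte(service))
	return hex.EncodeToString(m.Sum(nil))
}

func main() {
	card, _ := NewCard("1234")
	reg := NewRegistry()
	reg.Enroll("citizen-42", card.PublicKey())

	loan := []byte("open credit line 5000 EUR") // constructed document
	sig, err := card.Sign("1234", loan)
	fmt.Println("signed with PIN:", err == nil, "verified:", reg.Verify("citizen-42", loan, sig))

	_, err = card.Sign("0000", loan)
	fmt.Println("wrong PIN refused:", errors.Is(err, ErrBadPIN))

	// Attacker holds the leaked registry (public keys only) and their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := ed25519.Sign(attackerPriv, loan)
	fmt.Println("forgery accepted:", reg.Verify("citizen-42", loan, forged))

	reg.Revoke("citizen-42")
	fmt.Println("accepted after revocation:", reg.Verify("citizen-42", loan, sig))

	secret := []byte("government hmac key (constructed)")
	fmt.Println("bank id: ", PairwiseID(secret, "citizen-42", "bank.example"))
	fmt.Println("telco id:", PairwiseID(secret, "citizen-42", "telco.example"))
}
```

The contrast with an SSN is the point: a dump of `Registry` is useless for opening the credit line because the signature must come from the card, and the two pairwise IDs for the same citizen share nothing an outsider can correlate. What the example does not model is the hard part a later comment raises, namely how a lost card is replaced and who may call `Revoke`; revocation here is a plain flag so that the verifier's behaviour is visible, not a proposal for that process.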
azernik 2021-08-18 18:54:20 +0000 UTC [ - ]
In this case, you'd have the Interior Ministry or equivalent be the certificate authority, and it can issue revocations and new certs based on the normal identity verification systems of the state.
lou1306 2021-08-18 18:47:48 +0000 UTC [ - ]
... To prevent identity theft?
sneak 2021-08-18 18:51:19 +0000 UTC [ - ]
You only do bank loans, mortgages, lines of credit and the like a few times per year.
Your ID is demanded so often in the USA there is even a hand signal for it that everyone knows (a C shape made with the right hand held up at eye level).
hhjj 2021-08-18 19:01:55 +0000 UTC [ - ]
In Europe we aren't asked for IDs but usually email/phone numbers, and that's for marketing reasons (spamming and being able to identify customers across businesses).
_jal 2021-08-18 19:07:17 +0000 UTC [ - ]
I routinely refuse to provide ID when asked by private businesses. About half the time they're OK with proceeding with whatever without it.
sneak 2021-08-18 19:21:43 +0000 UTC [ - ]
There are however many, many things that you are simply entirely barred from doing in the USA without showing ID. It's even worse in Europe.
Many music venues (the vast majority), all federally licensed firearms retailers, almost all hotels and modes of travel.
Perhaps you can live without music, air travel, hotels, and firearms, but I cannot.
jandrewrogers 2021-08-18 17:40:58 +0000 UTC [ - ]
Every time things like this come up, everyone asks why we don't just build something that looks like a national identity system to fix the issue, as if that never occurred to anyone in Congress. This is why: it violates the Constitution. Short of amending the Constitution, which seems highly unlikely, the US will never have a national identity system like European countries.
dragonwriter 2021-08-18 18:04:48 +0000 UTC [ - ]
No, they haven't. There are people who have speculated that it is illegal since the idea started being discussed (serious discussions are actually fairly new, mostly a burst in the late-1990s and another one shortly after 9/11, though speculative strawman negative arguments go back a bit further, at least to discussions around HIPAA in the mid-1990s.) Those speculations have extrapolated from cases that are quite distant from a national ID (e.g., weirdly, critics of the idea have suggested a national ID would violate the protection of the right to anonymous political speech found in the First Amendment under McIntyre v. Ohio Elections Commission (1995), which, aside from the WTF of what a national ID even has to do with that right, is clearly false because the First Amendment applies to the states under the 14th Amendment, so if somehow the creation of a federal ID would violate a First Amendment right, the creation of a state ID would equally violate the application of that right under the 14th). In fact, we have federal (directly issued or state-issued under federal regulations) ID cards required for certain federally regulated purposes, notably:
(1) Passports (or, for certain cases, state-issued under federal rules Enhanced Driver's Licenses) for border crossing;
(2) Passports, state-issued ID’s meeting federal Real ID standards, or certain other federal or federally-regulated IDs for air travel and access to federal facilities.
There are usage or production requirements that government might adopt for ID that violate Constitutional protections that have been firmly articulated by the courts, but those generally apply to state and federal ID equally.
lostcolony 2021-08-18 18:01:03 +0000 UTC [ - ]
We have plenty of de facto ID systems. But I'd argue they aren't mandatory because -there is no political will to make them mandatory-. What is achieved by doing so?
Hell, the same political party that would object most vociferously to making them mandatory (because of religious reasons and cost to the taxpayer) is also the one pushing for laws to require issued IDs to vote, a right that -is- guaranteed in the constitution.
smsm42 2021-08-18 18:50:03 +0000 UTC [ - ]
lostcolony 2021-08-18 19:47:09 +0000 UTC [ - ]
smsm42 2021-08-18 20:16:27 +0000 UTC [ - ]
lostcolony 2021-08-19 00:51:43 +0000 UTC [ - ]
I provided an example of that, by pointing out where even the party whose stated goal is to validate a person's identity for voting (i.e., where a mandatory national ID would help with one of their stated goals; certainly, it would remove the objections the other party has) still isn't pushing for a mandatory national ID.
You commenting how multiple types of non-mandatory IDs are included in the bills that that party supports...isn't gainsaying anything I said, nor the point I was making. I'm not sure why you bothered.
markhahn 2021-08-18 19:16:12 +0000 UTC [ - ]
gnopgnip 2021-08-18 21:08:23 +0000 UTC [ - ]
jandrewrogers 2021-08-18 18:17:53 +0000 UTC [ - ]
Past attempts included things like withholding tax disbursements to non-compliant States, but the US Supreme Court deemed that coercive and therefore illegal. The Real ID Act is the latest attempt but it has been delayed for many years by State non-compliance and general unwillingness to share their identity databases with the Federal government.
The ID required to vote is a State ID, which is perfectly Constitutional. No one is requiring a Federal ID to vote. In fact, many States will not recognize any Federal ID, including passports.
lostcolony 2021-08-18 19:39:56 +0000 UTC [ - ]
Then please find and supply it. -I- have had difficulty finding it. It certainly isn't so easy to find as "here is a linked citation supporting my claim", since you've yet to provide one.
"The Real ID Act is the latest attempt but it has been delayed for many years by State non-compliance and general unwillingness to share their identity databases with the Federal government." - not at all. Everything you said just in this post is incorrect, but more egregiously (and why I'm not even bothering to point out why it's incorrect), it's also -irrelevant-. Real ID...isn't mandatory. Not at the state level, not at the federal level.
"The ID required to vote is a State ID, which is perfectly Constitutional" - there isn't an ID required to vote according to the Constitution. In practice, most states also don't require any form of ID. Hence all the bills by the GOP to try and require one, while also doing nothing to ensure it is affordable and convenient (i.e., creating a form of poll tax); the GOP doesn't even care about it as an ID system, just as a form of voter suppression.
Which is my point; no legislature, not even the people trying to require ID for things, is pushing for mandatory IDs. It's not against the Constitution as far as I can tell, and you've done nothing to convince me; it just isn't politically worth pushing for given the resistance it would face so has never happened.
dragonwriter 2021-08-18 19:55:44 +0000 UTC [ - ]
Then it should be easy to present one, preferably the most applicable one to modern proposals.
> This information is not difficult to find.
It's not easy to find the arguments of the people opposed to national ID, and it's not easy to verify that the cases they cite are not about national IDs.
> All of them tried to workaround the fact that States can create mandatory identity systems but the Federal government cannot
None of the national ID debates have been about a mandatory ID (a mandatory-for-specific-purposes ID, yes, but the feds already issue a number of those.)
> (It is one of the reasons SSN cards go out of their way to assert they are not to be used as an ID.)
No, social security cards say that because they aren’t designed to validate identity, since all they contain is a name and a number and no way other than possession (which is extremely problematic) to associate that with a particular person.
> Past attempts included things like withholding tax disbursements to non-compliant States
[citation needed]
> but the US Supreme Court deemed that coercive and therefore illegal.
[citation needed]
> The Real ID Act is the latest attempt but it has been delayed for many years by State non-compliance and general unwillingness to share their identity databases with the Federal government.
Real ID is not a mandatory ID, but a required-for-enumerated-purposes ID. The enumerated purposes are ones for which the federal government already establishes acceptable ID standards without any Constitutional challenge, under various Article I, Sec. 8 powers; Real ID is just a change to the standards. And all phases of it but for Phase 4, involving (notably) the mandate to use Real ID for commercial air travel, have already gone into effect, starting in 2014.
casefields 2021-08-18 18:07:11 +0000 UTC [ - ]
Voting Rights Act is statutory like most of our laws.
dragonwriter 2021-08-18 18:14:54 +0000 UTC [ - ]
Yes it is.
> Voting Rights Act is statutory like most of our laws.
Constitutional rights are often enforced by legislation; Amendments articulating rights often explicitly authorize this. See, with regard to voting rights, the 15th, 19th, and 26th Amendments. (EDIT: also, the 14th Amendment [see Sec. 2 and 5], and, as noted in a sibling comment, the 24th Amendment. Also the 17th Amendment, though that doesn’t have a Congressional enforcement clause. Voting rights are the single most common subject of Constitutional amendments.)
azernik 2021-08-18 18:56:45 +0000 UTC [ - ]
Section 1. The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of race, color, or previous condition of servitude.
Section 2. The Congress shall have power to enforce this article by appropriate legislation.
The 19th Amendment has identical language for "on account of sex", the 24th Amendment has "by reason of failure to pay a poll tax or any other tax", the 26th Amendment has "on account of age" for 18 years and older.
Like many other things in the Constitution, the constitutional text defines the general principle and the power of the federal government to enforce it, and normal legislation establishes the actual enforcement mechanisms.
Buttons840 2021-08-18 17:59:36 +0000 UTC [ - ]
volta83 2021-08-18 17:58:54 +0000 UTC [ - ]
The system can be voluntary.
If you don't need an SSN today, you wouldn't need to use that system.
If some bank or health care provider only accepts such a system, just pick another one, or create your own bank / health care provider.
smsm42 2021-08-18 18:52:32 +0000 UTC [ - ]
InitialLastName 2021-08-18 19:16:02 +0000 UTC [ - ]
I don't know of any examples, but perhaps a provider who did not take insurance would be able to avoid the requirement.
lhorie 2021-08-18 18:30:13 +0000 UTC [ - ]
Aren't passports national/federal identity systems?
snowwrestler 2021-08-18 19:53:45 +0000 UTC [ - ]
The question is whether the U.S. federal government can require all U.S. residents to get, carry, and provide a national form of identification. To my knowledge it cannot, but I’m not handy with a case citation to prove it. Watching the rest of this thread to see what people turn up.
Note that Social Security numbers are explicitly not intended to be such IDs, although many services do use SSN as a key to distinguish people from one another.
dragonwriter 2021-08-18 20:20:53 +0000 UTC [ - ]
Even state IDs aren’t generally mandatory in theory, they are mandatory for specific purposes. Like most proposed national IDs. Like Passports. Like Real ID. Like EDL. Like Military ID. Like…
> The question is whether the U.S. federal government can require all U.S. residents to get, carry, and provide a national form of identification.
No, it's not. Literally no one is advocating that. It's actually pretty well established that even states, while they can require you to use ID for a whole lot of purposes, can’t mandate that you carry and produce one generally.
iknowstuff 2021-08-18 18:04:15 +0000 UTC [ - ]
Seems weird that a SSN is not considered a national identity system? What if the federal government sunset SSNs after a bunch of big states implemented an equivalent of EIDAS on their own volition?
pionar 2021-08-18 18:17:00 +0000 UTC [ - ]
In fact, the paper cards used to say "NOT FOR IDENTIFICATION" on them. I forget when that was removed.
The military started using them for ID in the 60s, then the IRS started using them in the 70s, and it's just kind of morphed into an ID number because "everyone has one".
adzm 2021-08-18 17:48:45 +0000 UTC [ - ]
jandrewrogers 2021-08-18 18:02:12 +0000 UTC [ - ]
Prior Supreme Court cases have ruled that the Federal government cannot coerce the States, e.g. via taxation or regulatory authority, to do something for the Federal government that the Federal government is prohibited from doing itself. Without the voluntary compliance of the States, which is like herding cats, with respect to creating a national identity database, the net effect of Real ID will basically be more standardized State IDs.
dragonwriter 2021-08-18 18:23:13 +0000 UTC [ - ]
It went into effect in 2014. You are probably confusing Phase 4 requirements (the requirement for Real ID for commercial air travel being the main one) with the act as a whole. Real ID are issued, and are required for a variety of purposes.
> Prior Supreme Court cases have ruled that the Federal government cannot coerce the States, e.g. via taxation or regulatory authority, to do something for the Federal government that the Federal government is prohibited from doing itself.
Which would be relevant if cases had also established that the federal government cannot issue photo ID cards that the Federal government required for functions subject to federal regulation under the Constitution.
But no such ruling has been made, and the federal government issues a variety of IDs (passports, permanent resident ID, military ID), and mandates their use (allowing, in some cases—like commercial air travel—the use of an acceptable alternative) for a variety of purposes.
brewdad 2021-08-18 18:13:58 +0000 UTC [ - ]
You seem very sure of these Supreme Court decisions that appear to have slipped past the rest of us. Not saying you are wrong, with the firehose of info these days it's easy to miss things, even really important things.
jandrewrogers 2021-08-18 19:42:17 +0000 UTC [ - ]
There isn't one court case that informs the boundaries of the Federal government and ID, and how the government may facilitate the linking of an existing identity token to their database, it is diffused across many. The policy and regulatory practice in the Federal government threads a convoluted path through this precedent, with myriad loopholes and workarounds, and exploiting gray areas that have not been adjudicated. I've worked in this environment, which is the only reason I know about it. Every time they create a database on US citizens, they must articulate the title authority that both allows that database to exist and to be used (use and existence are, somewhat dubiously, deemed separate authorities which notionally allows them to collect data if they don't look at it -- this reasoning is not well-tested).
In practice, the US government outsources identity stuff to companies like Lexis-Nexis, which rely on duck-typing to determine identity since this doesn't require the person being identified to carry a token. Just about everyone carries an ensemble of tokens that are sufficient for identity purposes if you have fewer database building prohibitions than the US government.
ciabattabread 2021-08-19 04:30:57 +0000 UTC [ - ]
rhizome 2021-08-18 18:48:06 +0000 UTC [ - ]
sneak 2021-08-18 18:22:50 +0000 UTC [ - ]
The feds have all of the secure flight data and all of the Real ID license/state ID card data, linked to SSN.
jandrewrogers 2021-08-18 19:47:48 +0000 UTC [ - ]
renewiltord 2021-08-18 18:03:33 +0000 UTC [ - ]
AbjectFailure 2021-08-18 17:45:46 +0000 UTC [ - ]
SahAssar 2021-08-18 17:15:04 +0000 UTC [ - ]
I have the ID card with smartcard capabilities too but I've never seen any place in sweden where they are used, but it's good to know I have it if I need to identify in the rest of europe.
iknowstuff 2021-08-18 17:34:04 +0000 UTC [ - ]
[1] https://developer.apple.com/documentation/security/certifica...
jeffmcjunkin 2021-08-18 19:14:48 +0000 UTC [ - ]
The whole point of a smart card (same as a military CAC, and almost the same as a TPM chip on computers) is to sign operations using the private key, without allowing export of that private key. They're still made of atoms, like all objects, and susceptible to physical key extraction attacks.
dahfizz 2021-08-18 17:21:43 +0000 UTC [ - ]
gruez 2021-08-18 17:23:03 +0000 UTC [ - ]
pengaru 2021-08-18 17:34:26 +0000 UTC [ - ]
It's just pre-paid or credit-based contracts AIUI.
My power company asked for my SSN when setting up the utilities, after plainly refusing to provide it they said a $250 deposit would be required, done!
jonny_eh 2021-08-18 18:24:34 +0000 UTC [ - ]
dharmab 2021-08-18 19:04:50 +0000 UTC [ - ]
astura 2021-08-18 19:16:45 +0000 UTC [ - ]
If you don't pay your bill or pay off your phone you get reported to the credit bureaus and sent to collections.
astura 2021-08-18 17:29:08 +0000 UTC [ - ]
IDs are only required if you want a post-paid plan and/or monthly financing for your phone. It's a rotating line of credit.
jorvi 2021-08-18 18:27:01 +0000 UTC [ - ]
swiley 2021-08-18 17:18:10 +0000 UTC [ - ]
Absolutely not. How about not requiring an ID? There are plenty of carriers here that don't do that.
astura 2021-08-18 17:24:38 +0000 UTC [ - ]
If you don't want to show id there's plenty of prepaid options (including with TMobile). You can also pay someone else to put you on their plan - the carrier only has the identification information for the plan owner.
wil421 2021-08-18 17:41:36 +0000 UTC [ - ]
Harvard has a list I found on google.
toast0 2021-08-18 18:14:01 +0000 UTC [ - ]
The postpaid plans are usually more expensive than prepaid, and they require a SSN and I'm not going to make the difference back by investing the payment for a month.
memco 2021-08-18 18:57:29 +0000 UTC [ - ]
astura 2021-08-18 19:06:20 +0000 UTC [ - ]
Post paid plans can also have a minimum term/termination fees, which the carrier would be interested in collecting.
Post-paid plans are also often grandfathered when prices increase for new customers.
swiley 2021-08-19 16:10:49 +0000 UTC [ - ]
Anything that touches the phone network is cursed.
cma 2021-08-18 18:44:06 +0000 UTC [ - ]
merb 2021-08-18 17:08:37 +0000 UTC [ - ]
gostsamo 2021-08-18 17:16:02 +0000 UTC [ - ]
merb 2021-08-18 17:25:26 +0000 UTC [ - ]
gostsamo 2021-08-18 17:41:04 +0000 UTC [ - ]
wiredfool 2021-08-18 19:05:08 +0000 UTC [ - ]
gostsamo 2021-08-18 21:16:56 +0000 UTC [ - ]
https://www.lawsociety.ie/globalassets/documents/committees/...
iknowstuff 2021-08-18 17:35:01 +0000 UTC [ - ]
est31 2021-08-18 19:46:10 +0000 UTC [ - ]
Personally I'm not even that sad about this German situation because often "improving" things digitally means centralizing them so you suddenly have one big database of 80 million germans containing all their data. A hack of that is way more dangerous than a hack of a single municipality's database. The larger the database, the larger the payoff for the hackers.
merb 2021-08-18 20:57:01 +0000 UTC [ - ]
solatic 2021-08-18 19:05:05 +0000 UTC [ - ]
You make it seem like the EU has an ideal system, but the truth of the matter is that identity verification, in a way that is both reliable enough to allow it to be used for making legal commitments (that cannot be backed out of), is flexible enough to suit a long tail of edge cases (the intellectually disabled, the elderly, children, etc.), and is secure enough against loss or theft is a very hard problem.
pokoleo 2021-08-18 19:12:30 +0000 UTC [ - ]
> What if you lose your card?
Each country could keep a log of revoked publishable keys. Countries do more complex things to validate VAT IDs today, so this wouldn't be out of the blue.
> How do you prove your identity to get a replacement? How do you prevent someone from reporting your card as stolen, representing themselves as you, and getting a new card (with a new PIN) issued in your name?
Governments need to solve the same issue with lost passports today. In some cases you can have other people to vouch for you, putting their own identities on the line. In other cases, you use other forms of ID (including immutable things like biometrics). Society has generally made this not a problem, and a new form of ID won't make it worse.
> What if you forget your PIN, how do you reset it?
At the worst, it's treated as a lost card and you get a replacement. There are probably ways to make this better but my point is: solvable.
LeifCarrotson 2021-08-18 17:09:18 +0000 UTC [ - ]
> And he causes all, the small and the great, and the rich and the poor, and the free men and the slaves, to be given a mark on their right hand or on their forehead, and he provides that no one will be able to buy or to sell, except the one who has the mark, either the name of the beast or the number of his name.
Additionally, politicians who pay lip service to these beliefs have an extremely strong and malleable voting bloc. It's a little crazy that a modern society is held hostage by such superstitions, but that's the way it's been. Fortunately, we just this year crossed beneath the 50% church membership threshold and the numbers continue to drop.
dotcommand 2021-08-18 17:42:19 +0000 UTC [ - ]
It's crazy how a nation of "religious fundamentalists" created the modern world. Crazy how "religious fundamentalists" created the wealthiest nation.
There has always been a backlash against centralized/federalized anything. From taxes to gun registration to you name it. As it should be. But you'll be happy to know that the trend is towards more centralized control and power.
paulryanrogers 2021-08-18 17:54:01 +0000 UTC [ - ]
Not sure that responding to an overly reductive conclusion with an even more reductive conclusion is helping.
FWIW I wouldn't say that fundamentalism itself did much to advance the world or make any nation rich. Except perhaps to motivate some people to seek unexploited resources elsewhere.
Bhilai 2021-08-18 18:05:47 +0000 UTC [ - ]
And yet support a sprawling state government machinery almost as powerful as the central/federal government so much so that states can dictate terms and laws they want and "local" cities and counties have to abide by it.
markhahn 2021-08-18 19:23:31 +0000 UTC [ - ]
markhahn 2021-08-18 19:22:21 +0000 UTC [ - ]
whoaisme 2021-08-18 17:57:03 +0000 UTC [ - ]
rjzzleep 2021-08-18 17:45:55 +0000 UTC [ - ]
The Baltic states have a private key that is actually usable to an end user. Open source, document signing format that works.
Plus a process that allows updating these keys in a safe fashion. None of that exists with the EU infrastructure.
umvi 2021-08-18 17:52:37 +0000 UTC [ - ]
paulryanrogers 2021-08-18 17:55:15 +0000 UTC [ - ]
swiley 2021-08-18 17:26:20 +0000 UTC [ - ]
Retric 2021-08-18 17:33:54 +0000 UTC [ - ]
swiley 2021-08-18 17:54:38 +0000 UTC [ - ]
dharmab 2021-08-18 18:08:32 +0000 UTC [ - ]
JTbane 2021-08-18 18:06:44 +0000 UTC [ - ]
gruez 2021-08-18 17:20:19 +0000 UTC [ - ]
markhahn 2021-08-18 19:41:15 +0000 UTC [ - ]
it's really a belief that the state is malign - and the further away (ie, federal), the worse. which is ironic because feds get vastly more scrutiny than some podunk local government.
rank0 2021-08-18 17:13:17 +0000 UTC [ - ]
Everyone has an ssn already wouldn’t that qualify for the mark?
pueblito 2021-08-18 17:18:10 +0000 UTC [ - ]
tristor 2021-08-18 17:24:28 +0000 UTC [ - ]
oasisbob 2021-08-18 17:51:41 +0000 UTC [ - ]
gjsman-1000 2021-08-18 17:26:11 +0000 UTC [ - ]
addingnumbers 2021-08-18 17:27:17 +0000 UTC [ - ]
Biblical prophecy finds way to legislators in battle over ID plan http://archive.boston.com/news/local/maine/articles/2007/03/...
> Fears about the federal government and the mark of the beast stretch back 100 years. ... The fears are anchored in St. John's warnings about the Roman government -- which conducted census surveys in Jesus' time -- that are recorded in Revelation, he said.
> "Whenever you have an active government that seems like it's trying to gather data on its citizens or take away certain freedoms, pretty often this particular prophesy is cited," he said.
hobs 2021-08-18 17:28:44 +0000 UTC [ - ]
When bar codes were introduced there was religious fervor and resistance about the mark of the beast on every product; it's a real and persistent meme among the christian crazy.
enkid 2021-08-18 17:42:37 +0000 UTC [ - ]
dharmab 2021-08-18 17:23:54 +0000 UTC [ - ]
gjsman-1000 2021-08-18 17:14:50 +0000 UTC [ - ]
So imagine a dictator, or a tyrannical government (say China) who said you need to worship Xi Jinping to receive the chip implanted in your body for identification purposes. Something like that they speculate. And that if you don't worship Xi, you don't get the chip, and you can't buy or sell anything.
waylandsmithers 2021-08-18 17:51:44 +0000 UTC [ - ]
kook_throwaway 2021-08-18 18:14:04 +0000 UTC [ - ]
amanaplanacanal 2021-08-18 18:33:17 +0000 UTC [ - ]
kook_throwaway 2021-08-18 21:47:49 +0000 UTC [ - ]
lbotos 2021-08-18 17:35:28 +0000 UTC [ - ]
the-dude 2021-08-18 17:35:00 +0000 UTC [ - ]
toast0 2021-08-18 18:11:00 +0000 UTC [ - ]
Since you need a SSN for a child to get the tax benefits of a child (as of 1986), and most parents will want those, it's an easy sell to get a SSN while processing the rest of the birth paperwork, rather than doing it later. I was born before 1986 and I believe my parents applied for SSNs for me and my siblings around then because it was needed for tax purposes.
dharmab 2021-08-18 18:03:09 +0000 UTC [ - ]
SSNs are not universal, either. There are some unions and religious groups that have legal exemptions.
astura 2021-08-19 02:31:12 +0000 UTC [ - ]
Exempt from participating in social security (the program), not exempt from having a social security number. In fact, getting a social security number is the first step in applying for an exception from social security. Basically, SSA needs to track you as being exempt from social security, which requires a unique identifier.
da_chicken 2021-08-18 17:18:01 +0000 UTC [ - ]
outworlder 2021-08-18 17:30:40 +0000 UTC [ - ]
Yes, the SSN is already used as a very weak form of identification, something it was never intended for.
Are you approaching this from a logical standpoint?
KoftaBob 2021-08-18 18:00:32 +0000 UTC [ - ]
Much of Revelation was the early Christian community talking shit about Emperor Nero using code so they don't get killed. It's not meant to be a prophecy of a future dystopia.
moistbar 2021-08-18 17:17:03 +0000 UTC [ - ]
mcherm 2021-08-18 17:22:48 +0000 UTC [ - ]
So, even if you consider it absurd, this particular belief IS widely-enough held to influence behavior and public policy in the US.
[1] https://covid.cdc.gov/covid-data-tracker/#vaccinations_vacc-...
moistbar 2021-08-18 17:59:30 +0000 UTC [ - ]
Please show me where it lists the reasons for not vaccinating on the page you linked, as I only see numbers on whether or not people are vaccinated. As it stands, your claim has zero statistical evidence to back it up. In fact, your link has zero relevance to your claim in any way.
minikites 2021-08-18 17:03:12 +0000 UTC [ - ]
No, because a significant amount of people in the USA think any kind of federal identification system is the "mark of the beast" from the biblical book of Revelation.
dharmab 2021-08-18 17:09:43 +0000 UTC [ - ]
odiroot 2021-08-18 18:00:34 +0000 UTC [ - ]
rhizome 2021-08-18 18:57:56 +0000 UTC [ - ]
amanaplanacanal 2021-08-18 18:40:28 +0000 UTC [ - ]
rank0 2021-08-18 17:09:51 +0000 UTC [ - ]
minikites 2021-08-18 17:21:28 +0000 UTC [ - ]
http://archive.boston.com/news/local/maine/articles/2007/03/...
>"People are very concerned if the federal government gives you a number, it will be the mark of the beast," said Missouri Rep. Jim Guest, the sponsor of a resolution similar to Whitaker's. "There are everyday people who get the connection to 666."
https://www.register-herald.com/news/local_news/is-real-id-a...
>Hudok emphasized he wasn’t saying that those enrolled in the global system are under the thumb of the ultimate Beast, but said the use of Real ID means biblical prophecy is “well under way.”
https://apps.itd.idaho.gov/Apps/MediaManagerMVC/NewsClipping...
>But some evangelical Christians take the "mark" of Revelation more literally, and believe that a number-based identification system in the U.S. will eventually spread throughout the world, only to be used by a global dictator (the antichrist) who will control international trade with the numbers issued under the Real ID program.
swiley 2021-08-18 17:27:59 +0000 UTC [ - ]
You're as ignorant as the people you mock.
dhosek 2021-08-18 17:47:14 +0000 UTC [ - ]
https://www.christianpost.com/news/the-national-biometric-id...
https://www.fisherphillips.com/news-insights/don-t-give-your...
http://archive.boston.com/news/local/maine/articles/2007/03/...
I'm a Christian and I find most of those arguing that it's the mark of the beast (or the road there) to be disingenuous at its root (there's an awful lot of anti-Christian stuff being flogged in the name of Christianity), but to claim that this isn't being done in the name of religion is to miss what's happening out there. Turn your car radio to the far left of the dial and listen to some Christian talk radio some time—there's a lot of craziness being put out into the world in the name of religion.
quickthrowman 2021-08-18 17:57:15 +0000 UTC [ - ]
Yes, using a 1st century AD apocalyptic book about the Romans to interpret contemporary government policy is by definition disingenuous.
dhosek 2021-08-19 02:25:49 +0000 UTC [ - ]
nateberkopec 2021-08-18 16:53:59 +0000 UTC [ - ]
Would that really be such a bad thing? Both seem completely replaceable as authentication steps.
jvanderbot 2021-08-18 17:00:22 +0000 UTC [ - ]
Check a photo ID. Check a public cert. Take a fingerprint.
Buttons840 2021-08-18 17:23:46 +0000 UTC [ - ]
Is a credit agency illegally spreading false information about you? Not their problem, after all, they can't be expected to know they're spreading false information. Also, they advertise that they are in possession of credit monitoring systems capable of detecting this false information. How is this not libel?
lotsofpulp 2021-08-18 17:05:14 +0000 UTC [ - ]
jjtheblunt 2021-08-18 16:58:52 +0000 UTC [ - ]
jgillette 2021-08-18 18:00:03 +0000 UTC [ - ]
withinboredom 2021-08-18 18:40:59 +0000 UTC [ - ]
astura 2021-08-19 02:40:07 +0000 UTC [ - ]
x0x0 2021-08-18 19:47:10 +0000 UTC [ - ]
stretchwithme 2021-08-18 17:00:24 +0000 UTC [ - ]
Would that situation persist for decades?
miohtama 2021-08-18 16:59:59 +0000 UTC [ - ]
stretchwithme 2021-08-18 17:03:42 +0000 UTC [ - ]
But SSNs aren't even ONE factor.
It's time the US government entered the 21st century.
stretchwithme 2021-08-18 17:01:02 +0000 UTC [ - ]
Gwypaas 2021-08-18 17:11:48 +0000 UTC [ - ]
cryvate1284 2021-08-18 17:03:02 +0000 UTC [ - ]
withinboredom 2021-08-18 18:42:07 +0000 UTC [ - ]
tadfisher 2021-08-18 17:11:03 +0000 UTC [ - ]
jaundermann 2021-08-18 17:31:37 +0000 UTC [ - ]
A4ET8a8uTh0 2021-08-18 16:52:29 +0000 UTC [ - ]
What is the tipping point? Did we manage to pass it altogether ( asking since even I took this news as... eh, why bother )?
Honestly, what needs to happen to make it 'not so'.
MattGaiser 2021-08-18 16:55:28 +0000 UTC [ - ]
vmception 2021-08-18 18:20:22 +0000 UTC [ - ]
Could probably boost the GDP by 2% by just acknowledging that compliance is a waste of time and ending that regime.
lotsofpulp 2021-08-18 16:49:53 +0000 UTC [ - ]
gruez 2021-08-18 17:27:13 +0000 UTC [ - ]
lotsofpulp 2021-08-18 17:42:27 +0000 UTC [ - ]
It is akin to “the process is the punishment” when you get tied up in the US legal/criminal justice system, even if you are innocent.
yupper32 2021-08-18 16:55:04 +0000 UTC [ - ]
You're not going to do much damage creating a T-Mobile account with my SSN. You will by signing up for a credit card or resetting the password on my bank account.
lotsofpulp 2021-08-18 16:58:30 +0000 UTC [ - ]
Which would include pretty much all consumer level/retail financial companies I think, but certainly is not limited to them.
When entity A defrauds entity B by pretending to be entity C, entity C should not be affected in any way, other than letting entity B know they were not party to the transaction.
In other words, it should be entity B’s responsibility to prove entity C engaged in a transaction with them before being able to affect entity C’s credit.
And that would solve all of this nonsense very quickly.
mrtnmcc 2021-08-18 19:15:37 +0000 UTC [ - ]
"One moment sir..."
"Congratulations! you have very good credit, Welcome to TMobile."
...It's baloney, I think they just try to get it for leverage if you have a bill outstanding.
Anyway, very glad I gave them a fake SSN.
EDIT: I did learn they use the last four digits as an initial pin in some cases, so good to remember whatever nonsense number you tell them.
meowster 2021-08-18 19:53:07 +0000 UTC [ - ]
x0x0 2021-08-18 19:43:14 +0000 UTC [ - ]
Kinda funny: the plan I bought from Walmart because I'm cheap had no credit check, so no DOB/SSN, and it turned out to be significantly more secure than what was available if you shared your credit info with T-Mobile.
fridif 2021-08-18 17:01:37 +0000 UTC [ - ]
Why should T-Mobile care who it is they are giving phone service to? As long as the bills are paid on time, it shouldn't matter. Here's my order ID and my password.
And before anyone makes the terrorism argument, it would seem that our country has deprioritized that initiative.
vlozko 2021-08-18 18:27:31 +0000 UTC [ - ]
Therein lies the problem. Phones these days are sold on loans and this is a postpaid service meaning each billing cycle you owe for the prior billing cycle. People defaulting on phone bills is more common than you think.
I recall some time about 25 years ago when Sprint was offering a no credit check/no deposit special. They ended it due to having to write off a large portion of their non-paying users. It also ended up being a net loss of total users for them, an unheard-of situation in a time of rapid growth and a market nowhere near saturation.
dheera 2021-08-18 19:35:25 +0000 UTC [ - ]
I don't mind paying phone bills upfront at all.
vlozko 2021-08-18 22:54:32 +0000 UTC [ - ]
toast0 2021-08-18 18:19:40 +0000 UTC [ - ]
It's super helpful if T-Mobile knows who I am so they can give me a new sim when my phone is lost or stolen. Of course, it's not great when they give someone else a new sim when they claim to be me and that my phone is lost or stolen.
barbazoo 2021-08-18 17:21:36 +0000 UTC [ - ]
I'm assuming that's what they use your SSN for, to run a credit check. I'm not saying that's ok, just that that's how it's done.
curun1r 2021-08-18 18:24:52 +0000 UTC [ - ]
We really need to start attaching eye-watering financial penalties to companies that leak data so that we make the only sane decision be not storing that data in the first place. Collect it and shuttle it to where it needs to go...but under no circumstances commit it to at rest storage.
dawnerd 2021-08-18 18:14:21 +0000 UTC [ - ]
Sevii 2021-08-18 18:44:17 +0000 UTC [ - ]
slg 2021-08-18 16:52:48 +0000 UTC [ - ]
chrismarlow9 2021-08-18 17:18:17 +0000 UTC [ - ]
withinboredom 2021-08-18 18:54:53 +0000 UTC [ - ]
2OEH8eoCRo0 2021-08-18 17:00:54 +0000 UTC [ - ]
slg 2021-08-18 17:05:47 +0000 UTC [ - ]
dougbarrett 2021-08-18 16:54:17 +0000 UTC [ - ]
iknowstuff 2021-08-18 16:59:24 +0000 UTC [ - ]
In any case, the private key is stored on a plastic ID, only released with a PIN, and the databases only store the corresponding public key.
A leak of a public key without the private key is harmless.
slg 2021-08-18 17:02:30 +0000 UTC [ - ]
When I go to a bank for a loan, I should give them some form of private id as proof I am who I say I am (this doesn't have to be a federally issued number).
When companies communicate about me with each other (such as running a credit check on me which is likely why T-Mobile even had SSNs) they should use my public id.
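The split the two comments above describe (a private key that never leaves a PIN-protected card, a public id that can be shared freely, and verifier databases that hold only public keys) is a challenge-response protocol. The following is an added example, written for this thread and not code from any national-ID scheme; the `Card`, `Registry` and the `pub-0001` id are hypothetical stand-ins. It shows enrollment, a fresh random challenge signed on the card only after the correct PIN, one-time use of each challenge so a captured signature cannot be replayed, and why a stolen copy of the registry (public keys only) does not let anyone authenticate as the holder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card models the plastic ID from the thread: the private key never leaves it,
// and it signs only after the holder presents the correct PIN. Hypothetical
// model for illustration, not any real card's firmware.
type Card struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewCard generates a key pair on the card and returns the public half, which
// is the only part that is ever handed to a registry.
func NewCard(pin string) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv, pin: pin}, pub, nil
}

// Sign releases a signature over the challenge only for the correct PIN.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("card: wrong PIN, signature refused")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// Registry is the verifier's database (bank, credit bureau, carrier). It holds
// only public keys indexed by a public id, so a stolen copy of this table
// cannot be used to impersonate anyone.
type Registry struct {
	pubs   map[string]ed25519.PublicKey
	nonces map[string]bool // issued challenges; true once consumed (no replay)
}

func NewRegistry() *Registry {
	return &Registry{pubs: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Enroll records the public key under the person's public id.
func (r *Registry) Enroll(publicID string, pub ed25519.PublicKey) {
	r.pubs[publicID] = pub
}

// Challenge issues a fresh 256-bit random nonce the card must sign.
func (r *Registry) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.nonces[hex.EncodeToString(nonce)] = false
	return nonce, nil
}

// Verify accepts a signature at most once per issued challenge, and only if it
// checks out against the enrolled public key.
func (r *Registry) Verify(publicID string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	consumed, issued := r.nonces[key]
	if !issued || consumed {
		return false // unknown or already used challenge
	}
	r.nonces[key] = true // burn it even if the signature turns out bad
	pub, ok := r.pubs[publicID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// AttemptWithoutPrivateKey plays someone holding a dump of the registry: they
// know the victim's public id and public key but can only sign with a key of
// their own. Returns whether the registry accepted the attempt.
func AttemptWithoutPrivateKey(r *Registry, victimID string) (bool, error) {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	challenge, err := r.Challenge()
	if err != nil {
		return false, err
	}
	return r.Verify(victimID, challenge, ed25519.Sign(otherPriv, challenge)), nil
}

func main() {
	card, pub, _ := NewCard("1234")
	reg := NewRegistry()
	reg.Enroll("pub-0001", pub) // constructed sample id
	ch, _ := reg.Challenge()
	sig, _ := card.Sign("1234", ch)
	fmt.Println("genuine login accepted:", reg.Verify("pub-0001", ch, sig))
	fmt.Println("replayed signature accepted:", reg.Verify("pub-0001", ch, sig))
	accepted, _ := AttemptWithoutPrivateKey(reg, "pub-0001")
	fmt.Println("login from leaked registry accepted:", accepted)
}
```

The registry never sees a secret: a breach of its table discloses public keys and public ids, which is exactly the "harmless leak" the comment describes. The one-time nonce is the caveat a practitioner should not skip, since without it a signature observed once would be as reusable as an SSN.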
lotsofpulp 2021-08-18 17:08:03 +0000 UTC [ - ]
The solution is pretty simple, the government should require others to prove they engaged in a transaction with you before being able to put an unpaid debt on your credit report, not the other way around.
InitialLastName 2021-08-18 17:34:06 +0000 UTC [ - ]
You appear to be operating under a misunderstanding: The government doesn't organize credit reports. Credit reports (in the US, at least) are compiled by independent companies, who operate with very little oversight or recourse (and occasionally leak lots of data themselves).
sidewndr46 2021-08-18 19:13:09 +0000 UTC [ - ]
lotsofpulp 2021-08-18 17:41:36 +0000 UTC [ - ]
sethhochberg 2021-08-18 16:58:23 +0000 UTC [ - ]
They became a de facto identifier for many institutions just because US citizens and permanent residents generally have one - but aside from convenience, they're pretty problematic compared even to something like a UUID/GUID.
If you were trying to design a true national ID number, you'd probably want to approach the problem more like a database designer would: you'd want something that had possible unique values far exceeding the reasonable number of people you expect to exist before the collapse of society, that was reasonably random and difficult to predict based on other known attributes about the person, that by spec was never shared with another person, etc.
Spooky23 2021-08-18 17:04:28 +0000 UTC [ - ]
We already have such a system, it’s called a passport, and it has complementary “cousins” like passport cards and nexus cards. That framework could easily be built upon, but there is a mountain of paranoia and stupid to climb first.
Instead we have the current system where fraud is endemic and where millions of people are marginalized by poor access to ID.
gregoryjjb 2021-08-18 16:59:57 +0000 UTC [ - ]
stickfigure 2021-08-18 17:08:23 +0000 UTC [ - ]
gjsman-1000 2021-08-18 16:53:37 +0000 UTC [ - ]
iknowstuff 2021-08-18 16:57:00 +0000 UTC [ - ]
In any case, the private key is stored on a plastic ID, only released with a PIN, and the databases only store the corresponding public key.
A leak of a public key without the private key is harmless.
nickthemagicman 2021-08-18 17:04:26 +0000 UTC [ - ]
SSH has been using it all these years and still going strong.
toomuchtodo 2021-08-18 16:58:03 +0000 UTC [ - ]
bcherny 2021-08-18 17:01:13 +0000 UTC [ - ]
gjsman-1000 2021-08-18 17:05:26 +0000 UTC [ - ]
brewdad 2021-08-18 18:21:31 +0000 UTC [ - ]
bcherny 2021-08-18 18:53:33 +0000 UTC [ - ]
gjsman-1000 2021-08-18 16:58:40 +0000 UTC [ - ]
There is literally no reason why Americans would trust the central government to be more secure than T-Mobile at this point.
toomuchtodo 2021-08-18 16:58:50 +0000 UTC [ - ]
gjsman-1000 2021-08-18 17:02:42 +0000 UTC [ - ]
encryptluks2 2021-08-18 17:06:39 +0000 UTC [ - ]
UseStrict 2021-08-18 17:03:37 +0000 UTC [ - ]
If anything it might encourage companies to smarten up if there was a law on the books that required companies that get compromised to pay for the re-issuing of the user tokens to every impacted individual.
nemothekid 2021-08-18 17:00:11 +0000 UTC [ - ]
gjsman-1000 2021-08-18 17:01:05 +0000 UTC [ - ]
After all, how did the NSA's top-secret Vault7 weapons get stolen considering that they were following "best practices"? And then proceed to bring havoc to the world with WannaCry...
ozzythecat 2021-08-18 16:54:36 +0000 UTC [ - ]
toast0 2021-08-18 18:20:45 +0000 UTC [ - ]
sizzzzlerz 2021-08-18 18:30:53 +0000 UTC [ - ]
kristopolous 2021-08-18 18:36:08 +0000 UTC [ - ]
As in, could someone go out, buy things that would get flagged as fraud on their own card, then say they didn't make the purchase when called by the fraud investigator, and Visa/Mastercard would be too busy tracking down the bigger ticket frauds at the moment and then just let it slide and reverse the charges?
My personal integrity stops me from attempting this crime, but I believe it would work.
Ozzie_osman 2021-08-18 18:26:22 +0000 UTC [ - ]
bcherny 2021-08-18 16:53:19 +0000 UTC [ - ]
What concrete proposals exist for phasing out SSN as proof of identity in the US?
And how can I (as a person in tech) get involved?
toast0 2021-08-18 18:23:33 +0000 UTC [ - ]
> And how can I (as a person in tech) get involved?
Wide distribution of name, ssn, dob lists seems to be a good way to reduce the effectiveness of SSN as proof of identity. If you'd like to get involved, you can probably take part in breaches or distribution. /s
bcherny 2021-08-18 18:54:44 +0000 UTC [ - ]
mixmastamyk 2021-08-18 19:31:04 +0000 UTC [ - ]
toast0 2021-08-18 19:28:53 +0000 UTC [ - ]
shishy 2021-08-18 17:09:06 +0000 UTC [ - ]
> Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
Hmmm, I get why he says this, but what is the practical scenario here? We remove phone numbers from accounts after we make them? But doesn't that just mean we disable 2FA, making our accounts less secure and therefore more likely to be compromised by other means?
IncRnd 2021-08-18 17:15:47 +0000 UTC [ - ]
Encryption of sensitive data is freely available. When the data gets stolen, it would not contain the sensitive data, since that would be in a non-readable format. It is a liability for companies to store these incredibly large amounts of personal data in centralized locations.
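As an added example of the point above (not code from the thread or from T-Mobile), here is field-level encryption of the sensitive columns with AES-GCM, where the key lives with the application (or in a KMS/HSM) and never in the database or its backups. The `Vault` and `Customer` types, the `cust-1` id and the SSN/DOB values are constructed for illustration. Two details matter beyond "encrypt it": a fresh nonce per field, and the record id bound in as associated data so a ciphertext cut from one row cannot be pasted into another and decrypted there. The helper then dumps the table the way a backup job would and checks what a thief of that dump can read.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Vault holds the data-encryption key. Hypothetical helper for this example;
// in production the key comes from a KMS/HSM, not from the data store.
type Vault struct{ aead cipher.AEAD }

// NewVault accepts a 16-, 24- or 32-byte AES key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one field with a fresh nonce (prepended to the output). The
// record id is associated data: the ciphertext only opens under the same id.
func (v *Vault) Seal(recordID, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)), nil
}

// Open reverses Seal; any tampering, wrong key or wrong record id fails.
func (v *Vault) Open(recordID string, blob []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Customer is the row as it sits in the database and in any backup of it.
type Customer struct {
	ID   string `json:"id"`
	Name string `json:"name"` // left in the clear here to contrast with the sealed fields
	SSN  []byte `json:"ssn"`  // AES-GCM ciphertext (base64 once serialised)
	DOB  []byte `json:"dob"`
}

// StoreCustomer builds the at-rest row with the sensitive columns sealed.
func StoreCustomer(v *Vault, id, name, ssn, dob string) (Customer, error) {
	encSSN, err := v.Seal(id, ssn)
	if err != nil {
		return Customer{}, err
	}
	encDOB, err := v.Seal(id, dob)
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: id, Name: name, SSN: encSSN, DOB: encDOB}, nil
}

// BackupDump serialises the table the way a backup job might (JSON here).
func BackupDump(rows []Customer) ([]byte, error) { return json.Marshal(rows) }

// DumpLeaksPlaintext reports whether a secret appears verbatim in a dump.
func DumpLeaksPlaintext(dump []byte, secret string) bool {
	return bytes.Contains(dump, []byte(secret))
}

func main() {
	key := make([]byte, 32) // demo key only; never hard-code a real one
	v, _ := NewVault(key)
	row, _ := StoreCustomer(v, "cust-1", "Jane Doe", "123-45-6789", "1980-01-01") // constructed sample
	dump, _ := BackupDump([]Customer{row})
	fmt.Println("backup exposes SSN:", DumpLeaksPlaintext(dump, "123-45-6789"))
	fmt.Println("backup exposes name:", DumpLeaksPlaintext(dump, "Jane Doe"))
	ssn, err := v.Open("cust-1", row.SSN)
	fmt.Println("app with key reads SSN:", ssn, err)
	_, err = v.Open("cust-2", row.SSN)
	fmt.Println("same ciphertext under another id:", err)
}
```

The contrast in the output is the point: the name, stored in the clear, is readable in the dump, while the sealed columns are not, and a backup server that gets copied off-site carries nothing usable unless the key is copied with it. That is the operational caveat: backups of the key material must be managed separately from backups of the data, or the encryption only relocates the problem.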
f32jhnjk33jj 2021-08-18 17:28:04 +0000 UTC [ - ]
Ansil849 2021-08-18 17:02:18 +0000 UTC [ - ]
Maxburn 2021-08-18 17:11:17 +0000 UTC [ - ]
vlozko 2021-08-18 17:58:08 +0000 UTC [ - ]
jcun4128 2021-08-18 17:36:33 +0000 UTC [ - ]
adoxyz 2021-08-18 20:08:03 +0000 UTC [ - ]
I think by now everyone in the US has a few lifetimes of free Identity Theft protection from most companies they've ever interacted with.
Ansil849 2021-08-18 17:01:11 +0000 UTC [ - ]
encryptluks2 2021-08-18 17:08:49 +0000 UTC [ - ]
NelsonMinar 2021-08-18 19:30:04 +0000 UTC [ - ]
tyingq 2021-08-18 17:01:02 +0000 UTC [ - ]
adrianmonk 2021-08-18 17:18:47 +0000 UTC [ - ]
If you want to accept credit card payments, the industry requires PCI compliance (https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...), which actually does involve taking substantial steps to protect those card numbers. An outside organization does some amount of validation that you're handling the card numbers in a reasonable way.
There's a difference here, which is that if personal details like names, date of birth, and driver's license are leaked, it affects individuals' interests. But if card numbers are leaked, it affects the interests of huge corporations.
Those corporations have the resources and power to get involved and protect their interests in a way that consumers don't.
Zelphyr 2021-08-18 17:26:27 +0000 UTC [ - ]
janitor61 2021-08-18 17:30:07 +0000 UTC [ - ]
https://www.experian.com/freeze/center.html
https://www.transunion.com/credit-freeze
https://www.equifax.com/personal/credit-report-services/cred...
axus 2021-08-18 16:59:06 +0000 UTC [ - ]
iamricks 2021-08-18 16:48:30 +0000 UTC [ - ]
tyingq 2021-08-18 16:51:47 +0000 UTC [ - ]
Here's a screenshot they uploaded as proof of the hack: https://pbs.twimg.com/media/E848JkGUUAIhIq5?format=jpg
You can see that it's running GoldenGate, software used to replicate Oracle or other databases. So it probably had all the DB credentials needed to just export the whole database.
switz 2021-08-18 17:17:27 +0000 UTC [ - ]
Well at least they weren't lying.
gjsman-1000 2021-08-18 16:52:14 +0000 UTC [ - ]
eralps 2021-08-18 17:04:51 +0000 UTC [ - ]
bigwavedave 2021-08-18 17:35:49 +0000 UTC [ - ]
Yep, here you go: "No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed," T-Mobile said. "We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file."
minikites 2021-08-18 16:50:51 +0000 UTC [ - ]
tyingq 2021-08-18 16:57:19 +0000 UTC [ - ]
The total cost to them was ~$300M, and the CEO had to step down. Though $300M when your annual revenues are ~90B isn't really a huge hit. Less than 1/10th of net earnings for a year.
https://www.thesslstore.com/blog/2013-target-data-breach-set...
ciabattabread 2021-08-18 18:29:48 +0000 UTC [ - ]
99mans 2021-08-18 17:03:07 +0000 UTC [ - ]
swiley 2021-08-18 16:48:20 +0000 UTC [ - ]
criticaltinker 2021-08-18 16:52:15 +0000 UTC [ - ]
This article does seem to report different numbers - 47M instead of 100M.
dang 2021-08-18 19:50:18 +0000 UTC [ - ]
T-Mobile Confirms It Was Hacked - https://news.ycombinator.com/item?id=28202399 - Aug 2021 (248 comments)
T-Mobile investigating claims of 100M customer data breach - https://news.ycombinator.com/item?id=28192423 - Aug 2021 (191 comments)