If there has been a breach.



  • My line of thinking is that if your personal information ie. Social Security number Drivers License number have been scooped up in a security breach. That the information on these items is "forever" compromised. Am I correct?



  • Pretty much, which makes them horrible 'private' pieces of information.

    A SSN never changes, so it's not something that's really secure, or secure able. The use of them is so ubiquitous that using them for credit checking is just absurd



  • @Dashrender truth. I was cleaning out the garage this weekend and found my University of North Texas student ID. Lookey there, my student number is my SS number.



  • Now a DL can change every time you get a new one, so that's a little safer. But any string you have to provide over and over again as a verification of identity just make it less and less secure. No different than using the same CC number everywhere.

    There are definitely modern solutions. Some countries have created a public/private key pair through a card for their citizens. This would be significantly more secure, as long as the issuing provider doesn't have your private key backed up. 😉



  • @Dashrender That is what I was kind of thinking about. Something like a State Yubikey similar to the chips that are now on credit cards. At least make it harder for the thieves to profit.



  • @popester said in If there has been a breach.:

    My line of thinking is that if your personal information ie. Social Security number Drivers License number have been scooped up in a security breach. That the information on these items is "forever" compromised. Am I correct?

    Yup



  • @Dashrender said in If there has been a breach.:

    Pretty much, which makes them horrible 'private' pieces of information.

    Which, neither is. Both are public non-ID items. The issue is random people choosing to avoid using an ID and is effectively a scam.



  • @scottalanmiller said in If there has been a breach.:

    @Dashrender said in If there has been a breach.:

    Pretty much, which makes them horrible 'private' pieces of information.

    Which, neither is. Both are public non-ID items. The issue is random people choosing to avoid using an ID and is effectively a scam.

    Well, we'd like to say they aren't IDs, but the SSN has definitely become a defacto ID. You can hardly do anything without it - you can't get a job with it, they must report to the IRS using it, you can't get credit without it - the credit agencies only use that as a verifier of your identity, etc.



  • @Dashrender said in If there has been a breach.:

    you can't get a job with it, they must report to the IRS using it

    Umm, that is why it exists...



  • similar subject has been brought up in the UK recently. The government wanted all porn sites to use a central ID checking scheme where access will only be provided using a driving licence or passport etc. Privacy groups mentioned it would be too risky if the private information was ever leaked. This has kind of been stalled now as it was also mentioned that DNS will be encrypted by most browsers soon.



  • @StuartJordan said in If there has been a breach.:

    similar subject has been brought up in the UK recently. The government wanted all porn sites to use a central ID checking scheme where access will only be provided using a driving licence or passport etc. Privacy groups mentioned it would be too risky if the private information was ever leaked. This has kind of been stalled now as it was also mentioned that DNS will be encrypted by most browsers soon.

    If what information was leaked? the DL or central ID?

    The reality is we can't really function well without some form of central ID - hence the huge use of the SSN in the USA.
    Though I wonder - is there any kind of check between the SSN use at a creditor and the actual on file name for the assigned SSN at SS? I'm guessing not, so the initial trust is just that - simple trust.



  • @Dashrender If the DL or passport was leaked. The main 2 forms of ID accepted in the UK.



  • Another alternative they were thinking about is going to your local newsagents/shop and showing your ID there and then given a unique authorisation code to be entered online. I though both ideas were completely stupid considering a lot of people now use VPNs in the UK.



  • @Dashrender said in If there has been a breach.:

    @StuartJordan said in If there has been a breach.:

    similar subject has been brought up in the UK recently. The government wanted all porn sites to use a central ID checking scheme where access will only be provided using a driving licence or passport etc. Privacy groups mentioned it would be too risky if the private information was ever leaked. This has kind of been stalled now as it was also mentioned that DNS will be encrypted by most browsers soon.

    If what information was leaked? the DL or central ID?

    The reality is we can't really function well without some form of central ID - hence the huge use of the SSN in the USA.
    Though I wonder - is there any kind of check between the SSN use at a creditor and the actual on file name for the assigned SSN at SS? I'm guessing not, so the initial trust is just that - simple trust.

    Yes, the entire system is just "someone claims it to be true." The system is so flimsy that it is little different than using peoples' names as IDs.

    The real issue isn't using these things as IDs, although that doesn't work, but going a step further and claiming that an ID is also authentication. That's the real issue.

    It's the same as stating that a username is good enough and no password is needed. And forcing the username to be a one time numeric value, issued possibly sequentially, that is not unique, and is public.



  • @Dashrender said in If there has been a breach.:

    @scottalanmiller said in If there has been a breach.:

    @Dashrender said in If there has been a breach.:

    Pretty much, which makes them horrible 'private' pieces of information.

    Which, neither is. Both are public non-ID items. The issue is random people choosing to avoid using an ID and is effectively a scam.

    Well, we'd like to say they aren't IDs, but the SSN has definitely become a defacto ID. You can hardly do anything without it - you can't get a job with it, they must report to the IRS using it, you can't get credit without it - the credit agencies only use that as a verifier of your identity, etc.

    Yes, but it is not an ID in those cases. It's an extra part tied to your other information that together form an ID. SS on its own in not unique, so doesn't identify you.

    You have to have one, and you have to have the right one, but knowing one doesn't prove the slightest thing to the IRS.

    Credit agencies make up something unrelated in association with it.


Log in to reply