Hizonner a day ago

OK, but what model would you suggest?

Apple has no adequate way to actually verify who anybody is without (a) forcing them to physically visit one of a small number of offices (it can't be every store), and (b) probably charging a significant fee to cover the cost of doing real verification.

And even that demands assuming that the identifying information on the account is right.

throwaway48476 a day ago

For account recovery, in-store verification is viable. They've already collected data on their customers via payment processors.

I would also force users to watch a video explaining the security features and quiz them before turning them on. You can't expect users to immediately understand how the security model works.

ghusto 8 hours ago

> OK, but what model would you suggest?

I don't know, I'm not a multi-billion dollar multinational organisation employing some of the smartest and highest paid engineers in the world.

Off the top of my modest head though, an ID check at one of the thousands of stores they have around the world sounds like it could work.

mingus88 a day ago

I have a hard time believing this when they also have Apple Cash and Apple Pay.

Even with their strong privacy fundamentals they know more about their account holders than any single business should.

oarsinsync a day ago

> Apple has no adequate way to actually verify who anybody is without (a) forcing them to physically visit one of a small number of offices (it can't be every store), and (b) probably charging a significant fee to cover the cost of doing real verification.

My bank is able to verify me remotely to log in to their app from a new device in under 15 minutes, just with a photo of my ID card and a video of my face. And the bank is liable for any losses caused if they misidentify me.

Why can my bank do it but Apple can't?

Hizonner a day ago

Your bank verifies that against the copy of your ID that was collected in person when you opened the account (unless you're using some fly-by-night FinTech "bank", anyway). At a minimum, the bank has already collected, and checked, a bunch of other information that it can use to verify you (more than Apple can collect without mass user rebellion). It has reasonable confidence you haven't lied about that information. The bank can use that information to look up more about you in public records (which the bank knows how to do because, unlike Apple, it doesn't operate in every jurisdiction in the world). And I suspect that the ID/video check is on top of proving you already know a password.

Perhaps even more important, the bank knows exactly what liability it's assuming, and what risk it's exposing you to. There's a limit on how much money the app will let you move (even if the bank doesn't tell you what it is). All the transactions you can do are defined by the bank, it knows what's going on at all times, and it can and does apply extra checks for risky-looking transactions.

And bank transactions in general have a whole reversal-based security layer on top of all that.

On the other hand, people use their Apple accounts to log into God-knows-what third party systems with God-knows-what risks and God-knows-what other security measures or lack thereof.

Oh, and also the bank charges you ongoing overt or hidden fees specifically to cover the costs of securing your money. And of insurance if it fails to do so.

oarsinsync 16 hours ago

Online-only bank Chase from JPM charges me £0, has a £10k limit on transactions without requiring further verification, and successfully verified me online in under 15 minutes, despite having never seen any of my real documents in person, despite me logging in for the first time in 2 months from a new device that they’ve never seen.

Meanwhile Apple is unable to manage to identify its own customers in its home jurisdiction.

Hizonner 11 hours ago

> charges me £0

You haven't figured out that there are hidden charges? They're not giving you an account because they love you. They're giving you an account because they're making money on your deposits and/or transactions and not passing it on to you. And the money they're making is pretty proportionate to their risks; the more money you have to lose, the more they're going to make.

Whatever revenue iCloud manages to eke out of a random iPhone is going to be far less, and far less correlated with risk. Apple has to structure the system around the user who buys zero premium services.

> has a £10k limit on transactions

So a low limit by the standards of what we're talking about here, and a nice, quantifiable, insurable amount to boot. Which, as I said before, is the most important part of the whole thing. Oh, and I suspect you'll find out that the limit magically gets lower if the money is being sent to wesellgiftcards.com or whatever.

The person featured in the sob story here claims to have lost an entire career. That's going to be worth quite a bit more than that transaction limit, but how much more is hard to say because it's unquantifiable. It is of course stupid to make that dependent on your iPhone, but Apple still has to worry about it if Apple starts trying to take on responsibility for that kind of stupidity.

> despite having never seen any of my real documents in person

You should get a more responsible bank. Although nowadays they may be able to pull, for instance, your ID pictures from government databases to compare with whatever you send them over the Internet... since they have the numbers (and maybe the authorization) to do the lookups. Unlike Apple.

> Meanwhile Apple is unable to manage to identify its own customers in its home jurisdiction.

"Home jurisdiction" is irrelevant. It's not about where your headquarters are. It's about where you operate. Whatever Apple sets up in its "home jurisdiction", it also effectively has to support throughout the world. There aren't enough phone buyers in Cupertino to support Apple's valuation.

JumpCrisscross a day ago

> Why can my bank do it but Apple can't?

Banks write off tens of billions of dollars of fraud costs a year. They can do this because money is fungible.

wmf a day ago

The person in the article who has their whole professional life in a stolen Apple account would probably be happy to visit Apple HQ in person.

KingInTheFnord a day ago

They do, they simply choose not to as a business. They should be forced to.

newsclues a day ago

Digital identity is an essential aspect of modern life.

The fact that the government doesn’t have a great standard for identity and it’s left to banks and tech companies is crazy.

20after4 a day ago

Identity is a really hard problem to solve. Just about any scheme you can think of to verify identity, some smart criminal can think of a way to exploit or circumvent/abuse the system.

newsclues 15 hours ago

Oh no a hard problem. Too bad we don't have smart people to solve it.

You know there are smart criminals who use fake or fraudulent passports and travel documents? And yet we still go through the process of using them because a system with some control is better than chaos and no control.

unyttigfjelltol a day ago

Yes, this is literally one of a handful of core government functions.