slashdev, 5 days ago:
All these endless data breaches could be reduced if we fixed the incentives, but that's difficult. We could never stop it, because humans make mistakes, and big groups of humans make lots of mistakes. That doesn't mean we shouldn't try. It seems to me a parallel path that should be pursued is to make the impact less damaging. Don't assume that things like birth dates, names, addresses, phone numbers, emails, SSNs, etc. are private. Shut down the avenues that people use to "steal identities". I hate the term stealing identity, because it implies the victim made some mistake to allow it to happen, when what really happened is the company was lazy to verify that the person they're doing business with is actually who they say they are. The onus and liability should be on the company involved. If a bank gives a loan to you under my name, it should be their problem, not mine. It would go away practically overnight as a problem if that were changed. Companies would be strict about verifying people, because otherwise they'd lose money. Incentives align. Identity theft is not the only issue with data leaks/breaches, but it seems one of the more tractable.

DicIfTEx, 5 days ago:
> I hate the term stealing identity, because it implies the victim made some mistake to allow it to happen. When what really happened is the company was lazy to verify that the person they're doing business with is actually who they say they are. The onus and liability should be on the company involved.

You may enjoy this sketch: https://www.youtube.com/watch?v=CS9ptA3Ya9E

rendaw, 4 days ago:
Okay, I'm inclined to agree here, but what I don't see addressed is: If you set up an account with a username and password, then write it down on a slip of paper, and then drop that in a cafe, and someone else logs in as you and drains your account, is the bank liable for that too? Are all services with logons? But that looks identical to identity theft in a lot of ways. If bank-mandated security controls are breached, or they don't provide adequate controls, I feel like that's on them. But if they've done their part and you've been irresponsible then that's on you. But where's the dividing line? And saying the banks have more responsibility can also justify more biometrics and surveillance. Is the differentiating factor here that the bank (or whatever) is allowing access with insecure credentials (name, date of birth, phone number) instead of the primary credentials?

slashdev, 4 days ago:
In the case they gain access to my account, I agree with how you presented it. If someone emptied my account with info about me they could find in data breaches, that shouldn't be on me. If they gave a loan or a credit card to someone pretending to be me, that's now on my credit rating and historically very difficult to undo.

MichaelZuo, 5 days ago:
It is really strange that this is not already the case.

Buttons840, 5 days ago:
"It's really strange that the status quo favors those with more wealth and power."

Aardwolf, 5 days ago:
They can also get their identity stolen though.

samrus, 5 days ago:
I highly doubt it. If someone comes in and claims to be an account holder for a multi-billionaire (even a non-famous one), I promise you the bank's gonna go through a lot more hoops to make sure it's the right person. It's only with the proles they just hand-wave that away and blame you for it.

MichaelZuo, 5 days ago:
That doesn't seem like a sensible reading as that would be tautological. By definition wealth and power enable those who have it to modify the status quo; otherwise we would call that having delusions of wealth and power.

aspenmayer, 5 days ago:
> That doesn't seem like a sensible reading as that would be tautological.
> By definition wealth and power enables those who have it to modify the status quo, otherwise we would call that having delusions of wealth and power.

Wealth and power do not obligate one to do the right thing, it's true. That doesn't mean that the onus doesn't remain on the power structure whose decision-making capabilities are enabled by technological means. There's no one else whose hands last touched the apparatus from whence their technological power flows. We could ask the public collectively to respond, but their hands don't rest upon the levers of power. Should we raise taxes on the lower and middle classes to pay for it too? There's no need, as the truly wealthy don't need to touch their assets directly or even pay them any mind, as they have hired help for that. The devaluation of privacy hits the little people first, and hardest. Elites are not able to be bothered even performatively by these issues, as they are not subject to these particular failure modes of society.

https://en.wikiquote.org/wiki/Anatole_France
> It is the duty of the poor to support and sustain the rich in their power and idleness. In doing so, they have to work before the laws' majestic equality, which forbids rich and poor alike to sleep under bridges, beg in the streets and steal loaves of bread.

MichaelZuo, 4 days ago:
How does this relate to the prior comment?

aspenmayer, 4 days ago:
It seemed like you were saying that those in power have a vested interest in solving this social problem because they have more to lose, because they have more skin in the game. They actually have almost no exposure to this failure mode because they have lawyers and accountants. They have entire family office services. They don't suffer due to identity theft even when it happens. Failure isn't an option or even a distinct possibility, because losses due to identity theft have already been priced into their exposure to liquid markets, and they're insured for illiquid assets. It's not the same for the little people. That was my point.

MichaelZuo, 4 days ago:
This doesn't seem to relate? The only thing I said was it's tautological: if they couldn't affect the status quo to their desires, then they wouldn't be considered to have wealth or power in the first place.

aspenmayer, 4 days ago:
They (elites who want to solve the problem/change the status quo) are not able to do so because most elites are okay with the current status quo.

MichaelZuo, 5 hours ago:
How is this point relevant to my point? It seems to be completely unrelated to the tautology.

slashdev, 5 days ago:
That was hilarious, thanks for sharing!
|
|
JumpCrisscross, 5 days ago:
> these endless data breaches could be reduced if we fixed the incentives, but that's difficult

It's honestly unclear if the damage from data breaches exceeds the cost of eliminating it. The only case where I see that being clear is in respect of national security.

ponector, 5 days ago:
> if the damage from data breaches exceeds the cost of eliminating it.

Definitely not. Damage is done to customers but costs to eliminate are on the company. Why should a company invest more if there are no meaningful consequences for them?

AlotOfReading, 5 days ago:
The more important point is that the people who would have to pay to avoid data breaches (companies) are not the ones who suffer when they happen (the public). It's the same problem as industrial pollution.
|
|
afarah1, 5 days ago:
The solution already exists: MFA and IdP federation. One factor you know (data) and the other you possess, or you are (biometrics). The IdP issues both factors; identification is federated to them. This kind of happens when you are required to supply a driver's license, which technically you own and is a federated ID if checked in the government system, but it can be easily forged with knowledge factors alone. Unfortunately banks and governments here use facial recognition for the second factor, which has big privacy concerns, and the tendency I think will be the federal government as sole IdP. Non-biometric factors might have practical difficulties at scale, but fingerprint would be better than facial. It's already taken in most countries and could be easily federated. Not perfect but better than the alternatives imo.

SoftTalker, 5 days ago:
I'm unconvinced that biometrics are a good approach. You can't change them if a compromise is discovered.

afarah1, 5 days ago:
I also don't like it but it seems to be what most institutions are going for. It's a strong factor if required in person; the problems start when accepting it remotely. But having to go to the bank seems like the past.

eptcyka, 5 days ago:
So what? My data will still get sold online and then agencies/businesses will take advantage of it to do differential pricing. 2FA does not solve the problem of data leaks.
|
|
NoPicklez, 5 days ago:
I don't see the term stealing identity as something that implies I have done something wrong to allow it. If you have something stolen from you it doesn't mean you have done something wrong to allow that. If someone broke into a bank vault and stole your money it wouldn't be considered your fault. The challenge in cybersecurity is that the person potentially stealing your identity lives on the other side of the world, and that's why the focus is on the end user to be as secure as they can. But if you have something stolen from you, you are still the victim.

AuryGlenz, 5 days ago:
Yeah, it doesn't imply you did something wrong. However, the "attack" is against the institution they get a loan from, not you. You didn't give them money under false pretenses. You had absolutely nothing to do with it.
|
|
Phui3ferubus, 4 days ago:
> All these endless data breaches could be reduced if we fixed the incentives, but that's difficult.

The EU fixed the incentives with GDPR and DORA; that was the easy part. In theory a company that doesn't follow "secure by design" will end up bankrupt by (revenue-dependent) fines. In practice the enforcement is lackluster, courts are lenient and international cases take ages, even if both countries are in the EU.