SoftTalker 5 hours ago

Yawn. Another day, another breach.

Have we gotten to the point yet where simple possession or knowledge of personal data is insufficient to prove identity? Seems like we should have been there years ago.

bill3389 3 hours ago

'What you know, what you have, what you are' are used in classic authentication. 'What you know' is typically knowledge only you should know, like a password. 'What you have' is the things only you should have, like a key card or MFA. 'What you are' is some biological identity, like your fingerprint.

Banks serve ordinary people, and the most useful way to identify those people is 'what you know'. DOB is the most commonly used.

Some banks and other organizations are starting to give up 'what you know', as most people give up too much personal information over social media and bad guys can easily acquire it. Now they transfer to 'what you have', like sending you a message where you have to click the link to prove you are the person you claimed to be.

koakuma-chan 4 hours ago

Why should knowledge of personal data be sufficient to prove identity? When I call my bank, they ask, what is your birth date, as if it isn't basically public info.

SoftTalker 4 hours ago

It never should have been, that's what I'm saying. But for a long time if you could answer a question like "what street did you live on in 1996" or even the classic "what was your mother's maiden name" that could get you a password reset over the phone.

That era has to end if it hasn't already. Just because an unknown voice can answer questions about me doesn't mean it's me. And these days, you might not even be able to trust a voice-print.

All this "personal data" has to be made valueless. Then people will stop stealing it, and if they do, it won't matter.

koakuma-chan 4 hours ago

Oh I misread