Comment by jofla_net 6 days ago

It's not the 'voluntary' services that may or may not want to see your ID, it's the existence of any and all Mandatory legislation, which would be a nightmare.

This is a tech site so I imagine the average user has some deeper understanding than most (technically), but I guess imagination is off the table.

What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, then everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein Amazon, banks, and ID.me can be considered to be at or near the top (I'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so well maintained. They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all these angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. It's not that the reputable ones are likely to fall, it's the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.

ltbarcly3 6 days ago

ID verification is done by 3rd parties. Nobody wants to hold a photo of your ID because it's a compliance nightmare. You aren't uploading your ID to some porn site, you are uploading it to some real-person verification company.

  • jofla_net 5 days ago

    Not what I'm saying. At any time before the legit handoff, there can be a decoy which users would be blissfully unaware of, shimmed in. How many times do domains change again during the signup process of whatever service you're using (page to page)? That's a huge security issue, as it messes with what users expect, and they don't take notice one bit. At the very least it's an opportunity to confuse users not to realize that the main service shouldn't hand-off at step 3, rather step 7. The other option is services verify themselves (backend), but again, that's worse.

    Designing secure services is not 'just' one and done by any means, this whole thing boils down to whether security is a trivial, and a done thing or a very hard problem, and it has always been a very hard problem.

    It's one thing to hand over credit cards with very little liability and a charge back ability, it's totally another to use irrevocable IDs which can't be resent in the mail in a few days. Then there's the inter-nationality angle. I refuse to use overseas services, who don't recognize a 'drivers license' and want my passport. Sorry, not going to be stuck somewhere because my passport gets leaked and now we need to visit the only embassy 7 hours away before I return home (with kids in tow). Universal ID requirement is a cozy idea but it opens far too many incompatibilities, not to mention country-to-country.

    • ltbarcly3 5 days ago

      You are making a vague argument.

      Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No

      If you think it is unsafe, what alternative do you propose? If you don't have one, or your idea requires some kind of massive simultaneous buy in by all stakeholders and jurisdictions, give up, your opinion is irrelevant.

      • jofla_net 4 days ago

        Yes, forgive me I was trying to cram too many ideas into a short blurb, else I can ramble on forever.

        We're just talking past each other, since there is nuance to your original statement I may be not addressing directly.

        >Presenting government ID to random entities is literally what government ID's exist for. Paranoia about this is silly.

        While this is not wrong, the problem is that with online entities (sites), the act of 'presenting' is the same as 'copying', so in order to present to a 3rd party 'site' you must do something which lets them (if they choose to) copy your ID, and easily allow someone to forge said ID and use it in other situations to 'forge' your identity, a very bad thing. This is critically different than when traditionally 'presenting' an ID when you're boarding a plane or buying alcohol which is an inherently fleeting act (serves its purpose and NOTHING more). It's also why people are uneasy about ID bar-code scanning but that's a huge whole other discussion.

        >Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No

        It's not 'unsafe' on face value, but as with everything else it becomes very complicated very fast. There MUST be safeguards that disallow the occurrence of my first point, otherwise we're in the camp of facilitating ID theft, again 'copying.'

        One need not look farther than the credit card ecosystem. Stolen ones are lifted and sold by the thousands. And if you think, 'dedicated services' will be enough to stop increased theft then please let us all know why such a system doesn't solve the PCI problem. It can't and won't. The biggest travesty will be the average user becoming accustomed to scanning their ID (via picture because this is what the discussion is about) and largely getting caught up in slipstream scams like I outlined in previous posts. ID theft will get a boost, and become even more lucrative.

        PCI theft is only made 'tolerable' by the fact that cards are trivially replaceable, and this is the important part, current IDs are NOT as trivially replaceable. Plus I can only have ONE, so if it gets pinched, I can't use my other ID to take out a loan. I am ME and can't change, so it makes sense that I may be a little uneasy to give it out to watch twitter cat memes. I don't even need to mention passports, as I've done earlier.

        >I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites.

        Ok, well herein lies the disconnect, as I've never had to 'present' ID for most of these situations except for government sites in my country, taxes etc, and I'd like to keep it that way. It's not that I'm against any form of ID, it's that it must be fit for purpose.

        The whole argument, and this whole discussion is predicated on the fact that for some reason public discourse is that the status quo, which has worked fine for several decades, must be completely overhauled and we must become accustomed to providing scans of all of our IDs on demand to all services as they are mandated to request them. This is insane. I do not work for an angel-invested ID verification service, therefore there IS NO benefit to myself in advocating for any such requirements, only negatives. It is a complete net loss to require IDs for sites which they are, mind you, completely unnecessary for. Yes, government .gov sites it makes sense, also when taking out loans or other financial information, as they already have huge security hurdles to jump through. Yes I've worked for them so I know. However, requirements for everyone else, INCLUDING PORN sites are unnecessary, the last of which has used credit cards for just such the verification since forever, but like so many other things on earth is inadequate all of a sudden!

        Yes, I also do have children, and take the burden of their well-being very seriously. It does not grant me the impetus to persuade the state to try to do my job for me, while in the process creating huge burdensome negative side effects for everyone else.

        Traditional IDs are not meant to be 'copied' as they are too costly to replace. This doesn't mean that there couldn't be token-based alternative security authentication services, but that is an entirely different discussion.

SoftTalker 6 days ago

It would be a great thing, because it would finally force us to have something better than "I can present a piece of plastic with my picture and some numbers on it" as proof of identity.