The Case Against Biometric IDs

"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article: Using a biometric system when the basic problem of securing and safeguarding data have yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?

[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.
The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests currently biometric ids are a distraction from the push to change the credit bureau business model -- for example, requiring consumers to opt-in to the collection of their personal data.

Or...

[msauve]

Perhaps the proletariat shouldn't have to worry about it at all, and those who rely on identity (banks, mortgage companies, etc.) should be forced to assume all the liability and burden of proof when they get it wrong. And that includes being liable for libel if they incorrectly report against someone's creditworthiness.

Just as copyright infringement isn't "theft," so too is there no real identity theft - the problem is on the other side, with those who accept numbers as a convenient but unreliable "proof" of identity. Their problem, not ours.

Re:

[Bing Tsher E]

And what the heck is wrong with paying a 'credit verification fee' rather than just freeloading on the back of all of society?

Yeah. I know. LOTS of the heck is wrong. If you're a credit card company or a huckster who sells 'easy credit'.

Re:

[Anonymous Coward]

What "credit verification fee"? Banks, mortgage companies, etc. elsewhere are already liable for such things elsewhere without a "credit verification fee" or increasing the cost of borrowing

What you consider infeasible is actually the normal way of doing things in most of the world. It works well.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Aighearach]

secured (prepaid) "credit" cards would simply be more popular. It wouldn't really be that big a deal to use something different, even for people that don't want to see the full price for what they buy and rely on having companies hide the costs behind incremental fees and surcharges.

Re:

[sjames]

It's better than having costs thrust upon me even after I decide not to do business with an organization that plays too fast and loose with ID verification. This way, the idiots will necessarily become more expensive than the careful.

Re:

[JohnFen]

People should have skin in the game to access credit.

I thought the "skin in the game" that people have is the interest on the debt they're assuming.

Re:

[Bing Tsher E]

Property is theft.

Next year, when you're a sophomore, your classes will be harder and you won't be able to hang out with the cute chicks at the lit table in the student union.

Re:

[msauve]

ProTip: ignore ACs, who don't have the courage of conviction, let alone the intelligence to understand what words actually mean.

Also, "s/the cute chicks at the lit table in the student union/your mom in her basement/"

Re: Or...

[sound+vision]

These days most of the basement dwellers I know gravitate more to the "taxes are theft" line.

Re:

[Killall -9 Bash]

Nope. Inflation is theft.

Re:

[nasch]

Great idea.

https://www.youtube.com/watch?... [youtube.com]

Re:

[Anonymous Coward]

The SSN or other taxpayer id number is basically useless now, thank Equifax. These data brokers should never have been storing it in the first place, but every business that deals with credit stores it, and even brainlessly uses it as an index or as an authentication mechanism (last four digits of your SSN?) Strangely in Canada you never get asked for your SIN (Social Insurance Number) and it's the same length as the US SSN.

So how do we solve it? First, get rid of the SSN/SIN/TAXPAYERID/etc, Replace that wi

Re: Or...

[Jesus H Rolle]

That's boring. How about an APP?!

Re:

[ctilsie242]

I like the idea of a smart card that uses some type of PIN + biometrics, where the biometrics are used to associate a username, or as part of MFA, and a PIN used for unlocking the card. The card would then be a certificate store. Swipe the card at the bar, the pub knows you are over 21, so their butt is covered legally. They don't need your name or anything else. A job requires a degree? They get a cert from the university that is also signed by an accrediting agency showing that there was a B. S. awar

Re:

[JohnFen]

Replace that with your Biometric Passport.

Most Americans don't have a passport, and many can't get one.

Force all Liability on the Lenders

[LeftCoastThinker]

This exactly. The real problem here isn't identity theft, it is the pathetic level of verification used by the lenders. I agree that putting all liability on the lenders is the right approach (there are already laws on the books to this effect for the most part), but there is virtually no way to totally eliminate the harassment that an ID theft victim gets, because the lenders are still going to pursue collection on the premise that you are just a deadbeat borrower.

99% of all ID theft would evaporate if f

Re:

[pnutjam]

The US screws up any attempts at banking verification. Everyone in the world uses secure PIN debit cards and the US matches the secure chip with a fucking signature, for transactions over $20, who gives a rip about anything under that amount, AMIRITE?

Re:

[david_thornley]

So, the bad guy gets a photograph and fingerprints and has a government ID card made that'll look good enough with a mediocre scan. Unless you're saying the applicant should always appear in person for credit decisions, there's no connection between bad guy and recorded data. We could avoid a lot of fraud by requiring people to go places physically, and disrupt a very large amount of business.

The credit-giving agency then has to call a phone number, and get someone who will say they're the guy being im

Re:

[LeftCoastThinker]

"Unless you're saying the applicant should always appear in person for credit decisions"

That is exactly what I am saying, either in person on site or at a local notary public to verify their identity. And when they appear in person, the person who is applying should be required to have a high resolution, full facial photograph with no obstruction (glasses, hats, hoodies, etc.). That photograph and a set of their fingerprints should then be compared with those on file and filed with the application for cre

Re:

[KingBenny]

the proletariat , woaw ... personally, call me a lamer of whatever but i don't see the difference between a database full of social security number strings or the key matching someone's biometric ... you can't alter data in the blockchain (or what was that? unless you got 51% or more ... satoshi was a democrat hm ?) but if you got the key to a wallet you can empty it right so call me a lamer or whatever, point out the fact that i have no degrees to stand on, i don't owe a security firm and i didnt do time f

The dangerous biometrics

[markdavis]

Fingerprints and DNA should not be used for biometrics. Period.

Using fingerprints or DNA and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to track what people are doing but because they should not have fingerprint registration data (which will be horribly abused) .

Stand up for your rights, people... and the rights of your children. Once you give this data to the government or big business, it will NEVER be erased or restricted, regardless of claims, policies, or laws- it will go into huge databases and shared between agencies and used however they want for as long as they want. Even worse, with every crime investigation, you will be searched without probable cause. It is a genie that can't be put back into the bottle.

Fingerprints are something you leave all over the place all the time. They are easy to lift, copy, and forge. Easy to fake, easy to use to frame people. Time after time they have been shown to be poor for security and yet very effective at tracking people.

DNA is even worse. Like fingerprints, you leave it all over the place all the time. Samples can be lifted and planted and analyzed. DNA is more than a means to ID, it contains very sensitive information about you.

Iris scan is better than DNS or fingerprints- there is no leaving your iris image all over, and it doesn't say that much about you. But your eyes (iris,
not retinal) could be scanned without your permission by any high resolution camera pointed at your face, even your own.

There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

Example: http://www.m2sys.com/palm-vein... [m2sys.com]
More info: https://en.wikipedia.org/wiki/... [wikipedia.org]

We also need to realize that IT IS NOT EVERYONE'S BUSINESS WHAT WE ALL DO. The first step in securing freedom is privacy. When you are tracked, you are losing your freedom, whether you realize it or not. You should not have to positively ID yourself for ALL transactions. A good example is age verification. There is an important place for anonymity and semi-anonymity in a free society.

Re:The dangerous biometrics

[Junta]

Yep nothing like a credential I leave behind on any surface I touch.

It's funny, there's a room at work that (in part) is secured by a fingerprint reader. it's about 10 feet from a door that you can see the fingerprints clearly left behind as people push the doors open on the way to the fingerprint reader.

Re:

[Junta]

Also amused that in all of our cases, there's a lock and a very sturdy door. And nothing but sheetrock right next to the door separating a determined individual from getting in, without so much as tripping an alarm.

Re:

[chihowa]

I used to work at a place like that, too. [youtube.com] The janitors would use the key on their huge keyring to bypass all of the security and grab the garbage cans.

Re:

[markdavis]

>"Deep vein palm scan? What kind of expensive piece of equipment is that going to take every time I want to do a credit check on a potential customer? Jesus H. Christ. It needs to be simpler than that."

I wasn't referring to using this for everyday transactions, precisely because we shouldn't have to use biometrics for such trivial things (it is dangerous). Biometrics should be reserved only for IMPORTANT ID, like interactions with the police, court, deeds, wills, sensitive medical care, etc.

As for expen

Re:

[grumling]

That's the problem, there's no difference between everyday transactions and big deal transactions. We see this all the time in software exploits, where something like a low level serial port driver has an unmatched bug that can be used by clever hackers to take over a system. Those "would you like to save 10%" store credit cards are checked using the same systems that mortgages and cars loans use.

Until tokenized systems are more widespread, and people figure out that having a wallet full of plastic shouldn'

Re:

[ShanghaiBill]

Deep vein palm scan? What kind of expensive piece of equipment is that going to take

A box with an IR light and two $5 CMOS cameras.

Re:

[rahvin112]

And once that scan data is lost and someone finds a way to duplicate it with a thin plastic coat over the palm of their hand you are fucked because you can't change your scan. Anything that relies on bio-metrics is a massive failure as even if it's not fakable now it will be after the implement it and you can't change your fucking bio-metrics.

The problem has always been using a fixed number for identity. A number I might add that was never intended for such and that congress actually banned it being used a

Re:

[ShanghaiBill]

duplicate it with a thin plastic coat over the palm of their hand

Wrong. The reason my description said TWO cameras, is that it takes stereoscopic 3D images. It also takes multiple images a few milliseconds apart, to detect the pulse in the arteries/veins.

Re:The dangerous biometrics

[Anonymous Coward]

There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

Vein matching has been used forensically, most notably to tie Khalid Sheikh Mohammed to the murder of Daniel Pearl [wikipedia.org].

Forensic identification

According to a 31,000-word investigative report published in January 2011 by Georgetown University faculty and students,[11][12][13][14][15] U.S. federal investigators used photos from the video recording of the beheading of American journalist Daniel Pearl to match the veins on the visible areas of the perpetrator to that of captured al-Qaeda operative Khalid Sheikh Mohammed, notably a "bulging vein" running across his hand.[4] The FBI and the CIA used the matching technique on Mohammed in 2004 and again in 2007.[3] Officials were concerned that his confession, which had been obtained through torture (namely waterboarding), would not hold up in court and used vein matching evidence to bolster their case.[2]

Granted, this was using a bulging surface vein rather than a deep vein, but it was done by using images taken from a video. The point is that biometric data leaks and once out can not be retrieved or changed. It makes for a terrible password for that very reason.

Deep palm vein matching may not presently have a known method for creating dummy fakes, but that does not mean it never will. Best to rule out biometrics for all authentication tasks and leave it solely for use in identification without authentication.

Re:

[markdavis]

>"Deep palm vein matching may not presently have a known method for creating dummy fakes, but that does not mean it never will. Best to rule out biometrics for all authentication tasks and leave it solely for use in identification without authentication."

What you are saying is very true. That is why I qualified it with "I know of." Probably anything can be defeated, but deep vein currently stands as one of the best, most practical biometric. You can get something very secure, like a retinal scan, but

Re:

[Anonymous Coward]

You already said it, but in your example, those were surface veins, not deep veins. Deep veins can't be seen from any distance with visible light nor from a distance with any known technology. Further, the palm is a more protected area that is rarely visible casually for more than a brief instant (think about where your hands are most of the time- holding something, in your pockets, on a keyboard, face-down in most cases when not holding something and obscured otherwise).

If deep palm vein scanning becomes a norm, then so will deep palm vein scanners. Now it doesn't matter how often I put on gloves and then put my gloved hands into my coat, if I'm taking then out and allowing them to be scanned every time I get on the subway, buy a slushee, or purchase movie tickets. The devices themselves become the weak link, and the secret hash that they produce from each scan becomes a known quantity.

Biometrics, as a class, can not successfully be used to solve authentication problems

Re:

[dgatwood]

Biometrics, as a class, can not successfully be used to solve authentication problems because once lost, they can not be changed. They are excellent for identification problems: UUID's, primary keys, usernames. But they make terrible passwords and must not be used for authentication.

Exactly. It is provably impossible to guarantee a trusted endpoint when under someone else's control, and that's where any sort of identifier breaks down for authentication purposes, no matter how seemingly unique.

Consider the

Re:

[nasch]

It seems to me the problem is single factor authentication. If I have to provide my iris (or whatever) scan and a password, then it becomes much more difficult to impersonate me. Assuming of course the data is stored properly and I don't do anything stupid.

Re:

[david_thornley]

And then there's the problem that you have to give out your password everywhere you go, while keeping it secret. Might as well use the Social Security number.

Re:

[F.Ultra]

So now we have to invent some form of gloves that external parties cannot take off you when you are sleeping (or being sedated).

Re:

[techno-vampire]

Even worse, with every crime investigation, you will be searched without probable cause. It is a genie that can't be put back into the bottle.

Oh, for heaven's sake, put your tinfoil hat back on and get back on your meds! I was first fingerprinted when I joined the navy back in '69, and I've been fingerprinted since then by at least one other (county, not federal) agency since then. And, in the 48 years since that fingerprinting, I've never been searched by any investigative agency, with or without prob

Re:

[markdavis]

>"I''ve never been searched by any investigative agency, with or without probable cause, nor been a Person of Interest in an investigation"

I can almost guarantee that you have. Just because nothing has come from those searches [that you know of] doesn't mean you haven't been searched and there isn't a risk. If your latent print just happens to be on or around something of interest, it will be run and it will connect to you; and there is a small chance it will connect to you even if it isn't you.

Re:

[markdavis]

>"I can almost guarantee that you have" [had searches done on a databases that contain your prints]

Reply to self- just to clarify (since after I read my reply again, it might not be evident), every time ANY collected print is searched, it is compared to every print to which they have access. If your print is in one of those databases, you are being searched. And since the databases are shared, it is likely that at least high-level-agency searches will search through just about every database out ther

Re:

[techno-vampire]

If your print is in one of those databases, you are being searched.

I don't know what you mean by the word "searched," but it's not one I've encountered, and at 68, I've probably run across every meaning for "searched" that there is. Just running a database search looking for a match to a fingerprint is not searching any of the people who's prints are in that search, which is one of the reasons you don't need a warrant do search your own databases. I have never had my home, person, car or workspace sear

Re:

[techno-vampire]

Strictly speaking, of course, I don't have to prove my innocence, I just have to create a reasonable doubt in the jury's mind. That's how the criminal justice system works in the USA. How it works where you live, I've no idea.

Re:

[david_thornley]

Depends where in the US and who you are and what you look like. People have been convicted on scanty evidence before.

Re:

[rtb61]

Let's not worry about the people, let's concern ourselves with the computers. The computer said so, should never ever be enough to identify some one. Just like that person being real and actual, not just virtual so the record of them actual, a real hard copy. To rely on biometric data, relies totally on the record of biometric data being associated with you. Alter that database link, associate someone else's biometric data with your legal identity and they become you.

This limits prime record data to hard c

Re:

[Aighearach]

Stand up for your rights, people

I would expect neckbeards around here to have learned this lesson from watching the movie Porky's growing up! Never consent to biometric examination.

Immutable Data

[Anonymous Coward]

Any system that relies on immutable data for day-to-day identification is doomed from the start.

That's the problem with the Equifax breach-- all the data I use to prove who I am-- SSN, driver's license, data of birth-- it's all been leaked. Biometrics doesn't change this-- except now my iris pattern, my thumbprint, my DNA-- they all get leaked-- but they still can't be changed once leaked.

We need something resembling a distributed PKI setup so that I can carry an "id card" with a private key I can sign transactions with-- but I need to be able to regenerate that key relatively simply at any local government office (and revoke any old keys still floating around). Note this shouldn't be my "show badge to enter" type ID-- this should be used for taxes, voting, credit checks-- things that you might today use an SSN for.

But this idea that we can have one identification that never changes, and is immune to data breaches, is just not feasible.

This shouldn't be hard to do.

Re:

[burtosis]

Fixing your credit in the future is easy! Simply rip out both eyes and replace them, use a crispr variant to change enough genetic markers, then cut off all the skin on your fingers and buy new skin. That should hold you for at least a few weeks till they the data gets stolen again.

Re:

[gl4ss]

that solution exists, but it has it's problems.

really credit systems in general are the problem. they don't care if they get the identity wrong because the credit goes against the real person and not the fraudster.

Social Security numbers are already gone

[turkeydance]

somewhere, out there, beneath the pale moonlight. or...And then you'll have to eat your lunch all by yourself 'Cause I'm already gone

Accountability is dead

[MangoCats]

Who in their right mind would stand up and be accountable for operations that exceed their personal fortune by factors of 1000s? What possible form of compensation could be adequate for such liability?

Yes, corporate operations transparency and accountability are great measures to improve the current situation. Unfortunately, we're more likely to get gun control and single-payer health care passed first.

Re: Accountability is dead

[sound+vision]

Who would accept the accountability? Someone who feels they are competent enough not to fuck up the entirety of what they are held liable for. Of course, at some organizations the hiring/promotion process is... Not great. You get people who take high-level salaries with little understanding of the work they are supposed to oversee. Or worse yet, you get people who *think* they are competent (Dunnig-Kreuger effect). The corporate culture at many places has a way of weeding out people who *do* have a firm und

Amy national ID would be exploited

[david.emery]

By its nature, any national ID system would be the basis for tracking, if that ID is used for commercial as well as governmental purposes. So the question should not be "Would biometrics enable more illicit tracking?" but rather "Would biometrics be less susceptible to misuse than the current SSN?"

Re:Revalation 13

[dgatwood]

Christians have been on the watch out for a one world government that controls all trade.

Most Christians generally recognize that Revelation was about Emperor Nero, some two thousand years ago. How do we know this? Hebrew letters also have a numerical value, and the Hebrew letters for Nero's name sum to 666. The rest of the things in Revelation are also historical, mapping onto actual events not long after the time of Christ. There's no biblical support for the view that anything in Revelation is about the future (anymore). It's all ancient history (now).

Re: Revalation 13

[sound+vision]

Remember that currency was a new thing for most people the Romans introduced it to. What was on the coins? The name and the mark of the beast.

Re:

[dgatwood]

The numerical value of Nero Caesar IS 666. And Nero was the beast (metaphorically, in much the same way that today lots of folks say that Donald Trump is Hitler).

Re:

[Johnny5th]

What christians have you been talking to? Aside from a few people that I know, no one in my social circle has ever heard of that. Also fun fact: ~666 years between Babylon (the first beast) and Nero.

Re:

[dgatwood]

So while the original author was trying to make a point about the Emperor Nero in a way that wouldn't get him sent to the circus even faster, that doesn't preclude a wider prophetic meaning.

Certainly true. And nothing about my statement is intended to imply that there won't be a second coming of Christ; most Christians do believe that there will be; that just isn't what Revelation, specifically, is about (except, as you say, perhaps as a secondary meaning). To that end, we shouldn't assume that the specif

SQRL is a possibility

[surfdaddy]

If Steve Gibson ever gets the coding completed (the spec is already public I believe) this could be a potentially good solution, not perfect but much better than SSNs.

Should All The Data Be Always Available

[ChrisC1234]

I honestly wonder if we should start removing some data and keeping it in offline or non-instantaneous storage. Or maybe some sort of distributed storage. Honestly, there is no reason for some company to have everyone's SSNs and other data readily available 24/7. Certain relevant pieces could be kept online for easy access, but what if any access of the data required accessing it from some sort of offline/nearline storage. Or even just a time delay to retrieve the data from the system (and not just a bu

Re:

[burtosis]

You are failing to not apply logic.

Name vs proof.

[gurps_npc]

ID has two steps: 1)Username and 2) proof of identity. Biometrics make for a great username/login. You always have them and they take no effort to 'remember'. They make for a horrible proof/password:

1) They can't be changed if someone gets a hold of yours.

2) You leave copies all over the place (fingerprints, DNA samples, pictures of your eyes).

3) It is pretty easy to fake them.

Wonderful

[burtosis]

Fixing your credit in the future sure is easy! Simply rip out both eyes and replace them, use a crispr variant to change enough genetic markers, then cut off all the skin on your fingers and buy new skin. Fill out all 17 forms in triplicate and visit both state and federal offices to recertify. That should hold you for at least a few weeks till they the data gets stolen again.

How dare you say something sensible

[wickerprints]

American corporations have had a long and illustrious history of bending over its consumers and fucking them in the ass as hard as they can. And the government's role in this is to codify new and innovative ways of facilitating this collective boning. So when someone points out that a new proposal is wrong, I just want to pet their head gently and say, "oh, aren't you just the most darling idealist ever."

This has never been about protecting people. It's always been about money, power, control, and findin

Make HIPAA laws apply to banks

[Anonymous Coward]

One change to HIPAA law : âoe the ss number, DOB are both PHIâ ( protcted health information). Doctors deal with the draconian HIPAA lase and still survve. Ti e bor banks amd Equifax to followthe same guide.ines

Yeah, But...

[Marlin Schwanke]

The White House and EquiFax have two different reasons for wanting to do away with Social Security numbers. EquiFax wants to diminish the damage done by their handing over of our SSNs to hackers. The White House just wants to do away with Social Security. Oh, and Medicare and Medicaid.

Losing game

[RhettLivingston]

What we really need to blow this scheme out of the water is for some really wealthy bad guys to fund a project focused on using CRISPR or similar technology to change the DNA markers that have become standard in the DNA databases. Since they don't have to follow normal research rules, the research could be greatly sped up. As a side benefit, the results would leak into real medical science and speed that up - very much like the way porn has led technical development of the internet many times in the past.

In

There is perfect security

[guruevi]

Biometric IDs are fine if they are used as a portion of a key to unlock data.

The best way to assure that hacks like this wonâ(TM)t have an impact is by expecting Equifax is only allowed to store an encrypted version of your data. They can still make encrypted queries against the data and get encrypted results but they donâ(TM)t get the true data. And although homomorphic encryption isnâ(TM)t all that fast yet, for what banks need it for (adding and subtracting numbers) its actually very doabl

Identification vs authentication

[Aethedor]

Biometrics are often heard as the alternative for the password. To see if that's a good alternative, let's take a look at the characteristics of both username and password.

The username

• - It's not secret. It's often your name, e-mail address, employee number, etc.
• - It's very common for people to have the same username at different systems. Specially at companies.
• - Changing your username is not possible in most cases.

The password

• - It should be kept secret.
• - For improved security, you should choose a different password for each system.
• - Most systems allow you to change your password.

Now, let's take a look at the characteristics of biometric information:

• - They are not secret. You leave your fingerprints everywhere and with high resolution camera's it's not difficult to take your iris scan.
• - Since you have only 10 fingers and two eyes, you will probably have the same biometric ID for many systems.
• - You are not able to change any of your biometric information.

Conclusion: biometric information is more like a username than like a password. So, the only way to properly use biometrics is to use it for identification, not for authentication. Giving biometric information to the government for authentication purposes, is dangerous. The government probably doesn't understand this topic very well, so they will probably use it in the wrong way (for authentication). Because they believe it to be more secure (thanks to all the sales talks of companies selling biometric stuff), you end up having an even more bigger problem than now in case of identity theft.

We tried it in the UK

[Anonymous Coward]

We tried biometric ID cards the UK more than ten years ago.

Wikipedia:
"The register was officially destroyed on Thursday, 10 February [2011] when the final 500 hard drives containing the register were shredded at RDC in Witham, Essex."

https://en.wikipedia.org/wiki/Identity_Cards_Act_2006

Alternative - the GPG Model

[ytene]

The big problem with any form of widely-available and widely-supported identity verification scheme is that government tends to think that they need to run centrally and be centrally controlled - which in turn makes a big target for criminals [and potentially institutional abuse].

As an alternative, I would offer the model adopted by GNU Privacy Guard, which is entirely federated, but, best of all, under the control of the individual concerned.

For those not familiar with GPG, here is [in my own words]

Re:

[david_thornley]

This requires each individual to have a private key, secret, not given to anyone, and available for use whenever the individual's identity is verified. The private key is impossible to fake (assuming good asymmetric crypto is used), but there's many ways a bad guy could get hold of it. If it's on a card or something, someone could steal your wallet. If it's a number you type into a system, well, keyloggers do exist. If compromised, it would be very difficult to rebuild the trust.

It works well for the

Re:

[ytene]

I can't deny the valid challenges you raise, but the reason for offering the GPG model as an alternative to the current approach is that it works to hand control back to the User.

I am sure that we could come up with ways of protecting the private key - but really my focus was on taking back control...

Re:

[david_thornley]

I like the idea of control for the user, I just don't see how it could happen.

Re:

[ytene]

"Where there's a will, there's a way..."

If we can put a man on the moon, we can do this.

Securing an organization

[gordona]

There are a lot of governance frameworks thst can be followed for establishing good cyber security policies, such as those from COBIT, NIST, ISO, etc. They donâ(TM)t guarantee that the organization will be risk free (thats impossible), but help to reduce risk to acceptable levels, if they are followed and policies are reviewed and updated frequently. But if authentication procedures are too restrictive or expensive (relative to the value of the assets being protected) the organization can lose custom

Biometrics != Third Party Biometrics

[Wrath0fb0b]

The article (and much of the subsequent hollering in the comments) conflates two very related items: biometrics in general and a third-party biometric system in which that information is submitted to some centralized place.

On the latter, I have nothing but agreement for what was said about its stupidity and danger, so there is no need to repeat all that -- I incorporate and agree with it here.

But on the former, there is still great promise for biometric systems that are designed specifically to avoid ever s

Biometric IDs are fine, if...

[bradley13]

Biometrics are fine, as along as people realize exactly what they are. They are one step in a possible identification process.

Like an SSN, biometrics are unchangeable. However, using them in identity theft is considerably harder. Creating a fake fingerprint is possible, but it's not trivial. It's like putting a better lock on your front door - one you can't open just by jiggling it: it keeps the stupid thieves out, but the slightly less stupid ones will just come in through the window. As such, biometrics a

The serious problem with biometrics

[JohnFen]

The serious problem with biometrics is that if your "id" is stolen, you can't change it. You're simply screwed.

The fix is simple

[Shotgun]

Credit reporting agencies make money by sending my information to people that pay for it. If someone was asking questions about a friend of mine, simple politeness would require me to inform my friend that so-and-so was asking about him.

Me: "Hey, Bill. You're ex was asking about you the other day."
Bill: "You don't say. What did you tell her?"

The way to fix this whole credit reporting mess is that if someone makes an inquiry to the reporting agency (i.e., someone asks about me), the reporting agency shoul

Settled, then.

[BenBoy]

"The White House and Equifax Agree: Social Security Numbers Should Go,"

Well then, with two such highly skilled, intelligent entities, with such marvelous track records, sayin' so, gosh, I'm in! Scan me first!

It's all ones and zeros anyways

[Mozai]

So if we stop using numbers, and use fingerprints or retinas instead, that's supposed to be more secure... but how do we communicate the biometric patterns over the wire to prove our identities? We encode the patterns as numbers. And the other party must have a record of those encoded numbers to compare with to see if there's a match.

We're still using social security numbers, we're just using very pretty numbers. And numbers that can't be revoked when (not if) there's another breach.

Just use CAC/PIV

[flink]

The federal government already maintains a national ID database for military personnel, civil servants, and government contractors. It consists of a smart card containing a certificate tied to the USG PKI. The card is unlocked with a PIN and can be used for signing documents or signing/encrypting emails. The documentation requirements are almost exactly the same as for getting a passport (e.g. birth certificate + state ID). These cards are already recognized by most federal agencies, and can be soft aut

Re:

[Big Hairy Ian]

And when an organization get's hacked or accidentally leaks my Biometric info how do I change my Fingerprints/Retina/DNA etc? Also what about people who have not got viable Fingerprints or Retinas?

Re:

[SNRatio]

Biometric ids are intrinsically secure - so long as they are only used to verify your identity in person, not remotely. It doesn't matter if someone hacks your data, it would still be pretty hard for them to fake your IPD, and pretty expensive for them to make custom contact lenses to fake an iris scan.

Re:

[Marlin Schwanke]

You know of course that “The Moderators” are other SlashDot readers? I get “Mod Points” several times a month. I generally use mine to mod up insightful or truly funny posts. Occasionally, I’ll mod down someone who is really out of line. Is the alt-right active here? I’ve no proof but it would surprise me. I think that anonymity of most forums does bring out the angry and mean spirited without an organized conspiracy required.

Re:

[thegreatbob]

One huge factor you are missing is that when you're offtopic, you get modded offtopic. So no, moderators aren't censoring calls to ban bumpstocks, they're downmodding offtopic copy-pastas.

Re:

[thegreatbob]

It should also be noted that no, I am not taken in by whoever is spamming under your name; I am referring to entirely different issues. e.g. this article is regarding why biometric IDs are/aren't a good idea... what have you to say on that matter?