Not the direct point of the article, but as an aside, it really concerns me how easy it is to find a mother's maiden name these days, considering how often it's used as at least a partial proof of identity.
Being able to identify someone over the phone or internet is an incredibly hard problem that I think more startups should be working on. It is a constant battle between security and customer convenience. It is very frustrating being locked out of your own account because a company can't identify you correctly. If you combine that with the fact that companies are rarely held accountable for these security violations, it isn't a surprise that they optimize for customer convenience.
The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one of these four streets have you lived on?" or "Which one of these four employers have you never worked for?", but even those are gameable with some research. There has to be some better solution out there.
> The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one of these four streets have you lived on?"...
At least with simple "mother's maiden name" type questions, you could, if you were concerned by its insecurity, choose to use a secret value. With the automation of the process, that is not an option, while the security value of this pseudo-secret information will be eroded by its inevitable over-use.
> The best systems I have seen are the ones that use your credit history to ask you several questions
Given how bad the credit companies are at distinguishing me and my father (we share a name), I don't have much faith in this process either. What if you don't have a credit history?
Realistically most businesses don't have a need to pin an identity to a real-world person.
The credit history questions are a mixed bag. I've gotten questions like "Which make of car have you owned?" with choices of Toyota, Rolls Royce, Duesenberg, and Checker. It's not a hard guess.
Except when say 18 years ago, you stayed with a handful of friends that year because the bottom dropped out of development jobs and you can't recall every address you might have used.
Wouldn't a Google Auth type TOTP be ideal for over the phone? Is there anyone doing this?
It could be the same one I use for 2FA to the website. Or, an entirely offline flow would work too where they sent a dead-tree mail with the shared secret in QR code format.
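The phone-support TOTP flow suggested in the two comments above, as an added example (not code from the thread or from any company mentioned in it): both sides hold one shared secret, provisioned once as an otpauth:// URI that would be rendered as the mailed QR code, and the support system checks the spoken six-digit code with a small skew window and a constant-time comparison. Only the Python standard library is used; the issuer name and the window size are this example's assumptions.

```python
"""Added example: RFC 6238 TOTP as a one-time code read out over the phone.
The agent's system and the caller's authenticator app share one secret that is
provisioned once (QR code of an otpauth:// URI, as the comment suggests)."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI to render as the QR code mailed to the customer.
    Issuer/account values here are placeholders, not any real service."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret_b32, at // period, digits)


def verify(secret_b32: str, code: str, at: int, window: int = 1, period: int = 30) -> bool:
    """Accept the current time step and +/- `window` steps to absorb clock skew
    (window=1 is this example's assumption). The comparison is constant-time so
    the support system does not leak partial matches through timing."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at + step * period, period)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238's reference secret "12345678901234567890".
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(secret, "alice", "ExampleBank"))
    print("code at T=59:", totp(secret, 59))
```

A code that has already been accepted should also be recorded and refused on replay within the same window; that bookkeeping is deliberately left out here so the TOTP arithmetic stays visible.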
I got pretty spooked when I opened my credit karma account and it asked me to verify if I had opened a store card a couple years ago, if I took out a loan, and a couple other questions about me.
None of them were true, because when I was first opening my credit karma account was when I first got a credit card; up to that point I had no credit history at all. When it asked me these questions, and I believe it implied one of the questions was true, I assumed my identity was stolen and got a report from transunion and equifax.
Turns out my identity was never stolen and credit karma was just being obtuse.
It's also funny how you're supposed to submit such (ostensibly) personally identifying information to a website for them to know.
So it literally only works for this purpose the first time you do it, now it's not private anymore (even if it was to begin with). Now it's on file just waiting to be leaked.
For example, how many of us are suckers who have submitted scans of our passport and drivers license to a website like coinbase.com?
It's only a matter of time until https://haveibeenpwned.com/ lets you type in your DL/passport number and it'll tell you how many scans it found in data dumps.
Just don't answer those questions "truthfully". What I mean is I use 1password to store my credentials. So whenever a site asks me to provide 3 security questions and answers I will usually select 3 random questions (especially ones that don't apply to me like "where did you meet your wife", well I'm not married), then provide an answer like "dog bow rainbow toss three". Even if one place is breached and hackers find my "mother's maiden name", it's about as useful as a one time access token.
Mother's maiden name is documented to have been in use for authentication at least as far back as 1882, and even then it was known to be a weakness [1, §3].
[1] Stephen M. Bellovin. 'Frank Miller: Inventor of the One-Time Pad'. Cryptologia 35(3), pp. 203–222, 2011. DOI: 10.1080/01611194.2011.583711
You should be giving gibberish answers to those anyway. They're probably stored as plaintext, but on the off chance they're not, treat them as a backup password and don't answer the question honestly.
For anything that involves human interaction for the verification, this doesn't really work.
I generate random strings for these and store them in my password manager. On several occasions I've called companies for whatever reason and they've asked these questions to verify my identity. When I say "oh it's a random string let me open my password manager to confirm it" they often reply with "oh it's ok, you're right it's gibberish" and consider me verified.
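The "treat it as a backup password" idea from the two comments above, as an added example that is not from the thread: the caller's side generates a random answer to keep in a password manager, and the site's side stores the answer the way it should store any password, normalised, salted and slow-hashed, then checks it in constant time. The record layout, the PBKDF2 iteration count and the normalisation rules are this example's assumptions; standard library only.

```python
"""Added example: a security-question answer handled as a backup password.
Client side: random answer for the password manager. Server side: salted,
slow-hashed storage instead of the plaintext the comment suspects."""
import hashlib
import hmac
import secrets
import unicodedata

# Assumed cost parameter; scrypt/argon2 would be preferred where available,
# PBKDF2-HMAC-SHA256 is used here because it is always in the stdlib.
PBKDF2_ITERATIONS = 200_000


def random_answer(nbytes: int = 15) -> str:
    """Client side: a random, meaningless answer (like 'dog bow rainbow toss three'
    in the comment, but with no real-world meaning and full entropy)."""
    return secrets.token_urlsafe(nbytes)


def normalize(answer: str) -> str:
    """Casefold, NFKC-normalise and collapse whitespace so that an answer typed
    with different capitalisation or spacing still matches. A real-world answer
    such as a surname stays low-entropy after this; only a random one benefits."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def store_answer(answer: str) -> dict:
    """Server side: fresh 16-byte salt per record; never keep the answer itself."""
    salt = secrets.token_bytes(16)
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": _derive(answer, salt).hex(),
    }


def check_answer(record: dict, answer: str) -> bool:
    """Server side: recompute and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(_derive(answer, salt).hex(), record["hash"])


if __name__ == "__main__":
    # Constructed demo input.
    rec = store_answer("Dog Bow  Rainbow toss three")
    print(rec)
    print(check_answer(rec, "dog bow rainbow toss three"))
```

As the reply above notes, none of this helps when a human agent verifies the answer by ear; the stored-hash side only protects against the database leaking, and the random-answer side only protects against the answer being researchable.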
I have thought for a while that the old 'what is your porn name?' joke of combining first pet's name and mother's maiden name was probably originally invented by con artists looking to gather info.
I don't think it was invented by them, but I'm sure it's been used extensively by them since then. I think it was just someone that thought it was funny.
This has always been a funny "secret" to me since I have a hyphenated last name – gee, my last name is "Dolan-Gavitt", I'll give you two guesses what my mother's maiden name is.
I would have no idea what your mother's maiden name is? With only your post as a reference point, I would assume that you're a woman married to a man, and then assume Dolan is your paternal last name, and Gavitt is your married last name.
Encountering men with hyphenated last names is uncommon enough (for me) that I don't know the rules for that, so if that's the case, I don't know either.
But looking up myself (and my brother) I noticed that the record date is a month or two past the actual month. So for me being born in March seeing myself listed as June and in my brother's case seeing September listed as December. Well, makes me wonder if they had backlogs back then. But most happy it is that way, I know my actual birth certificate has the correct date (still have the original) and those are accessible in some form or another. Just mindful that not all records are that accurate.
In Sweden we have "Mobilt bankid" which is a digital identification that you download from your bank and then assign a password to it. After this has been completed you can identify yourself through an official app. Most serious organizations ask you to identify yourself through this app when handling business over the phone.
BankId is a 2FA mechanism that proves that you are who you say you are. Before you can download the mobile app (Mobilt BankId) and assign a password, the bank must issue you a card with a certificate on it (BankID på kort[0,1]).
You use this card to then validate the Mobilt BankId, since it creates a chain-of-custody for identity, as it were.
In other words, someone with your personnummer on-hand can't just download Mobilt BankId and then assign their own password because they're lacking the physical evidence [read: the BankId på kort], which prevents them from falsely representing that they are you.
How Mobilt BankId works with BankId is that it houses a certificate (much the same as BankId på Kort) and leverages the same auth prompting mechanisms for challenge/response to authenticate the user. Essentially, it "replaces" the kort but only in the sense that the kort is required to be physically present in the system. With the Mobilt BankId app, the certificate is always present.
Sorry for the long-winded explanation but it isn't as simple as downloading the app and assigning a password and I don't want people to get the wrong idea. :(
I am guessing that most standard and reliable (i.e. you know the answer and it's not going to change) questions are vulnerable to discovery by a halfway determined attacker. That said, there are probably questions/answers that historically would have required at least some degree of serious investigation to uncover that are now often trivially discoverable.
DNA would actually be a great way of doing identity. As long as you're alive, your DNA can be checked. And it's not really feasible for someone else to fake.
You also don't lose it or forget it, like you would a password or 2FA device.
You also can't change it, though, if someone gets a hold of it. Someone with a bit of your blood could impersonate you forever, and you wouldn't be able to stop them.
I was honestly baffled to see the proliferation of DNA analysis companies... aren't people concerned about the importance of the data they're giving out? AND you pay to give them that data... leaves me speechless.
How accustomed we've become to giving our privacy away.
I bet insurance companies would pay handsomely to know all your genetic health risks before they insure you. I am none of the things you described but think having our genetic information out there is not a good idea. Call it a gut feeling but I listen to my gut.
The speechless part is because of how recklessly some people give out information that an insurance company could use against you for example... especially when these companies make no mention of respecting your privacy in their terms.
I considered using these under a fake name, but from reading the article, it seems like that wouldn’t be enough.
I do see the appeal that this information has for individuals, of course.
Yes. Everyone has a remarkable inability to ask the question 'Who benefits?' when they engage with a service. Like Facebook, with consumer genetic tests you give up a whole lot to get back very little. You are the product.
Your DNA is no more your private property than your or your grandmother's face.
It's just not that big a deal. You shed your DNA everywhere. Knowing it isn't more useful than information about your life that is already collected and used to manipulate you all the time. It's one of the weaker forms of personal information available.
In the US, you do have certain rights to your image. I cannot use an identifiable photograph of you for marketing or advertising without your permission. (That's why, for example, a lot of conference registrations require you to affirmatively agree that photos or videos of you may be used for marketing purposes.)
But pretty much any other use of a photo in a public place is fair game if it doesn't misrepresent you in some way.
Agreed, "My DNA is my personal property," is a weak argument.
"My DNA is my personally-identifying data," is a better one.
The question of what rights we have to our personally identifiable information is not yet answered fully, and the debate is an important one (e.g. consider GDPR and the "right to be forgotten").
Data's worth is recognized today by those who are harvesting it from us. The mountains of data which only a few multinational corporations can gather and store in globally-distributed data centers are imperative to machine learning and the artificial intelligences they are making, which will soon direct a great many of our daily conveniences at potentially great profit to them.
So it is important for us to today define what rights we demand to such a valuable resource, which is created solely by, and living within, the only item any of us has true natural possession of: our very bodies.
Just because there are dozens of other pieces of personal information that are collected by the powers that be and used to manipulate people doesn’t mean they all are justified.
I wonder if DNA will actually become less usable in convictions as a result of these sorts of developments. With it being easier to identify an individual based on DNA at a crime scene, eventually someone is going to be accused and turn out to have an ironclad alibi proving they couldn't have done the crime, even though their DNA was present.
If someone downloads my DNA from 23andMe, they can't really plant it at a crime scene can they?
Even if they could synthesize DNA from that information, they'd need to mix it with SOMETHING to show that it's not planted. Is the information collected by 23andMe even close to accurate enough to do something like this?
In the article Someone1234 commented in sibling apparently the innocent suspect's DNA was on the victim (they think maybe because she rode in his cab).
This may be a good moment to get a refresh on this question:
Can anyone recommend a sequencing service that offers some semblance of a reasonably solid privacy guarantee (in exchange, of course, for a suitable fee)?
At GeneInfoSec we are working on a method that will allow all sequencing services to encrypt DNA molecules themselves. With this molecular encryption even your sequencing service will not have access to your genetic data.
The real lesson is that your DNA was never a secret at all. Almost the entirety of it is shared with many people (your family) and you literally leave it everywhere you go. Don't assume any of it will be kept hidden.
If you read the article you'll note that the key problem is not what the author did, it's what her relatives did - uploading their own DNA. It is trivial to discover relatives by DNA match, so using a set of DNA samples you can easily construct a social graph based on family relations. If you can then identify any point in that graph, you can identify individuals. The countermeasures therefore consist of things like: 1) don't add your DNA to a database and 2) Don't allow your family to add their DNA to a database.
> Don't allow your family to add their DNA to a database.
I.e., DNA is my personal property, hence, I own my family. Come off it.
You cannot claim to be concerned about individual privacy when your recommendation for how to protect your privacy is to intimately examine your family member's actions and then actively attempt to prevent them from doing something that is -- according to your ethics -- their right.
But a fake entry in the database would result in a negative match. Thus the researcher would (at least at first) eliminate you as a possible candidate.
Of course, uploading fake DNA with your real name would have other implications — your relatives that upload their own DNA and look for matches might suspect infidelity on the part of your parents... and relatives of the "fake DNA" might think the same of their father/grandfather/etc.
I'm fairly certain the non-ironclad part is in the handling and processing (testing labs screw up quite often), not in the actual methodology or ability to accurately identify individuals.
Collection of evidence is also another likely place to make a mistake. The issue is that a non-pristine sample taken from a public place (like a crime scene) may have multiple DNA profiles represented in it. I'm not highly familiar with the technology but I've read that techniques like PCR that "amplify" the DNA collected from the original sample by synthesizing copies of the DNA can further exacerbate the issue.
> One of the biggest strengths of PCR(e) for DNA typing is the degree to which DNA can be amplified. Starting with a single DNA molecule, millions or billions of DNA molecules can be synthesized after 32 cycles of amplification. This level of sensitivity allows scientists to extract and amplify DNA from minute or degraded samples and obtain useful DNA profiles. In this context, the sensitive nature of PCR works in a lab's favor, but it can cause problems if great care is not taken to avoid contaminating the reaction with exogenous DNA.
> Because extremely small samples of DNA can be used as evidence, greater attention to contamination issues is necessary when identifying, collecting, and preserving DNA evidence. DNA evidence can be contaminated when DNA from another source gets mixed with DNA relevant to the case.
Their founder is going to jail but the tech was OK - take a photo of your ID with your phone and look into the camera. Do the faces match?
(And to your point, I literally had to provide it earlier this week to Chase’s fraud department.)
It really is a pretty outdated and sexist system, really.
If you know the person's name and roughly when they were born (which you can get from the age) and where, you can get the mother's maiden name easily.
I found mine here https://www.freebmd.org.uk/cgi/search.pl in a couple of clicks.
[0] - https://www.bankid.com/en/om-bankid/detta-ar-bankid
[1] - https://support.bankid.com/sv/bankid/bankid-pa-kort
Unless you have secret illegitimate children or you left DNA behind at a crime scene, using DNA analysis services can only benefit you.
Also since 23andMe is selling data to pharmaceutical companies, they very much benefit from your DNA.
If you give a company your DNA voluntarily and agree to the terms permitting them to sell it though... different story.
"Doing bad things isn't a big deal because of all the other bad things already being done." is not a good justification:
Should an individual feel free to "dox" you with impunity because Google and Facebook have been doing it to you for years anyway?
https://www.theatlantic.com/magazine/archive/2016/06/a-reaso...
https://www.idtdna.com/pages/products/custom-dna-rna/dna-oli...
https://www.bbc.com/news/science-environment-19412819
Your inputs will be very dearly appreciated.
https://www.promega.com/~/media/Files/Resources/Profiles%20I...
https://www.ncjrs.gov/nij/DNAbro/evi.html