Erik Bernhardsson    About

On the Equifax breach and how to really prevent identity theft

bar code tattoo

A funny thing about being a foreigner is how you realize people take broken things for granted. I’m going to go out on a limb here claiming that the US has a pretty dumb banking system. I could talk about it all day, but right now I want to focus on a very particular piece of it: how to verify your identity online.

Of course, since the Equifax breach, people are freaking out about the fact that your SSN are floating around all over internet. That’s bad. But what’s even worse is that the system was built to fail like this eventually. SSN is a terrible secret to authenticate with. The first three numbers are based on the area, credit checks usually allow one or even two digits to be wrong, and at some point we’re going to have to recycle social security numbers from dead people. Sounds fun. So what should we do? I think the correct thing is to assume that social security numbers are a publicly known number.

There’s nothing weird about this. Sweden has a similar number, and while sharing is not recommended, it’s certainly not a big deal.

Let’s talk about 🇸🇪

So how do you verify your identity online in Sweden? Through this wonderful thing called BankID — a service that claims 7.5M active users. This is out of a population of 10M people, meaning basically everyone has it.

How does it work? Basically as a two-factor authentication system. You install an app on your phone. Any time you need to identify yourself online, you usually start with your “SSN”:

bank id 1

After that, the website asks you to launch the app on the phone:

bank id 2

On the phone, you now have to approve the request by typing in a password:

bank id 3

Sweden’s version of the IRS uses it if you want to pay your taxes online. You can even use it to buy stuff. The most sick thing though, is that BankID has an API. So if you’re some random third party whatever provider, and you want to verify the identity of a person, you can integrate it. There’s a bunch of node packages even.

How do you get a BankID though? Online banks offer to set you up. And online banks always use two-factor authentications in Sweden, usually through a physical device that you have to pick up at a bank branch (where you have to go visit and show an ID card or drivers license to pick it up… the card carries biometric information so is very hard to forge).

So why does this work? Basically everyone in Sweden has a bank account. There’s only a handful of banks, which are pretty much colluding to some extent, but on the other hand the government has regulated all their fees down to basically zero, meaning they don’t make all their money screwing lower income people. So I think Sweden ended up in some kind of weird Nash equilibrium where there’s so few of them that collaborating on an ID service is not very hard, and they are regulated enough to realize they might as well take their fees and try to build useful consumer products out of it. It’s not just this. They also built their own version of Venmo that something like 70% of the population uses.

Anyway, I think the probability that this will ever happen in the US is roughly zero, sadly. The banking industry is too fragmented and many people don’t have bank accounts, so we can rule out that player. The federal government would never do it, but maybe adopt it if someone else does it. So I think realistically maybe the only one that could pull something off is if the state like California adopts it. More specifically maybe the Tax Service Center or DMV. But I don’t know, and I’m not going to describe a comprehensive launch plan here. All I can do is dream of a time where the US would actually do digital infrastructure efficiently.

Erik Bernhardsson

... is the CTO at Better, which is a startup changing how mortgages are done. I write a lot of code, some of which ends up being open sourced, such as Luigi and Annoy. I also co-organize NYC Machine Learning meetup. You can follow me on Twitter or see some more facts about me.