
This is fundamentally a regulatory and economic problem. The exact challenge-response flow and physical artifacts/electronic credentials we use to assert identity and request access with change over time. Businesses are only motivated to prevent fraud if they will be liable for losses. They have managed to label it "identity theft," as if you forgot to lock up your bicycle, and give ironic post-breach advice to their customers like installing anti-virus software and not surrendering information to unsolicited callers.

Incentives need to be aligned. The Trump Administration cancelled the investigation into Equifax. Target's stock price barely budged. Regulations may not be a panacea as the OPM breach suggests. "Cyber insurance" is an interesting market. Ideally insurers would require best practices to be followed for policy issuance and claim payout. But that can lead to compliance box checking, and litigation/coverage struggles instead of actual security.



What you say about Target's stock price is true, but markets exist to price assets, not to punish malefactors. What this shows is that the market decided losing a ton of data wouldn't affect Target's bottom line; this supports your point about incentives but is itself not something in need of adjustment. The market is literally signaling that losing customer data isn't going to cost a company anything.


I think we'd probably all be using private/decentralized identity systems if it weren't for KYC/AML regulations. The problem is that decentralized and some private identity systems are all "vulnerable" to pseudonymization, so it makes KYC/AML impossible.



