Rich Freeman via plug on 4 Mar 2021 09:38:36 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Chime

On Thu, Mar 4, 2021 at 9:27 AM jeffv via plug
<> wrote:
> Great point. Banks have all sorts of regulatory hoops, and be certain
> they want to know you. One thing is they like to see how much you're
> depositing and how frequently. Because if you have money, you must be
> laundering and not paying taxes to yer Uncle Sam. They are forced to
> report transactions of $10k or greater, via the amusingly-named Know
> Your Neighbor Act.

I don't think the anonymity is directly the issue, because ultimately
they're still going to demand all that info from you when you set up
an account.  Just having a gmail address from you doesn't satisfy
their regulatory requirements in most countries.

I think the issue is throttling attacks.  Services like gmail make it
very hard to create sock puppet accounts and use them to abuse
companies.  Oh, sure, it isn't hard to create a few of them, but they
very quickly catch on and they'll demand stuff like mobile number
verification (with a well-known cell phone provider), and so on.

So, by requiring an email address from a well-known service like gmail
the bank is basically using Google to throttle attacks against them.
Vetting a new customer takes time, costs money, and has a risk of not
detecting a customer that will cost them a lot more money.  If you
give attackers an infinite number of cheap attempts to sneak past your
account vetting process, they'll probably manage to succeed and cost
you a lot of money, and they still cost you money every time you keep
them out.  So, requiring an email address with a provider that deters
such attacks is a way of reducing the number of attacks they have to
fend off.

I've seen this sort of thing with a couple of accounts.  Ditto with
websites that block access from tor nodes (some do this even for
non-exit relay nodes), or anonymizing VPN exit IPs.

I'm not a fan of this practice, but I do see why companies do it.  The
fact is that a very small number of users can cause a large number of
headaches for them, and steps like this are pretty effective at
greatly reducing their impact.

Where I get more upset with it isn't when companies try to tie you to
some kind of traceable identity for legal reasons, but when they then
also use it to do things like force you to only have a single account
or do things that reduce your privacy online.  (Discord comes to mind
as one such service - having multiple accounts on Discord is pretty
painful, which means anybody on the same two Discord sites as you can
correlate your identity across those sites.)

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --