People get caught up in this all the damn time, and blame the wrong system.
There should always 3 steps in accessing a secure system (eg bank account): Identity, Authentication, Authorization.
Just because there is a unique identifier that is known publicly, it does not imply that the person presenting that identifier is the actual entity to which that identifier was issued. The identifier is just an identier, it does not prove anything. It is not really all that different than your name. Just knowing your name should not give me access to anything.
To prove the entity presenting the identifier is actually the entity to which the identifier belongs you have to do authentication. And authentication does have to rely on some sort of secure exchange of secrets (ie not of publicly available information). These should be secrets known only to the correct entity and to the entity performing authentication (and authenticator need not even be the same organization that issued the identifier in the first place)
And once you've matched the entity to the identifier, then the last step: does that entity with that identifier have the authorization to perform whatever task they're asking to be done? Not every entity has the equivalent of root access to everything they have legitimate access to.
Identity, Authentication, Authorization.
3 different steps, with 3 different sets of constraints.
The problem in the US is most organizations never perform any even vaguely valid authentication validation. SS#, phone number and an address or two (all public data, if you're willing to pay one of the credit bureaus) and you can get access to most random person's accounts.
In fact, you can have Authorization without identity, directly based on a secret, but who would use that when we can request Identity with background tracking.
There should always 3 steps in accessing a secure system (eg bank account): Identity, Authentication, Authorization.
Just because there is a unique identifier that is known publicly, it does not imply that the person presenting that identifier is the actual entity to which that identifier was issued. The identifier is just an identier, it does not prove anything. It is not really all that different than your name. Just knowing your name should not give me access to anything.
To prove the entity presenting the identifier is actually the entity to which the identifier belongs you have to do authentication. And authentication does have to rely on some sort of secure exchange of secrets (ie not of publicly available information). These should be secrets known only to the correct entity and to the entity performing authentication (and authenticator need not even be the same organization that issued the identifier in the first place)
And once you've matched the entity to the identifier, then the last step: does that entity with that identifier have the authorization to perform whatever task they're asking to be done? Not every entity has the equivalent of root access to everything they have legitimate access to.
Identity, Authentication, Authorization.
3 different steps, with 3 different sets of constraints.
The problem in the US is most organizations never perform any even vaguely valid authentication validation. SS#, phone number and an address or two (all public data, if you're willing to pay one of the credit bureaus) and you can get access to most random person's accounts.