[HN Gopher] Experian's credit freeze security is still a joke
___________________________________________________________________
Experian's credit freeze security is still a joke
Author : parsecs
Score : 624 points
Date : 2021-04-26 22:01 UTC (1 days ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| Covzire wrote:
| Wow, Experian is a total scumbag company.
| emrah wrote:
| Aside from the reported problem, Experian is the worst of the
| three. Freezing/unfreezing from the website doesn't seem to work,
| asks for all kinds of PII to be mailed in yikes! Yet it does work
| (so don't mail anything in!)
|
| Total mess and they seem to have little to no incentive to
| fix/improve anything
| kemonocode wrote:
| I've been exposed to the ludicrous US credit system through my
| fiancee who was affected by the Experian hack, and frankly, I
| completely get anyone who wants to see it all torn down. I find
| it ludicrous there are _three_ different credit bureaus and they
| all seem to be equally incompetent for something as critical as
| an attempt to summarize a perception of your trustworthiness into
| a neat little file.
| kome wrote:
| americans: why are you so addicted to credit ratings? ban them.
| RhysU wrote:
| They're useful. How else would you get on a plane with only a
| suitcase, land the equivalent of a Europe away, then buy a
| house from an ecosystem of people that you have never dealt
| with before? And not overpay for the privilege? For the next 30
| years?
| KirillPanov wrote:
| Easy: fill the suitcase with cash.
| soared wrote:
| Provide (and get verified) bank statements and tax returns
| that prove your financial history, and then call some old
| landlords/lenders. Why would it be more complicated than
| that?
| YeBanKo wrote:
| Well, you essentially described credit history, which is
| what credit score is based on.
| jhgb wrote:
| Except one that is more secure, perhaps?
| RhysU wrote:
| Depends on how loose-lipped the old landlord is.
|
| I am pretty confident he or she is not going to maintain
| a list of acceptable passphrases left by former tenants
| for the purpose of authenticating credit check phone
| calls 10 years later.
| astura wrote:
| Ok now companies will see there's a huge business need to
| streamline this process so a new company will come along
| and make agreements with lenders and landlords to
| centralize all that information for ease of access and,
| congratulations, you've just created a credit bureau.
| LinuxBender wrote:
| I actually tried to get them to set my score to 0 but they
| thought I was joking. It's apparently not an option.
| YeBanKo wrote:
| Because they are essential for consumer loan industry. And the
| US has a loan industry, hence obsession with credit ratings.
| aeontech wrote:
| Experian somehow has allowed _someone_ to reset my account
| username and email not once but twice in the past month.
|
| I'm, to put it mildly, not happy, and I've no confidence it's not
| going to get reset again tomorrow.
|
| Yes, I use a complex randomly generated password.
|
| They do send an email to your previous address on the account
| notifying you of the fact though, which is the one silver lining.
| systemvoltage wrote:
| Can startup shake up this tripoly - TransUnion, Equifax and
| Experian? I am curious, what are the hurdles? To imagine any
| other way is impossible - if it is year 2050, I can't imagine
| these 3 to keep holding Americans hostage.
|
| Edit: Changing from SV to startup.
| 0xbadcafebee wrote:
| What makes you think a Silicon Valley company will result in a
| better outcome than a non-Silicon Valley company? There are a
| lot of people angry at Silicon Valley companies.
| systemvoltage wrote:
| I mean broadly in the sense a startup that's funded by YC.
| After all, we are on YC forums. It was an earnest question
| and not implying anything to do with what non-SV companies
| can and cannot do. That said, many startups from SV have
| shaken up the industry veterans. I was mostly interested in
| the roadblocks and challenges. Not really about which city
| and whom can solve this problem which is far less interesting
| to discuss.
| esrauch wrote:
| SV companies tend to be better at account security then this.
| vkou wrote:
| I can't imagine SV producing anything better.
|
| Remember - you're the product, not the customer of the credit
| agencies. You aren't a first party in that relationship - it's
| a service _about_ you, not a service for you - which is why the
| agency 's interests are not remotely aligned with yours.
|
| The only way to make it aligned with yours is through
| regulation, which forces your concerns to be taken into
| account. Unfortunately, in the valley, that's a dirty word.
| systemvoltage wrote:
| I really regret posing this question with "SV". Forget about
| SV, I wanted to open up a discussion about why do we have
| just 3 agencies monitoring our credit history? Why are they
| privatized? What are the checks and balances to keep them
| incentivized?
| vkou wrote:
| > why do we have just 3 agencies monitoring our credit
| history
|
| Because there's a lot of barriers to entry to collecting
| your financial data, and any industry with lots of barriers
| to entry, the costs of which are lessened at scale will
| result in a monopoly, or duopoly, or something of the sort.
|
| > Why are they privatized?
|
| Because we don't have any laws against them existing, and
| they are providing a valuable service to creditors,
| landlords, and employers.
|
| > What are the checks and balances to keep them
| incentivized?
|
| There are a few legislative ones, but there aren't really
| enough of them.
| PascLeRasc wrote:
| American Express has their own somewhat automated underwriting
| program for immigrants of certain countries, I wish they'd
| expand it to everyone. I'd rather just go through underwriting
| once with a company I choose like Amex and just use them for
| credit forever.
| paul7986 wrote:
| Their credit score is a racket ...my two other scores from other
| agencies are higher and very, very close to each other.
|
| Experian offers a boost product where you authorize them to
| monitor your electric bills, etc ..once I did ... gave them
| permission to do so my Experian credit rating went up to the same
| number (a point or two off) then the other two. What a racket!!!
| jfrunyon wrote:
| Most of the times I've gotten the credit bureau-style security
| questions (for example, trying to get my credit reports, or
| trying to open a bank account),
|
| - Every single one is answerable by reference to my Facebook page
| and a few old area phonebooks [remember when most people used to
| list their name, phone number, and _home address_ for the world
| to see? ah yes. good times.]
|
| - And they usually tell me I'm wrong, which would make me
| suspicious that I was a victim of identity theft, except that the
| answers I give usually match the data in the report I eventually
| receive.
| DanAtC wrote:
| As a resident of California can I invoke the CCPA and get my
| information deleted from Experian et al?
| 1970-01-01 wrote:
| The massive and swift fines they face are the punchline.
| thatguy0900 wrote:
| "Finally, your basic consumer (read: free) account at Experian
| does not give users the option to enable any sort of multi-factor
| authentication that might help stymie some of these PIN retrieval
| attacks on credit freezes.
|
| Unless, that is, you subscribe to Experian's heavily-marketed and
| confusingly-worded "CreditLock" service, which charges between
| $14.99 and $24.99 a month"
|
| It's great to see theyre taking the knowledge that being hacked
| doesn't matter and putting it to good use
| yhoneycomb wrote:
| The worst part is if you get a FREE credit report with them,
| they sign you up for this service without you knowing. I was
| paying $20/month for the bullshit for about a year before I
| finally caught in. It's a total scam. Did a google search and
| found MANY other people complaining about the same thing. Their
| whole company is a scam.
| MereInterest wrote:
| It certainly sounds like a form of extortion to me. "We have a
| large amount of personal information that can be used to take
| out loans in your name. We, and others like us, have repeatedly
| shown that these databases are not secure. They will remain
| insecure unless you pay us."
| Aeolun wrote:
| This whole system with credit scores is utterly broken in the US.
| azinman2 wrote:
| I put a pin on my account after the first Equifax leak. Recently
| I needed to unfreeze it, and discovered that upon creating a "my
| equifax" account that I was able to unfreeze it WITHOUT THE PIN.
| Ive complained to the FTC (including screenshots) but haven't
| heard anything. It's so unbelievably insane these companies are
| allowed to operate with such massive ramifications to society and
| individuals!
| TechBro8615 wrote:
| My favorite part of this system is when they give you a year of
| it as compensation for a data breach, saying it's worth 12x its
| monthly fee (which they make up). That's not even touching on the
| fact that their solution to losing your data is asking you for
| more of it.
|
| I've never been lucky enough to be compensated with such a
| service. But it wouldn't surprise me if they were so helpful that
| they even auto-enroll you in another (paid) year at the end of
| your free trial!
|
| One also wonders why reforming the credit bureaus is not a
| bipartisan priority in Washington. Congress is apparently only
| interested in fighting over the issues that nobody can agree on.
| Don't hold your breath for any progress fixing systems that
| anyone except a lobbyist can clearly point to as broken.
|
| The problems might get some attention if the corporate media
| chose to hype them, but guess who buys a bunch of advertisements
| on their news channels?
| hcurtiss wrote:
| I recently negotiated two service contracts, one for a company
| that helps administer employment verification (e.g., if an
| employee applies for a loan), and another with a company that
| handles COBRA documentation post-termination. Both of these
| require the service providers hold some confidential
| information concerning our employees. Both contracts explicitly
| provided (i) they will not indemnify me for state/federal
| penalties if they fail to do their job, and (ii) the only
| remedies they would provide following their data breach is one
| year of credit monitoring. I told them that was crazy, and if
| there's a breach they need to indemnify me for all losses and
| liability, full stop. Both companies refused so I had our
| broker approach different companies. Those companies proposed
| contracts with the same terms and also refused to change them.
| As the employer here merely contracting with service providers,
| I can't even find contractors who will take this liability on.
| I would 100% support legislation that would impose on these
| bastards penalties for the losses associated with their data
| breaches or failure to provide the services they say they are
| going to provide. I am also comfortable with the fact that may
| cost more, but at least then the costs will be internalized by
| the proper actor. And those who can efficiently provide secure
| services to me will get my business.
| throwaway2037 wrote:
| What a great story. Thank you to share you experience. I
| wonder if (i) is not enforceable. That said, it is the legal
| equivalent of David and Goliath to win that case. Even if the
| clause is legally enforceable, could you win a civil suit on
| the grounds of negligence (poor service)? Again, maybe, but
| probably very expensive to discover! I agree: These kinds of
| clauses should not be allowed. I cannot imagine this same
| thing happens in EU with GPDR.
| zonethundery wrote:
| (i) is enforceable. You could have a negligence claim, but
| customer (if a regulated entity) is generally required (on
| a principles basis, not necessarily prescriptive) to do
| their own due diligence on the adequacy of the vendor's
| security practices. The shift away from assigning liability
| to vendors was part of Dodd-Frank, and NYDFS has taken a
| similar tack with its cybersecurity rules.
| AnthonyMouse wrote:
| > I am also comfortable with the fact that may cost more, but
| at least then the costs will be internalized by the proper
| actor.
|
| The problem with these situations is that liability would
| induce bankruptcy by a factor of a thousand. If one of these
| companies screws up, likely they did so for each of their
| customers, who each have their own customers. Plausibly
| millions of people, for vendors that aren't exactly Google-
| sized. So for any non-trivial damages they're out of business
| and you get three cents on the dollar of your indemnity
| because so did everybody else. Which is all but worthless. It
| doesn't even give them much incentive to not screw up,
| because they're only paying 3% of the damages before they
| file bankruptcy and start over, which itself only happens if
| they're unlucky. Plenty of companies would be willing to take
| those odds and they'll still be the ones with the lowest
| price.
|
| The only way for them to cover the full amount is to buy
| insurance, but then you have the liability on the wrong party
| again and they lose the entire incentive to avoid screwing
| up. We might like to believe that insurance companies have
| some magic to reduce claims, but mostly they don't and they
| just spread the cost of the liability across all their
| customers.
|
| So really all you're asking for is a law that forces you to
| pay extra in order to buy insurance. But can't you already
| buy insurance from an ordinary liability insurance company
| instead of the vendor?
| kova12 wrote:
| There's something wrong with a notion that a single actor
| can cause enormous damages, spread them out between
| community members and suffer no consequences, and I'm not
| even talking about only credit companies.
|
| For example, take an action which makes everybody spend an
| hour of their time. Disposing snail mail for example. Lets
| say there's 300M people in USA. Lets say only 100M of them
| are affected. Lets also be charitable and say that an hour
| of their time is worth $10. That's a 1B damage right away.
| It is a Fukushima level damage.
|
| I don't have a solution, but it is disturbing that we allow
| actors capable of causing such damage just go do their
| business, take risks, and if risks don't work out - just
| file for bankruptcy and suffer essentially no consequences
| hcurtiss wrote:
| I can, but the vendor's negligence causes me to suffer
| higher insurance premiums without any ability to leverage
| them into better practices. If they were obligated to buy
| that insurance, the insurers could require that their
| insured observe the underwriter's mandatory security
| practices (or otherwise they would be uninsured, and in my
| ideal universe, out of business). As it stands, the vendors
| take unreasonable risks, and I'm on the hook trying to
| insure the bloody mess that results without any control
| over the vendor's security practices.
| AnthonyMouse wrote:
| > If they were obligated to buy that insurance, the
| insurers could require that their insured observe the
| underwriter's mandatory security practices (or otherwise
| they would be uninsured, and in my ideal universe, out of
| business).
|
| Then you're hoping that the insurance company's checklist
| does more good than the overhead in enforcing it costs.
|
| Those type of guidelines generally fall into three
| categories.
|
| The first is the ones that are sensible and cost
| effective, but mostly those are the ones that everybody
| does regardless. You might marginally increase the number
| of people who do these things. This is where the possible
| benefit comes from.
|
| The second is the ones that are just ridiculous nonsense.
| Things insurance companies require because they're
| fallible entities. The typical "install antivirus on
| Linux servers" checkbox. It has no benefit but it has a
| cost and the cost offsets the benefit of the useful
| measures. The insurance company has minimal incentive not
| to do this, especially if insurance is required by law,
| because the cost is being paid by somebody else.
|
| The third are measures that are marginally effective but
| not cost effective. They do a little and cost a lot.
| Insurance companies love these because they do marginally
| reduce the number of claims and the cost is hidden, but
| it still gets passed on to the customer (you), and the
| cost exceeds the benefit. It's a deadweight loss to you
| but the insurance company has a perverse incentive to
| require it.
|
| When you put them all together you're lucky if you break
| even.
| martinflack wrote:
| > One also wonders why reforming the credit bureaus is not a
| bipartisan concern in Washington.
|
| And one solution might be to simply create a statutory strict
| liability of $1000 per consumer per breach. The (possiblity of)
| class action lawsuits would do the rest to encourage correct
| behavior.
|
| (It might encourage cover-ups as well, but you could penalize
| that, and incentivize and protect whistleblowing and well-
| intentioned security research.)
| TechBro8615 wrote:
| I can't wait to get 10 free years of credit monitoring!
| cortesoft wrote:
| > One also wonders why reforming the credit bureaus is not a
| bipartisan priority in Washington.
|
| This is a classic "concentrated benefits, disperse costs"
| problem that is really hard to solve in society. The three
| credit bureaus have a huge incentive to maintain the status
| quo, while millions of people have a small incentive to change
| it. The three credit bureaus are going to fight a lot harder to
| maintain the system than everyone else will fight to reform it.
|
| It is the same thing you see with our tax system. For
| individuals, it just isn't worth it to try to change the
| system. The effort would cost more than the gain, but the
| overall cost to society is great.
| rendall wrote:
| > _One also wonders why reforming the credit bureaus is not a
| bipartisan priority in Washington._
|
| It struck me how reflexively cynical I have become, that
| reading this question surprised me.
|
| I hope my answer doesn't come off as snarky, but sincerely,
| there's a lot of good information here:
| https://duckduckgo.com/?q=credit+bureau+lobbyists&ia=web
| dawnerd wrote:
| Meanwhile, I can't get equifax to unfreeze my credit. Whatever
| answers they have on file are wrong and tell me to call - except
| you cant reach a human without answering those same questions.
| They've yet to respond to actual mail I've sent them too.
|
| Oh well, the other agencies unlock so it just takes a little
| talking whenever I need to run a credit check explaining equifax
| is jacked up.
| PascLeRasc wrote:
| I had the same experience and could only unfreeze via the
| Equifax iOS app. Sorry this is happening.
| [deleted]
| PascLeRasc wrote:
| I really, really wish I could opt out of having accounts with the
| big 3 credit bureaus. Freezes don't appear to work - they usually
| say that I don't have an active freeze whenever I go to lift one.
| Or their website is down entirely. Or they won't let me get to
| the freeze section without clicking no on their paid monitoring
| services 8 times. For Transunion all I needed to lift a freeze
| was the last 4 of my SSN, so how does that help?
|
| I don't want to have my information with these companies. Please
| let me not participate. It's like every American was given a
| Chase Bank account at birth that we can't close, it's weird.
| anyfoo wrote:
| As someone who grew up in Europe and lives in the US now, the
| whole "credit" thing is still weird to me anyway. In Germany at
| least, credit cards are mostly only a thing because they are
| convenient to pay with online, and then often behave like debit
| cards (paying directly from your bank account) anyway.
|
| Everyday shopping happens with debit cards, bills are paid by
| wiring money.
|
| When I came here, I "built credit" by paying everything by
| credit card and making sure to pay off the entire bill
| _immediately_ to not incur any interest penalty, but when I
| read stuff like "always pay off the credit card with the
| highest APR first", my head's still spinning.
| thayne wrote:
| As someone who lives in the US, and travelled to europe, one
| of the toughest things was that many more places only took
| cash than in the states. Which meant I had to carry around a
| lot more cash than I was used to, knowing that as a tourist I
| was a target for theft (and I have been stolen from multiple
| times while abroad). With a credit card, if it was stolen, I
| could cancel it immediately, and I wouldn't be responsible
| for purchases the thief made with it. If cash was stolen, it
| would just be gone.
|
| Also, I got a better exchange rate with my credit card than
| with cash from a bank or ATM.
|
| On the other hand, I really liked that I payed for meals at
| the table instead of giving the card to the waiter, and that
| listed prices included tax.
|
| That's not to say the US system doesn't have problems, it
| definetely does. But I wouldn't want a cash-only system
| either.
| Haemm0r wrote:
| I always withdraw cash money using the debit card when I'm
| abroad. It has acceptable exchange rates(always better than
| the money exchange rates at the destination country) and
| much lower fees(mostly just a fixed amount of EUR) than the
| credit card (quite high percentage + fixed fee).
| Nextgrid wrote:
| Modern banks in the UK such as Monzo, Starling, Revolut
| and others have no FX fees.
| nicolas_t wrote:
| This really depends on the credit card and bank. My old
| French credit card that was supposed to be great for
| traveling had 2.5% conversion rate plus 0.30 euros fixed
| fee.
|
| My US amex is usually only 0.1% more than current market
| rate and so better than any debit card I have by far.
|
| In my experience, European countries are by far the worst
| when it comes to exchange rate and added fees. One
| hypothesis is that interchange fees are capped so credit
| card companies can't make as much from the merchants but
| even before that happened, I remember the fees being very
| high.
| Xylakant wrote:
| The problem with exchange rates is usually that the
| institution managing the ATM/Payment Terminal tries to
| trick you into using their exchange instead of just
| charging your card in the local currency and have your
| bank do the exchange. And the ATMs exchange rate are a
| ripoff. You're not a returning customer, so they milk you
| as much as they can. This holds true for both credit and
| debit cards. Check with your bank, they'll give you the
| proper advice and it's usually "charge in the local
| currency and let us handle the exchange."
| KSteffensen wrote:
| This is not a general Europe thing. I live in Denmark and I
| only use cash to try and teach my kids about money. I can't
| remember the last time I paid cash for anything. I'm
| tempted to say it has been a decade or so.
| blntechie wrote:
| Very good point about using cash to teach kids about
| money.
|
| I just began teaching my kindergarten going son about
| money and some of the things he has learned watching us
| is very insightful. For all purposes, money for him is
| our phone. He has seen countless places where we pay with
| phone to buy things (using QR codes) and that has given
| him an impression that a phone can get anything from a
| store.
|
| For me, in my own childhood days, money as in cash was
| easily understandable as a finite resource because once
| it's given to someone, it cannot be taken back. So I
| learned just by watching that money carries a value and
| is limited. But just scanning a phone or card with no
| concept of finiteness will carry some repercussions I
| think in future.
|
| Will be interesting to watch the future generation who
| might grow without concept of cash money.
| xeromal wrote:
| If you're middle class or higher, a credit card is a no-
| brainer in the US. I pay for 1 international trip a year + a
| few domestic trips just using my card for every day
| purchases. I rack up points, pay everything off, and benefit
| tremendously.
| continuational wrote:
| It's a no-brainer, because whether you have a credit card
| or not, you're paying for those trips every time you
| purchase something.
| xeromal wrote:
| That's true in a macro sense but so is everyone else,
| even people paying cash sometimes.
| watermelon0 wrote:
| Doesn't the money have to come from somewhere? I assume
| merchants need to pay fees to credit card companies, and in
| turn this results in higher product/service prices?
| gnopgnip wrote:
| Technically no, no one has to explicitly lose money or
| pay for these rewards. The economy is not a zero sum
| game. There are direct costs with handling cash for
| merchants, for smaller businesses these are often higher
| than credit card interchangge/merchant fees. There are
| also indirect costs like lower sales and consumers losing
| cash due to theft.
| xeromal wrote:
| Indeed that's the truth but they charge that for every
| customer including cash customers except specific places
| like arco. So if everyone is getting charged, best get
| some benefit from it!
| jjoonathan wrote:
| ...which is a state of affairs the CC companies have
| arranged through anticompetitive terms in merchant
| contracts. Cash never had a chance to compete. The moment
| people realize they could get effectively twice the
| rewards points by squeezing out the fat cut taken by the
| CC companies, they absolutely will. CC companies will
| fight tooth and nail to make sure the fees stay invisible
| and unavoidable via cash.
| kj4ips wrote:
| That's where most of it comes from in the US, interchange
| rates on credit cards are not regulated, so they're
| generally somewhere around 2%.
|
| Which, coincidentally, is the benchmark for "decent"
| credit card rewards.
|
| Some cards will offer rewards on certain kinds of
| purchases, often up to 5%, but offering only 1%, or
| nothing for other purposes.
|
| Since the average person only has a single credit card,
| the majority of cardholders produce more in interchange
| fees than they collect in rewards.
|
| There's also some complicated accounting voodoo that I
| don't truly understand, that effectively means that banks
| can treat extended credit as a pseudo asset, plus,
| whenever alone is outstanding, it's value is added to the
| virtual money supply.
|
| It is possible for an individual customer to get
| significantly more in rewards than interchange, but as
| this is a relatively small portion of customers, most
| issuers do not seem to care.
| jjoonathan wrote:
| I know that getting a very visible 2% back from an
| invisible 4% fee is psychologically fun in a way that a
| European-style 0.5% fee isn't, but the net effect of the
| American style is still to transfer more money from you to
| the credit card company.
| btilly wrote:
| The invisible fee is paid by the merchant, not the
| consumer. And fees aren't 4%, they are generally 1.3% to
| 3.5%. With higher fees for American Express, and merchant
| types with higher fraud rates. (American Express also
| offers greater rewards to consumers...)
|
| In the end, aside from the complicated consumer reward
| part, the amount that the credit card companies get isn't
| that different from the European system.
| jstanley wrote:
| > The invisible fee is paid by the merchant, not the
| consumer.
|
| But the customer pays the merchant. It's all paid by the
| customer.
| btilly wrote:
| The customer is paying whether or not they use a credit
| card.
|
| However actual businesses have overhead for dealing with
| physical cash as well. It is slower at the teller, needs
| to be manually counted and recounted, transported
| (sometimes with security) and so on. It is not clear
| whether real costs of handling money are greater or less
| than merchant fees.
| throwawayboise wrote:
| The fact of the matter is that retail goods and services
| cost the same whether I pay cash or use a credit card. So
| might as well take the benefits the card offers.
|
| Every great once in a while I will run into a small
| business that doesn't take credit cards, or offers a
| discount for cash. But it's quite rare.
| jjoonathan wrote:
| Yeah, which the CC oligopoly has conveniently arranged
| through merchant contracts. The Europeans negotiated
| around this with legislation and won a better deal.
|
| In the US, I'm sure people would scream and cry if the
| evil government tried to take their 2% rewards, even if
| it meant 3.5% lower prices. We don't like math very much
| over here -- as this thread is proving.
| fredophile wrote:
| I doubt prices on most common purchases would change at
| all. That extra money would just go to the retailers
| instead.
| Tempest1981 wrote:
| Or resigned to the massive power of lobbyists.
| xeromal wrote:
| This was exactly my point. The amount of cash discount
| places are dwindling so you're actively losing money if
| you pay cash.
| bogomipz wrote:
| >"The fact of the matter is that retail goods and
| services cost the same whether I pay cash or use a credit
| card. So might as well take the benefits the card offers"
|
| The merchant costs for processing the purchase of those
| products is baked into price though. The net effect is
| that the fees the merchant pays push your retail price
| up. You're not really getting a benefit if you get 2%
| back and the retail price is 2% higher to account for the
| merchants processing fees.
| cyberpunk wrote:
| Schufa scores are definitely a thing in Germany; I mean, same
| thing different name..
| avh02 wrote:
| haven't been to the US, but you can get a clean schufa if
| you just move to the country. I've _heard_ that in the US
| you'd need to get and pay off debt in order to have a good
| standing, a lack of any record is considered suspicious.
| SilasX wrote:
| That is absolutely true. I was treated as subprime
| despite having no debts and a high credit score (on
| annualcreditreport.com) merely because I had never taken
| on debt. I would get rejected even for $500 department
| store credit cards! It's ridiculous.
| ruph123 wrote:
| Its not. Schufa collects negative entries. If you did not
| pay back loans in time you will have a bad Schufa. To the
| contrary in the US you have to have "good credit" meaning
| you have to have participated in the "credit system" and
| behaved well.
|
| If you don't have any record: Great for Schufa, bad in the
| US.
| cyberpunk wrote:
| Oh I thought no debt history would equal clean credit.
| That's bananas, surely it's safer to lend to someone who
| has never been in debt? I don't get the logic..
| SturgeonsLaw wrote:
| Depending on the lender, they might actually be after
| people who are always in debt, and who pay their credit
| cards bills each month but never entirely pay them off.
| [deleted]
| elyobo wrote:
| No, it's safer to lend to someone who has handled credit
| well (i.e. by paying it back) than someone who has no
| track record.
|
| There's a catch-22 if rules are so strict so that you
| can't get credit because you haven't had credit before,
| but in general "positive" credit reporting seems pretty
| beneficial.
| paxys wrote:
| Credit cards in the USA are backed by very strong consumer
| protection laws. That is why you can mindlessly give one to
| wait staff at a restaurant who will disappear with it for an
| extended amount of time, while in any other country that
| would be unimaginable. I have also never once cared about
| credit card skimmers at gas stations or anything of the sort.
| It's the bank's responsibility to protect the card, not my
| own.
|
| Consumer culture in general means that it is very profitable
| for banks and payment processors to hand out credit cards
| like candy (with huge spending incentives), despite knowing
| that a ton of people are going to rack up debt that they will
| never be able to pay.
|
| The overall credit system is also a lot larger than just
| credit cards. The country runs on cheap debt. Everything from
| houses, education, cars all the way to TVs and dresses is
| financed with long-term payments and low single digit
| interest rates. Most of what people earn goes towards paying
| for stuff they bought in the past rather than saving for
| something they might buy later.
| matsemann wrote:
| > _I have also never once cared about credit card skimmers
| at gas stations or anything of the sort._
|
| As a European I haven't as well. But that's because it's
| been the safe chip part of the card that's been used all my
| adult life and not the easily spoofed magnet stripe.
| dmos62 wrote:
| As a European neither have I. Couldn't I just have the
| bank do a chargeback in case of a bad charge?
| maccard wrote:
| Yes. I've made claims with 2 card providers in two
| different banks in the UK (one was a transaction for a
| macbook pro in India, the other was a merchant who
| refused to cancel a recurring payment despite me making
| multiple attempts to resolve with them). Both cases
| required a verbal confirmation, and a letter to claim it
| was fraud and a refund within 5 working days.
| rsj_hn wrote:
| You are confusing a few things here. First, the chip
| cards are still vulnerable to man-in-the-middle attacks,
| which is what the modern intermediate devices now do,
| even though many still call them "skimmers" out of habit
| (some are advocating for the similar-sounding "shimmer"
| to describe these devices).
|
| They are quite effective at stealing from Europeans just
| as well as they can steal from Americans, except
| Americans are not on the hook for the stolen funds
| whereas Europeans are.
|
| Here's a Krebs on Security article that has pics of a
| shimmer found in Europe in 2015:
| https://krebsonsecurity.com/2017/01/atm-shimmers-target-
| chip...
|
| There was 1.8 Billion in chip card fraud for cards issued
| in Europe in 2018, with the highest rates of fraud in
| France and the UK in Europe in 2018, although only 20% is
| at Point of Sale and 80% is online.
|
| But the real difference vis-a-vis the US and Europe is
| not chips in cards but the massive epidemic of wholesale
| identify theft in the U.S. The vast majority (in terms of
| dollar amounts) of credit fraud in the US is part of
| identity theft, something the US suffers from due to lack
| of consistent ID cards and ID card enforcement - and very
| little todo with chip and pin technology.
|
| The US has 24 B in credit fraud, the majority of which is
| identity theft, and the largest amounts related to entire
| bank accounts and fraudulent loans being taken out, lines
| of credit being issued in someone else's name, etc, and
| not some illegal transactions stolen at gas stations with
| intermediate devices.
| sixbrx wrote:
| Chip cards are vastly safer. From the article you linked
| about shimmer attacks:
|
| "The only way for this attack to be successful is if a
| [bank card] issuer neglects to check the CVV when
| authorizing a transaction,"
|
| I'm betting the European cc fraud is mostly from residual
| magnetic stripes or online forms being used, not the chip
| usages. Do you have a specific breakdown?
| rsj_hn wrote:
| I think you are misreading the article, so let me be
| clear:
|
| If you enter your card in a compromised device, then you
| lose control over
|
| 1) how many transactions are being made
|
| 2) who you are paying
|
| 3) how much
|
| Because the chip has no way of asking you for
| confirmation about the identity and amount of the
| transaction. There is no secure keypad entry connected to
| the chip or secure bus going out.
|
| All you have is physical presence. The chip can prove to
| the input device that it is present, and the input device
| cam forward that proof to the bank. That is all the chip
| does. It does not prevent you from paying the wrong
| person, and it does not prevent you from paying the wrong
| amount. This is why compromised input devices are
| created, so that you can be charged the wrong amount and
| to the wrong party when you think you are buying gas.
|
| The chip only guarantees physical presence. Checking the
| CVV is only when there is no presence and you are trying
| to milk the attack into an offline attack rather in
| addition to the MITM attack. Why are offline attacks also
| possible? Because vendors want to support online
| purchases, where there is no physical presence. But that'
| not the MITM attack I was describing.
|
| Offline (card not present) transactions are a _second_
| issue, and indeed they are much larger (80-20) not
| present:present in terms of card fraud, but you don 't
| need shimmers to conduct card not present fraud, although
| you can certainly use them for that.
|
| Finally, not verifying CVV is not an abuse of the
| protocol, it's how you do a card not present transaction,
| which is also supported in the same payment protocol.
| It's not some weird form of protocol violation vendors
| are all mysteriously doing. It is not "doing it wrong".
| [deleted]
| Nebasuke wrote:
| There's also a reason it's much higher in the UK (I don't
| know about France) and it's the online component. The UK
| has long card numbers for debit cards, often usable
| online with just your credit card number + CVV, similar
| to how US credit cards work. This is not the case for
| debit cards in a good number of other European countries.
|
| For example, my Dutch card can only be used physically at
| an ATM using your PIN, or online by using a payment
| system like iDEAL for which you need bank login details +
| password (which is not stored on the card). It does not
| have a long card number like most US debit/credit cards.
| rsj_hn wrote:
| In both the US and EU, credit card fraud is 20% POS and
| 80% online.
| faster wrote:
| I once had a conversation with a couple friends of friends
| who did targeting for the credit card industry, figuring
| out which demographics to send cards to. Their goal was to
| find people who paid responsibly and spent irresponsibly.
| If people who pay well weren't irresponsible enough in
| their spending, incentives would be provided. I'm sure this
| is even worse now with all the data and data-driven tools
| available.
| dkarp wrote:
| I cannot understand how this works at restaurants in the
| US.
|
| Last time I visited it went like this:
|
| 1. I get a bill ($50 for example) and give the server my
| card
|
| 2. A card payment notification appears on my phone for the
| $50 payment with my bank
|
| 3. The receipt comes back with a tip field where I write
| $10 and sign
|
| 4. The server now updates the payment and a few days later
| when the payment clears, the amount has changed to $60
|
| But what if the server chose to enter $20 instead of the
| $10 I specified? Do I have to keep the receipt and remember
| to go check that the cleared payment matches a few days
| later? How else would that be caught?
|
| In the UK, you enter the tip on the card machine when you
| put your card in, so the payment is immediately taken and
| everything is clear. I really want to know why I shouldn't
| worry about the above scenario next time I cross the pond!
| danielecook wrote:
| It does seem weird. All I can say is that changing the
| tip amount is rare. I've never seen it happen, or perhaps
| I've never noticed.
|
| Additionally, I don't worry about it thou because my past
| experience suggests I can reverse the charges if I call
| the credit card company fairly easily.
| anaerobicover wrote:
| > But what if the server chose to enter $20 instead of
| the $10 I specified?
|
| Unless they have complicity with management, the risk
| over reward is too great to try this. If they kept the
| skim small to be unnoticed -- $3-5 on each check, perhaps
| -- it may still not add up to being worthwhile. Most
| people in the world are not criminal masterminds; I think
| sometimes engineers like us forget that others are not
| constantly looking for loopholes in everything. :)
| xwdv wrote:
| One call to your credit card company about the fraudulent
| charge and it's resolved. They will do an investigation
| and the price of the original transaction before the tip
| will be discovered. Also, the employee who changed the
| tip amount will likely be fired.
| naturalauction wrote:
| Additionally the whole charge is likely to be reversed
| (or it has been for me in similar situations) and the
| business will have to pay a pretty big ($20+) fee. Of
| course the employee could be a bad actor but it's in the
| businesses best interest to try to ensure that isn't the
| case. I think if there are too many chargebacks, the
| business gets designated as high-risk and will also have
| to pay more processing fees.
|
| One thing to note about the US is that card processing
| fees are more than double what they are in the UK/EU. It
| allows CC companies to eat the costs of fraud more
| without passing it onto the consumer/business.
| dkarp wrote:
| Right, so you're saying it up to me to notice and call
| the credit card company?
|
| In that case, I need to go through my statement and
| remember that the $70 charge was supposed to be $60, or
| have the receipts and check it. That isn't something I
| have to do here, because it all happens at the same time.
|
| Or are you saying that the penalty for the
| restaurant/server is high enough that this sort of thing
| just doesn't really happen much?
| xwdv wrote:
| Here's the thing man, until you personally see it happen
| at least once, don't bother worrying about it. The odds
| are super slim and the incentives to commit tip fraud on
| one meal are high risk for little gain. I've never seen
| it happen or heard of it happening.
| chrisdhal wrote:
| I've never seen it happen and I use credit cards for
| everything. I can't remember the last meal in a
| restaurant that I didn't use a credit card. I've never
| heard of it happening from any friends or family either.
| It just isn't a thing.
|
| Same with stealing number. Yes it's kind of strange that
| most of the time the server just takes your card and
| disappears for a while, but I've never heard of a number
| being stolen from anybody I know. Of course, it does
| happen, but it's very rare.
| phlo wrote:
| > The country runs on cheap debt. Everything from houses,
| education, cars all the way to TVs and dresses is financed
| with long-term payments and low single digit interest
| rates.
|
| Can you point to a few examples of TVs or dresses being
| financed in the low single digits? I'm genuinely curious --
| as an outsider, my impression of US credit was always one
| of a system that charged predatory interest. That
| impression is mostly based on seeing credit cards
| advertised at 15-25% APR, and hearing stories of student
| loans with interest rates that approached the double digits
| (for debt that's not dis-chargeable in bankruptcy, no
| less).
|
| My point of reference are Switzerland and Germany, which
| have legal caps on interest rates around 10-13%. Credit
| agreements with higher interest rates are nullified,
| voiding all interest claims. As a result, the growing rate
| for unsecured debt is somewhere in the 8-10% region. (And,
| of course, significantly lower for secured debt, like
| mortgages or car leases.)
| xwdv wrote:
| Certainly. There's many cards that provide promotional 0%
| interest rates for 12 months. The idea is every 12 months
| you sign up for one of these cards and you can make
| minimum payments with no interest, when the card is
| reaching the end of its promotional period you just pay
| it off in full and don't use it anymore unless there's
| good rewards.
| phlo wrote:
| Ah. I hadn't considered credit card churning. Thanks!
|
| (I do have some reservations -- I'm guessing that only a
| small minority of cardholders attempt to churn their
| balance from card to card or pay it off before the end of
| the promotional period. 12-month lines of credit don't
| come for free, and if the expected average payoff wasn't
| worth it, credit card companies would probably stop
| running these promotions.)
| xwdv wrote:
| It is 100% free money. The catch is you will be charged
| all the interest in some cases if you reach the end of
| the promotional period and haven't paid off the card in
| full, or something like that.
| naturalauction wrote:
| This exists in the EU and Switzerland too, look at
| Klarna. They take 3% of a transaction from the merchant
| (depends on the country) and charge no interest fees at
| all for the end user. Even a financially responsible
| buyer might find it worth paying off later since there is
| no interest.
| phlo wrote:
| Oh, I have no doubt that there are situations where it
| may make sense to buy things on credit. Houses and cars
| can often be financed at good conditions. I've yet to see
| an example where this applies to small purchases.
|
| Klarna offers a variety of payment methods. The 30-day
| factoring looks fine (3% charged to the merchant, no
| interest to buyers). But as far as I can tell, any
| financing they offer beyond 30 days comes with
| significant interest. Their product page for Ratenkauf
| [1] says "Es fallen Zinsen an." ("Interest is charged").
| When I look at their demo store [2], they indicate a
| 10.43% APR for a EUR400 purchase paid over 12 months.
| This, of course, falls on the right side of the law and
| has a pretty small risk of ruining people -- still, I
| don't think there are many scenarios where you'll end up
| better off after paying 10% interest on anything.
|
| [1]
| https://www.klarna.com/de/verkaeufer/produkte/ratenkauf/
| [2] https://www.klarna.com/demo/de/de-DE/kp/p-sunglasses-
| de/. You'll have to add the sunglasses to your cart and
| proceed to checkout.
| jwr wrote:
| > Credit cards in the USA are backed by very strong
| consumer protection laws. That is why you can mindlessly
| give one to wait staff at a restaurant who will disappear
| with it for an extended amount of time, while in any other
| country that would be unimaginable.
|
| But how is this specific to "credit" cards? Don't debit
| cards get the same protection? The point here is that in
| the US one _needs_ to have "credit history" in order to do
| things like rent an apartment, which is not a thing in the
| EU.
|
| As to security, the EU has largely gotten around the
| problem by implementing modern payment systems. In Poland
| no waiter will "disappear" with your card, they will bring
| a mobile terminal to the table, so that you can use your
| (contactless) card.
|
| In fact, living in Poland currently, I can't remember the
| last time I used a _physical_ card anywhere. For the last
| two years or so I 've only been carrying my phone with me,
| no wallet at all.
| op00to wrote:
| No. Debit cards do not get the same protection.
|
| I have never had my credit checked for an apartment.
|
| I too only use my phone for most credit card
| transactions.
| herbstein wrote:
| > In fact, living in Poland currently, I can't remember
| the last time I used a physical card anywhere. For the
| last two years or so I've only been carrying my phone
| with me, no wallet at all.
|
| Here in Denmark we recently got an official digital
| drivers license. You verify your identity with the
| government issued 2FA system, scan the NFC chip in your
| (non-expired) passport, and you're golden. The digital
| license is as valid as the physical license.
|
| Couple this with NFC payment being a requirement anywhere
| that takes payment, the banks having developed a way of
| transferring money between accounts in different banks
| instantly based on just a phone number, and the digital
| drivers license, there's never a need to have my wallet
| on me. At the moment I'm not even sure where it is --
| it's somewhere in the apartment.
| teachingassist wrote:
| Credit cards also have stronger consumer protections than
| debit cards in several European countries.
|
| e.g.
|
| https://www.moneyadviceservice.org.uk/en/articles/how-
| youre-...
| luma wrote:
| In the US debit cards work completely differently than
| CCs. In the event of fraud, the debit card holder is
| technically responsible for any losses. Your bank might
| step in to deal with that, or they might not.
|
| With a credit card company it's always the card issuing
| company's problem to address.
| jdofaz wrote:
| I don't use my debit card because I don't want to fight
| to get my money back, but that doesn't mean you are
| liable for fraud.
|
| https://www.consumer.ftc.gov/articles/0213-lost-or-
| stolen-cr...
|
| "If someone makes unauthorized transactions with your
| debit card number, but your card is not lost, you are not
| liable for those transactions if you report them within
| 60 days of your statement being sent to you."
| sofixa wrote:
| > In the US debit cards work completely differently than
| CCs. In the event of fraud, the debit card holder is
| technically responsible for any losses
|
| That seems very backward. And as you might suppose,
| really isn't the case in the EU. Fraud is fraud, and it
| might take time, but you'll get your money back.
| diggernet wrote:
| > it might take time, but you'll get your money back.
|
| And that's really the key difference between credit and
| debit.
|
| With a debit card, if there is fraud, the money is gone
| from your checking account. You will get it back, but it
| will take time, and in the meantime you may be suffering
| from all kinds of unpleasant effects of having a suddenly
| and unexpectedly empty checking account.
|
| With a credit card, if there is fraud, you have a debt on
| the books. You will get it removed, but it will take
| time, and in the meantime you still have all your money.
| Frost1x wrote:
| The US is all about risk, money, and power transfer.
| Maybe everywhere is but I've only lived in the US.
|
| In the case of of CCs, there is an assumption that a
| certain portion of people will take high interest credit
| offered by the cards and that they will incur interest
| and have to pay that. The rates are often incredibly
| high, something like 20%+. To encourage more people to
| use these cards to increase the population and likihood
| people will be forced to pay these interests, CC
| companies offer incentives like cash back, no-interest
| periods to encourage borrowing behavior or
| misunderstanding of the boundary time for payments for at
| least one hefty interest payment, etc. They also offer an
| alternative to people who have difficulty receiving a
| loan for some item any other way.
|
| Debit cards on the other hand are offered by traditional
| banks. Many of these are free and associated with free or
| nearly free accounts (usually requiring your regular
| income deposited or a minimum balance they can invest
| elsewhere while you let it sit idle). Banks are not
| incentivized for you to spend money. It's in their
| interest for your money to sit in your account theyre
| investing elsewhere or for them to charge you various
| service fees. They're less inclined to give you
| incentives and protections to use these cards.
|
| If consumers get to a point of using credit cards in a
| responsible manner (essentially more people exploiting
| their benefits than CC providers exploiting them), you'll
| see these features and protections slowly peeled away.
| Many cards used to even offer price protection where if
| an item changed prices than the price point you purchased
| at, the CC company would refund you the difference.
| Obviously enough people took advantage of this vs the
| pool of people paying high interest that these features
| slowly peeled away. Time and value limits were introduced
| and tightened, card providers began to remove these, and
| now few if any cards provide this. This is _one_ consumer
| feature /perk that used to exist that no longer exists
| because the normalized increasingly responsible use of
| cards by consumers. There are several more (rental
| protection, road side protection, flight delay
| protections, and a host of perks). Now you often have to
| pay a fee for a card that has such perks and need to be
| sure your spending rates are high enough to warrant the
| fee.
|
| Payment systems aren't about payment systems and
| detecting fraud, they're about building complex systems
| people want to participate in under the assumption the
| complex system will at large extract wealth from the
| people using the system, not the other way around. Even
| something as trivial as just paying for exchange of
| services/good would be straightforward but it's not, it's
| gamed to pass risks, extract money, and transfer power.
| anaerobicover wrote:
| > It's in their interest for your money to sit in your
| account theyre investing elsewhere or for them to charge
| you various service fees.
|
| Generally true, but I have suspected that banks have
| begun getting payments from the payment processors,
| however (Mastercard/Visa). Most recent time I created my
| checking account the bank nearly insisted that I have a
| debit card although I strongly preferred to have only ATM
| access with it. Additionally the largest banks have most
| certainly figured out squeezing fees from people for use
| of the debit cards.
| naniwaduni wrote:
| There is a very strong, very simple alignment of
| incentives that you'd think shouldn't really matter, but
| makes a huge difference: with credit, the burden is on
| the _bank_ to collect money from _you_.
| Svip wrote:
| > very strong consumer protection laws
|
| What if you go bankrupt as a consumer in the US? Credit
| cards are scarily easy to come by in the US, which suggests
| to me that credit card issuers aren't worried about
| consumers potentially unable to pay them off. Which further
| suggests to me that it's not really the consumers being
| protected, but rather the credit card companies.
|
| How does consumer bankruptcy work in the US? Raking in a
| lot of credit card debt, that you cannot afford, could make
| one liable for life.
| throwawayboise wrote:
| > What if you go bankrupt as a consumer in the US
|
| You will have difficulty getting credit for 5-7 years.
| You may think "fine, I'll just pay as I go" but credit
| checks are often part of the approval process for an
| apartment lease, or applying for a job.
| matttb wrote:
| I had a property management company tell me they wouldn't
| rent to me if my credit wasn't good enough even if I paid
| the entire lease up front
| verall wrote:
| Yes, because you could do more than the value of the
| lease in damage to the property, and then be so insolvent
| that there is no way to recover any of the money from
| you.
|
| I'm not saying I agree with this. Landlords are
| ridiculously abusive, as a renter you will frequently be
| asked to pay a $300+ nonrefundable "application fee"
| before they will show you the lease document. They then
| can put whatever terms they want into the lease,
| understanding that many renters would not be able to
| afford another application fee.
| KSteffensen wrote:
| Why are credit checks part of applying for a job? Isn't
| the employer supposed to pay you?
| frockington1 wrote:
| If you are in mountains of debt you would be more
| vulnerable to embezzlement and bribery. Generally only
| relevant for security and financial industries
| fredophile wrote:
| It may be included as part of a background check. If you
| need to apply for a security clearance then any debt you
| have is relevant to that process.
| [deleted]
| malka wrote:
| > credit checks are often part of the approval process
| for an apartment lease, or applying for a job.
|
| And then, your country tries to shame China for its
| "social score".
| Karunamon wrote:
| There's a pretty broad difference between a system that
| determines "does this person honor their payment
| agreements according to the objective metrics of their
| payment history and credit usage" and a system that
| determines "is this person a 'good citizen' according to
| an opaque set of random metrics, many of which are non-
| financial and defined by the state".
|
| Comparing them directly in this way is not only
| disingenuous, it indirectly handwaves the objectively
| oppressive system China runs.
| Clewza313 wrote:
| Which, contrary to popular perception, is not even a
| monolithic government scheme but a bunch of mostly
| unrelated initiatives, the best known of which is
| Alibaba's Sesame.
|
| https://en.wikipedia.org/wiki/Zhima_Credit
| ryandrake wrote:
| If you want to understand the USA or figure out why
| something here is the way it is, the answer is usually
| "because it lets corporations extract the most money out of
| regular people." Everything, from seemingly odd little
| cultural quirks to enormous institutions like how we do
| health care, systems that were deliberately designed and
| things that emerged organically: everything is the way it
| is because it optimizes wealth transfer from ordinary
| people to corporations. That's usually the most
| straightforward explanation.
| ycuser2 wrote:
| A little bit off-topic: If you want an explanation in
| Germany what things are the way they are, it's often
| because "otherwise the insurance wouldn't pay in worst
| case".
| refurb wrote:
| That's a very cynical view and not accurate.
|
| Having lived in other countries, I actually missed the
| benefits that robust competition drives. Consumers in
| some countries are paying fees that went away 20+ years
| ago in the US.
|
| And as grandparent says, the robust _protections_ offered
| in the US are a huge plus to consumers. In other
| countries they aren't so generous as to forgive fraud and
| the like.
| unityByFreedom wrote:
| Giving loans is a good thing. With them, as the comment
| above yours points out, people finance education, cars,
| and homes that they can afford to pay off later due to
| having a higher salary than before.
|
| _Predatory_ loans are bad and governments do try to
| crack down on those. Going from "it's easy to get credit
| in the US" to "the US lets corporations steal from
| regular people" is a bit much.
| yrro wrote:
| On the other hand, the abundance of credit has driven up
| the prices of education, cars, homes, etc.
| Caprinicus wrote:
| Car prices in America are among the lowest in the
| developed world though. It's difficult to compare
| education as you're getting a wildly different product
| depending on what specific university you go to.
| ntwalker wrote:
| They pretty much have to be. The infrastructure of the US
| is such that if cars cost what they do in Europe then a
| massive section of the population would be entirely
| locked out of the economy unable to hold a job.
| klmadfejno wrote:
| When people need something, prices tend to go up, not
| down.
| gher-shyu3i wrote:
| Giving loans with 0 interest is a good thing, however,
| giving loans with anything above 0% interest ins a
| terrible thing. We've known this for literally thousands
| of years.
| unityByFreedom wrote:
| If you're willing to give me an interest-free loan then I
| will take it and invest it in an index. Generally
| speaking, discounted loans are only available from
| governments or friends for specific purposes like
| education or health when they want to invest in people.
| Even then you still have people taking advantage because
| money is fungible. It's hard to do this in a sustainable
| manner.
| gher-shyu3i wrote:
| The premise is that the economy must not be based on
| loans, it's not sustainable as we are seeing today (not
| to mention it's parasitic). Loans are given out for
| charity purposes. If you want to invest your money, there
| are many moral ways.
| [deleted]
| frockington1 wrote:
| Id rather take a 30 year mortgage out at 4.5% and invest
| it elsewhere as 4.5% is less than my expected return.
| patentatt wrote:
| And mortgage rates are much lower than that now too, <3%
| is quite realistic
| frockington1 wrote:
| I recently heard Denmark has negative mortgage rates for
| natural born citizens. Losing money if you don't take it.
| dmos62 wrote:
| I somewhat agree with what you said, but I think you
| sidestepped the intriguing question of why so many people
| in US seem to use credit.
| leetcrew wrote:
| time value of money and capital gains tax make it less
| efficient to pay cash for large purchases. why _don 't_
| people in the rest of the world use credit?
| xwdv wrote:
| Money now is worth more than money later, why is that a
| hard concept to understand?
| dmos62 wrote:
| For one, I've never felt that way. If I were a business,
| that might be different.
| leetcrew wrote:
| would you be indifferent to whether your employer paid
| you at the end of a pay period versus six months later?
| dmos62 wrote:
| Fair point.
| xwdv wrote:
| That's why you've never felt that way.
| dmos62 wrote:
| I don't know what you mean.
| unityByFreedom wrote:
| I don't think I sidestepped it. People use credit to
| better themselves because they can. Maybe you are asking
| why more capital is available to lend and I think that's
| a good question.
| kilroy123 wrote:
| I wish more people realized this.
| petters wrote:
| It's the same in Sweden. The laws are very beneficial for
| cc holders.
|
| If you buy something with a cc and the company for snow
| reason later does not fulfill it's obligations, the bank is
| liable. If you paid with cash or a debit card, you're on
| your own.
| distances wrote:
| From what I've seen, it's still different in the US. If
| you dispute a payment, in the US the bank apparently
| sides with you most of the time. In Europe bank sides
| with you only if it was a clear case of not receiving the
| service/goods, otherwise it's usually considered a valid
| transaction.
| efdee wrote:
| Not sure why you think that is particular to the USA.
| Credit cards in every country I know work this way.
| rtpg wrote:
| > That is why you can mindlessly give one to wait staff at
| a restaurant who will disappear with it for an extended
| amount of time, while in any other country that would be
| unimaginable
|
| What are you talking about? You do realize that credit
| cards exist everywhere at this point? You think that when
| someone pays by card in other parts of the world they
| maintain constant eye contact with their card, lest the
| person... skim the largely visible number?
| edent wrote:
| Err... yes. That's exactly how they work in the UK - and
| most other countries I've visited.
|
| The waiter comes to your table, presents you with the
| EPOS or tablet. You take it and either tap your card, or
| insert it and type your PIN. Then you hand the terminal
| back to the waiter.
|
| The card never leaves your hand.
| intellirogue wrote:
| Exactly. I can't even imagine how the US system is meant
| to work with something like Apple Pay. I don't carry my
| physical card, there's no need to when it is in my phone.
| [deleted]
| gher-shyu3i wrote:
| This is how the usurious banking system gets you. People
| continue to cry about the wealth gap, yet they don't want to
| fix the problems right under their noses.
| thepasswordis wrote:
| Do you only pay for things like a car or a house using cash?
| Or what about if you are applying for a loan to start a
| business? Is it all just a 100% cash based society?
| ncallaway wrote:
| Financing has existed as a concept _far far far_ longer
| than "credit bureaus" have existed as a concept.
|
| Financing can absolutely exist without a centralized credit
| rating system / data privacy nightmare.
| [deleted]
| Nition wrote:
| The options aren't just cash or credit. Debit cards are
| commonly used: https://en.wikipedia.org/wiki/Debit_card
| valzam wrote:
| My bank in Germany actually has a hybrid system: Any
| charges are on the card, not your account but you have to
| specifically apply for deferred payment. The default
| option is that they settle the credit balance with your
| checking account every month.
|
| Seems like a good system to me. You give people the
| "buffer" between your account and merchants but make it
| very hard for people to go into debt.
| anyfoo wrote:
| No, cars and houses are still common to finance, but those
| are obviously usually much rarer events and of some great
| magnitude. And given the usual lack of much of a "credit
| history", banks rather look at your income, assets, and
| other things.
|
| Business credits exist too of course, but I'd guess that
| the proportion of the population doing that is even less
| (and Germans are already much less likely to buy houses or
| apartments than people in the US).
|
| Of course if you did have a credit somewhere, and you
| defaulted/didn't pay, it's bad, and there is a credit
| bureau tracking that and more ("SchuFa").
| thepasswordis wrote:
| I think there might be some confusion happening here.
|
| Nearly every "basic" transaction (like buying coffee) is
| done with what might appear as a "credit card", but it is
| actually a debit card. Some people use "credit" for these
| daily sorts of purchase, but at least among the people I
| know, this is extremely rare.
| dexterdog wrote:
| You and I don't know the same people. I use a credit card
| for everything and pay it off at the end of the month. I
| know nobody who uses a debit card like that unless their
| credit cards are maxed out.
| devin wrote:
| Same. Debit cards carry a lot of risk that I can offload
| by using a credit card. If someone gets ahold of your
| debit card info, there is very little recourse once the
| money has left your bank. Not so with credit cards. In
| addition, credit cards carry a whole bunch of rewards
| (earning points you can redeem for travel or gift cards,
| cash back, upgraded status with airlines and hotels, no
| foreign transaction fees, and the list goes on) you can't
| get with debit cards.
| viraptor wrote:
| > If someone gets ahold of your debit card info, there is
| very little recourse once the money has left your bank.
|
| This gets repeated, but it's not true everywhere. Some
| banks may not care or maybe it's harder in some
| countries. But for example in the UK I could easily
| revert a few PSk the same day without issues. I'd love to
| read more about where the differences come from, but the
| blanket statement is not 100% correct.
| devin wrote:
| Once upon a time you didn't see co-branded
| Visa/Mastercard/etc. debit cards for local banks. In many
| cases you still don't. If you have access to a co-branded
| debit card you're often afforded many of the same
| protections as credit card users. However, you still miss
| out on other, additional benefits, like building your
| credit and getting access to rewards.
|
| It always depends, so do your own research, but as far as
| I understand, it is still considered decent general
| advice to tell people to prefer credit cards over debit
| cards. They will build credit, earn rewards, have
| excellent consumer protection from fraud, increase the
| distance between their purchases and the cash in their
| bank account, and so on.
| allset_ wrote:
| It's true in the US. If someone manages to steal your
| debit card data and your PIN, all the banks say "well
| your PIN was used, so it must have been you" and you're
| SOL.
| karakot wrote:
| It probably depends, my debit card got skimmed and they
| got $500 from it (max daily cash limit). The bank
| returned my money no question asked.
| devin wrote:
| Yes, the limit is often the difference. Multiply your
| $500 by 10 and I'm curious how a small to mid-size credit
| union treats it. If it's a cobranded card, it's one
| thing. If it's a "Friendly Bank of Central Virginia"
| debit card, you may have less luck.
| craftinator wrote:
| > credit cards carry a whole bunch of rewards
|
| This sentence is the epitome of marketing brainwashing in
| the US. Not trying to single you out, as we all suffer it
| to different degrees here, but this sentence kind of puts
| it in such a nice little box.
|
| What's a reward? What actions warrant such gifts? Why
| don't they just give you money instead of "points"? At
| any point, does the gameification of debt strike any of
| us as one of the most abhorrent MBA ideas in history?
| It's right up there on the list, sitting below indentured
| servitude and for-profit prisons.
| dexterdog wrote:
| My card has always had cash back. I always pay it off so
| I don't care what the interest rate is. If somebody
| steals my debit card I can bounce checks. If somebody
| steals my credit card I might hit my limit, but they'll
| give it all back.
| cyberlurker wrote:
| They mostly do cash back as an option these days. The
| sinister part is we pay more to cover the transaction
| cost. But if you aren't using a credit card to get points
| you're only hurting yourself. (Unless the biz has a cash
| deal)
| tharkun__ wrote:
| Then 'it worked'. That's the whole point of credit cards.
| They're trying to dissociate the buying and the paying
| such that it's easily possible to 'overbuy' and slip into
| the credit card hell of perpetually trying to pay it off.
|
| The closer you are to 'living pay check to pay check' the
| easier it is to get you into this. And I suppose for some
| people it takes multiple larger purchases to get you into
| it. Popular culture, TV shows, Twitter nowadays etc.
| don't help and 'legitimatize' it (everyone's talking
| about it that way, so everyone must be doing it that way,
| so it's OK to do it that way).
|
| You might be good at "paying it off at the end of the
| month". A lot of people easily slip into credit card hell
| that way, because they _can't_ pay it off at the end of
| the month, because they didn't realize how much of their
| credit they should really be using. Credit card says you
| have $2000? Let's spend $2000. At the end of the month I
| only have $1500 left in my account? Oh crap!
|
| Personally I pay it off in sort of regular intervals,
| since it's all right there in my online banking. I've
| never waited for a "credit card bill", even when they
| still sent them to me in actual dead tree form.
| Ayesh wrote:
| It's just being financially responsible.
|
| I use my credit card for the purchase buffer the other
| mentioned, and I've set it to the exact amount is taken
| from my bank account on the due date.
|
| I also track my expenses and categorize it, so I have a
| clear idea what's happening in the budget.
| elyobo wrote:
| I pay it off in full when it's due, and have done almost
| without fail for years. In two cases I stuffed up (paid
| the previous month's bill instead on one, can't recall
| the other), in both cases I hit them up and they ended up
| refunding my interest anyway.
|
| The points for regular spend, the sign up bonuses, and
| the interest savings (the average balance on my card ends
| up saving me interest on my mortgage) put me well ahead.
|
| Credit cards are a solid because many (most?) people use
| them poorly, but it's certainly possible to use them
| wisely.
| throwawayboise wrote:
| Young people with no credit history can get debit cards
| if they open bank accounts. I'm not really sure it helps
| their credit score but it's convenient. The first real
| credit card a young person gets will have a very low
| limit, maybe only a few hundred dollars, so they are not
| all that useful at first other than to start establishing
| a credit history.
| matttb wrote:
| Debit cards do not help credit score. If your score is
| too low or non-existent you often have to get a 'secured'
| credit card which means you have a limit (often it's
| still a low limit which I don't understand), and that
| limit is how much cash you let the company hold for you.
| It doesn't seem any different to me than having a bank
| account + debit card. When you're done using a 'secured'
| card you get your initial money back
| anyfoo wrote:
| That does not match my experience at all, even before
| coming here. Credit cards, as far as I could see, are
| actually credit cards most of the time, and I have been
| explicitly told that I should start "building credit" by
| paying as much with a "real" credit card as possible.
|
| "Credit card bills" also seem to be a regular part of
| everyday conversation here, in sitcoms, on Twitter...
| astura wrote:
| >I have been explicitly told that I should start
| "building credit" by paying as much with a "real" credit
| card as possible.
|
| You've been somewhat misinformed. You build credit by
| obtaining the credit line and just having it available
| for a long time, not by using it "as much as possible."
| Actually purchasing items with your credit card is not
| required.[1]
|
| In fact, "maxing out" your credit cards (when your bill
| closes using 85%+ of your limit) actually can reduce your
| score (but only for the month(s) your cards are "maxed
| out.")
|
| FICO scores aren't a black box, they publish exactly what
| they take into account - https://www.myfico.com/credit-
| education/whats-in-your-credit...
|
| [1] with the caveat that some credit card issuers will
| close dormant accounts after a couple years.
| Nextgrid wrote:
| In the UK, there is no such thing as FICO. The "score"
| the credit bureaus tell you is completely made up and is
| designed to encourage you to check back regularly so you
| can see and "engage" with the "offers" (aka ads/spam)
| next to it. It will vary by a dozen points every month or
| so.
|
| Lenders get a raw copy of your report when you apply for
| credit, which contains things like credit account history
| (max limit, % of limit used, late payments if any, etc)
| and then run their own scoring algorithm on it. Those are
| black boxes.
|
| In the UK, getting a credit card and using it regularly
| seems to be the common advice for building credit, which
| makes sense considering the scoring algorithms themselves
| aren't public (and differ by lender).
| vngzs wrote:
| If I buy coffee, I buy it on a credit card. Every daily
| purchase uses a credit card. Why? I want a buffer between
| me and the purchaser. I don't want them to be able to
| take money from my bank.
|
| https://youtu.be/vsMydMDi3rI?t=2595
|
| Now, if I shop online, I used to put it on a credit card.
| Now I generate a virtual debit card using an online
| service and pay with that. The logic is the same.
| anyfoo wrote:
| That is actually the one thing I grant credit cards to be
| superior in. Back before I moved here, I was traveling
| with friends to the US. We knew credit cards were
| prevalent in the US, so I got a "normal" credit card from
| my bank, and one of my friends got a debit type credit
| card.
|
| We later got some fraudulent charges on it, which got
| resolved for either of us, but for me the money was never
| gone (I had not paid the bill yet), while for my friend
| it took a while to get the money back on their account.
|
| Another fun difference: When during our trip, waiters and
| cashiers would not just take the credit card, but _walk
| away with it_ , we were horrified. In Germany, you never
| give your card away to anyone. You stick it in a terminal
| and type in your PIN.
| setr wrote:
| > That is actually the one thing I grant credit cards to
| be superior in
|
| I mean, it's basically their only purpose in life (if you
| use it for the other purpose to purchase things ahead of
| your paycheck, that you don't have the cash for already,
| you're going to get yourself in trouble -- 20% interest
| _hurts_)
| Semaphor wrote:
| > I mean, it's basically their only purpose in life
|
| Cash back/miles is another one.
| skeletal88 wrote:
| Does not exist in europe, because they come from insane
| fees charged from merchants and the fees are regulated
| here to be lower than in the us.
| maccard wrote:
| Amex offers 1.25% cashback, and they also have rewards
| cards that provide "points" which are redeemable on most
| major airline/hotel rewards programs. In practice Amex is
| almost universally accepted (I make 1-2 transactions a
| month that aren't on my Amex, but almost never a big
| ticket purchase).
|
| For the cases that amex isn't accepted, all the major
| airline groups have a rewards card too (although BA's is
| an Amex), and most of the supermarkets have cashback
| cards in the 0.75-1% range.
| Semaphor wrote:
| Yup. I'm in Germany and I get cash back points on my
| Amex. Same experience that it's very rare not being able
| to use it, I carry a Mastercard for that case.
| throwawayboise wrote:
| Yes, the European/Canadian way to do credit cards at a
| restaurant is nice. The card never leaves your posession.
| I wish that would get adopted here, but restaurants will
| resist having to buy the handheld devices. I like
| restaurants where you get the bill at the table but pay
| at a desk near the front door, avoiding the problem of
| handing your card to the waiter.
| drdec wrote:
| Many "family" restaurants in the in my area of the US
| have tablets at the table which allows you to pay your
| bill when you are ready to leave with a credit/debit card
| with no interaction with the server required.
|
| Family restaurant means a chain like Applebees for those
| unfamiliar with the term.
|
| The tablets are also a revenue-generating device as you
| can play games on them for a fee. They also have surveys
| so you can give feedback on the service, this has become
| somewhat controversial (see
| https://www.eater.com/2018/6/22/17492528/tablets-
| restaurants...).
| wholinator2 wrote:
| Yes, I believe ive seen those terminals at applebees and
| chili's
| astura wrote:
| >Some people use "credit" for these daily sorts of
| purchase, but at least among the people I know, this is
| extremely rare.
|
| Really depends.
|
| If you know mostly college students, and younger, lower
| income people, yeah, most are paying with debit.
|
| If your circle is high income and older, then it's mostly
| credit. Especially people who do frequent business
| travel.
| ticviking wrote:
| The US is abnormally obsessed about credit and
| creditworthiness.
|
| In most nations the debt to income ratio for these things
| is also much stricter than in the USA, since they don't
| expect everyone to have 10k in credit card debt and 50k in
| student loans.
| frockington1 wrote:
| Its amazingly easy to not have those debts, and most
| people I run into do not. The problem is the people who
| do are very vocal about it and it's impossible to inform
| them that they may be spending more than they can afford
| klyrs wrote:
| Consumerism. You wouldn't believe the crap, and the
| volume of the crap, that Americans buy. Saying that
| completely red-handedly.
| BeetleB wrote:
| Last car I bought - the dealer would allow me to put only
| $3500 via a CC. The remaining balance was via cash/money
| order/bank check/whatever.
| JCM9 wrote:
| Many people in the US use credit cards like "charge cards"
| and pay them off each month. I've never carried a balance on
| a CC but still use them for nearly all purchases. If
| something goes wrong a CC give the consumer a lot more
| leverage than say a debit card. I once had a bad experience
| with a merchant where they overcharged me and refused to fix
| it. One phone call to the credit card company had their
| payment revoked and that was the end of it. Now they have to
| deal with the CC company on why they are treating CC
| company's consumers poorly vs me random consumer that's not
| happy with them.
|
| I get that the flip side is the above can suck for businesses
| if consumers file bogus complaints but as a consumer I'm
| going to take advantage of every tool at my disposal. If I
| had paid with a debit card it would have been a big mess to
| fix.
| zacharycohn wrote:
| You don't have to pay immediately to avoid interest. They
| aggregate all your bills within a given 30-day billing
| period, then you have 30 days from _that_ date to pay.
| Interest only begins to get accrued after that last deadline.
|
| If you wanted to, you could have the credit card companies
| float you a purchase for almost 60 days without interest if
| you timed your charge and the payment right.
| anyfoo wrote:
| Thanks, I understand that. Paying "immediately" was partly
| hyperbole, partly that I wouldn't forget about it when I
| started out. I've gotten accustomed to it now.
| dataflow wrote:
| Btw, for people who aren't living paycheck-to-paycheck,
| the interest accrual isn't the real issue to worry about.
| Imagine: if you spend $300 in a month, and miss your
| payment by a whole month once in a while, even at a crazy
| 20% APR, you'll have to pay $5. Unless you only have a
| few dollars to your name, it's probably not going to
| suddenly break you.
|
| The real issue, I think, is the impact on your credit
| history for _missing a payment entirely_ , i.e. not
| paying the minimum amount due. Even if it's $1, you need
| to pay all of it. That's the real penalty to worry about.
| conductr wrote:
| The not paycheck to paycheck people I know, myself
| included, charge everything they can and put the credit
| card on auto pay for full balance. So in my case at
| least, your $300 is more like $10,000 monthly. I'd be
| pretty mad if something happened and I owed $100+ of
| interest but like you said, not as mad as having the late
| payment show up on my credit history
|
| Should mention I make ~$300 a month in cash back by doing
| this and that's my main motivation. I actually hate the
| idea of cash back as I realize it just adds cost to the
| system but I'm just one dude and the world has spoken on
| the matter so I may as well get what I can out of it.
| bena wrote:
| It's kind of messed up because it's like a permanent
| discount at every store you shop at because you have
| enough money to not be paycheck to paycheck.
|
| It costs more to be poor.
| CaptainZapp wrote:
| > It costs more to be poor.
|
| That's definitely true. Time to reintroduce Scalzi's take
| on the subject:
|
| https://whatever.scalzi.com/2005/09/03/being-poor/
| cyberlurker wrote:
| I think about this all the time with so many things in
| life. Same with employer tax incentives, like a free
| metro pass/tax deductible contributions towards
| commuting. I'm actually paying less to take the subway
| than someone making minimum wage. It doesn't seem right.
|
| I take full advantage of all the credit card benefits
| though, as I think everyone should if they can.
| conductr wrote:
| It's absolutely true. In many ways. Although in this
| case, a poor person could reap the same benefits. The
| only requirement would be good credit and
| payments/financial discipline. I know those things are
| generally inversely correlated but just wanted to point
| out you don't have to be wealthy to get a cash back
| credit card.
| Macha wrote:
| See also the Sam Vimes boots theory of socioeconomic
| unfairness (from Men at Arms, 1993):
|
| > The reason that the rich were so rich, Vimes reasoned,
| was because they managed to spend less money.
|
| > Take boots, for example. He earned thirty-eight dollars
| a month plus allowances. A really good pair of leather
| boots cost fifty dollars. But an affordable pair of
| boots, which were sort of OK for a season or two and then
| leaked like hell when the cardboard gave out, cost about
| ten dollars. Those were the kind of boots Vimes always
| bought, and wore until the soles were so thin that he
| could tell where he was in Ankh-Morpork on a foggy night
| by the feel of the cobbles.
|
| > But the thing was that good boots lasted for years and
| years. A man who could afford fifty dollars had a pair of
| boots that'd still be keeping his feet dry in ten years'
| time, while the poor man who could only afford cheap
| boots would have spent a hundred dollars on boots in the
| same time and would still have wet feet.
| fshbbdssbbgdd wrote:
| This is true, it's a good system for engineers and travel
| hackers but bad for the common person. The credit card
| processors are raking in fees, though. It also provides
| lots of opportunities for what is essentially legal low-
| level embezzlement for anyone who can expense things to
| their employer (especially folks who travel on their
| dime). Way too comfortable a system for anyone to change
| it.
| conductr wrote:
| Speaking of that. I like to look for loopholes /
| arbitrage opportunities within.
|
| Once upon a time, when cash back ran benefits were in the
| 6% range. I bought prepaid visas from a retail store. And
| ran them through some merchant account. About $50K went
| in a circle every day and I kept the spread of almost 4%
| if I recall. I had to pull some other accounting tricks
| to make sure it did not accrue tax liability in the
| process but it was actually fairly impressive once I hit
| a certain volume I knew I tripped the alarm with the
| credit card issuer. They changed their entire card
| benefits in a way that was obviously related to blocking
| the activity I was doing.
| lozaning wrote:
| The best manufactured spend used to just be buying money
| at face value and with free shipping from the US Mint.
| Too bad the mint got wise to that and now there's a
| premium + shipping.
| [deleted]
| zacharycohn wrote:
| I have met many people who actually don't understand it
| and think interest starts accruing the moment you swipe!
| Important to be accurate.
| garyrob wrote:
| " Freezes don't appear to work - they usually say that I don't
| have an active freeze whenever I go to lift one. Or their
| website is down entirely. Or they won't let me get to the
| freeze section without clicking no on their paid monitoring
| services 8 times. " It might be worth mentioning that I've had
| to temporarily lift freezes from all 3 bureaus a number of
| times and nothing like this has ever happened to me. I've never
| had any trouble or needed to pay anything.
| drunner wrote:
| Equifax drives me insane. I can't manage my own freeze with
| them because they can't validate who I am over the phone (none
| of other bureaus had a problem).
|
| Instead, I have spent 6+ hours on the phone with them over the
| last 3 months. I have faxed the requested information 3 times
| and mailed it once and nothing has been resolved. I've given
| up. I recently had to have my credit checked for home purchase
| and I simply told the lenders that I would not be working with
| them if they could not use Experian or Transunion to verify my
| credit.
|
| The most insanely infuriating thing about all of is was that
| when Equifax got hacked, I immediately froze my wife's and my
| own credit with Equifax. At the time, they required you to
| create a unique 16 digit key to manage your freeze. They have
| apparently done away with that, so even though I own the key
| and can give it to them, it means nothing to them. My wifes
| account has no issues.
|
| My account will be frozen for life at Equifax, I don't care to
| waste any more time with them and I the credit system in the US
| with a passion.
| PascLeRasc wrote:
| I have the same issue, PINs are never recognized. They can't
| find me when I call in either. I've been able to unfreeze
| from the iOS app, but that's only because it asks for
| basically zero information to do so.
| judge2020 wrote:
| This all stems from the right to privacy and right to control
| your data, and the overall lack thereof in the United States.
| All that the credit beuraus do is collect information from
| various sources about people.
| ikiris wrote:
| You aren't the customer, you're the product.
| thepasswordis wrote:
| You could accomplish this by just never applying for credit of
| any kind, couldn't you? In this way, these agencies might have
| a file about somebody with your name, but it won't really be
| relevant to you in any way.
| athms wrote:
| Any query with an SSN/ITIN that doesn't exist will create a
| report for that number. Different names using the same
| SSN/ITIN are listed as aliases.
|
| Credit reports are queried for many reasons, not only loans.
| AlotOfReading wrote:
| Even if you never open a line of credit in your life, the
| contents of that record will still affect your ability to
| rent apartments, get jobs, and even have utilities in your
| name.
| teeray wrote:
| Also the lack of records will also impact those things
| cheriot wrote:
| Until someone else applies for credit with your identity.
| anyfoo wrote:
| Please tell me that's not actually possible?
| iczero wrote:
| Identity theft!
| artificial wrote:
| Bank fraud. :)
| magicalhippo wrote:
| Obligatory https://www.youtube.com/watch?v=CS9ptA3Ya9E
| ropans808 wrote:
| That's kind of what identity theft is, and it is
| distressingly possible.
| judge2020 wrote:
| Assuming someone knows your name, address, and SSN
| (something which isn't meant to be secret - the SSA even
| printed 'not for identification' on the cards for a
| while), they can apply for credit cards in your name as
| they often require no other form of identification. The
| U.S. doesn't have a national login system for identity
| verification or anything so there's not much that could
| be done here from the security aspect besides creating a
| federal credit beurau or a federal ID system (or if
| login.gov allowed third-party companies to use it).
| mint2 wrote:
| It is possible and it happens. This what ppl mean when
| they talk about identity theft.
| cortesoft wrote:
| But if you never use credit, having your credit hurt by
| this wouldn't matter.
| athms wrote:
| Anytime you open an account at a financial institution
| for a savings, checking, or retirement account, they will
| get a credit report. Employers are increasingly requiring
| a credit report before handing out job offers. Every
| landlord is going to require a certain credit score
| before accepting your application.
|
| You don't need worry about your credit if you use cash
| and store it in a coffee tin, couch surf, and work under
| the table.
| colonelpopcorn wrote:
| In lieu of an actual identity system, credit reporting is
| probably a necessary evil. Or at least an evil inevitability.
| willhinsa wrote:
| That is one way to be able to solve the problem, but the most
| direct way to solve the problem of credit scams is to put the
| onus on the bank who opened up the account incorrectly to
| assume responsibility for the debt, not on the person whose
| details were spoofed to create the account.
|
| This is quite humorously illustrated by a "That Mitchell and
| Webb Sound" skit: https://www.youtube.com/watch?v=CS9ptA3Ya9E
| npsimons wrote:
| > but the most direct way to solve the problem of credit
| scams is to put the onus on the bank who opened up the
| account incorrectly to assume responsibility for the debt,
| not on the person whose details were spoofed to create the
| account.
|
| This. "Identity theft" shouldn't be a term. There's already a
| term for what's happening, it's called fraud, and it's
| perpetrated on the banks without involving the person whose
| identity was "stolen." Consumers shouldn't have to deal with
| the fallout from banks' fuckups, especially given the
| resources banks have available to avoid said fuckups.
| paxys wrote:
| Completely agree with this. Credit freezes don't work because
| credit reporting agencies have never been in the business of
| identity verification or protection. Whoever grants the line
| of credit should be doing the due diligence on whether the
| right person is in front of them or not, but they would
| rather pad their numbers and shift blame to someone else.
| closeparen wrote:
| Reputation is a pretty fundamental component of existence in a
| human civilization. The specific implementation leaves a lot to
| be desired, but the underlying structure - people will talk
| behind your back about your behavior when deciding how much to
| trust you - is not going anywhere.
| AdamHede wrote:
| I am a part of a small but passionate group in Denmark, who
| advocates for giving everyone an account in the national bank
| at birth.
|
| This account would be able to attach a featureless debit card
| (using our national standard payment system "DanKort"), and
| have the same interest rate as the national Bank (so for now,
| slightly negative).
|
| Employees of the national bank is already able to get accounts
| like this. So there is precedence.
|
| This is obviously not a particular attractive not sophisticated
| "product", but it is awfully hard to hurt yourself with, and
| will have all the functionality that allows you to function in
| a modern society.
|
| Make banking a choice, and force the banks to make sufficiently
| attractive products to convince me to participate willingly.
| mijamo wrote:
| The ECB is working on something like that actually.
| runeks wrote:
| > Make banking a choice [...]
|
| How does "giving everyone an account in the national bank at
| birth" correspond to making a choice? How about, instead, you
| give people the option to open an account with the national
| bank? That sounds more like a choice.
| alephu5 wrote:
| DiEM25 advocate for this and it's a great idea. I hope it
| happens in Denmark and that the rest of the world follows
| suit.
| sdoering wrote:
| No I know were the idea in Yannis Varoufakis' new books
| "Another Now" originated. Or were he proposed it as he is
| part of DiEM25.
|
| Actually quite some interesting thoughts within this book.
| tobiasSoftware wrote:
| What really upset me was when my wife immigrated, she did so
| just before Trump passed some new immigration laws. Those laws
| would have required her to submit her credit scores as part of
| the paperwork for immigration. The idea that in order to
| immigrate you have to tell the government information from
| three private companies is just insane in my opinion. This last
| week has solidified this opinion as a year and a half later she
| still can't get info from them, I can't imagine what they would
| say just after moving here.
| dylan604 wrote:
| To me, the title is overly wordy: "Experian is still a joke"
| dredmorbius wrote:
| The punch line is the public, unfortunately.
| jfrunyon wrote:
| > A security freeze essentially blocks any potential creditors
| from being able to view your credit file, unless you
| affirmatively unfreeze or thaw your file beforehand.
|
| I feel pretty sure they can probably pinky-promise that they
| really are inquiring about the right person and still do at least
| a soft inquiry.
| willhinsa wrote:
| Credit scams and identity theft are a problem for us because
| right now the banks don't have to pay any cost of those mistakes.
| The most direct way to solve the problem of credit scams and
| identity theft is to put the onus on the bank who opened up the
| account incorrectly to assume responsibility for the debt, not on
| the person whose account details were spoofed to create the
| account.
|
| This is quite humorously illustrated by a "That Mitchell and Webb
| Sound" skit: https://www.youtube.com/watch?v=CS9ptA3Ya9E
| TrackerFF wrote:
| Here in Norway, we have this system called BankID - it's a
| signing system where you can sign documents, and it tends to
| work great. These days, you can pretty much sign _any_
| documents, no mater how important, via the BankID
| authentication system. It's obviously also 2FA.
|
| But still, it does manage to get abused. Unfaithful relatives /
| spouses / colleagues / etc. can manage to get hold of your
| password and device, take out loans or buy stuff, and you're
| 100% in the jam for it. We get cases from time to time where
| people are basically held accountable for hundreds of thousands
| in credit/consumer debt, because someone used their signatures
| to take out those loans. And probably 99 / 100 times, they lose
| in court, against the banks.
|
| The banks will argue that if they were held responsible for
| such actions, the modern fast-tracked system would halt to a
| grind. It'd be like in the old days where you needed to show up
| in person, with all your financials, and carefully go through
| everything just to get a small-ish loan.
| allset_ wrote:
| Seems like the ideal use case for a hardware-backed token to
| be issued to each citizen to hold a private key and use MFA
| (PIN) to unlock that.
| Ekaros wrote:
| The auth systems in nordics are step down from that, but it
| still doesn't help if that is stolen or your spouse steals
| it, takes look at pin and so on. It is really hard to fight
| against this sort of access.
| second--shift wrote:
| Hello, a friendly correction if I may. In English 'grind' and
| 'halt' can function as both nouns and verbs - the common
| colloquialism is 'grind to a halt' where grind is the verb
| and halt is the end state.
|
| In response to your comment, I think that the Norwegian
| system is inferior in the respect of the end-consumer having
| the final responsibility. I think that if the bank had final
| responsibility for any credit fraud, the fast-tracked system
| would hiccup perhaps, but not grind to a halt. Fintech is
| evolving rapidly and a new innovation could satisfy both fast
| banking and keep incentives correctly aligned between banks
| <-> consumers.
| Buttons840 wrote:
| It's important to realize that the credit monitoring services you
| can buy are provided by the credit companies.
|
| The same company, which may at times make false claims about you,
| is in possession of a service / technology they claim can detect
| those false claims.
|
| Why is it not libel when these companies make false claims about
| me? Especially when they advertise that they have the ability to
| detect such false claims? "Pay us and we will not make false
| claims about you" they say. "Pay us and we'll double check with
| you before making claims we believe to be suspicious about you."
| economusty wrote:
| They don't make the claims, they provide a database where
| others can record claims. The difference is important.
| temporallobe wrote:
| This is like how those horrible antivirus programs for Windows
| would constantly warn you that you might have viruses and nag
| you to subscribe to and pay for their services or your system
| could be at _serious_ risk. I always thought these companies
| made at least some of the viruses themselves in an effort to
| self-perpetuate.
| olliej wrote:
| I would call it extortion: pay for our service or we'll screw
| up your life
| fedorareis wrote:
| Disclaimer, I work at TransUnion but the following is based on
| my experience as a consumer.
|
| Since I'm seeing a lot of confusion about how credit reporting
| is done and how credit monitoring services work let me break it
| down a bit. Let's say you are getting a new credit card with
| Chase Bank. When you apply for that credit card Chase does a
| hard inquiry on your credit report to decide if you are
| elligible for that card and what credit limit they are going to
| give you. If they then issue you a card they then report to the
| credit bureaus that you opened a new line of credit with them
| and the limit on that line of credit.
|
| If you have credit monitoring you would get 2 notifications.
| You would get a notification that a hard inquiry was made on
| your credit report and a second saying a new line of credit was
| issued to you. The point of credit monitoring isn't for the
| bureau to catch mistakes but for you to be aware of activity
| that could negatively impact your credit score. The bureau has
| no way of knowing if something was legitimate or not since they
| only have the information that was reported to them. Credit
| monitoring does however let you know something major happened
| to your credit which means you now have the ability to respond
| to that knowledge.
|
| There are 2 important things to remember, all 3 credit bureaus
| are legally required to give you 1 free credit report per year
| at your request. You can get it online from
| https://www.annualcreditreport.com/index.action or the FTC has
| instructions https://www.consumer.ftc.gov/articles/0155-free-
| credit-repor... if you want to request it by mail. I have heard
| a lot of people suggest that consumers should space out
| requesting the 3 free credit reports so they get one about
| every 4 months and use that as a form of credit monitoring. It
| isn't completely fullproof since lenders aren't required to
| report to all bureaus so something could show up on only 1
| report and not the other 2. The second important thing to know
| is that bureaus are legally required to allow consumers to
| dispute items on their credit report. The FTC has a sample
| dispute letter you can use to file a dispute, but some if not
| all of the bureaus have ways to file disputes online. As
| someone else in this thread mentioned these disputes generally
| require some sort of evidence that the reported item is
| incorrect.
|
| So say I get a credit monitoring alert that says my address has
| changed because some creditor reported my information
| incorrectly. Regardless of any other steps I should get that
| resolved with the creditor because it will probably keep
| causing issues. But I could then file a dispute with the credit
| bureau(s) saying that the address is incorrect which would
| probably require a bill or something to prove my current
| address (similar to how some state DMVs prove you are a
| resident).
| toomuchtodo wrote:
| The answer is, of course, regulation. To fix this will require
| more regulation. Contact your Congressional representatives.
| [1] The CFPB can enforce upgraded financial services policy in
| this regard once the legislation is enacted. Complaining to
| them today about this specific security failing is also likely
| helpful [2].
|
| Freezes and thaws are free. Your credit report, and any scoring
| mechanisms (FICO), should be available to consumers at any time
| free of charge. Credit monitoring products should be outlawed.
| Failures to safeguard citizen data (Equifax) or to promptly
| remove inaccurate data should incur steep financial penalties.
|
| [1] https://www.govtrack.us/congress/members ("Use GovTrack to
| find out who represents you in Congress, what bills they have
| sponsored, and how they voted.")
|
| [2] https://www.consumerfinance.gov/complaint/
| mdm12 wrote:
| Speaking of regulation, Biden apparently expressed interest
| in a federal credit bureau under the CFPB
| https://finance.yahoo.com/news/biden-wants-shut-down-
| credit-...
| toomuchtodo wrote:
| Cautiously optimistic. Having had to advocate for folks who
| were flagged by CAIVRS [1] (from an FHA mortgage
| foreclosure), I would support such a mechanism if it had
| robust transparency around its operation and exception
| handling mechanisms for those caught at the edges of the
| gears (which CAIRVRS, an existing federal credit and debt
| default data system, does not).
|
| Any solution must suck less than current government and
| private credit reporting agency systems.
|
| [1] https://www.hud.gov/program_offices/housing/sfh/caivrs
| ("The Credit Alert Verification Reporting System (CAIVRS)
| is a Federal interagency database that contains the
| following: Delinquent debt information from the Departments
| of Housing and Urban Development, Agriculture, Education,
| and Veterans Affairs and the Small Business
| Administration.")
|
| Sidenote: The above systems is ripe for overhaul by the US
| Digital Service. It is a pathetically old mainframe system
| with limited operational hours (and takes federal holidays
| off), when it could be a PostgreSQL database (or similar
| relational db) with an API.
| chrischen wrote:
| While I'm neither opposed nor in favor, a federal credit
| system is very similar in concept to China's social credit
| system.
| YeBanKo wrote:
| I have complained multiple times, their seemed to be
| listening, but it does not seem like the "urgency" reached
| the boiling point.
|
| Furthermore, adding more regulations and more requirement
| fixes issue short term, but does not address it long term.
| Even if regulations you suggested are enacted, I am afraid
| that it won't take long until they are misused, abused and
| misinterpret again.
|
| Rather than adding more requirements or stipulating more
| penalties and burdening regulators with defining right
| security protocols and mechanisms, it should be reworked into
| something that allows more competition and more control and
| forces bad actors fail fast and be replaced. Also it should
| be actionable at the consumer level.
|
| My ideas are: 1. CRA must explicitly get permission from a
| person to keep their financial history. 2. Consumer has a
| right to "be forgotten by an agency" and the agency must
| abide within, lets say, 30-60 days. Also a said agency is
| required to send the customer or another agency of consumer
| choosing an authenticated copy of existing credit history.
| Similar to phone number porting. 3. Collateral. CRA must
| maintain a collateral fund to be used to pay penalties to
| consumer in case their information gets stolen. The size of
| the fund is a function of number of consumers the agency is
| keeping history for.
|
| It does make it harder for new players to enter the market,
| but on the other hand: - they have something to risk -
| security evolves, and consumer pressures would make CRA
| evolve their system as well. If a CRA uses md5 to hash
| password, get hacked, first, they will loose money in their
| collateral fund, second, consumers will leave them and they
| essentially be out of business.
| tialaramex wrote:
| The reason these consumer credit monitoring services came
| into existence is interesting and, I assume, public
| knowledge, but I only learned about it when I worked for
| them.
|
| Once upon a time governments in places with credit reference
| agencies (so particularly the UK and US for this story)
| noticed that this is a lot of power with not very much
| responsibility and they ought to fix that. So what they said
| was, you must let people see this data you know about them,
| for a small statutory fee. No option, that's what you have to
| do now if you want to stay in business.
|
| This actually _terrified_ the CRAs, because they imagined
| everybody is going to send off their fee, and it costs _more_
| for this enormous unwieldy corporation to respond than they
| 're allowed to charge, so if everybody does this the company
| goes bankrupt.
|
| But internally at Experian somebody says - Aha! The law
| doesn't require us to explain what the credit data means. So
| if you pay your fee you will get stuff that's incomprehsible
| to lay people not because we're deliberately obfuscating it,
| but because to _us_ maybe "day 60 late ratio" has an obvious
| and very specific meaning but to a consumer it's noise.
| Obviously an expert could write a book about how to decode
| the statutory report, but we can instead offer a product that
| costs _more_ than this fee but includes friendly explanations
| and translation. If we set the pricing right on this product,
| we make a profit while also warding off the statutory reports
| we dread.
|
| And that project actually worked. As of ten years ago lots of
| people worried about their credit would cheerfully _pay_ a
| CRA money to find out what the problem was. The division
| doing that grew enormously within Experian and other CRAs
| copied this idea.
|
| In fact popular culture made things that didn't exist in one
| country (e.g. the numeric FICO score from the US) part of
| what consumers expected to learn in other countries, and so
| Experian UK actually has (or had when I worked for them)
| people who make up the formula for an arbitrary score number,
| even though creditors in the UK don't use this - so it's as
| meaningless as your Hacker News "karma" score.
|
| Then somebody had another bright idea, what if we give this
| product which apparently people value, away for free, and
| then for a fee attach it to credit _offers_ like new credit
| cards? We funnel card companies the exact customer profile
| they were looking for, they save acquisition costs, the
| customer gets the new credit they wanted, everybody is happy
| and we 're richer. So that's what happens today.
| g051051 wrote:
| Equifax was doing this back in 2000 (including "Sentinel
| Credit Monitoring): https://web.archive.org/web/20000301171
| 229/http://www.econsu...
|
| Checked your credit lately?
|
| IMMEDIATELY view the information contained in your file
|
| Get it straight from the source
|
| View information that is already available to lenders,
| insurance companies and prospective employers.
|
| Secure on-line access for 30 days
|
| Easy to read, "navigable" format
|
| Only $8.00!!
| mulmen wrote:
| IANAL so maybe this is hyperbolic but it smells like extortion
| to me.
| vkou wrote:
| It's not extortion, because the credit agencies don't want
| anything from you.
|
| If you could fix a bad credit score by wiring Experian $50,
| _that_ would be extortion.
| zeusk wrote:
| which is essentially what's happening here?
|
| Something they know is potentially dubious is negatively
| affecting your score but you need to subscribe to their
| service to have it actively reviewed.
| vkou wrote:
| You can get a credit report for free from them, and they
| don't charge you anything to contest an incorrect claim
| against you.
|
| This is a cost center for them, not a profit center.
| Their core business would be compromised if you could
| just bribe them to fix your credit score.
| mulmen wrote:
| Ok but can't you do exactly that? And how is it different
| if by paying for "credit monitoring" they make fewer
| "mistakes"?
|
| Isn't that just a protection racket?
|
| "Nice credit score, it would be a shame if something
| happened to it."
| artificialLimbs wrote:
| You can actually just file disputes and they will often
| drop the negative items. This doesn't cost anything. So I
| heard ~
| mulmen wrote:
| Ok but why do I have to do that at all? And again, if I
| pay them then I can have my time back? Still feels wrong.
| tialaramex wrote:
| No. You can give the CRA money, and they will take it,
| gladly, but this doesn't change the credit data they hold
| about you, which says (for example) that you skipped out
| on all the utility bills at a place you owned 18 months
| ago.
|
| I've sat in on calls from consumers to a CRA when I
| worked there. The typical thrust of the call is that the
| caller believes they are a good person and so the records
| of them doing stuff creditors won't approve of should be
| purged, the CS agent explains that they can purge
| anything _if_ the consumer sends them proof it is wrong,
| for example if the record says somebody went to County
| Court and secured a judgement against them for PS800 then
| a letter from the court saying "Whoops, our bad, we
| wrote Michael Smith, 43 from Leicester in this judgement
| but we meant somebody else entirely" will get that erased
| from their record. But just calling and moaning about how
| you really wanted to buy a new car but your credit is bad
| doesn't change anything.
|
| I didn't see any sign there was a way to short cut any of
| this by paying for credit reports. I guess if you don't
| _remember_ all the times you didn 't pay your bills then
| a web site that lists them is handy? But that seems like
| that's on you.
|
| I actually had reports from all the big CRAs in my
| country, and the best ones (with the most comprehensive
| coverage, so, Experian, who also happened to be my
| employer at the time) basically just say this guy seems
| to pay for some basic utillities and he pays on time. And
| that's it. The worst ones are like "This guy exists, and
| we don't have good data so _shrug_ ".
|
| The best way to begin "fixing" your credit? Which all of
| these companies will recommend, but it's no big secret at
| all? Register to vote.
|
| Creditors prefer to lend to people who actually exist.
| Governments don't want people who don't exist voting. So
| register to vote and immediately confidence that you're
| actually a real person, with a postal address, shoots up.
|
| The next step is easy for me but apparently lots of
| people find it almost impossible. Pay bills! Got a phone?
| Agree to pay the phone company to use the phone and
| then... actually pay them for it. Again, your credit
| worthiness shoots up because creditors want to get paid,
| and showing you have some idea how to actually do that
| part is a good sign.
|
| Now, if you're trying to persuade somebody to lend you
| Ferrari 488 money on a Fiat Uno income, those two basic
| tips won't get you there. You're going to need to learn
| how to manage exactly the right levels of debt, what's
| recorded and what isn't, lots of tricks. But I assure you
| that you aren't going to learn that stuff by paying a
| CRA, because it's like learning how to clip out of bounds
| in a video game, the designers of the game don't even
| understand it well.
| jfrunyon wrote:
| The problem is that the credit bureaus can and regularly
| do make mistakes, or the creditors reporting data to them
| do, and when $shady_business says someone owes him
| thousands of dollars despite said debt not existing, or
| when someone steals your identity because the credit
| bureau has laughable security, the burden of proof is on
| the accused.
| mulmen wrote:
| I only skimmed this comment but it doesn't seem to do
| anything to address the fact that CRAs do make mistakes
| on credit scores and if you pay for "credit monitoring"
| they will catch those mistakes.
| tialaramex wrote:
| > if you pay for "credit monitoring" they will catch
| those mistakes.
|
| If you suppose that paying for credit monitoring will
| _cause_ them to catch mistakes somehow, you 'd need to
| show that.
|
| If your assumption is that the CRAs don't care about
| mistakes unless you're paying them you need to think
| again, the value the CRAs had before any of this existed
| was that they could give a lender valuable intelligence
| about whether you might pay them. Lenders pay them for
| that, if the intelligence is often bogus the lender is
| wasting their money.
| mulmen wrote:
| > If you suppose that paying for credit monitoring will
| cause them to catch mistakes somehow, you'd need to show
| that.
|
| Is that not the value proposition of credit monitoring?
| tialaramex wrote:
| No. The proposition is, we'll show you the data we have.
|
| Which is the exact same as what the law already requires
| (if you ask, free once per year in the US I believe) them
| to do, but of course the law doesn't require a snazzy web
| site with animated dials and explanatory videos.
|
| If you're the sort of person who found it easier to get a
| few hours of exercise every week once they had a device
| telling them "You've only done 14 minutes of exercise
| today. That's not on track", then a credit monitoring
| service might be just the thing you need to actually pay
| off those cards on time and get your credit back into
| shape. But if you didn't buy that Fitbit, but did the
| same exercises, you'd get just as fit - and if you didn't
| buy credit monitoring but looked after your credit you'd
| find it easier to qualify for more credit.
|
| So, having the monitoring might cause _you_ to catch
| mistakes somebody made, and if you do you can inform them
| of the problem and they 'll fix it (if you have
| documentary evidence) but it doesn't really change their
| actions compared to people who don't buy monitoring.
|
| If you're thinking, wait, then why do they give you free
| credit monitoring when a big company loses your data? The
| answer is, because CRAs had existing sales people in
| those big companies, and when the big companies wanted to
| buy something to give peace of mind to people whose data
| they'd lost, "free credit monitoring" was on offer.
| Selling them something that actually helps is trickier,
| and what does it really mean exactly to actually help
| anyway?
|
| I worked on a product like that, but it wasn't an easy
| sell. And for most users it seems _exactly_ like it doesn
| 't do anything. Like owning a Carbon Monoxide alarm. It
| seems to be working, but it doesn't actually go off,
| because you don't actually have a Carbon Monoxide leak,
| so... It's unclear what the online equivalent of the
| reassuring "I have power and am working" LED is, let
| alone the "Push to test" button. But outfits like
| Experian are aware that some kind of actual "Do bad guys
| actually have my stolen data and if so what do they
| have?" service is a better fit for those "data loss =>
| free credit report" scenarios which is why they acquired
| the company I worked for when we were doing this.
| [deleted]
| johnmaguire wrote:
| I think racketeering might be closer? From Wikipedia:
|
| > Originally and often still specifically, racketeering
| refers to an organized criminal act in which the perpetrators
| fraudulently offer a service that will not be put into
| effect, offer a service to solve a nonexistent problem, or
| offer a service that solves a problem that would not exist
| without the racket.
| EGreg wrote:
| Funny, I just called to put a Fraud Alert on my credit report. I
| encourage everyone to do it - so this way reputable lenders are
| supposed to call you when they're trying to open an account in
| your name. An attacker would have to port your SIM card as
| well...
|
| However, all the information I was providing to set the alert, or
| remove it, is the exact information that any lender would receive
| on their application. The system if so horribly broken security-
| wise, I am shocked there aren't more accounts being opened left
| and right by people who got them from applications emailed to
| thousands of lenders over the years.
| sfink wrote:
| Note that a Fraud Alert expires after a year, so you need to
| keep renewing it.
| YeBanKo wrote:
| > I encourage everyone to do it - so this way reputable lenders
| are supposed to call you when they're trying to open an account
| in your name.
|
| Reputable lender is something like an honest car salesman.
| Often consumers deal with middlemen and brokers that aren't
| bearing the cost of fraudulent transaction.
|
| Isn't it what partially what caused financial crisis of 2008?
| Loans were given to people with no income and one, two or even
| three existing mortgages. Everyone's incentive was to earn the
| commission and sell it further misrepresenting low grade bonds
| as high grade.
| EGreg wrote:
| Well, I think the fair consumer reporting act (FCRA)
| criminalizes the act of opening an account in someone else's
| name without their permission and having done absolutely no
| due diligence. Maybe it's not criminal but you wouldn't be
| able to actually get them to pay the debt later.
|
| Am I wrong?
| YeBanKo wrote:
| I am not sure what penalties are for such negligence, but
| in any case such fraud happens and a burden to correct or
| monitor is on the consumer.
| RcouF1uZ4gsC wrote:
| > and were surprised to find that just one of the five multiple-
| guess questions they were asked after entering their address,
| Social Security Number and date of birth had anything to do with
| information only the credit bureau might know.
|
| And a lot more than the credit bureau know those two pieces of
| information.
|
| Honestly, the US really needs a government run public key ID
| service. The government in providing passports and drivers'
| licenses is already doing identity verification. If along with
| your passport they would allow you to register a public key that
| people could use to verify your identity, it would be a huge
| help.
| dylan604 wrote:
| Passports are federal while driver licenses are issued through
| the state. If you're suggesting that the public key be linked
| to a passport, then I'm guessing quite a few states will oppose
| that on "state's rights" standing.
| dataflow wrote:
| How about having the states run ID services?
| dylan604 wrote:
| They already do this. Most common is the drivers license.
| If you don't need to drive, there is still a state ID that
| can be issued.
| dataflow wrote:
| I meant a digital ID. For verifying with these services.
| mikestew wrote:
| No, it will be opposed because of an American aversion to a
| national ID. I would argue that a passport is the same thing,
| but a passport is optional in the U. S.
| 0xbadcafebee wrote:
| The REAL ID is a mix of both state and federal. It is
| "optional", except that they won't let you fly or enter a
| government building without one.
| https://en.wikipedia.org/wiki/Real_ID_Act
|
| _" Starting October 1, 2021 (originally scheduled for
| October 1, 2020 but was postponed a year due to a global
| coronavirus pandemic[6]), every air traveler will need a
| REAL ID-compliant license or another acceptable form of
| identification (such as a U.S. passport, U.S. passport
| card, U.S. military card, or DHS trusted traveler card,
| e.g. Global Entry, NEXUS, SENTRI, FAST) for domestic air
| travel."_
|
| Apparently the government is gravely concerned that
| terrorists might fly from Boise to Twin Falls, so we need
| to make them generate at least 3 to 4 forged documents, to
| force them to get the _super duper secure_ drivers license.
| dylan604 wrote:
| So why does it need to be federal? Make it a responsibilty
| of the states. Either way, it will be mismanaged, so might
| as well make it as complicated as possible by having 50+
| mismanaged things.
| mikestew wrote:
| _Make it a responsibilty of the states._
|
| I'd go find links on RealID, and the resistance to that,
| but it should be an easy query away. RealID made it the
| responsibility of the states, and people still didn't
| want it. As I understand it, mainly because it was just a
| proxy for a federal ID.
| esrauch wrote:
| NY wouldn't give me a RealId since I don't have a
| physical SS card even though I have a passport and birth
| certificate. So it seems like the system is kind of
| broken.
| scott00 wrote:
| The government PKI actually almost exists already.
|
| Passports have an rfid chip inside them that does something
| like receive a challenge and respond with a signature over a
| hash of the passports biographical data combined with the
| challenge, along with the public key corresponding to the
| signing key, and a certificate signed by a government key to
| confirm the signing key is legit.
|
| The government public keys are published, so anybody can verify
| that someone who claims to have possession of a particular
| passport really does. The weak point is that as far as I can
| tell the revocation list is not public, so you can't distiguish
| between a stolen and not stolen passport.
| aneutron wrote:
| Not necessarily. The chain of trust doesn't require such a
| drastic deployment.
|
| In Europe, it's common place to be able to subscribe to loans,
| or similar contracts online. However, the legislation is VERY
| strict about requiring very tough MFA-authentication.
|
| Say for example you would want to subscribe to a new credit
| card. You would either have to go personally to do it (which
| means they can verify your identity), or you can do it from
| your Online portal. HOWEVER, if you choose to do entirely
| online, you HAVE to use your phone as a 2nd factor to authorize
| the operation.
|
| I'm not saying there's no identity theft. There absolutely is.
| But they are extremely strict about authenticating each and
| every (considerable) move.
|
| I guess what I'm trying to say is, a PKI for the US. government
| is not necessary (in fact, given the time and resistance it
| took to deploy SECURE ID, I'd say it's dead in the waters right
| now), and would only require legislators not in the bed with
| credit card companies, to setup and enforce strict rules for
| authenticating orders / proceedings.
| exabrial wrote:
| I'm still waiting for the $150 Experian owes me for leaking my
| private info all over the internet, after hiring a music theory
| major as their chief information security officer. Luckily all
| the lawyers in the case are now driving Lamborghinis.
| lr4444lr wrote:
| If they mean that the InfoSec is a joke, okay fair enough, but a
| credit freeze itself is not a joke: it shifts more of the
| liability to the credit bureaus for allowing your record to be
| pulled, of in fact that does happen by a scammer. And they notify
| your device if you set up MFA.
| myrandomcomment wrote:
| When possible fill out the list of security questions with
| nonsense that you keep a record of/or understand the pattern of
| answers to. "What's your favorite sport?" "Potato".
|
| I fill them out, screenshot the form and keep that screenshot in
| an encrypted file that I keep backups of. Not even text
| searchable that way.
|
| Also completely ridiculous I have to do any of this.
| milofeynman wrote:
| I just generate my security questions as multiple random words
| in my password manager. I used to just do random passwords but
| I had to spell the random password with symbols etc over the
| phone a few times and quit that
| myrandomcomment wrote:
| Okay ready .. A & @ , c T a 1 7 nine.
|
| Ah what?
| tristanb wrote:
| It's so incredibly frustrating as a victim of identity theft to
| have these fucktards give away my information without any form of
| care. I wish I had the means to sue them into oblivion.
| sneak wrote:
| It's important to remember that you aren't the victim of
| identity fraud: the banks are.
|
| The reframing of the banks being defrauded as the problem/theft
| of the "identity" of the name mentioned by the criminal when
| defrauding the bank is a pretty creative and slimy way of a
| bank de-risking themselves.
| matsemann wrote:
| Yes! A thousand times yes!
|
| Someone didn't steal my identity. Someone took money from you
| claiming to be me. That's a you problem, not a me problem.
| rwmj wrote:
| > Someone took money from you and you didn't properly check
| who they were.
| tristanb wrote:
| Wonderful theoretically - but I wasted weeks of time trying
| to get them to even acknowledge a problem. I've called a bank
| informed someone opened a line of credit pretending to be me,
| and been told they will get back to me, whilst letting the
| debt grow. There is no sense of urgency. Its such a broken
| system.
| SocksCanClose wrote:
| so my buddy just built this: https://www.veradan.com
| mcalabr wrote:
| Thanks for the shout-out! I am one of the founders building
| veradan. For all the problems they still have, credit freezes
| are a huge step in the right direction. We all deserve better
| than this. I would love to talk more with anyone interested!
| screamingninja wrote:
| > so my buddy just built this: https://www.veradan.com
|
| > We help you store all your financial data, including your
| free credit reports, in your secure vault. When you control
| your data it's easy to make the right credit decisions and get
| access to the best offers.
|
| I think they meant that they want to store "a copy of" all my
| financial data. That's one more copy. How do I control my data
| in this scenario?
| mcalabr wrote:
| The credit freeze stops the agencies from sharing your credit
| report until you remove the freeze. We think this is a lot
| more control than you have without a freeze! This, and having
| a local copy of your data are both important steps we can all
| take now on the path to bigger changes.
| hbcondo714 wrote:
| Would anyone here be able to share their experience with freezing
| their children's credit? We wanted to do this when our kids were
| born but when reviewing each credit bureau's website, they are
| all asking to mail paper copies of SSN and birth certificates for
| each child in addition to the parents' SSN and birth certificates
| too. There doesn't appear to be any way to freeze a minor's
| credit online.
| hbcondo714 wrote:
| Answering my own question:
|
| Children Credit Freeze Pages:
|
| * Equifax -
| https://assets.equifax.com/assets/personal/Minor_Freeze_Requ...
|
| * Experian - https://www.experian.com/freeze/form-minor-
| freeze.html
|
| * TransUnion - https://www.transunion.com/credit-freeze
|
| Source: https://www.nytimes.com/2018/12/28/your-money/credit-
| freeze-...
| coolspot wrote:
| You don't need to. No one will give your toddler a credit line.
| iudqnolq wrote:
| Do you know that, or are you assuming? Asking because I don't
| know if it's an issue but some basic google searches suggests
| it is.
|
| > Minors are attractive targets for identity theft. Because
| they're young, they have clean credit reports, and most don't
| discover the theft until they reach adulthood.
|
| https://www.buzzfeednews.com/article/leticiamiranda/what-
| hap...
| lhnz wrote:
| > The best part about this lax authentication process is >
| that one can enter any email address to retrieve the > PIN
| -- it doesn't need to be tied to an existing account > at
| Equifax. Also, when the PIN is retrieved, Equifax >
| doesn't bother notifying any other email addresses >
| already on file for that consumer.
|
| Hang on, so the attacker doesn't even need to break into
| somebody's email account first, they can just guess the questions
| and put in their own email address?! This is insane.
| Jaygles wrote:
| The days of confirming a person's identity by testing their
| knowledge on the person's metadata are long past (if they ever
| existed in the first place).
|
| I don't know what the best solution to this will look like, or
| if society will ever try to implement one. A lot of people are
| against having a Federal ID. A private solution will have its
| own set of problems.
|
| The good news is, its the responsibility of the place that's
| issuing the credit to do due diligence of confirming an
| identity. If someone steals your private details and gets
| approved for a line of credit using them, life will suck for a
| bit while you sort it out, but you'll never actually owe that
| money (no matter what the debt collectors tell you).
| toomuchtodo wrote:
| > I don't know what the best solution to this will look like,
| or if society will ever try to implement one.
|
| https://billhunt.dev/blog/2020/12/18/federal-policy-
| recs/#4-... ("Federal IT Policy Recommendations: 2021-2024,
| 4. Solve Identity Once and for All")
|
| (disclosure: I am not Bill, just running with their
| recommendations)
| Jaygles wrote:
| Thanks for linking me to this. From a high level it sounds
| pretty reasonable. The private sector likely wouldn't be
| able to implement an in-person verifying service at a
| national scale.
| ShroudedNight wrote:
| This sounds like it would be well suited to being
| provided by the postal service
| davchana wrote:
| Using USPS's normal services, mailing etc, is difficult
| for me at least now because of hours. Its ooen from 8:30
| to 5:00 on weekdays, & I have to run in my lunch to get
| something done, or otherwise have to wait for saturday.
| Would love it to shift an hour morning or evening, like 7
| to 4, or 9 to 6 or something. With this suggested in-
| person verification, it will be more important than ever.
| bildung wrote:
| This an option the German postal service provides. It
| works quite well. There are different levels of identity
| verfication available, and employees are able to complete
| the lower levels at your door.
|
| An personal example I had a few years ago was signing a
| cellphone contract online. The postal employee delivered
| the sim card after verifying my identiy at the door (you
| can't get phone contracts without ID around here).
|
| For the higher levels one has to go to the postal office,
| and it includes a bit more paperwork. These are only used
| for higher sums, mine was for a bigger leasing contract
| for my company.
| nightski wrote:
| You don't have to answer the questions legitimately. As long
| as you are able to remember the answers, that is all that
| matters.
| u801e wrote:
| > I don't know what the best solution to this will look like
|
| Changing the law to require that banks prove beyond a
| reasonable doubt that they entered into a contract with you.
| The burden should be on the bank/creditor to prove that they
| extended a line of credit to you. It shouldn't be up to you
| to prove that you didn't.
|
| I mean, imagine if you could hold any company liable for
| fraud if you received a phishing email that appeared to be
| from them.
| hakfoo wrote:
| I believe it needs to be a person-to-person interaction.
|
| You want a line of credit? You have to go into a physical
| location, get photographed, maybe a fingerprint scan.
| Ideally, we centralize the data.
|
| This serves several goals: 1) It provides a huge resource
| bank for fraud detection. On the small scale, you can flip
| the records to law enforcement as soon as someone says that
| their identity was stolen. On a big scale, you could
| identify serial fraudsters-- if the same guy applies at 12
| banks under 12 names, a red flag needs to go off as soon as
| he steps into bank No. 13.
|
| 2) It makes applying for credit a serious, conscious thing
| that discourages frivolous use. The Klarna/Affirm style
| "instant credit" disappears. I think there are many people
| who will be better with their money just because of the
| shame of going into a bank and admitting they need another
| credit line.
|
| 3) You have an opportunity for direct intervention.
| Applying for credit may be a crisis signal-- maybe te guy
| taking your picture has some basic training and guidance to
| ask "are you undergoing financial abuse by a spouse?" or
| "you know that you're buying into a classic 419 scam?"
| Terr_ wrote:
| Indeed, it's an incentive problem. Banks create shitty
| systems because when their systems fail someone else
| suffers.
|
| Even the phrase "identity theft" is a misleading attempt to
| shift the blame, as humorously depicted in this Mitchell &
| Webb comedy sketch:
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| TedDoesntTalk wrote:
| Thx for that video.... it's great!
| kminehart wrote:
| Security questions in general are a farce. I've started
| generating random passwords for answers and storing them in my
| password manager. that at least helps me feel slightly more
| secure about how ridiculous security questions are.
| astura wrote:
| These "security questions" that Experian is asking aren't
| questions you previously given answers to, they are questions
| that are generated based on what they know about you based on
| your credit report and data from other databases. They might
| ask you about loans you have or had, people and phone numbers
| you are "associated" with, places you've lived, cars you've
| insured, etc.
| JumpCrisscross wrote:
| > _generating random passwords for answers and storing them
| in my password manager_
|
| My friend did this. We made a bet. I called his bank and,
| when challenged for the answers, laughed and said I'd mashed
| my keyboard and that it's all gibberish. I got through and
| won a free drink.
| pabs3 wrote:
| I wonder if a diceware/xkcd passphrase would work better.
| teeray wrote:
| I did this and once they made me read it out: "three-four-
| echo-alpha-two-zulu..." At the end, I felt like I just gave
| them the world's longest taxi clearance.
| strogonoff wrote:
| This must have been a major hassle, but your metaphor
| painted such a picture it cracked me up. Maybe it was a
| controller who had a major personal beef with some
| particular pilot.
| ncallaway wrote:
| I generate random 2-4 word phrases instead of random
| passwords specifically for this reason.
| senkora wrote:
| The key is to generate incorrect answers that are
| reasonable matches to the question.
|
| Like if they ask for a city, then give a city. If they ask
| for a name, give a name. Etc.
| karakot wrote:
| Yeah, and then you have 50 places with all different
| question where you give incorrect answers lol. Good luck
| trying to recall it. IMO these questions are the worst.
| throwawayboise wrote:
| You put the answers into your password manager for that
| account. If your password manager doesn't have at least
| some kind of encrypted "notes" field for each account,
| get a better one that does.
| karakot wrote:
| I do, it still sucks.
| dboreham wrote:
| But not your favorite city. Very clever!
| the_svd_doctor wrote:
| Exactly. This is the right answer to the problem. Random
| digits are a bad idea for the reason noted above.
| kminehart wrote:
| i was just thinking about this after I posted this. To be
| fair there's probably plenty of ways to smooth talk a
| customer representative. Most of these conversations end up
| emailing you a link to reset your password anyways, I would
| hope.
| justupvoting wrote:
| This implies the cs agent was able to view the password in
| plain text.
|
| Yikes.
|
| Big bank?
| thaumasiotes wrote:
| This is an intended part of the design of _security
| questions_. They function like passwords, but they are
| not conceived of as being passwords.
|
| If the bank wasn't able to view the answers in plain
| text, the security questions would not be able to serve
| their intended purpose.
| ncallaway wrote:
| Security questions are typically stored with a reversible
| encryption so they can be used by CS agents.
|
| Security questions are not a password.
| MereInterest wrote:
| Which is why security questions are a horrible idea. What
| good does it do to have your nicely salted and hashed
| password when the answers to the security questions are
| available in plain text and get you access to the
| account.
| tinus_hn wrote:
| They are just equivalent to a password, as knowing the
| answers allows you to reset the password.
| jeff303 wrote:
| There's one particular company that always asks for these
| on the phone, and unfortunately I have to call them
| somewhat regularly. "Yes, my grandma's name is
| 7lIMkcblbatQ7wXrmamTHc". Interestingly, they always
| maintain a poker face/tone throughout this process.
| Aeolun wrote:
| I'm using answers that are deliberately (but consistently)
| incorrect.
| CarVac wrote:
| I call them "insecurity questions" because they just render
| accounts less secure.
| hnick wrote:
| Then you'll love what United Airlines used to do (still
| does?), which had me selecting answers from a dropdown list.
| Too bad if your 'favourite sport' isn't listed!
| thatguy0900 wrote:
| That wouldn't work with these, experien uses its own
| information about you to generate the questions and answers
| DistressedDrone wrote:
| This is possibly the worst implementation of a terrible
| idea.
| fedorareis wrote:
| Disclaimer, I work for TransUnion. The following thoughts
| are my own.
|
| The theory behind this implementation is that probably no
| one other than you knows what the amount of the mortgage
| you took out in 1999 is or the size of the car loan you
| took out in 2015. So in theory it confirms that you are
| the person who the credit report belongs to. In practice
| it gets tricky because there are plenty of people who
| have super boring credit files (e.g. they only have a
| credit card and have never had a loan). With that kind of
| user you end up in the situation where the questions
| either ask about information that can probably be gleaned
| from public records or the answers end up being "none of
| the above." For those users specifically it is a pretty
| useless solution. I remember signing up for Credit
| Monitoring and thinking that anyone with a passing
| knowledge of my life could answer the questions.
|
| It turns out that verifying that someone is who they say
| they are without needing to see a valid ID is a hard
| problem to solve.
|
| Is it a great solution no, but before data breaches
| became so common it was a somewhat reasonable solution.
| In today's world though I would agree that it is a pretty
| terrible solution, but I don't know how you would solve
| that without requiring notarization from a trusted third
| party that the person is for sure who they say they are.
| GoOnThenDoTell wrote:
| It's almost like we need ID check kiosks around the
| country that generate 1time passwords for providers that
| have no branch offices
| KirillPanov wrote:
| Until fake kiosks start appearing.
|
| There's a reason they tell you to never use an ATM at
| DEFCON...
| tinus_hn wrote:
| What would these do? Fake check your ID? Give you a fake
| password?
| prussian wrote:
| ID Kiosk skimming or shimming perhaps. Some kind of MitM
| DistressedDrone wrote:
| They are pretty much unacceptable according to 2017 NIST
| standards, and pretty much impossible to use correctly in the
| banks' use case.
| jfrunyon wrote:
| That helps when you set the security questions yourself,
| which is not the case here. The security questions these
| companies ask you are data from your credit file (like your
| past addresses and creditors).
| void_mint wrote:
| One of the three's PINs are automatically set, just as the date
| string from when you froze your credit. Legitimately something
| like 20191218. You could relatively easily guess them.
|
| One of the three removed the freeze by me just calling and
| asking, never providing a PIN.
|
| One of the three was alright. I set the PIN to something of my
| choosing. I had to call, provide all my info and then the PIN
| to remove it.
|
| The state of credit freezing across the three big companies is
| an absolute joke.
___________________________________________________________________
(page generated 2021-04-27 23:02 UTC)