[HN Gopher] Hackers can use credit bureaus to dox nearly anyone ...
___________________________________________________________________
Hackers can use credit bureaus to dox nearly anyone in America
Author : kmfrk
Score : 402 points
Date : 2023-08-22 13:48 UTC (9 hours ago)
(HTM) web link (www.404media.co)
(TXT) w3m dump (www.404media.co)
| tennisflyi wrote:
| What information do they need to supply in the Telegram group?
|
| Edit: Name and state.
| lr1970 wrote:
| Wrong approach. Person's identity and authentication should not
| be based on the immutable and public information like social
| security number, driver's license number, address history, etc.
| There are many ways such information can leak and when it does
| it stays there forever. We need a proper digital ID,
| certification and conflict resolution mechanisms. It would not be
| cheap but the alternatives are costlier in the long run.
| tim333 wrote:
| In practice for recent bank and brokerage account opening they
| seem to have moved to take a pic of your passport and then take
| a selfie or vid of you holding said passport. Bit of a pain but
| quite hard to hack. Of course it doesn't work if you don't have
| a passport or comparable ID.
| everdrive wrote:
| I don't disagree, but if we build a digital ID the free
| internet will finally be permanently dead.
| heikkilevanto wrote:
| Not sure. Here in Denmark we have a digital id called "MitId"
| (my id). It is used for all kinds of official stuff, from
| looking at your prescriptions to signing real estate deals.
| But not for posting comments on random websites etc.
| all2 wrote:
| We have something similar in the US, actually. It's a
| Federal standard that states have been asked (told) to
| adhere to called REAL ID [0]. Hysterically, it was
| conceived by and pushed by the Ministry of Peace.
|
| [0] https://www.dhs.gov/real-id
| Horffupolde wrote:
| [flagged]
| Ylpertnodi wrote:
| As I have taught my children: there are so many cameras
| around you are always being watched, or can be traced through
| cameras. As for the "free internet", I told my kids it's
| already fucking dead.
| mrguyorama wrote:
| The free internet died the second that Google bought
| doubleclick.
| mptest wrote:
| Don't zero knowledge maths give us a mechanism in theory to
| theoretically guarantee privacy and verity?
|
| In practice, I agree with your conclusion as the likely
| course of action.
| xp84 wrote:
| 100% possible technically, and some countries may have/may
| already have had success in this area. Sadly, at least
| according to our popular narrative, America was founded on
| the principle of extreme distrust of the government.
| Combine that with mass ignorance and a technological
| solution to these issues becomes impossible politically.
|
| We only even have SSL because no governments needed to be
| convinced to approve of it, and the list of operating
| system and browser vendors is so short that it became
| possible to essentially self-organize a set of generally-
| trusted root certificates.
| mptest wrote:
| Agree re struggling with implementation.. Zero knowledge
| stuff seems impossible on the surface so explaining it to
| political folks is extremely difficult as I have first
| hand experience with. "Guaranteeing I've paid my taxes
| without revealing anything else about my finances" tends
| to get them to listen up long enough for me to explain it
| to them most of the time though.
|
| Re govt distrust, not uniformly. As my older leftist
| friends remind me they grew up in a time where they
| thought anything was possible for their government to do,
| with enough protest they could get the civil rights act,
| the voting act, the infrastructure spending, etc with
| all their dreams on the horizon. Then a few people got a
| little too loud about ending poverty and other more
| ""radical"" progressive stuff and got killed for it. But
| it is possible, we've just been beat down for 50 years by
| neoliberal austerity politics.
|
| Very interesting stuff re SSL. Any book recommendations
| you might have on the history of stuff like that? How
| security standards manifested and became adopted? from
| https to aes to pgp I vaguely know about all these things
| but would love to read more. I thoroughly enjoyed chip
| wars and master switch and stuff in that vein.
| NelsonMinar wrote:
| Save you a click: the secret weapon is paying a criminal on a
| Telegram group $15 to dox someone. The article is mostly about
| where the doxxing services are getting their data, which changes.
| TransUnion's TLOxp is a popular service right now.
| ajhurliman wrote:
| I feel like this is a dismissive response to the article, as if
| there were some sort of "gotcha" clickbait going on. I perceive
| it to have delivered exactly what the headline promised:
| Doxxing (and worse) for sale using lightly regulated lookup
| tools provided by credit bureaus.
|
| Was there something that diminishes these claims?
| bonestamp2 wrote:
| Some of the "people finder" type websites have most of the data
| they mentioned for free. I assume they source it from the
| credit bureaus because it had the same mistakes that I
| sometimes get asked to confirm when a financial institution is
| trying to verify my identity.
|
| It's good to google yourself a couple times/year and file a
| request for those sites to remove you. Most of them do it
| fairly quickly.
| kanary wrote:
| If you want to be more aggressive, you can pay a service like
| Kanary that Googles you, submits removal requests, and then
| does a deeper search across data brokers and people search
| sites and submits removal requests as well.
|
| It's unfortunate, but useful if keeping your info off these
| sites is important for safety/security. We're advocating for
| the CFPB to tighten regulation so this isn't such a challenge
| for people (and companies).
|
| If interested in the technical challenges of scaling this,
| we're also hiring.
| IntToDouble wrote:
| +1 for Kanary.
|
| The amount of time/effort/rage that goes into dealing with
| a stolen identity makes paying for this a no-brainer.
| adolph wrote:
| https://www.tlo.com/about-us
|
| _TLOxp is the latest version of the game-changing technology
| that ushered in the science of data fusion_
|
| Who Uses TLOxp: Collections; TLOxp for Legal Professionals;
| General Counsel; TLOxp for Licensed Investigators; Financial
| Services; TLOxp for Insurance; Corporate Risk; Investigative
| Reporters; TLOxp for Law Enforcement; State, Local, and Federal
| Government; Asset Recovery and Repossession
| nbaugh1 wrote:
| Wait, you mean the data that any random company can access when
| I apply for a credit card or job is also available to other
| people with money but don't care if I agree to it first?
| Eisenstein wrote:
| The article says that people pretend to be private
| investigators and the data companies don't confirm except
| 'remotely'.
| alasdair_ wrote:
| Why should private investigators be allowed this
| information at all? As the name implies they are private
| individuals.
| [deleted]
| toomuchtodo wrote:
| File a complaint with the FTC and CFPB.
|
| https://www.consumerfinance.gov/about-
| us/newsroom/remarks-of...
|
| https://www.jdsupra.com/legalnews/the-consumer-financial-
| pro...
|
| https://www.consumerfinance.gov/about-us/blog/we-are-
| extendi...
| alistairSH wrote:
| From the article... TU (and the other credit bureaus)
| decided your PII can be sold without much regulation.
| Despite laws that require credit reports to have tighter
| controls. They just say "it's not a credit report; it's
| just PII" and _poof_ they're magically in the clear.
| anigbrowl wrote:
| Because PIs are nominally regulated. It's a popular
| career with ex-cops who have investigative skills but are
| over the physical danger aspect of dealing with crime.
| sidewndr46 wrote:
| How else are credit bureaus going to make money other
| than selling this data?
| littlestymaar wrote:
| Please tell me this is sarcasm
| godelski wrote:
| I'm pretty confident that the parent is using sarcasm and
| fake surprise to illustrate how the point should be rather
| obvious that just any old person can get a credit report on
| another person because in reality the credit companies
| wouldn't have the capacity to validate the credentials of
| someone requesting the data without creating other
| significant disturbances such as making it nearly
| impossible to start a company. But this feels like a lot
| more words and doesn't actually convey as much as what you
| get when you have to internalize the rhetoric.
|
| Honest question, is sarcasm dead?
| Eisenstein wrote:
| In text sarcasm generally works best when it is either
| appropriate for the setting or it is blatantly obvious.
| If one employs it otherwise then being treated seriously
| should be expected. When in doubt many will opt to treat
| it as genuine since reacting to a serious comment as if
| it were sarcasm comes across as condescending.
| hedora wrote:
| That whole industry needs to be banned. Courts should record loan
| defaults, and make that information available to creditors.
| Nothing else should be in the report.
|
| Lenders already require independent verification of income and
| (for mortgages) monthly expenses.
|
| The rest of the information that's in your report and that is
| used to compute your credit score seems to be there to force
| people to get credit cards and to perpetuate systemic racism.
| [deleted]
| rejectfinite wrote:
| [dead]
| hsuduebc2 wrote:
| What a dystopia. I guess I never appreciated GDPR as it deserves.
| tptacek wrote:
| Drivers license ID numbers in many states are almost public:
| they're deterministically generated from basic personal
| information. You therefore can't use a drivers license ID number
| as a secure identifier anyways.
| FireBeyond wrote:
| > they're deterministically generated from basic personal
| information
|
| This used to be true, including in my state (Washington), but
| as of the last few years, I believe all states upon renewal of
| licenses now give you a non-deterministic license number.
| tptacek wrote:
| It's been a minute (I think I renew this year) but my driver
| license ID is still soundex-encoded.
| hanniabu wrote:
| They also provide social security numbers.
|
| What really sucks is you can't practice good hygiene and
| preemptively update your SSN periodically. You have to wait
| until your identity is stolen first.
| jhoelzel wrote:
| IMHO this is only going to get worse from here. There are piles
| of data that simply have not been categorized because no one cared
| enough about it. Now a good LLM will do that for you.
| m3kw9 wrote:
| Make doxxing punishable by huge fines
| ransackdev wrote:
| "Punishable by fine means legal for a price"
| dghughes wrote:
| Time in jail or prison puts more fear in people than a fine
| even a big fine.
| willsoon wrote:
| Not if you have read your Machiavelli well.
| hairofadog wrote:
| It's definitely worth taking the time to set up a credit freeze
| with the three big agencies (Experian, TransUnion, Equifax).
| Initially setting it up is a pain in the butt and is rage-
| inducing, as you have to provide a bunch of personal data when
| the whole problem in the first place is that they're careless
| with your data.
|
| However, once you've got it set up, it's very easy to freeze and
| unfreeze them. Just keep all the URLs, usernames, and passwords
| in a secure note somewhere, and any time you need to apply for
| credit, unfreeze them for a day or a week.
|
| I used to have all sorts of identity theft problems (people
| taking out credit in my name) but freezing my credit has solved
| it.
|
| Experian: https://www.experian.com/freeze/center.html
|
| TransUnion: https://www.transunion.com/credit-freeze
|
| Equifax: https://www.equifax.com/personal/credit-report-
| services/cred...
|
| I truly hate these companies but holding my nose and going
| through the process was worthwhile and I'd recommend it to
| anyone.
| alfon wrote:
| Would a credit freeze prevent data brokers also accessing the
| credit header?
| [deleted]
| StillBored wrote:
| As a long time freeze user, it seems literally every time I go
| to unfreeze the process has changed at one of them and it can't
| be unlocked with the username + password I set up. The last time
| was because I didn't log in for 3 years, meant that the account
| was locked without a bunch of additional validation. Sometimes
| the validation is just knowing the usual historical address/etc
| info they ask when you initially set it up (which seems
| insecure itself), or it's more involved.
|
| So, give it time, when you least expect it, they will take 60
| days to validate something about your account before allowing
| you to unfreeze it.
| mymac wrote:
| It is pretty wild that people can take out credit in your name
| without the issuer of the credit doing their dd, and then it
| causes _you_ trouble afterwards. They should be fined massively
| for every time that this happens.
| emodendroket wrote:
| This is the magic of reconceptualizing fraud as "identity
| theft" in the first place.
| franga2000 wrote:
| There's a pretty funny sketch about that:
| https://youtube.com/watch?v=CS9ptA3Ya9E
| samstave wrote:
| Before I actually had kids was the first .com bust... I was
| unemployed as were many in bay area and I filed for
| unemployment or medical (I can't recall now) but I was told
| that I was ineligible for benefits because I had a bunch of
| unpaid child support and other debts in Los Angeles... (never
| lived there, no kids at time, avoid LA all my life)
|
| It took me months to prove that I was a childless,
| 20-something dork in bay area...
|
| nightmare - but any "credit" agency is scum
| Loughla wrote:
| Not to be that guy, but I have one better.
|
| My nephew is now 20. When he was 5 we gifted him some cash
| in a savings account (to teach him about money stuff). We
| were immediately served notice that he was overdue on two
| mortgages. It took three years to get that straightened out
| (and find out that his ss# was already compromised).
|
| What a mess. What kind of an agency would see the ss# for a
| literal child and just think, yep, this is fine.
| bell-cot wrote:
| Sounds kinda similar to a former coworker ~2 decades ago.
| Tried to get a mortgage, rejected, he obtained his credit
| file...and ~80% of the stuff in "his" credit report was
| for similar-named people (mostly living in the same part
| of the U.S.). Report said that he had purchased a house
| at age 5, based on the well-paid job he got at Ford Motor
| Co. at age 4, etc., etc.
| jimt1234 wrote:
| It's pretty much impossible to get your _free_ annual
| credit report these days. It used to be relatively
| painless, but now you get slammed with ads for credit
| monitoring or whatever useless products. Or, the website
| just doesn't work, redirect to a page telling you to
| send a letter to some rando PO box.
|
| I used to get my _free_ credit report every year, but I
| stopped, which I'm sure is exactly what these scumbags
| want.
| toomuchtodo wrote:
| LexisNexis Risk reported two inaccurate judgements in my
| risk report, preventing me from getting a mortgage in my
| name for almost a decade. It was finally settled in a
| class action, and I received a check for $625. I wish a
| terrible time to the individuals who were directly
| involved at LexisNexis, because someone, somewhere
| decided to just not care about their data hygiene because
| there was no incentive to.
|
| https://www.lienandjudgmentdisputes.com/lang/en/
| swozey wrote:
| I had this come up when I was buying a house.
|
| I have a very common name and some guy 20-30 years older
| than me had past due child support. I also have no kids.
| This was my first house purchase so I was completely
| ignorant of the process. What blew my mind is that before
| verifying whether or not that was me, they informed the
| sellers of it. I forget the process I went through to prove
| it wasn't me, I probably just showed them the guy's age vs
| mine or something. That was wild though, like, the sellers
| could've just cancelled the sale right there if they didn't
| want to sell to a supposedly deadbeat dad. I couldn't
| believe they informed the sellers.
|
| Buying a house is awful. Telling someone all of my finances
| and everything else when I already have an approved
| mortgage. Ugh. I did have a worse experience SELLING that
| house though, if you can imagine.
| rolobio wrote:
| Agreed. It is astounding to me that a private company can
| accuse me of a crime with no proof that I did it, and then
| the government will enforce that without question. You would
| think they would need fingerprints or something to prove that
| a particular person did something.
| Aerroon wrote:
| How close does such an accusation come to defamation?
| [deleted]
| 1kurac wrote:
| One lawsuit away.
| Rygian wrote:
| Why is it not the default?
| oxygen_crisis wrote:
| Obligatory rant against the "Identity Theft" deception promoted
| by banks.
|
| The victims of fraud in these cases are the banks, not you.
|
| You still have your identity. The banks/creditors gave their
| money (not yours) to a criminal through their own neglect.
|
| It's an unconscionable fantasy that you as an individual are
| the victim in these situations when you had no involvement
| whatsoever.
|
| Laws need to be updated to reflect this reality. Banks will
| continue to act haphazardly so long as they are allowed to pass
| the bill for their own carelessness onto innocent people.
|
| Awareness should be spread by disavowing the entire "identity
| theft" deceit any time it comes up in a public forum.
|
| Highly relevant Mitchell and Webb radio skit:
|
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| YVoyiatzis wrote:
| Often, bankers themselves are the fraudsters.
| zamadatix wrote:
| You build up a reputation for being a reliable borrower of
| debts or a good/clean societal record and someone steals that
| identity to abuse it and leave you with the baggage. You
| report "Identity Theft" to regain that identity and
| reputation, not on behalf of the money banks lost to
| fraudsters, hence the name.
|
| There are plenty of things wrong with the current credit
| identity system, the name of identity theft is either not one
| of them at all or near the bottom of the list.
| oxygen_crisis wrote:
| > someone steals that identity
|
| This is exactly the fantasy that we need to dispel, not
| rationalize.
|
| Nobody steals your identity. You always have your identity,
| and nobody else ever does. Your identity is not the few
| pieces of trivia a criminal can easily discover about you.
|
| The criminal never takes or has your identity. The bank is
| simply neglecting to correctly identify someone.
|
| > steals that identity to abuse it
|
| Criminals are not abusing your identity, they are abusing
| the banks' careless failure to correctly identify people.
|
| > to abuse it and leave you with the baggage
|
| The criminal is not leaving you with the baggage, the bank
| is. They use willfully inept processes, because they have
| tricked you into believing you should bear the
| responsibility for the consequences of their own hubris.
| GauntletWizard wrote:
| You're confusing two concepts that share a word: Your
| identity in the sense of self worth and personal ideals,
| and other people's view of you, your identity to them -
| Their interpretation of the former, to some extent, but
| also their judgements on your trustworthiness.
|
| It's the latter that's being stolen. It's a crime against
| both you and your friends and creditors.
| dragonwriter wrote:
| What is stolen is information relied on for
| authentication, but using "identity" with that meaning is
| common, even in technology.
|
| That is, after all, what an "identity provider" actually
| provides.
| zamadatix wrote:
| Having your identity stolen and having your identity
| permanently removed are not identical actions. If I use a
| keylogger to grab your passwords and impersonate you in
| emails, forums, and so on then your identity is stolen,
| it's in use by someone else instead of you without
| consent for a period of time. This does not mean your
| identity has been removed from you permanently. This also
| does not mean your identity was always in your control
| just because the sites should have done more verification
| to see if it was you. It was still stolen but the fraud
| wasn't caught, and the lost money due to fraud falls
| between the criminal and 3rd party regardless independent
| of your identity being fraudulently used. Keep in mind
| that's how it is today, if your identity is stolen it is
| already the bank that eats the loss due to fraudulent
| lending.
|
| If you still disagree please try to make an argument
| without mentioning banks. Identity theft covers a lot
| more than banking fraud so the explanation shouldn't
| explain how you want the term to be changed to something
| which focuses solely on banks.
|
| The processes in place do suck. That has nothing to do
| with the name of the crime though.
| s__s wrote:
| Identity can't be stolen. You can be impersonated. I
| think the point they're making is that it's not the
| victim's fault if someone is impersonating them. I would
| agree. It makes zero sense for the victim of
| impersonation to be held accountable in any way for the
| actions of the criminal.
| zamadatix wrote:
| There is just more than a singular definition of identity
| in English and one of them can't be stolen while several
| others can. Impersonation is one way of stealing one of
| those definitions identity theft refers to. This doesn't
| mean the definition of identity is simultaneously
| violated.
|
| The victim of impersonation isn't held accountable for
| the action of the criminal, particularly with banks.
| That's precisely what identity theft laws protect. I'm in
| favor of making that process even easier for the victim
| wherever possible but changing the name is not that.
| jfengel wrote:
| _If you still disagree please try to make an argument
| without mentioning banks._
|
| I don't think it's possible to avoid mentioning the
| banks. They are the ones committing the harm against you.
|
| They are a stand-in for numerous other institutions who
| abuse you. You can take the name "bank" to mean any
| organization who is defrauded, and then abuses you to
| obtain repayment for that fraud.
|
| I think it's important to recognize that this is a two-
| step process. The middle-man in this procedure is
| crucial, because they are the ones with a lot of power to
| use the legal system against you. If they were somebody
| other than a bank or other significant corporation, you'd
| be able to say, "No, I'm not the John Smith you gave
| money to. Go away and find that person." The imbalance
| makes it necessary to define the argument in terms of
| banks and similar institutions.
| zamadatix wrote:
| Criminal identity theft is one class of examples. An
| example scenario from this class is someone passes your
| identifiers off as theirs while committing a crime.
| Nobody was defrauded, no money exchanged, but you'll
| still want to report identity theft.
|
| Claiming identity theft is precisely the process to
| notify the bank (or others) they cannot legally abuse you
| to get repayment for that fraud or you are not
| responsible for those crimes or whatever occurred on your
| behalf. Under identity theft laws they are responsible
| for the loss due to fraud, not you. The same as credit
| card companies. The legal system is used but as much by
| you saying "I didn't buy that house, clear my records and
| eat the losses" as by the bank initially saying "this
| person didn't pay their loan". To not involve the legal
| system by both parties just opens up an even worse can of
| worms of fraud.
|
| One thing I do agree on is that anything that can
| reasonably be done to make the process easier on the
| victim of identity theft should be as the process is too
| hard on them right now. Probably more fines to most
| middlemen to increase the cost further beyond their
| losses. I just don't think changing the name of the crime
| has anything to do with that kind of improvement.
| oxygen_crisis wrote:
| > identity, noun, The condition of being a certain person
| or thing.
|
| Someone who steals my passwords can impersonate me, they
| can not become me. Someone who tricks people into
| thinking they are me is still not me. An account is not
| an identity.
|
| My online accounts are not me, and I am not my online
| accounts.
| zamadatix wrote:
| There are many dictionary definitions of identity. Take
| Merriam-Webster:
|
| "1a: the distinguishing character or personality of an
| individual
|
| 2: the condition of being the same with something
| described or asserted
|
| 3a: sameness of essential or generic character in
| different instances"
|
| Or the Cambridge dictionary:
|
| "a person's name and other facts about who they are:"
|
| Of course, you're always welcome to intentionally pick
| the incorrect context (going back to Merriam-Webster):
|
| "4: an equation that is satisfied for all values of the
| symbols"
|
| And just as easily rant the name of the crime has nothing
| to do with math so it needs to be renamed.
| vineyardmike wrote:
| I mostly agree with you that banks are hiding their
| victim status but I think your framing is too intense.
| The magical idea of identity as an intangible self isn't
| helpful.
|
| It is bank fraud _and imitation_ with the intent to abuse
| the reputation of the person imitated. It should be
| illegal to imitate you when it negatively hurts you. It's
| illegal to imitate police and doctors etc because it uses
| their reputations for fraudulent means. This is the same
| thing.
|
| Banks are the financially defrauded victims in this
| situation, but the victims are also individuals _because
| banks passed the reputational risk of fraud to the
| customers_. If your credit score is hurt and you need to
| hire lawyers to fix it or you get denied for a mortgage
| (or just a good rate), you've experienced tangible harm.
|
| Banks know they experience harm here. They plan for it.
| It's baked into the prices and financial statements. Read
| the essays by Patrick McKenzie, he'll argue that fraud is
| intentionally tolerated. They know that the consumer
| won't be expected to pay once the fraud is discovered.
| That's not their goal, and they're not being deceitful
| here.
|
| You can argue if this system is overall good or bad, but
| it almost certainly has led to cheaper credit for
| everyone. Outsourcing credit worthiness to a magic
| national number (or 3) is cheaper than every credit union
| assessing risk themselves, with less knowledge.
| ifyoubuildit wrote:
| > It is bank fraud and imitation with the intent to abuse
| the reputation of the person imitated. It should be
| illegal to imitate you when it negatively hurts you.
|
| I think the argument is that the hurt is generated by the
| bank. Why isn't it the bank's responsibility to have
| their shit together and not do that?
| oxygen_crisis wrote:
| > the victims are also individuals because banks passed
| the reputational risk of fraud to the customers
|
| In that case I am not a victim of the fraudster, I am a
| victim of the bank.
|
| The banks do not have sufficient incentive to improve
| their identification methods, so long as we tolerate the
| concept that we bear any responsibility for a transaction
| that involves only themselves and a fraudster who knows
| the answers to a few trivia questions about me.
| krupan wrote:
| You are not wrong at all. There is a certain level of
| fraud tolerated by banks so that they can more easily
| make loans to people. It's the classic security vs.
| convenience trade-off.
|
| Two big problems are:
|
| 1. If you happen to be one of the victims of the fraud,
| it hurts! Sometimes a lot! A lot more than it hurts the
| bank.
|
| 2. If you don't like the level of (in)security that the
| banks have chosen, what other options do you have? Right
| now I don't know, I think maybe Bitcoin is your best bet?
| emodendroket wrote:
| Even if I pretend for a minute to seriously believe
| Bitcoin is less susceptible to fraud, using a different
| financial product doesn't help since the entire fraud
| takes place without your participation.
| failbuffer wrote:
| If you want to sell this idea you _at least_ need to have a
| name for it.
| xboxnolifes wrote:
| Fraud. It's called fraud. Someone is defrauding the bank.
| The bank is the victim. However, the _person_ whose
| identity was referenced by the criminal has nothing to do
| with the interaction. The criminal did not steal an
| identity. They stole money from a bank through fraud.
| bigmofo wrote:
| Let's take this one step farther, call it identity fraud
| and not just fraud; otherwise, identity theft will
| probably be with us.
| TheFreim wrote:
| I've never taken on any debt in my life, would I still need to
| do this or am I fine since I've never initialized anything in
| the first place?
| hairofadog wrote:
| That's a really good question that I don't know the answer
| to. I would guess that they have a file on you somehow -
| Utility bills? Landlords checking your credit? But I'm not
| confident enough to know what would be the best thing to do
| in that scenario.
| ohthatsnotright wrote:
| In the US utilities are normally yet another credit
| reporting agency: https://www.consumerfinance.gov/consumer-
| tools/credit-report...
| gumby wrote:
| Like FB, LinkedIn etc the credit bureaux maintain a file on
| everyone they come across. So they likely have a file on you
| regardless.
|
| In addition, in the US these files are used for other
| purposes than taking out a loan, for example renting an
| apartment, for some jobs, etc.
|
| I recommend building up a credit history even if you don't
| need it now. You might later. There are plenty of articles on
| the web about how to start, basically getting a credit card
| (perhaps secured) and slowly building up your credit.
|
| I am lucky enough to be a cash buyer. I tried to rent a house
| for a year a few months ago but my credit rating was not good
| enough. I have a couple of credit cards which I pay off every
| month (so good, my credit utilization is low) but by the
| rating companies' POV there wasn't enough to go on: not enough
| accounts, and no accounts apart from the CCs: no mortgage, no
| car payments etc. The fact that I'm a homeowner doesn't
| appear in the report.
| tylercrompton wrote:
| It doesn't matter that you don't take on debt. The point is
| to protect yourself from unscrupulous individuals who want
| you to take on debt on their behalf.
| [deleted]
| ccorcos wrote:
| Do you have a credit card? That is technically debt.
|
| If someone has your information, they can open a credit card
| under your name and max it out. Or even more common, they'll
| get a car loan under your name. Since loans are furnished at
| the end of the day, they'll often get 2 or 3 car loans in the
| same day.
| dogman144 wrote:
| Full stop, yes you should freeze.
|
| Issue isn't if you have debt or not. Credit rating agencies
| start tracking very early, and what they'll track for you is
| basically "no data/low credit score."
|
| That doesn't mean you're not in the system, or more
| importantly - doesn't mean an attacker can't take out debt in
| your name.
|
| A freeze is the only thing that stops this for you and your
| kids. I hate that it works this way but such is life.
| whimsicalism wrote:
| > I've never taken on any debt in my life
|
| Why not? Do you ever anticipate getting a mortgage? If yes,
| then you probably should be.
| ChrisMarshallNY wrote:
| Sadly, if they are under 35, they may never have the
| chance. Home ownership seems to be going the way of the
| Dodo.
|
| But credit scores are used for apartment rentals, and even
| employment.
| PaulDavisThe1st wrote:
| > if they are under 35, they may never have the chance.
| Home ownership seems to be going the way of the Dodo.
|
| This is false.
|
| Millennials are trailing previous generations a little,
| but > 50% of them now own homes:
|
| https://rentalhousingjournal.com/more-than-50-percent-of-
| mil...
| deprecative wrote:
| Anecdotal though it is, most millennials I know that have
| houses only have them because they were inherited rather
| than purchased outright.
| delecti wrote:
| Also anecdotal, none of the millennial homeowners I know
| inherited them, but all are software developers.
| PaulDavisThe1st wrote:
| See also:
|
| "Most US millennials finally own homes - and it's not
| thanks to their parents"
|
| https://www.theguardian.com/us-
| news/2023/aug/17/millennial-h...
| ChrisMarshallNY wrote:
| Depends. These massive investment corporations are buying
| up houses like crazy.
|
| I have a friend that works for one, and he's making a
| _lot_ of money.
|
| They come in, overbid, pay cash, and frequently spiff the
| agents (in a legal way).
|
| Then they gut the place, and turn it into a pretty decent
| rental.
| SketchySeaBeast wrote:
| Hmm, given the average age of a millennial is ~33 the
| statistic and the claim (exaggerated as it is) don't
| necessarily need to be totally out of alignment.
| PaulDavisThe1st wrote:
| The primary problem with this claim as it is usually
| presented is that it tends to ignore that earlier
| generations did not go from kindergarten to home
| ownership in a year: you grow up with your parents'
| generation's condition as "normal" when it actually
| represents 30-50 years of "accumulation".
|
| So yeah, 10 years ago, very, very few millennials owned a
| home. But that was true for 23 year old boomers too.
| datavirtue wrote:
| It's worse for renters. Any arbitrary thing could cause
| them to be denied for a rental. Good luck fishing out
| what that is at each rental company/landlord.
| mhardcastle wrote:
| Somebody using your social security number and other
| information would be able to apply for credit. As soon as
| they do that, the bureau(s) called by the lender would have a
| file on "you".
|
| The federal government requires that all three major bureaus
| (Experian, Equifax, TransUnion) provide you one credit report
| each per year, for free. You can request it here, the
| official source for these mandated free reports:
|
| https://www.annualcreditreport.com/index.action
| somehnguy wrote:
| Yes, still worthwhile. The bureaus collect all sorts of
| information and attach it to you regardless of whether the
| information is even correctly attributed. A freeze might
| prevent some of that nonsense.
|
| I had a difficult time getting loans to go to college many
| years ago. Come to find out my credit was through the floor
| due to all 3 agencies misattributing dozens of pages of bad
| loans to me starting when I was only a toddler. The middle
| initials & socials were 1 character off each, but it all
| still went to my name.
|
| Unfortunately I didn't have the knowledge to freeze my credit
| when I was 3 years old - my fault, I should have known I
| would later suffer the consequences of my inaction.
| samstave wrote:
| You have to be the dumbest toddler I have ever met!
|
| -
|
| We need a financial revolution (which is what OWS was all
| about -- and you know how they responded to that -
| especially in SFO.... "people are mad at the FED!, so must
| remove all planter boxes in front of the SF FED and install
| giant granite bollards and update our lifting stop gate at
| the entrance - and we have to get our fed workers to stop
| bragging about their $30,000 a month bonuses loudly on BART
| (yes this is an actual thing)
| thesis wrote:
| Many people don't know this but you also need to set up a
| freeze at https://nctue.com/consumers/
|
| I had to deal with fraudsters getting cell phones and also
| electricity to their apartment.
|
| Setting a freeze up here solved it.
| windexh8er wrote:
| Thank you for this, I had no idea this was a thing. Out of
| curiosity how did you find out about this?
| darth_avocado wrote:
| Credit bureaus should be illegal. You can't opt out of them and
| they take no responsibility in protecting you. How is it that
| every tech company has to abide by all kinds of rules re: PII,
| but they get to do whatever they like?
| theptip wrote:
| We need to strengthen consumer data protection. GDPR has some
| good ideas; no collecting PII without permission, consumers
| have the right to revoke/delete, and the key piece for this
| thread is the requirement for the Controller to have a contract
| with any Subprocessors to enforce the right to deletion
| transitively (and inform data subjects of the list of
| Subprocessors with which their data is being shared).
|
| CCPA was in the right direction, but AFAICT it explicitly
| carved out exemptions for credit bureaus.
|
| We need to tighten the screws on these businesses; the only way
| we'll see improvement here is if we hold them liable for
| damages and breaches. Right now they have very little incentive
| to care for this data, and all the incentive to try and
| monetize it as much as possible.
| runjake wrote:
| Lobbying.
|
| https://www.opensecrets.org/federal-lobbying/clients/summary...
| lotsofpulp wrote:
| It is a public subsidy to lenders so they can profit from lower
| costs of not having to do proper due diligence.
|
| If a lender claims you borrowed money, and they cannot
| conclusively prove it was you, it should be their problem and
| their problem alone.
|
| The fact that you have to prove you did not borrow money
| because a lender says your social security number was inputted
| into a form is a travesty.
| tptacek wrote:
| The credit bureaus replaced a much simpler system of "denying
| most Black families credit at all".
| decremental wrote:
| [dead]
| mindslight wrote:
| Yes, big business is adept at using any sort of progress as
| an opportunity for promulgating authoritarian frameworks to
| increase their centralized power. We could have had a world
| where racial discrimination was prohibited _and_ financial
| surveillance bureaus were illegal. Instead they're just
| slowly remaking that stratified society in terms of
| information processing formalisms rather than by ad hoc
| skin color.
| tptacek wrote:
| You said "yes" and then a series of words that were more
| reasonably related to what Neil Peart says in Rush lyrics
| than anything I said.
| mindslight wrote:
| Well HN doesn't support MIDI and even if it did I can't
| play the drums.
| lotsofpulp wrote:
| Yes, there is nothing wrong with keeping a record of how
| well people pay their debts, as long as they are also doing
| proper due diligence to ensure their record keeping is
| accurate instead of laying the responsibility at the feet
| of the public.
| mattnewton wrote:
| "identity theft" is the biggest pr win since "jaywalking".
| Nothing has been stolen from me, I am still me. Someone
| claiming to have my credit history took money from a lender
| and they believed them.
| bombcar wrote:
| And somehow it's _your problem_.
| darth_avocado wrote:
| Identity theft is private companies not doing their jobs.
| Pretty much no other country has this problem because in
| order to get credit, you need to prove who you are by
| providing supporting documentation which is not easy to
| forge and it is the responsibility of the lender to verify
| the documentation. And if they don't, it's their problem,
| not yours.
| nottorp wrote:
| Also, in most other countries the government provides
| identity verification.
|
| In the form of government issued IDs and lately some
| governments even provide something digital.
|
| The US government doesn't provide that.
| pc86 wrote:
| I'm sorry? Every single state in the US has government-
| provided identification.
| nottorp wrote:
| Why doesn't anyone check it then?
| alistairSH wrote:
| Even with RealID, state-issued IDs aren't intended to be
| general proof of ID. It's pretty weird - they're ok for
| domestic travel and entering federal facilities, so you'd
| think they were a good general purpose ID, but they
| explicitly aren't that.
| landemva wrote:
| > they're ok for domestic travel
|
| No ID is required for domestic travel, even at big
| airports. Just be pleasant and explain that you misplaced
| it. I have misplaced ID several times, and only once I
| signed a piece of paper which roughly said that I am I
| because I say so.
| FireBeyond wrote:
| For now. Though that can has been kicked down the road,
| the latest drop dead date is May 7, 2025:
|
| > On May 7, 2025, U.S. travelers must be REAL ID
| compliant to board domestic flights and access certain
| federal facilities.
|
| Source: https://www.dhs.gov/real-id
| ghaff wrote:
| I was utterly shocked 5 or 6 years ago when I _somehow_
| managed to lose my driver's license between my curbside
| dropoff and the airport door. To this day no idea what
| happened.
|
| Normally, I'd have had my backup travel ID/credit
| card/cash kit but, hey, this was a last minute couple
| night trip so I went light.
|
| Figured that was that. But as it turned out really wasn't
| a major issue much to my surprise.
|
| What _was_ an issue was getting checked into the hotel I
| had been able to find for the event near the airport
| (Travelodge). I even had a photo company security badge,
| credit cards, etc. Eventually they let me, with great
| reluctance pay cash, which fortunately fleabag was cheap
| enough that my withdrawal limit covered. Thought I was
| going to have to call SV friends and find somewhere to
| sleep--or at least pay some ridiculous amount for the
| last room at some hotel where I belonged to their loyalty
| program. But TSA was actually not a real issue.
| landemva wrote:
| Thanks for that link to a bureaucrat website. Where is
| the law? Unconstitutional laws and regulations are on the
| books until someone is harmed and challenges it in court.
| nottorp wrote:
| So from the outside, it basically looks like this
| identity theft problem is self inflicted.
| NoZebra120vClip wrote:
| Heh heh heh, I take it that you've never been through a
| Border Patrol checkpoint which wasn't at the border.
|
| They checkpoint all the thoroughfares near Mexico and I
| reminded my Spanish fiancee to carry her passport as we
| traveled domestically, and I was completely correct.
| landemva wrote:
| What were you correct about? Non-Americans are in the
| country by permission, not by right. Americans who
| consent are on their knees.
| elashri wrote:
| I think they are still better than my birth date, my
| mother middle name and whatever this SSN is. Which is
| basically something that I am barely the only person to
| know.
| munk-a wrote:
| None of it is mandatory - there are plenty of people in
| the US without any government provided identification and
| it costs money to acquire such an ID.
|
| The only one you can't really dodge is a birth
| certificate.
| darth_avocado wrote:
| And a birth certificate, a passport, a marriage
| certificate etc. to name a few others.
| landemva wrote:
| Marriage license is voluntary. Read your State law about
| powers of clerk of court (or whoever issues that license
| in your State). And consider what benefit you get by
| paying for that license, or if you can stand on your own
| feet without asking for a permission slip license.
| Everything you listed is voluntary, at least in USA.
| FireBeyond wrote:
| > Everything you listed is voluntary, at least in USA.
|
| That isn't true:
|
| > What Happens If You Don't Register a Birth?
|
| > By law, newborns must be registered within 10 days of
| their birth.
|
| > In terms of legality, not registering the birth of a
| child is a violation of the law and a punishable crime.
| Depending on the state, the parents may be fined, charged
| with imprisonment, or have to face other legal
| consequences.
| landemva wrote:
| Which law in which State? How would they know for home
| birth, and would they arrest the baby?
|
| There are administrative rules all over the 50 States.
| Most don't apply to typical Americans but nobody knows
| that or they don't care because 'merica#1.
| munk-a wrote:
| Yea, but that's specifically the only one that isn't
| optional. Almost all other forms of ID are voluntary as
| long as you understand that voluntary means you accept
| not participating in some privileged activities (like
| driving a car on a road for a drivers license).
|
| The US is actually insane about how little identification
| they require from residents and also not great about how
| expensive it can be to acquire certain forms of ID.
| lotsofpulp wrote:
| Not to mention the federal US government provides
| passports.
| xahrepap wrote:
| Right. The fact that they've somehow managed to make me the
| victim when I _wasn't even involved_ is maddening.
|
| The bank/lender/etc is the victim here. But somehow I have
| to take the fall. Well, next time they should ask me before
| lending money to "me".
| FFP999 wrote:
| [dead]
| Mordisquitos wrote:
| > The fact that they've somehow managed to make me the
| victim when I wasn't even involved is maddening.
|
| > The bank/lender/etc is the victim here.
|
| Actually you _are_ the victim: you are a victim of the
| bank/lender/etc and _they_ should be liable to
| compensate you with punitive damages for any
| negative consequences to you.
|
| If the bank or lender considers this unfair, let them try
| to recoup the cost of compensating you by suing the
| alleged fraudster who they claim "stole your identity" --
| but not before they compensate _you_ first.
| SAI_Peregrinus wrote:
| And then the lender sent a statement to the credit
| agencies stating that you'd taken money from them (libel),
| and those agencies believed the libel and re-published it
| (more libel), causing financial damage to you (inability to
| borrow money).
|
| You are the victim of libel by the banks & credit agencies.
| They're the victims of fraud by the person(s) they lent the
| money to. There's no need (other than to protect the banks
| & credit agencies) to bundle both crimes together, call
| them "identity theft", and blame it on the individual
| victim!
| janalsncm wrote:
| Identity theft is a crime meant to reframe lack of due
| diligence as a problem of an unrelated third party.
|
| https://youtu.be/CS9ptA3Ya9E?si=2bpxWKWXDM4vn0iz
| hn_throwaway_99 wrote:
| I know it's popular to hate on credit bureaus. And I totally
| agree they've been horrible stewards of personal data, and they
| have some messed up incentives (e.g. pushing all their "credit
| monitoring" products - it's like making money off the problem
| you created), and I think there is a fair debate whether they
| should be public entities.
|
| Still, people rarely consider the very valuable service they
| provide: without them, credit would be _much_ more expensive in
| this country, or not offered at all. Want to see what a world
| without credit bureaus looks like? Go to a 3rd world country
| where everything is paid for in cash. This is not a good thing
| - it doesn't mean that everyone in these 3rd world countries
| are great savers while those in the first world live beyond
| their means. It means these 3rd world countries don't have
| institutions that can help to ensure trust between lenders and
| borrowers. As distasteful as it may feel sometimes, credit
| bureaus help ensure that trust by giving histories of the
| likelihood of someone's ability to repay a loan.
|
| Again, to emphasize, this is not to say there are myriad
| problems with the way credit bureaus are currently run. It _is_
| saying that the primary service they provide (credit histories
| for individuals) is a good thing for society.
| Mordisquitos wrote:
| You would be surprised how many 1st world countries operate
| just fine while having no such thing as individual credit
| ratings by credit bureaus.
| staringback wrote:
| You still have a credit rating, it just isn't being shown
| to you.
| Mordisquitos wrote:
| If you count _" there is no record of this person making
| a late payment or defaulting on a debt"_ as a credit
| rating then sure, I do have one.
|
| Other than that, the only other information a lender will
| use to decide whether to grant me a loan and under which
| conditions will be information that they will ask me to
| provide, such as age, proof of employment situation, and
| my last 3 payslips.
| hn_throwaway_99 wrote:
| I mean, not really. Here is an overview of how things work
| in some different countries:
| https://finmasters.com/what-countries-have-credit-scores/
|
| Absolutely, there are significant differences, and some are
| quite similar to us (Canada and the UK) others differ more
| significantly (France and Spain). But they all essentially
| have ways to record any black marks from your payment
| history and use that to determine your credit worthiness
| for new loan applications.
|
| This is exactly what I meant in my first paragraph - yes,
| it's absolutely the case that the US implementation has
| tons of problems, and I think it's fine to say these should
| be public or quasi-public entities (e.g. only the
| country's central bank has this info, like in France), but
| in general, all of these countries use some sort of
| analogous system to credit bureaus to determine your
| relative risk profile.
| rrrrrrrrrrrryan wrote:
| I always thought they were pseudo-government entities, or at
| the very least a heavily regulated, government-anointed big
| three.
|
| But after a quick Google right now, it looks like they're just
| random private companies that get to do whatever they want
| because they have such strong established relationships with
| our major financial institutions.
| kamarg wrote:
| Oh there's way more than just the big three too. For
| instance, many online payday lending companies run a credit
| check through alternative credit bureaus. There's quite a few
| of these types of niche credit tracking companies that most
| people never run across.
| paul7986 wrote:
| [dead]
| standardUser wrote:
| The cat has been out of the bag for a while. We need legal
| changes to how personal information is used _after_ it has been
| acquired. It doesn't make sense any longer for it to be so easy
| to open lines of credit or otherwise apply stolen info.
| Joeri wrote:
| Other countries have national ID cards that must be presented
| to get credit. If there is no universal and secure way to prove
| you are you then identity can always be stolen. No amount of
| duct taping the credit system can fix that.
| standardUser wrote:
| Printing a physical ID for everyone seems like an outdated
| solution. I'd sooner support biometric hardware on every
| connected device.
| Sohcahtoa82 wrote:
| > I'd sooner support biometric hardware on every connected
| device.
|
| Ah yes, biometrics, the password that you can't change and
| you leave behind everywhere you go and on everything you
| touch.
|
| Cloning a fingerprint is _trivial_. They're not secure.
| mcdonje wrote:
| "It's not a data breach if you collect money from the criminals
| for the data. Then it's a service offering."
|
| - Credit bureaus
| jedberg wrote:
| Just a reminder to never give private info to someone who calls
| you, even if they seem to have a lot of your private data already
| to "prove they are legit".
|
| Always call back on a number _you_ look up, not one that they
| give you.
| yieldcrv wrote:
| This has nothing to do with that
|
| Everyone is vulnerable to what this article is about
| jedberg wrote:
| The reason it is relevant is because after the scammer gets
| your details, they call you and say they are the bank and
| need to verify some information, and then you trust them
| because they seem to have details that only the bank should
| have.
|
| Then you confirm the scammer got good info.
| rfonseca wrote:
| Also, don't call from the same phone you received the call on,
| _if on a landline_. One time (I can't find the reference)
| scammers called from the bank, suggested the person called back
| to the number on their credit card. The person hung up, picked
| up, and the scammers had held the line, played a fake dial
| tone, and had someone else "pick up".
| IIsi50MHz wrote:
| In USA telephones, unless you timetravel to "party lines"
| (when sets of local numbers had the same line, so picking up
| while a call was in use allowed people to listen or join in),
| hanging up any one end of a line disconnects the departing user
| from the call.
|
| If the described scam happened, it should have required a
| simultaneous fault in the phone system. Or more likely, the
| scammer played a recorded sound of a disconnect+dialtone,
| which could trick the target into dialing.
| aidenn0 wrote:
| This is incorrect at least on Bell Atlantic's (and then
| Verizon's) network in the late 90s. Since there is no
| double-billing on landlines in the US, the person
| initiating the call is the only one that can immediately
| terminate a call to a landline. There's a timeout for the
| reverse direction, but it at least used to be fairly long.
|
| Someone pulled a trick where they took advantage of this.
| Had a friend call and keep the line open. Then claim that
| you have the entire phone book memorized. To prove it, ask
| someone to name a random name, punch in 7 digits and hand
| it off to the person who named it. They ask for the name
| and your friend says "yes that's me" (or "they're not home
| now" if the gender mismatches).
| techsupporter wrote:
| > There's a timeout for the reverse direction, but it at
| least used to be fairly long.
|
| This brings up one of those cultural things: ever noticed
| how in movies and TV shows from the 80s and 90s, if the
| caller hung up, the person called immediately got a dial
| tone?
|
| It's a trope that prop wranglers, set designers, and
| writers picked up because the telephone company around
| Los Angeles (Pacific Bell) had switches that would reset
| the line state for the destination back to "ready for
| call", which meant dial tone, when the origin side
| disconnected. If the destination side disconnected, the
| origin would only be disconnected after approximately 20
| seconds.
|
| Almost all other exchanges would put the destination--
| after the origin disconnects--into an off-hook-but-not-
| ready and then, after 10 or so seconds, play the "if
| you'd like to make a call, please hang up and try again"
| recording, then Special Information Tones, then a rapid
| busy.
|
| Yet because the service in and around LA is what a lot of
| people in the TV and movie business experienced, it is
| what got baked into those productions.
| aidenn0 wrote:
| > rapid busy
|
| I was a rather violent sleeper when I was young and would
| occasionally knock the phone off the hook while sleeping.
| Then I woke up to the fairly loud rapid busy sound.
| Hadn't thought about that a while.
| NoZebra120vClip wrote:
| IIRC, the originating party's on-hook will immediately
| disconnect the call, while if the receiving party goes on-
| hook, there is a short but significant delay before
| disconnect is finalized.
|
| This may have something to do with service offerings such
| as call-waiting and 3-way, which depend on detecting a
| "flash" signal.
| toast0 wrote:
| The time required for a good hangup might vary a little bit
| from exchange to exchange. I recall occasionally being able
| to transfer to different handsets hanging up one before
| picking up the other. But not to the extent reported in
| some anecdotes where one end can hold the call open
| indefinitely.
| jjnoakes wrote:
| This is definitely true. I remember being able to quickly
| press and release the hangup button on a single phone and
| if I was quick enough the other person would remain on
| the line. I don't recall exactly where the threshold was,
| but I believe it was around a half a second or so.
| eep_social wrote:
| Rapidly pressing and releasing the hang up button
| simulates pulse (as opposed to tone) dialing used by
| rotary phones.
| ThinkingGuy wrote:
| I remember being able to hang up the phone in one room,
| run to the next room, and pick up the phone and continue
| the conversation. My friends and I did this on several
| occasions. This was in the Atlanta area, in the late
| 1980s.
| dudul wrote:
| What? Where do phones work like that? Isn't it enough for one
| party to hang up for the call to be over?
| ralferoo wrote:
| They used to operate this way in the UK - the line would
| stay occupied until the call initiator hung up. We used to
| play with this when I was a kid, but I've not had a
| landline since early 2000s, so I've no idea if this
| survived the transition to digital exchanges. TBH I doubt
| it, and I know lots of people complained about it, because
| it was really annoying if someone who'd called you hadn't
| hung up properly as then you couldn't make any further
| calls yourself.
| Mordisquitos wrote:
| I believe that potential exploit only work(s|ed) in the UK
| telephone network, and maybe those of countries developed in
| parallel using similar technology. Either way, it is a zero-
| cost precaution so you might as well do it just in case.
| nickstinemates wrote:
| Who answers phone calls, let alone from unknown numbers, these
| days?
| jedberg wrote:
| I do. I have to. I get lots of important calls from numbers
| that I don't know. I have a call screener but the scammers
| play along with that.
|
| I'd say anyone who is involved in anything outside of work
| probably has to answer phone calls.
| ghaff wrote:
| It's not very practical for a lot of people to decide that
| they just won't be available by phone.
| ralferoo wrote:
| I keep my phone on silent 24/7 except for the very rare
| occasions when I'm expecting a call I don't want to miss.
|
| Sometimes I notice the screen when someone calls,
| otherwise I call back when I next notice the phone,
| usually within an hour. If they're busy then, I just send
| a message instead.
| boring_twenties wrote:
| I'm "involved" in plenty outside of work, with an active
| social life, including regularly meeting new people,
| volunteering, and more.
|
| I can't remember the last time I got a legitimate phone
| call _except_ from work. It's been several years at the
| very least.
| rootusrootus wrote:
| I do. My mom is terminally ill with cancer and most all of
| the caregivers, physical therapy, palliative care, pharmacy,
| oncologist, etc still use good old telephone calls to
| communicate. Sometimes it comes from a predictable number I
| can put in my contacts list, but not always. So I turned off
| the call blocking on my phone so I don't miss important
| calls.
| digging wrote:
| I have a lot of medical appointments these days and it's a
| nightmare how many offices insist on communicating over the
| phone, calling from a different number than the original one
| I found. All phone calls must be considered personal attacks
| until proven otherwise.
| NoZebra120vClip wrote:
| My new insurance company cajoled me into "opting in" to
| their SMS spam for a $100 gift card, but evidently I didn't
| even need to consent to voice spam.
|
| Thankfully, their CID is "Unknown/Unknown" and my spamblock
| sends it direct to voicemail.
| politician wrote:
| "...the target's credit header. This is personal information that
| the credit bureaus Experian, Equifax, and TransUnion have on most
| adults in America via their credit cards. Through a complex web
| of agreements and purchases, that data trickles down from the
| credit bureaus to other companies who offer it to debt
| collectors, insurance companies, and law enforcement."
|
| ...
|
| ""Of all the entities that are the root cause of this data, "the
| credit bureaus are number one," Shavell added. "They are the ones
| that should be subject to the strictest compliance and ultimately
| be held to a higher privacy standard by the federal government
| and by state governments than they are being," he said."
|
| TLDR: People are using social engineering attacks to gain access
| to data brokers' tools that tap credit bureaus' profiles of
| everyone. There are no incentives for the companies in this
| supply chain to perform adequate due diligence before granting
| access to the data.
| WorldMaker wrote:
| It isn't even social engineering because the credit bureaus are
| for-profit entities and want to sell any data they have to the
| highest bidder. Right now, the cost of a (subset of a) single
| user's data on the competitive market between the three
| terrible companies is roughly as low as $15.
|
| This isn't a "bug", it's a "feature" to these companies' profit
| models. It's maybe a bug in the American system that so much of
| this data is in the hands of for-profit companies running a
| race-to-the-bottom auction on it.
| FireBeyond wrote:
| It's even lower than that. It's $15 for a third party to
| purchase that information, and sell it to you at a profit to
| that middleman.
| throwawaaarrgh wrote:
| This stuff was apparent 20 years ago when PIs gave talks at
| hacker cons telling them all the legal ways you could get any
| information you ever wanted. If you Google around there are 500
| online services (public companies, not hackers) to dig up private
| info for a small fee. I guess somebody just finally made a bot to
| make it easier.
|
| Articles like this read to a hacker like an article that door
| locks aren't secure.
| dfxm12 wrote:
| On a tangential note, slightly less than 20 years ago I got a
| phone call from an ex of a girl I was seeing at the time
| telling me to back off. All he had to go on was my name and
| what college I went to. I asked him how he got my number, he
| said he used a service like you're describing. This has never
| been particularly hard for someone who was determined.
| ghaff wrote:
| A lot of the deep web stuff has gone behind $20 or so paywalls
| so I haven't looked in a while. But, yeah, even 20 years ago it
| was obvious that by knowing _very little_ about a person,
| especially if their name wasn't very common, you could find a
| huge amount of information about them.
| cj wrote:
| I mean even whitepages.com surfaces and aggregates quite a bit
| of public data if you buy their $20 background check, and all
| you need is the person's phone number.
| gruez wrote:
| >A short while later, the bot spat out a file containing every
| address that person had ever lived at in the U.S., all the way
| back to their college dorm more than a decade earlier. The file
| included the names and birth years of their relatives. It listed
| the target's mobile phone numbers and provider, as well as
| personal email addresses. Finally, the file contained information
| from their drivers' license, including its unique identification
| number. All of that data cost $15 in Bitcoin. The bot sometimes
| offers the Social Security number too for $20.
|
| Other than SSN, I don't find most of the information listed very
| concerning. Addresses, phone numbers, emails are semi-public
| anyways, considering that you hand them out anytime you make a
| purchase online. I'm not sure what bad stuff you can do with a
| drivers license id. Date of birth/relatives seems like something
| that can be sourced from public records (eg. voter roll). I'd
| prefer it if there weren't a telegram bot that dispenses all this
| for $15, but it's not exactly super privileged either.
| rig666 wrote:
| >$15 per search
|
| What chumps, just use https://freepeoplesearch.com
|
| Ya it has ads but out of all the hundreds of "free" sites it has
| actually the most amount of free information.
| rootusrootus wrote:
| Egads what an awful user experience. Slow, lots of ads, dumb
| questions. Just use http://truepeoplesearch.com if you want to
| stalk someone. More information, no built-in delays to make you
| think they're doing something hard, etc.
| probably_wrong wrote:
| Speaking of awful user experience...
|
| > Sorry, you have been blocked
|
| > You are unable to access truepeoplesearch.com
|
| > Why have I been blocked?
|
| > This website is using a security service to protect itself
| from online attacks. The action you just performed triggered
| the security solution. There are several actions that could
| trigger this block including submitting a certain word or
| phrase, a SQL command or malformed data.
| JohnMakin wrote:
| credit data is quite a bit more detailed than that.
| bluetidepro wrote:
| Has anyone ever used that DeleteMe [1] service the article
| mentions? It's not very cheap, and I'm wondering the value or if
| anyone has any first hand 2 cents on using it?
|
| [1]: https://joindeleteme.com/
| icepat wrote:
| > Submit personal information for removal from search engines.
|
| This sounds very much like trusting a fox to guard the
| henhouse. What do they then do with the submitted personal
| information? Why should we trust that they will behave
| ethically with it? What happens if, and when, they have a data
| breach?
| hk__2 wrote:
| > This sounds very much like trusting a fox to guard the
| henhouse. What do they then do with the submitted personal
| information? Why should we trust that they will behave
| ethically with it? What happens if, and when, they have a
| data breach?
|
| They have no incentive to behave incorrectly as all their
| business is based on trust.
|
| https://help.joindeleteme.com/hc/en-us/articles/817118498523...
| j-bos wrote:
| Trust seems cheap when individuals often just close shop
| and move on.
| icepat wrote:
| Does not factor out data breaches. And "our business is
| based on trust" also has the caveat of "for now". What if
| they're bought out?
| hk__2 wrote:
| > Does not factor out data breaches. And "our business is
| based on trust" also has the caveat of "for now". What if
| they're bought out?
|
| Then nobody knows. "What if?" works for literally
| anything anywhere and nobody can respond to all of them,
| so I'm not sure what you're expecting here.
| icepat wrote:
| I'm not expecting anything, I'm just pointing out that
| handing over personal data to have your personal data
| deleted may not be the most sound idea.
| j-bos wrote:
| Has anyone collected a list of data brokers to opt out
| yourself?
| lexlash wrote:
| I'd never heard of it but it certainly comes up often in the
| article. Feels like something DoNotPay will offer soon, if it
| doesn't already.
| shiftpgdn wrote:
| I had DeleteMe for a year. It was pretty good but for whatever
| reason "whitepages . com" would continue to publish all of my
| PII and even DeleteMe couldn't take care of it.
| arkadiyt wrote:
| I've been using it for a few years and am a happy customer.
| However - what deleteme does is remove you from "Spokeo"-type
| websites, it will do nothing to protect you against the issue
| in this article, which is people buying your data from the
| credit bureaus.
| bluetidepro wrote:
| I think the concept of "Remove yourself from all major data
| broker websites for 1 year." is what worries me, like do they
| just resubmit your info once you stop paying? Do I just have
| to pay for this until forever? haha Or do you think you could
| get away with paying for a year, then again in like 5-10
| years after you cancel the first year?
| slashdev wrote:
| They don't resubmit your data, but they'll stop actively
| removing it from websites where it gets published.
| bluetidepro wrote:
| I wonder how often or how fast it would get back on there
| once it stops being removed? Maybe with the typical life
| events that trigger it? Buying a house, new drivers
| license, etc. etc.
| freedomben wrote:
| Yes exactly. I don't know much about deleteme but I know
| a decent amount about the aggregation and reselling of
| data. Any time an event happens with some entity they
| will sell/contribute your information to a data
| aggregator which puts it everywhere. So if you buy a
| house or get a credit card or a loan, your info is back.
|
| If you want to be horrified, use a different email
| address for each service. I have a domain that I
| configured to forward to me, so for example if I got a
| loan through Hacker News Home Loans, I'd give them email
| "hackernewshomeloans@example.com" . Doesn't work for
| everything, but it is a good eye opener.
| NoZebra120vClip wrote:
| My credit monitoring services will search for an email
| address, but not for wildcards...
| freedomben wrote:
| That's quite unfortunate, it would probably be easy for
| them to add support for matching all domains, but I doubt
| anyone asks for that.
|
| IIWM I think the benefits outweigh the cons of dropping
| the monitoring, but others may have different
| situations/priorities.
| nkotov wrote:
| Not this one but there is a YC W22 company called Optery [1]
| that does something similar and it works really well.
|
| [1]: https://www.optery.com
| kanary wrote:
| We've written about the need for policy reform in the US.
| https://www.kanary.com/blog/privacy-protection-through-regul...
|
| And offer a deleteme-like service with broad coverage and an
| affordable rate for removals and monitoring. We received a
| grant from YC for our work in 2019.
|
| https://www.kanary.com/
| haswell wrote:
| I have not used DeleteMe, but I've used Optery [0], which does
| seem to at least reduce my information footprint.
|
| Consumer Reports also provides a free service called Permission
| Slip [1] that auto-submits opt-out requests for a variety of
| retailers/services as well as data brokers.
|
| It is difficult to tell how effective these services are, but
| if nothing else, I'd prefer to minimize my footprint as much as
| possible. I don't think this does much to help with the credit
| bureaus, though.
|
| We desperately need real privacy laws with teeth.
|
| - [0] https://www.optery.com/
|
| - [1] https://www.permissionslipcr.com/
| ImPostingOnHN wrote:
| is permission slip available as a service, vs an app?
|
| forcing users to install apps, which can harvest much more
| personal data, seems sketchy to me, especially for a service
| that's supposed to understand that the user doesn't want that
| haswell wrote:
| I've only interacted through the app so I'm not sure if
| there's a web interface. That said, the fact that this is a
| service by Consumer Reports carries some weight, and the
| privacy label in the App Store shows minimal information
| collected.
|
| I haven't combed through the privacy policy on their
| website, but the way I see it, I'm not _worse_ off by
| sharing a few bits of data with CR, and as far as I can
| tell, they're not doing obviously nefarious things.
| everdrive wrote:
| Interestingly, you actually never get signed up for these credit
| services until you get a credit card. So all the things people
| tell you "build credit" (eg: pay your bills on time, pay your
| rent, etc.) don't actually "do" anything. There's no credit score
| to attach to them, so they just go off into the ether. I built
| credit a bit late in life and it was a struggle to get started.
| At this point, I kind of wish I'd just avoided building credit
| altogether. I wouldn't be in any of these systems.
| stonogo wrote:
| This isn't the case. You get signed up for these credit
| services when anyone makes reports about you to them. This can
| be, for example, your landlord. Paying rent does not indeed
| affect a credit score, but credit scores are separate products
| from credit reports. You have a right to your credit report
| annually, but you have no right to know your FICO (or other
| such) credit score; they're proprietary products.
|
| Basically, these companies will build profiles on anyone whose
| information gets reported to them, even if those profiles do
| not include a credit score.
| soared wrote:
| Not having credit means you'll never get a mortgage, auto loan,
| etc.
| rthomas6 wrote:
| You can get a mortgage without a credit score. It is called
| manual underwriting.
| hoosieree wrote:
| Some lenders still do "manual underwriting" for mortgages.
|
| So instead of blindly trusting your credit score as the
| measure of your ability to repay a loan, a human looks at
| your situation - income, other debts, etc, and makes a
| judgement call. It's more paperwork and slower, but it
| definitely exists.
| gnicholas wrote:
| So if you don't anticipate needing a mortgage or car loan,
| could you get rid of credit cards and perhaps cut down your
| online footprint? The question is how you would pay for stuff
| -- are debit cards just as bad? Cash is being phased out at
| some stores so that's not always an option. I guess you could
| load up my Apple Pay straight from your bank and use that
| instead of a credit card?
| toast0 wrote:
| Debit cards are (typically) connected to a checking
| account, and most banks and credit unions use the credit
| reporting agency ChexSystems to check for a history of
| checking account infractions and report infractions there
| as well. However, accounts in good standing aren't
| typically reported. So once your account opening falls off
| the report, assuming you don't kite checks or overdraft,
| your report will be empty. I think overdrafts likely need
| to be frequent or left unresolved for a long enough time to
| get on your report too, but I'm not 100% sure.
|
| Some banks will run a credit report from other agencies
| while opening too, but if you don't ask for or refuse any
| credit cards offered, you should have an empty report from
| them, once everything falls off.
| gnicholas wrote:
| Interesting! So what you're giving up is the 2% cash
| back, and purchase protection that credit cards offer, in
| exchange for having privacy?
| toast0 wrote:
| Yeah, debit cards interchange is much lower as I
| understand it, so there's no room to give big rewards. I
| think purchase protection is, in theory, equivalent or
| close, but debit cards presume the transaction is good
| and hold your money, whereas credit cards are more of a
| review your bill and decide if you're going to pay.
|
| But if you don't want to have a credit profile, then you
| can't use credit.
| landemva wrote:
| At least one debit card kicks back 1%. Look around.
| [deleted]
| mindslight wrote:
| > _Senator Ron Wyden told 404 Media in a statement that "These
| companies have demonstrated that they can't control who has
| access to their data products. The government needs to stop these
| companies from packaging and selling our personal information,
| and the senior executives that put profit over national security
| and Americans' safety should be punished accordingly."_
|
| I'm amazed that the _quote from a politician_ is the most even
| handed substantive part of this article. The rest of the article
| is essentially scaremongering a misguided narrative around
| "criminals" gaining access to surveillance databases, when the
| real problem is the uncontrollable and unaccountable surveillance
| databases existing in the first place. The US desperately needs a
| port of the GDPR to give us data subjects the rights to control
| and prevent dossiers being kept on us.
| brm wrote:
| I can use a couple free searches to dox nearly anyone in
| America...
| nuancebydefault wrote:
| When I read all this, I can't help but think that Europe is
| doing better in this respect. Policies like GDPR help to prevent
| such large scale personal data collection and hence abuse.
|
| Also, things like scores and rankings to get a loan/mortgage are
| not what I ever experienced. The procedure basically is, you take
| your last 3 salary slips and shop a few banks. You take the one
| with the lowest rent. Done. After all, you sign a document that
| states that the bank might sell your property if you do not pay
| off (for quite some months)
|
| Or do I see it wrong?
| yessen wrote:
| There is a website (blockshopper.com) that scrapes and indexes
| real estate transaction data from counties that publish it. It's
| easy and free to find someone's address and doxx them. Their
| policy says that they only remove your data if you are a target
| of harassment, under court order or law enforcement officer.
| josefresco wrote:
| I tried it, it has no data from my zip.
| kccqzy wrote:
| When I go to a free people search website (I usually use
| fastpeoplesearch.com) and search for myself, the only accurate
| information there is from real estate data (and USPS address
| changes). But reading the article, I have reason to believe
| that if we were to pay a people finder website, it could be
| having better data sources such as credit file header
| information.
| landemva wrote:
| Hmmm, so I should be doing USPS change of address every year
| or so to random apartments in various locales.
| nonameiguess wrote:
| This doesn't seem very comprehensive. As far as I'm aware,
| every county publishes this information. If I go to my own tax
| authority's website and search for myself, all of my property
| tax records come up. But if I enter in my name here, only one
| state shows up and whoever this is is not me. My name is pretty
| common, too, so this guy is definitely not the only US
| homeowner other than me who has this name.
| vGPU wrote:
| In general, property tax and ownership data is public. You can
| somewhat increase your privacy by purchasing property under a
| business name, but business formation documents are also public
| for the most part.
|
| For example, I can go to the website of my county's registrar
| and pull up the formation and renewal documentation of my LLC
| with just a last name.
|
| I don't think you can effectively hide ownership of property
| without a shell corporation. The Corporate Transparency Act
| passed in 2021 requires you to provide ownership records to the
| treasury but I believe that ownership of the corporation can
| stay anonymous to the general public.
| bombcar wrote:
| It's doable, but the general consensus seems to be it's not
| worth doing - anyone who wants to dox you for the purposes of
| legal matters will get it anyway, and that's the biggest
| reason it's usually discussed.
|
| If you're just trying to keep yourself off the Internet, just
| change your name to John Smith or Michael Jackson.
| tomwheeler wrote:
| At least in the US, it's very common for major assets
| (especially real estate) to be owned by a trust.
|
| Although a trust is different from a corporation in many
| ways, they're similar in that they are both legal entities
| distinct from the people involved (and can both have their
| own tax ID numbers, also distinct from those people). They're
| primarily created for estate planning purposes, but public
| records will typically show only the name of the trust, not
| the people who live there.
| charcircuit wrote:
| Running background checks to dox people is a tale as old as time.
| hospitalJail wrote:
| Home address and phone number?!?! The horror! (Did people forget
| yellow pages existed?)
|
| I suppose email and SSN are yikes inducing but after a decade of
| having my email sold to the political parties, I don't treasure
| it. SSN? Haven't we moved beyond SSN for security purposes?
| pessimizer wrote:
| > Home address and phone number?!?! The horror! (Did people
| forget yellow pages existed?)
|
| Are you absolutely sure that people who had real concerns about
| their privacy and safety allowed their phone number and address
| to be published in the book? Also, it was the White Pages, btw.
| bArray wrote:
| I think that given all of this information, they could run a
| very convincing scam either against you, or a service you
| interact with.
|
| From what I can tell, SSN is still somehow considered a form of
| identification in the US.
|
| Edit: Commented too early.
| hospitalJail wrote:
| As much as WFH is a thing forever, whenever I do high stakes
| things, they require me to come in + show my drivers license.
|
| Seems like there are basically no exceptions when it comes to
| banking.
| ethanbond wrote:
| How might someone acquire a drivers license with your name
| on it? Having your SSN helps a lot!
| landemva wrote:
| > basically no exceptions when it comes to banking.
|
| That depends on your megabank. KYC and what staff will do
| over the phone is about relationships. I get things done
| over the phone at local credit unions and even mid-size
| regional banks. Banking and identity regulations allow a
| lot to happen, and your personal relationships make a
| difference.
|
| The back offices of mega-banks generally prevent personal
| service. Choose a different banker.
| msla wrote:
| > SSN? Haven't we moved beyond SSN for security purposes?
|
| No, the banks haven't, which means you haven't, bucko.
| shadowgovt wrote:
| Honestly, the shortest solution to these problems would be to
| reshape the law so that banks are 100% responsible for fraud.
| As in, if they open an account tied to somebody and it turns
| out to be tied to somebody else? 100% on them, the person who
| they were deceived into believing they were doing business
| with is fully protected by the law from any ramifications.
|
| Of course, this would completely change the risk model banks
| operate under and fundamentally reshape commerce as we know
| it. Banks would become hypersensitive, all business would be
| conducted in person, banks would reserve the right to tie up
| your money for years if you couldn't prove who you were
| (think getting your Google account unlocked when Google
| suspects fraud, except now it's your money in the bank down
| the street...).
| landemva wrote:
| You haven't moved on because of your parents.
|
| SSN is voluntary. If parents would stop opting-in their
| babies into this data scheme, Americans could grow up without
| these numbers.
|
| After ominous threats about 'must choose name for baby' my
| wife and I left the hospital with our baby. Health insurer
| sent new member card with name 'baby girl' which worked great
| for all the follow-ups. And nobody from big government forced
| me to apply for SSN. We did get a passport (SSN on that
| application is optional) and travelled internationally before
| the first birthday.
|
| Most of this nonsense data collection is voluntary. More and
| more in life I say "No thank you" and move on. Many Americans
| get a warm blanket feeling by putting their children into
| voluntary data schemes.
| kccqzy wrote:
| The only thing you are achieving is to add extra paperwork
| and hassle to your daughter's future when she later has a
| job or opens a bank account.
| landemva wrote:
| We are allowing our children to make their own choices
| when they are adults. If they want to opt-in to SSN as
| adults, they will be able to do that. America is eager to
| let children choose everything including their gender, so
| why not preserve their SSN choice until they are an
| adult?
|
| Last week I opened yet another savings account with name
| roughly "baby girl trust" and the tax ID I got that
| morning from IRS website for the _trust_. New account
| setup was super easy because I had everything the credit
| union wanted for their back office.
|
| I luckily had a lot of free time and motivation to learn
| this stuff. Most Americans don't know and presume it is
| therefore not possible.
| msla wrote:
| > SSN is voluntary.
|
| "Voluntary" but required to live like a normal human being
| isn't very "voluntary" in reality.
|
| Get a job without an SSN.
| landemva wrote:
| Employer is required to verify citizen or immigration
| status. For an American with a passport, the passport
| works okay.
|
| Passport works great for ID all around, because it does
| not require SSN and does not have home address.
|
| Many things, like TSA (Soviet era) checkpoints don't
| actually require ID. People seemingly prefer to act like
| cattle and show IDs everywhere and voluntarily consent to
| full body scans. Then people complain that their bits of
| privacy got leaked. Of course it leaked, and you
| voluntarily consented.
| citrusynapse wrote:
| You are going to get a lot of people telling you that
| you're a libertarian nutjob. Even here, which touts itself
| as a bastion of internet privacy champions and "experts".
|
| But you, you're walking the walk. Asking the hard questions
| and accepting the consequences. There is only one way to
| make things change.
|
| Don't let any little pedants tell you "how your daughter is
| going to grow up", either. Or that they somehow know how
| she'll feel about you.
|
| FWIW: my kids have SSN's and that is just as dangerous as
| what you've chosen.
| msla wrote:
| > You are going to get a lot of people telling you that
| you're a libertarian nutjob.
|
| No, just making life more difficult for his child, who
| has no say in the matter.
|
| Some people are bad at seeing children as humans, as
| opposed to appendages of the parent.
| landemva wrote:
| Yes, the big brain types sometimes get really pissed off
| when they find out they were tricked into voluntarily
| consenting into a bunch of stuff.
|
| When you get/renew passports, leave the SSN box blank. It
| will become second nature to ignore these data requests.
| karaterobot wrote:
| Are you willing to provide your address and phone number in
| this thread, then? My guess is "no", but why not? Might other
| people not want their home address and phone number made
| public?
| ehnto wrote:
| When this discussion comes up, I think some people forget the
| context is online fraud. The attacker likely has other
| information on you, so a lookup service that helps them
| stitch it together with your real name and number is not
| good. The yellow pages is not a lookup service like that, it
| can't connect you from other information to a name and phone
| number, so having a book of names unlinked to the data you
| have gets you nowhere.
| karaterobot wrote:
| People also forget (or may not know, since they post-date
| the use of print telephone directories) that you could opt
| out of being in the Yellow Pages. You can't do that with
| credit headers, or even, practically speaking, with credit
| cards.
| pessimizer wrote:
| They also forget that it was the White Pages for personal
| listings, and the Yellow Pages for business listings.
| karaterobot wrote:
| Fair point!
| landemva wrote:
| > or even, practically speaking, with credit cards.
|
| Yes you can opt out even with credit cards, and you can
| also do it for minor children in 5 easy steps:
| 1 clone your trust document
| 2 IRS.com and get TIN for trust
| 3 open trust savings account at bank
| 4 put funds in account
| 5 get the bank's 'secured credit card' offer in which
| they lock the funds
|
| If you quibble that a secured credit card is not a real
| credit card, then just get the debit card.
| ballenf wrote:
| Every address you've lived at... frequently this plus a SSN is
| all you need to completely take over someone's identity.
| [deleted]
| lexlash wrote:
| There are other services which rely on this header's
| information for authentication (which of these addresses did
| you live at in 2021?) so for approximately $15, you can
| dramatically increase the effectiveness of an attack on those
| services.
|
| Unlisted numbers have been a white pages paid feature for a
| very long time. Very similar incentives in both directions
| compared to these headers, I'm sure. (Yellow pages were pay for
| inclusion, iirc.)
| OJFord wrote:
| The criticism here should be that the starting point is 'name &
| state' (wouldn't 'doxing' normally be determining name/identity
| or more from believed-anonymous online interactions?) but
| otherwise yes whatever you think of how important it is that is
| doxing?
|
| But it's more than you cherry-picked anyway:
|
| > The file included the names and birth years of their
| relatives. It listed the target's mobile phone numbers and
| provider, as well as personal email addresses. Finally, the
| file contained information from their drivers' license,
| including its unique identification number.
|
| Plus 'sometimes' Social Security Number as you said.
| michaelt wrote:
| _> "On the very rare occasion where we confirm misuse of TLOxp,
| we coordinate with law enforcement to help prosecute those
| responsible," TransUnion added._
|
| This is categorically false.
|
| I've had transunion hand my entire credit report over to hackers
| who had nothing but public information, and transunion
| _absolutely do not give a shit._
| nenaoki wrote:
| They even say so themselves; "on the very rare occasion where
| _we confirm_ misuse."
|
| They're not saying anything about how much they care about or
| follow-up on confirmation.
| FFP999 wrote:
| I bet if there were meaningful consequences for sloppy custody
| of data (i.e. fines large enough to hurt, as opposed to the
| "LOL whoopsie doopsie have some free credit monitoring"
| nonsense), credit bureaus would clean up their act. I do not
| anticipate this happening anytime soon.
| tornato7 wrote:
| Free credit monitoring for a year, then auto-renews at
| $89.99/yr after that. Oh, and to sign up for credit
| monitoring you have to share even more personal data with
| them, but they pinky promise not to lose it this time.
| polygamous_bat wrote:
| Exactly, what reason do they have for being more careful if
| there's nothing to lose and everything to gain for them?
| hammock wrote:
| >transunion absolutely do not give a shit.
|
| I'm sure they would respond to a subpoena if you were willing
| to work with an attorney
| ansible wrote:
| The GP would need to see if they have ever used any
| Transunion service. There is probably a click-wrap agreement
| that you can't sue for basically any reason. Maybe it will go
| to arbitration, where they won't do squat for regular people.
| jstarfish wrote:
| Your grievance is misguided.
|
| Transunion _can't_ do shit about some Belarusian teenager
| stealing your identity any more than anybody can indict them
| for deploying ransomware on government networks. The framework
| for prosecution of international cybercrime _does not exist._
|
| Domestically, Transunion absolutely will shut down access to
| data furnishers who do not vet employees, in cases where an
| employee is bored and looking up their exes and random
| celebrities. It is a violation of the FCRA and subjects the
| bureau and the furnisher to fines. The bored employee scenario
| usually just results in termination but if there are other
| factors at play like identity theft/fraud, law enforcement
| absolutely gets involved.
|
| This rogue employee scenario is the mechanic I'm guessing is
| being exploited here, only it seems crowdsourced to obfuscate
| attribution (so one person isn't making hundreds of fraudulent
| requests that gets them noticed).
|
| This stuff happens at Equifax all the time too. People are
| always trying to look up Donald Trump, athletes and rappers in
| misguided attempts to see how much money they have or where
| they live. (Celebs have taken to getting around this by buying
| properties in relatives' names.)
| michaelt wrote:
| _> Your grievance is misguided._
|
| I'm not sure what makes you think that, given you don't know
| any of the details involved.
|
| In my case, TransUnion received credit checks for me with
| dates of birth 1 Jan, 2 Jan, 3 Jan, 4 Jan and so on until
| they hit upon my date of birth, then a credit account was
| opened that same day, then later in the day a third party
| credit monitoring agency accessed my credit report and they
| were allowed to pass 'knowledge based authentication' using
| their knowledge of that credit account.
|
| I am completely sure TransUnion could have detected and
| foiled this incredibly obvious attack. I'm also completely
| sure they could have identified other victims of the same
| attackers and informed them, but they chose not to.
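
The pattern michaelt describes above (inquiries on one file stepping through dates of birth, then an account opening and a knowledge-based-authentication pass the same day) can be caught with a per-file check. This is an added example, not part of the thread and not any bureau's code; the event fields, subscriber IDs, thresholds and sample log are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Events that matter when they follow a burst of DOB guesses on the same file.
FOLLOW_UP_KINDS = {"account_open", "kba_pass"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    subject: str                 # key of the consumer file queried (constructed)
    kind: str                    # "inquiry", "account_open" or "kba_pass"
    requester: str               # subscriber sending the request (constructed)
    dob: Optional[date] = None   # date of birth supplied with an inquiry


def longest_consecutive_run(dobs):
    """Length of the longest run of DOBs that are exactly one day apart."""
    days = sorted({d.toordinal() for d in dobs})
    best = run = 1 if days else 0
    for prev, cur in zip(days, days[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best


def detect_dob_enumeration(events, window=timedelta(hours=24), min_distinct=5,
                           min_run=4, follow_up=timedelta(hours=24)):
    """Return one alert per consumer file whose inquiries walk through DOBs.

    Grouping is by file, not by requester, so guesses spread across several
    subscribers still add up.
    """
    by_subject = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_subject[ev.subject].append(ev)

    alerts = []
    for subject, evs in by_subject.items():
        inquiries = [e for e in evs if e.kind == "inquiry" and e.dob is not None]
        start = 0
        for end in range(len(inquiries)):
            # Keep the sliding window no wider than `window`.
            while inquiries[end].ts - inquiries[start].ts > window:
                start += 1
            seen = {e.dob for e in inquiries[start:end + 1]}
            if len(seen) >= min_distinct and longest_consecutive_run(seen) >= min_run:
                break
        else:
            continue  # threshold never crossed for this file

        first = inquiries[start]
        burst = [e for e in inquiries[start:] if e.ts - first.ts <= window]
        dobs = {e.dob for e in burst}
        deadline = burst[-1].ts + follow_up
        follow_ups = [e for e in evs
                      if e.kind in FOLLOW_UP_KINDS and first.ts <= e.ts <= deadline]
        alerts.append({
            "subject": subject,
            "first_seen": first.ts,
            "triggered_at": inquiries[end].ts,
            "distinct_dobs": len(dobs),
            "longest_run": longest_consecutive_run(dobs),
            "requesters": sorted({e.requester for e in burst}),
            "follow_ups": [(e.kind, e.ts) for e in follow_ups],
            # A new account or KBA pass right after the guessing is the worst case.
            "severity": "high" if follow_ups else "medium",
        })
    return alerts


def build_sample_events():
    """Constructed sample log; no real subscribers or consumer files."""
    day = datetime(2023, 8, 1, 9, 0)
    events = []
    # file-A: DOB guesses stepping 1 Jan, 2 Jan, ... split across two requesters.
    for i in range(9):
        events.append(Event(day + timedelta(minutes=2 * i), "file-A", "inquiry",
                            "sub-17" if i % 2 else "sub-22", date(1985, 1, 1 + i)))
    events.append(Event(day + timedelta(hours=5), "file-A", "account_open", "sub-17"))
    events.append(Event(day + timedelta(hours=9), "file-A", "kba_pass", "sub-40"))
    # file-B: ordinary rate shopping, same DOB from three lenders.
    for i, sub in enumerate(["sub-03", "sub-08", "sub-11"]):
        events.append(Event(day + timedelta(hours=i), "file-B", "inquiry", sub,
                            date(1990, 6, 14)))
    events.append(Event(day + timedelta(hours=4), "file-B", "account_open", "sub-08"))
    # file-C: one mistyped DOB followed by the corrected one.
    events.append(Event(day, "file-C", "inquiry", "sub-05", date(1978, 3, 12)))
    events.append(Event(day + timedelta(minutes=1), "file-C", "inquiry", "sub-05",
                        date(1978, 12, 3)))
    return events


if __name__ == "__main__":
    for alert in detect_dob_enumeration(build_sample_events()):
        print(alert)
```
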
| cognaitiv wrote:
| KBA must die.
| ajmurmann wrote:
| TransUnion also has full control over what authentication
| mechanism they use. On the extreme end, they could require
| a Yubikey to be used. However, they deem the hassle to
| implement better auth not to be worth it while it's users
| who carry the cost of TransUnion's inability to properly
| authenticate people.
| mrguyorama wrote:
| They also see zero reason to spend even a dime on better
| security of processes when they saw that the entire
| company could be pwned and distributed on the dark web
| and you end up losing zero revenue, maybe a million bucks
| in a class action suit.
| NoZebra120vClip wrote:
| Are they vulnerable to SSPR Abuse? I'm having great fun
| reporting to Very Large Services and being rebuffed
| because they don't understand or care.
| gopher_space wrote:
| > I am completely sure TransUnion could have detected and
| foiled this incredibly obvious attack. I'm also completely
| sure they could have identified other victims of the same
| attackers and informed them, but they chose not to.
|
| It's entirely possible that nobody at TransUnion knows how
| to achieve this given the state of their databases and/or
| staff. For example, maybe their system was set up before
| constraints were a thing and they stopped development once
| it started printing money, so the only person "working" on
| it does light maintenance as a portion of their other
| duties.
| martin8412 wrote:
| If they aren't responsible enough to handle the data, then
| they shouldn't have it in the first place. The end. Fine them
| out of existence if they hand over PII to random 3rd parties.
| alistairSH wrote:
| lolwut?
|
| The criminal made a false request for credit report. TU
| released the credit history without confirming ID. The bank
| relied on that credit report to extend credit.
|
| The problem is, as a whole, ruining the credit of a few
| thousand people/year (and making them jump through hoops to
| regain their ID) is less costly than clamping down. TU
| absolutely contributes to the problem; they just have no
| incentive to fix it.
| temac wrote:
| That kind of unbounded massive privacy violation would result
| in million EUR fines (if not dozen or hundreds of millions)
| under GDPR law. And it was already not possible at scale in
| major European countries before GDPR. What permits it to
| happen in the USA at scale, is that the baseline of
| protections is so low compared to Europe. Depending on the
| state it is getting better, but there is still this culture
| about making massive files on everybody about everything and
| then selling them to anybody who asks and pays. Such databases
| are often forbidden in Europe to begin with because we think
| of what could happen if they are misused.
|
| The notion that the fault would completely be on a
| "Belarusian teenager stealing your identity" and no
| responsibility whatsoever on people organising a system of
| massive private data collection in the first place, and then
| not even able to keep such data secure, is ludicrous. And
| even when you know that privacy invasion is attempted all the
| time you don't reach the conclusion that at the very least
| better securing the data would be needed, that task I'm not
| sure can be done by any "Belarusian teenager" - and that task
| has de-facto not been done by whoever is collecting and
| maintaining the private data that has leaked and is still
| leaking.
| Nextgrid wrote:
| > That kind of unbounded massive privacy violation would
| result in million EUR fines (if not dozen or hundreds of
| millions) under GDPR law
|
| No they wouldn't. GDPR enforcement is severely lacking and
| the regulators tasked with enforcing it are either
| incompetent or corrupt.
| hanniabu wrote:
| > Transunion can't do shit
|
| They can but they don't. There being no framework for
| prosecution doesn't mean it's impossible to not hand out data
| to anybody that asks with minimal info provided.
| gottorf wrote:
| If you have the means, perhaps a civil suit against TransUnion
| for their tortious actions is appropriate. Of course, it's a
| gigantic hassle.
| adolph wrote:
| Or "small claims" court:
|
| https://fairshake.com/transunion/how-to-sue/
| hdb7u73eyd wrote:
| [dead]
| cwkoss wrote:
| It can be true if they intentionally never confirm any or even
| investigate potential misuse
| tromp wrote:
| I hope you can coordinate with law enforcement to help
| prosecute those at TransUnion responsible...
| megabless123 wrote:
| law enforcement largely do not care either
| e40 wrote:
| _Largely_? They give absolutely zero shits.
| Consultant32452 wrote:
| They really enjoy laughing at you.
| dixie_land wrote:
| So in a sense they do care :)
| jmprspret wrote:
| Put some of their names into these services. Cops, feds.
| Lookup some high-profile court cases, see if you can get
| names of witnesses.
|
| Now let's see if they care.
| tiffanyg wrote:
| _"Well, they forced my hand, I'm going to call the
| police..."_
|
| https://youtu.be/lehmQ5mUveg?t=20s
___________________________________________________________________
(page generated 2023-08-22 23:01 UTC)