[HN Gopher] It's still easy for anyone to become you at Experian
___________________________________________________________________
It's still easy for anyone to become you at Experian
Author : todsacerdoti
Score : 313 points
Date : 2023-11-11 18:05 UTC (4 hours ago)
(HTM) web link (krebsonsecurity.com)
| arciini wrote:
| Given there are 3 credit bureaus, is there a way to avoid having
| a credit score at one of the credit bureaus? I think that's a way
| that we as consumers could try to increase competition in the
| field.
|
| I did some Googling and it didn't seem like there's an easy
| option.
| ssgodderidge wrote:
| I feel like this has to happen. They operate like a private
| utility company, with little to no other options.
|
| Imagine if they were like password manager apps? We could
| evaluate all of them, choose what we wanted, and migrate
| whenever something happened.
| djbusby wrote:
| Businesses report data to them. So, you'd have to avoid
| businesses that report to one. But, they all report to
| multiple.
| paulddraper wrote:
| As a consumer? No
|
| As a business? Sure, report to the ones you want to
| atrettel wrote:
| There is no way to opt out of credit reporting. Lenders report
| the information to the credit bureaus, typically all three of
| the big ones, so if you want no information reported, simply
| close all your credit cards and loans, etc. and place credit
| freezes on your credit reports.
|
| I don't think that "increased competition" will work here. We
| are not customers of the credit bureaus. We are the product.
| The customers are lenders and other people who need your
| information. From the lenders' perspective, this is all working
| out fine, largely because the onus for "identity theft" is
| placed on members of the public as individuals rather than on
| lenders to accurately verify applicants' identities before
| extending credit. As many people have pointed out before,
| "identity theft" is a misnomer designed to pass the buck onto
| individuals. Ideally, it should be the lenders' responsibility
| to prevent criminals from misusing your information and to make
| things right whenever a criminal tries to use your information
| fraudulently, but right now the onus is placed on individuals.
|
| A better solution would be to have higher standards for
| identity verification by lenders. That would shift the burden
| onto lenders to actually verify people's identity before
| extending credit. Some lenders actually do a pretty good job of
| verifying people's identities before extending credit in my
| experience, while others just seem to accept the information
| given uncritically (as far as I can tell!). High industry-wide
| standards should help solve this (either voluntarily or
| mandated by law).
| ISL wrote:
| A statutory fine of $50k per compromised account would get
| the attention of the credit bureaus. (It might drive them out
| of business, but it sure would get their attention.)
| LoganDark wrote:
| $50k seems at least four or five orders of magnitude too
| low to be of any concern to them
| dghlsakjg wrote:
| $50k per record affected, not per occurrence.
| IggleSniggle wrote:
| The problem is that we are not the consumers. They receive
| _our_ data from all the companies we do business with. You
| would have to figure out on a case by case basis all ties
| relating to the credit bureau. Probably if you never got a
| credit card and never took out a loan, you would be somewhat
| protected from their "research."
| WarOnPrivacy wrote:
| > is there a way to avoid having a credit score at one of the
| credit bureaus?
|
| Without it (also without a sufficiently high number), most
| avenues to housing are cut off
| cco wrote:
| Plaid just started a Credit Reporting Agency (what Experian et
| al are). First company to attempt to compete in the space
| seriously in a long time.
| theonemind wrote:
| Experian reminds me of enshittification, except it never had any
| interest in providing actual value to the general public to
| betray, so started off one step further along the process in a
| way.
|
| No individual in a personal capacity ever wanted to do business
| with Experian, like they wanted to buy an iPhone or something.
| You're introduced to the unpleasant fact of its existence at some
| point. They don't have anything you want, you're the product from
| the start, and you don't have to walk into their net, you're
| probably _born_ in it.
| nonrandomstring wrote:
| We're amidst the proliferation of a class of entity that Joe
| average doesn't quite have the political vocabulary or tools to
| deal with yet;
|
| Things that deal in _you_.
|
| They make money from you, indirectly.
|
| You have no business or social relation with them.
|
| You didn't vote for them.
|
| They have immense power to harm you.
|
| You have no recourse.
|
| You may not even know they exist.
|
| Until recently this was the preserve of a few government
| agencies that had a very narrow focus on a few "persons of
| interest". Today it is every dime store startup in "big data",
| search, spammers, social network, and the entire grubby, yellow
| maggoty underbelly of "surveillance capitalism" and all the
| mushrooms that grow on it.
|
| So far the promised "benefits" of this have never materialised.
| Will we be able to keep pretending "nobody cares" as public
| awareness, and governments' will to enact legislation grows? At
| some point surely "credit agencies" and their ilk will
| essentially be outlawed under a dozen different digital rights
| acts.
| city41 wrote:
| Every time I log into experian.com, I am greeted with an offer
| to "upgrade" my account for $0.00. At the top is small text
| that says "Try Experian CreditWorks(sm) Premium for 7 days for
| free, then pay just $24.99 each month+. You may cancel anytime
| if not satisfied."
|
| First of all, $25/month for an Experian product? I can't
| possibly fathom how anything they provide can be worth even
| 1/100th of that. That price just absolutely blows my mind.
|
| But worst of all, they proudly say it is $0.00 and have the pay
| button the most prominent. How many people get roped into this?
| They are just slime all the way down.
| bee_rider wrote:
| Of course, we aren't the customers for these spying companies.
| But it is surprising that the total lack of security isn't a
| deal-breaker for their actual customers. I mean if you can
| basically impersonate anybody using this service, what is the
| point of using it?
| nyokodo wrote:
| > what is the point of using it?
|
| Plausible deniability allowing them to push as much significant
| risk of identity theft onto consumers instead of themselves
| where it should be.
| ajmurmann wrote:
| Even the term "identity theft" needs to go. My identity
| wasn't stolen! I'm still the same person. The bank got
| tricked by a scammer and somehow the bank tries to make that
| my fault.
|
| Edit: Imagine this the other way around! Grandma gets scammed
| by someone pretending to be her bank. So the bank's identity
| got stolen. So now the real bank needs to fix it, provide
| more proof of identity to all customers and jump through all
| kinds of hoops to not owe grandma crazy amounts of money.
| earthboundkid wrote:
| Yes! I've been saying this for years. The whole framing is
| a victim blaming dodge, when the two bad actors are the
| crooks and whoever made the loan with insufficient ID.
| DoctorOW wrote:
| It always reminds me of this classic Mitchell and Webb
| sketch about the subject.
|
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| civilized wrote:
| If identity theft were to get so common that the data became
| statistically unreliable, we would be long past the point that
| even Congress would feel compelled to do something about it.
| godzillabrennus wrote:
| You give Congress too much credit.
| bee_rider wrote:
| There's no such thing as identity theft, it is impossible to
| steal an identity, the person still has their identity. It is
| impersonation. The victim is the entity that has fallen for
| the impersonation (likely a bank, etc), the perpetrator is
| the one who did the impersonation, and the impersonated
| person is just some uninvolved third party.
|
| I know it is pedantic but it is important to keep in mind
| because dumping the need to seek redress on the uninvolved
| third party is ridiculous, so we shouldn't use language that
| plays into that point of view.
| alistairSH wrote:
| 100% agree, except the impersonated person is impacted when
| their credit score eventually gets screwed and they can no
| longer get loans themselves. So, in that regard, they are
| also a victim.
| bee_rider wrote:
| Although I think it is more accurate to call them a
| victim of something like slander by the credit agency, in
| that case. I mean, I'm not sure exactly what the laws are
| around slander, I wouldn't be surprised if there was some
| cutout for cases in which the person actually believed
| the lies they were repeating, but if an organization
| represents itself as an expert in people's
| trustworthiness it obviously has a heightened
| responsibility to verify what it is repeating.
| jdsully wrote:
| Credit reporting agencies have immunity from slander
| claims unless you can prove malice.
| marcosdumay wrote:
| So you've found the problem. If they are immune from the
| crime, they won't stop practicing it.
| nick222226 wrote:
| Would them ignoring a few certified letters asking them
| to contact you to correct slanderous significant errors
| in your information be enough to show malice?
| colejohnson66 wrote:
| That's what a dispute is. It's required by the FCRA.
| usea wrote:
| The impersonated person is impacted because the credit
| agency is lying about them to other people.
| toomuchtodo wrote:
| It's identity fraud frankly. Hold consumers harmless and
| put the burden on the industry (if you did not have a high
| identity assurance you're on the hook for costs and losses)
| and this problem evaporates. Also outlaw credit monitoring
| and identity theft insurance.
| kagakuninja wrote:
| The banks aren't the only victims. The person has had their
| credit rating damaged, and may even be on the hook for
| fraudulent charges made in their name.
| rzzzt wrote:
| A classic Mitchell & Webb sketch:
| https://youtu.be/-c57WKxeELY
| civilized wrote:
| I completely agree. But if I recall correctly, they've set
| up the law so that if they get duped, you're on the hook
| for whatever they got duped into giving the impersonator.
| That's the biggest problem.
| Buttons840 wrote:
| Tell me you're Bank of America and I'll give you a
| thousand dollars. You disappear into the night and I'll
| go get my thousand dollars back from the real Bank of
| America. Is that how the law is set up? (Honestly, making
| a website that looks like a legit Bank of America website
| is about as difficult as getting someone's SSN.)
| vinni2 wrote:
| > what is the point of using it?
|
| can you opt out? is there even a choice at all? where i live I
| can't opt out of Experian or other credit rating services.
| pkulak wrote:
| Just buy a bunch of stuff and don't pay for it. It'll be the
| same result, but you'll have more things.
| andrewaylett wrote:
| The actual customers can, consumers can't though.
|
| I'm pretty sure the OP was meaning that there's little point
| for the businesses that make use of the credit bureaus, if
| they can't be sure the bureau is accurate, rather than that
| consumers might be better off opting out (even if they
| could).
| cortesoft wrote:
| These accounts aren't for the people who pay Experian money.
| Companies pay Experian money to access information about
| individuals; the only reason Experian even allows accounts for
| individuals is because they are mandated by law to allow things
| like credit freezes and the annual credit report. If they
| weren't required, they wouldn't do it at all. They have zero
| incentive to improve the experience or the security of it.
| breadwinner wrote:
| The fundamental issue here is that maintaining security is
| expensive, and it is cheaper to just deal with occasional hacks.
| The only solution is to make hacks extremely expensive to the
| companies that get hacked -- through fines as well as lawsuits by
| victims of identity theft.
| toomuchtodo wrote:
| It is not that expensive. It is a couple pennies per pull (of a
| credit report/file) for somebody seeking identity proofing to
| use knowledge based authentication (the usual "where did you
| live, are these trade lines you?"). It is $1.50-$2.00 per
| proofing attempt with the government credential using ID.me or
| stripe identity. The problem is that no one is incentivized to
| slightly increase costs to reduce fraud because the burden
| falls on consumers instead, and credit reporting agencies don't
| want to see their moat and revenue stream cannibalized. Bit of
| a public good Innovator's Dilemma.
|
| TLDR A better national digital identity story makes this
| problem go away.
|
| (responsible for customer IAM including identity proofing at a
| fintech, doing some lift for Login.gov independently as a
| citizen activist)
| xmprt wrote:
| > maintaining security is expensive
|
| This might be somewhat true (it's certainly more expensive than
| not having security) but when your entire business is around
| making assurances based on people's identities, you'd assume
| that they'd put more effort into making their services secure.
| And if it's too expensive to do it securely, then maybe we
| should start to question whether such a service should even
| exist and deserves to store a lot of personal and private
| information.
| snthd wrote:
| >The only solution is to make hacks extremely expensive to the
| companies that get hacked -- through fines as well as lawsuits
| by victims of identity theft.
|
| It's notable this issue (verification by SSN) doesn't affect
| GDPR-land - the GDPR has fines of up to 4% of global turnover.
| pests wrote:
| How does Equifax or TransUnion handle the case where someone else
| creates the account before you do?
|
| You try to sign up correctly, then it emails the fake person's
| email for permission? How does that make any sense.
|
| "Hello scammer, John Doe would like to access his Equifax
| account. Do you want to give him permission?"
|
| I agree the Experian way is not good either, but how is the above
| handled?
| Lacerda69 wrote:
| Do you need to sign up for any of these services? Sounds
| horrible all around to me (not from the US)
| WarOnPrivacy wrote:
| > Do you need to sign up for any of these services? (not from
| the US)
|
| They already have the well-shared data that determines much
| of your life. Signing up is so you can glimpse it too.
| mike503 wrote:
| They should be suspended from being able to do business with this
| kind of bs and their track record. I wonder if any of this
| violates people's FCRA rights, in which case that's a lot of
| fines.
| latchkey wrote:
| I tried to log into their website the other day to just get my
| profile set up and see what was going on in my account. Their
| site was so broken, I couldn't even get logged in. How is anyone
| going to become me if I can't even become myself?
| Buttons840 wrote:
| To become you, I just have to go through the channels that
| Experian customers use. You were not using the channels that
| Experian customers use. You were using the channel that
| Experian liabilities use.
| cynicauliflower wrote:
| My Experian was hijacked, unfrozen, and used to get a $100k loan
| from Ford Credit. Took me ages to clean up. Bastards.
| WarOnPrivacy wrote:
| > used to get a $100k loan from Ford Credit
|
| This sounds like it was used to get a vehicle - which are
| fairly trackable things. How did the ordeal unfold and
| conclude?
| fordholes wrote:
| Same _exact_ thing happened to me. I only dealt with the
| various credit agencies and Ford. And I had to make a police
| report to my local PD despite the crime occurring at a
| dealership across the country -- the officer was very kind,
| and made clear that they would do _literally nothing_ other
| than produce the case number I needed for the credit
| agencies.
|
| I wonder if Ford in particular is more susceptible?
|
| In any event, I've no idea whether law enforcement
| eventually looked into it. But the sense I got was no one was
| going to do a damn thing.
|
| (Oh and Progressive, because they got insurance for the
| vehicle in my name and also didn't pay that. But it was 1000x
| less dollars, literally, so when I told the debt collector
| "lol not mine" they just went away).
| xienze wrote:
| This sorta happened to me, except as soon as I got an email
| from Experian that my email address had been changed, I got to
| work talking to customer service to get back in. The CS rep had
| "no record" of anything out of the ordinary happening, just a
| regular email address change "initiated" by me, when instead
| it was this brain dead system they have where anyone with the
| relevant SSN and security question info can register your
| account anew with a different email.
|
| Once I got back in I saw credit pulls and immediately contacted
| the companies to figure out the car dealership in question,
| then called them to let them know that they should under no
| circumstances sell that car.
| NikolaNovak wrote:
| I am still livid on a weekly basis when some strangers create an
| account for a service using my email address (non-maliciously,
| usually); I get a "verification" email; and I can only choose
| "YES, Please verify", or ignore at my peril.
|
| From tiny little mom-and-pop shops, to FAANG giants, nobody is
| giving me the opportunity to say "NO that's NOT me!". And though
| it's a "verification" email, typically account is usable and vast
| majority of functionality is allowed even without verification.
| So I get to vicariously and angrily "enjoy" the follow-up emails
| and updates while the users gamble, purchase, sell, review,
| invest, write, game et cetera using my email address.
|
| Boo to this, I tell ya, boo!
| surfpel wrote:
| Have you tried to reset the password and delete the account?
| xyst wrote:
| Malicious compliance
| arbuge wrote:
| Or just leave it open to (presumably) prevent its future use.
| throwaway54_56 wrote:
| I get these every so often and I'm curious what you mean by
| ignore at your own peril. My approach has been to ignore it and
| assume they will realize their mistake and reregister.
| throwaway914 wrote:
| OP said so: The functionality of the account is usually
| partially or mostly available to an unverified email.
| throwaway54_56 wrote:
| Yes, but I don't understand what problem that poses for
| him. After he verifies the incorrect email address, they
| have full functionality.
| barkerja wrote:
| Given it is your email that is being used, that should allow
| for you to take over the account(s)? I'd submit a password
| reset, change the password, then just allow the account to live
| a dormant life.
|
| That of course doesn't make it any less annoying, but it would
| at least stop an actor from using an account that is associated
| to your email.
| callalex wrote:
| Be careful, in the USA that is still a violation of the CFAA
| and US courts have proven themselves to be technically
| incompetent time and time again. People have been sent to
| prison under CFAA for using the "view source" button that's
| available in every web browser.
| l33t7332273 wrote:
| Which case did someone go to prison for viewing the page's
| source?
| jetbalsa wrote:
| I think they are talking about this case, it was thrown
| out.
|
| https://www.theregister.com/2022/02/15/missouri_html_hack
| ing...
| fragmede wrote:
| > Governor Parson's office maintained that Renaud had
| unlawfully hacked the school website: "The hacking of
| Missouri teachers' personally identifiable information
| was a clear violation of Section 569.095, RSMo, which the
| state takes seriously. The state did its part by
| investigating and presenting its findings to the Cole
| County Prosecutor, who has elected not to press charges,
| as is his prerogative."
|
| It wasn't thrown out by a judge. The governor still
| maintains that the reporter "hacked" and violated state
| law but the prosecutor's office declined to pursue the
| case.
| Izkata wrote:
| Doesn't exactly work when they use your email to create an
| Apple iCloud account. It needed the actual iPhone it was
| connected to to complete the reset, I think I ended up
| getting it into a weird unusable state where neither of us
| could log in.
| elif wrote:
| For Experian accounts, doing a password reset requires an SMS
| or phone call code.
|
| The only mechanism you have to alert the person usurping your
| email identity that there is an issue is to trigger the phone
| call verification 3 times per day, preferably around 4am.
|
| If you call the phone support, it will give you robots until
| playing a pre-recorded message telling you to physically mail
| a legal request including copies of your ID etc.
| toomuchtodo wrote:
| File an FTC and CFPB complaint. Only regulators will light
| a fire. Experian isn't going to do _anything_ due to
| consumer complaints, as the consumer's credit file is the
| product. Let someone from Compliance have to email the
| product owner about it, and the complaint starts the clock
| ticking.
|
| https://reportfraud.ftc.gov/
|
| https://www.consumerfinance.gov/complaint/
|
| https://www.youtube.com/watch?v=9CWbc6pekd8&t=1310s ("We
| have a complaint database, we collect information, and are
| always eager for information" -- FTC Chair Lina Khan at Y
| Combinator)
| cirrus3 wrote:
| Do you have an example of what your email address is? Is it
| like "john@gmail.com" or "mike@hotmail.com" or something? Seems
| pretty crazy that someone chooses it randomly every week. Have
| you considered getting your own domain for your email to make
| this probably go away? Obviously changing addresses is painful,
| but living your life with a common email seems worse.
| eddd-ddde wrote:
| I thought the same thing, in my whole life I have gotten
| exactly ZERO of these events.
| jen729w wrote:
| I'll chip in as john.<reasonably common surname>@icloud.com.
|
| I still get email from AT&T for John Notreallyme who I
| believe is in his 80s and lives in Montana. He signed up in-
| store and I got emailed _all_ of his details.
|
| I got the first email that asked me to confirm my email
| address. Obviously I did not do that.
|
| It makes no difference. I don't know why they bothered.
| temp111123 wrote:
| Mine is first.last@gmail.com.
|
| I get tons of email intended for the other "first last"s in
| this world.
|
| Most memorable are an employment offer as an environmental
| engineer in New Zealand, the results of an environmental
| survey for some commercial real estate development in
| Houston, TX, and bankruptcy papers from an attorney in
| British Columbia, CA.
| flatline wrote:
| Mine is first initial, somewhat-uncommon last name at
| gmail.com. Address acquired during the public beta back in
| 2004.
|
| I regularly get reminders for dental visits in Oklahoma,
| purchase orders for machinery in Germany, and course
| registrations for some person who works in my industry and
| was easily searchable online.
|
| It is not so intrusive to be problematic, and is mildly
| interesting.
| macintux wrote:
| I've made a few online "acquaintances" over the years as
| I've figured out the real email addresses for the people
| for whom I receive email at iCloud. We check in each time I
| forward something to them.
| cantSpellSober wrote:
| > _non-maliciously, usually_
|
| Don't be too quick to assume this. Likely the email account is
| one of many spammers gathered from a data breach.
|
| Reset the password. I even change the username to "spam" or
| something too, poison as much of the associated data as I can.
| PITA I know, it happens to me regularly.
| callalex wrote:
| I have had spotty success forwarding the confirmation email to
| security@{wherever the mail came from} explaining the
| situation. When that fails, you can look up the WHOIS
| information for their mail sending provider and contact their
| abuse@ inbox as well.
| wildrhythms wrote:
| I was receiving somebody's water bill in my email addressed to
| someone in the Netherlands (apparently with a similar name). It
| contained their address, full name, details of their water
| bill... The email was in Dutch and I used Google Translate to
| make sense of it. It came from a no-reply so I couldn't just
| reply and say 'wrong customer', and there was no customer
| support email address to be found. I had to go to the company
| website and hunt down some kind of feedback form and beg
| them to fix this customer's email address. Eventually I stopped
| receiving the emails. I guess that company never even verifies
| email addresses. The company is called Oasen in case you're
| wondering, name and shame.
| radiojosh wrote:
| I had a positively hilarious interaction when somebody with my
| name used my personal email address for their retirement fund
| provider. I received an invitation to a zoom meeting addressed
| to my personal email account and their work email account. So I
| went ahead and joined the meeting in progress.
|
| I sat silently for a bit while the financial advisor finished
| his talking point. Then I spoke up. I don't remember exactly
| what I said but the other guy with my name sat there with a
| scared / dumbfounded expression on his face while the financial
| advisor calmly asked me to leave.
|
| I told him I would leave as soon as they promised to remove my
| email address.
| tomesco wrote:
| Lyft likely cost customers' funds through a poor process like
| this in the past.
|
| One could create an account, hail rides and add their own
| payment method while still being associated with someone else's
| email. Ride receipts would then be sent to someone else's email
| where the receiving party could add or increase a tip through
| an unauthenticated link and have it charged to the rider's
| credit card.
| Magnets wrote:
| I have an early/obvious gmail account and get around 3 messages
| per day from unauthorised signups to legit sites. facebook and
| google (as recovery account) are the only ones that allow you
| to de-link your address from an account
| supertofu wrote:
| I frequently get emails intended for someone who has my same
| email handle, but with the extension "@googlemail.com" instead
| of "@gmail.com".
|
| I know a lot about them. I know their shipping address in the
| UK. I know that they order inexpensive club attire, online
| Domino's delivery, and have a specific gym membership.
|
| I am shocked that Google offers no way to disentangle my email
| address from this person's. A more malicious person than I
| could easily take advantage of all of this personal
| information.
| vultour wrote:
| Was there a period where you could register those separately?
| My old google account receives emails for both domains.
| esquivalience wrote:
| My understanding was that the two domains are equivalent. The
| following sites seem to confirm my understanding. Are you
| sure it isn't you?
|
| https://support.google.com/mail/thread/125577450/gmail-
| and-g...
|
| https://www.quora.com/What-is-the-difference-between-
| gmail.c...
|
| https://www.gmass.co/blog/domains-gmail-com-googlemail-
| com-a...
| baz00 wrote:
| I can beat that on annoyance level at least. I still get postal
| junk mail for Mr Qwe Rty after I put it in a test form when I
| was a contractor in 2005. This got onto a database somewhere
| and was sold to someone and I just get junk mail galore!
| ge96 wrote:
| I've been getting mail that is a variation of my name, wondering
| if someone used my identity damn. I did put some lock thing on my
| credit so it's harder to open new accounts, forget what it's
| called.
|
| I have stuff like credit wise, karma, etc... have not seen
| weird/unknown accounts so hopefully I'm good.
| Covzire wrote:
| I'd like to see Experian shut down at this point to send a
| message to the rest.
| csharpminor wrote:
| I've received two data breach notices in the past week, one from
| my healthcare provider and the other from the bank that holds my
| mortgage.
|
| In both instances they said to lock my credit, and provide free
| credit monitoring for a year.
|
| I find this egregiously insufficient to the point where I think
| we need more regulation in this space. They should provide
| lifelong credit monitoring and full insurance on any financial
| fraud that now occurs on my behalf, as well as immediate
| presumptive financial compensation.
|
| That aside, the root cause here is that identity in the U.S. is a
| dumpster fire. We have no distinction between unique identifier
| (SSN) and secret (also SSN). Every other security question is
| just another version of the same factor type (something you know)
| which is easily accessible to scammers.
|
| There is quite literally no agreed upon way to prove you are who
| you say you are.
|
| We need DMVs to begin issuing IDs that are physical with digital
| capabilities, like credit cards. We need the equivalent of
| Apple/Android Pay for identity online. We need to mandate that
| banks support digital IDs. And we need strict enforcement for
| people who misuse a digital ID.
|
| I believe that the consequence of ignoring this problem is at
| least tens of billions of dollars in GDP annually lost to fraud.
| And perhaps more importantly, it's an insidious erosion of our
| status as a country of laws.
| FireBeyond wrote:
| > We need DMVs to begin issuing IDs that are physical with
| digital capabilities
|
| The problem is that there is a very vocal segment that views
| such things as "government overreach" through to the literal
| mark of the devil.
|
| And then there are the challenges of issuing them. There are
| states (the same states, typically, who shut down voting
| locations in working class areas and defund their DMVs) who
| will fight tooth and nail about having to implement this in a
| way that is free to all.
| DenisM wrote:
| OTOH some other states should be able to do it. They just
| need to agree on a standard and then motivate creditors to
| make use of this standard.
| fragmede wrote:
| Real ID is whole 'nother can'o'worms
| gchamonlive wrote:
| Maybe this is why for the past few weeks I am receiving countless
| emails from major retailers like Casas Bahia or Americanas and
| even Magazine Luiza with purchase confirmation listing several
| smartphones and notebooks whose invoices bear my name and cpf.
|
| I tried contacting every retailer. Only Magazine Luiza seems to
| have acknowledged the fraud and issued a warning but to no avail,
| as I am still receiving invoices from them.
|
| I contacted the local police and issued a boletim de ocorrencia
| (which I am not quite sure how to translate) that describes the
| problem and how I was unable to apply countermeasures.
|
| I am expecting fallout from this. I am really anxious about this
| whole situation and how I am utterly powerless in protecting my
| identity.
| tmcz26 wrote:
| I'm in the fraud prevention space in Brazil and know the heads
| of fraud for all these retailers. If you like you can FWD the
| purchase receipts to zyzzyx26 at gmail dot com and I'll notify
| them.
|
| You personally won't have issues, financially or otherwise.
| Your email might get blocklisted for some time, and if you make
| new purchases you might want to use a new/secondary email, but
| otherwise no issues.
|
| A while ago someone used my CPF and Phone on Magalu and I'm
| still able to purchase there. I did report it to the head of
| fraud though :)
| wildrhythms wrote:
| How does this fraud work? They buy the goods, and provide the
| seller some random individual's (your) identity?
| gchamonlive wrote:
| I have no idea. There are, however, many official invoices
| (notas fiscais) being issued in my name. I believe there might
| also be fraudulent credit cards issued in my name that are
| being used, or something like that, which would explain the
| physical retailers not questioning the purchase. That is why
| I am expecting fallout from this.
| tmcz26 wrote:
| You can check any credit card issued in your name in Banco
| Central's Registrato page[0]. Credit card, loans, etc.
|
| However, HIGHLY unlikely they issue a card in your name and
| purchase stuff in your name online. If they have a card
| with them, they'll go to physical stores and leave with the
| product with them immediately.
|
| Typically (as I said above) they have purchased a stolen CC
| number online and are using it until it gets blocked or run
| out of balance/limit.
|
| In any case, there's zero fallout for you, the victim.
| These retailers are used to this (0,5% of transactions turn
| into fraud), so they'll eventually figure out it's fraud
| and they know it wasn't you. They know you're a victim too.
|
| [0] https://registrato.bcb.gov.br/registrato/
|
| Edit with the link
| rescbr wrote:
| > I believe there might also be fraudulent credit cards
| issued in my name that are being used
|
| As tmcz26 said, it's very unlikely they issued a card on
| your name, but if that happened, contact the bank's
| ombudsman AND report it to the Central Bank, as they failed
| the KYC process.
| tmcz26 wrote:
| Stolen ID from one person (ID, name, sometimes using the real
| person's email and phone, sometimes creating fake yet similar
| emails like wildrhythms2@yahoo.com), someone else's stolen
| credit card number, and a drop address to receive and reship
| (sometimes deliver direct to the purchaser of the fraud
| item).
|
| Typically the item is resold for half the price and it's
| spoken for. It's not like they buy to resell later. If they
| make the fraud they already have a buyer
| ciropantera wrote:
| Something similar happened to me once. You need a valid CPF
| number (something like a ssn) to create an account on most
| webshops in Brazil, so fraudsters will use stolen ones. They
| then proceed to purchase stuff with stolen CCs
| rescbr wrote:
| I've been in a similar situation once, this is what I did, and
| I think you're on the right path.
|
| > I tried contacting every retailer.
|
| Try to reach out to the ombudsman (ouvidoria) and explain your
| case. Even if they don't actually solve the problem, you
| documented that you tried to resolve the issue in a friendly way.
|
| > I am expecting fallout from this.
|
| Very worst case scenario, the retailers will send the
| fraudulent invoices to collection agencies and might report you
| to the credit bureaus. _Don't ever pay any cent toward this
| fraudulent debt. Don't negotiate. The only option is the debt
| going away as it is fraudulent._ It's their money that's on the
| hook and paying it shifts the responsibilities to you.
|
| Once it hits the credit bureaus, as you already have a Boletim
| de Ocorrencia, and proof of contacting the companies (protocol
| numbers + dates), i.e. documentation, sue them and ask for
| damages. It's a simple and common suit that both the credit
| bureaus and the retailers will want to settle. Make them pay
| for your time. They don't have any proof that it was your
| person that made those transactions.
|
| > I am utterly powerless in protecting my identity.
|
| Yeah, but the thing is, if the retailers, banks, credit cards,
| etc. really wanted to avoid fraud, every purchase/subscription
| would require the same level of protection as a real estate
| transaction. Everything signed, in-person meetings, upfront
| payments, banks, lawyers, notaries, cryptographic signatures
| (hey, we have e-CPF and nobody uses it!). But as you see, 100%
| fraud avoidance means friction, and no sane retail business
| likes friction. It's a business decision on their end. They
| accept risk so they can take your money easier.
| narrator wrote:
| This all goes back to the social security not being changeable
| and morphing from something to claim benefits with to it being
| your universal password.
|
| In contrast, I lost my drivers license and in order to get a new
| one I had to go to the DMV in person and put my thumb print on a
| biometric scanner which pulls up my picture for the DMV person to
| look at before they authorize the request. I can also file an
| affidavit of identity theft with a police report attached and
| they will give me a new license and A NEW DRIVERS LICENSE NUMBER.
| The federal government trying to shoehorn an unconstitutional
| universal identity system into social security is the source of
| all this nonsense.
| nilamo wrote:
| I still find it infuriating that the punitive settlement for
| giving away extremely sensitive information was only... $34.34
| per person impacted.
|
| Why even have laws or fines if they're so toothless?
| coldcode wrote:
| That's the point. Politicians get paid (donated, contributed,
| whatever) to vote businesses' laws to benefit the business, not
| you. Toothless laws make a good sound bite but do nothing to
| help you.
| happytiger wrote:
| How is Experian not sued out of existence for their total failure
| to protect their customers? I just don't understand what law
| allows organizations that compromise large portions of entire
| societies to continue.
| Implicated wrote:
| We're not the customer, we're the product.
| jessriedel wrote:
| But why can't people successfully sue for
| libel/slander/defamation by individuals when they give false
| damaging information about the individual to creditors?
| fedorareis wrote:
| Those types of suits generally hinge on proving malicious
| intent
| fedorareis wrote:
| One of the best ways to affect this is to make complaints to
| the CFPB. They are the regulatory body that is responsible for
| making sure the credit bureaus aren't harming consumers
| alexfoo wrote:
| I'm guessing this will continue to happen until, I dunno, some of
| the execs at Experian continually have their accounts compromised
| in the same way again and again.
| InCityDreams wrote:
| The execs may be incompetent, they're probably not stupid,
| though- they don't use that shit.
| nathants wrote:
| i froze my credit across all providers a few years back. only
| experian failed with silly bugs. tried again just now and it
| worked. progress!
| dudul wrote:
| Did the same, but it looks like this security issue would allow
| someone to just unfreeze before taking a loan in your name.
| nathants wrote:
| true. one hopes they also improve their opsec over time.
| would it be better to not freeze?
| bozhark wrote:
| Bet they stole his information from setting up the Experian
| account to begin with.
| ycombinatornews wrote:
| There's a petition on resistbot now to get some legislative eyes
| on this issue
|
| https://resist.bot/petitions/PONADR
| LetsGetTechnicl wrote:
| There needs to be a better alternative to credit reports. They
| only exist because banks and lenders could no longer discriminate
| on race directly, so they created a roundabout way to
| discriminate based on "credit score", which happened to be worse
| for the people they wanted to exclude in the first place.
| mrspurposefull wrote:
| Maybe it is designed like this on purpose.
___________________________________________________________________
(page generated 2023-11-11 23:00 UTC)