[HN Gopher] It's still easy for anyone to become you at Experian
___________________________________________________________________
It's still easy for anyone to become you at Experian
Author : todsacerdoti
Score : 773 points
Date : 2023-11-11 18:05 UTC (1 days ago)
(HTM) web link (krebsonsecurity.com)
| arciini wrote:
| Given there are 3 credit bureaus, is there a way to avoid having
| a credit score at one of the credit bureaus? I think that's a way
| that we as consumers could try to increase competition in the
| field.
|
| I did some Googling and it didn't seem like there's an easy
| option.
| ssgodderidge wrote:
| I feel like this has to happen. They operate like a private
| utility company, with little to no other options.
|
| Imagine if they were like password manager apps? We could
| evaluate all of them, choose what we wanted, and migrate
| whenever something happened.
| djbusby wrote:
| Businesses report data to them. So, you'd have to avoid
| businesses that report to one. But, they all report to
| multiple.
| paulddraper wrote:
| As a consumer? No
|
| As a business? Sure, report to the ones you want to
| atrettel wrote:
| There is no way to opt out of credit reporting. Lenders report
| the information to the credit bureaus, typically all three of
| the big ones, so if you want no information reported, simply
| close all your credit cards and loans, etc. and place credit
| freezes on your credit reports.
|
| I don't think that "increased competition" will work here. We
| are not customers of the credit bureaus. We are the product.
| The customers are lenders and other people who need your
| information. From the lenders' perspective, this is all working
| out fine, largely because the onus for "identity theft" is
| placed on members of the public as individuals rather than on
| lenders to accurately verify applicants' identities before
| extending credit. As many people have pointed out before,
| "identity theft" is a misnomer designed to pass the buck onto
| individuals. Ideally, it should be the lenders' responsibility
| to prevent criminals from misusing your information and to make
| things right whenever a criminal tries to use your information
| fraudulently, but right now the onus is placed on individuals.
|
| A better solution would be to have higher standards for
| identity verification by lenders. That would shift the burden
| onto lenders to actually verify people's identity before
| extending credit. Some lenders actually do a pretty good job of
| verifying people's identities before extending credit in my
| experience, while others just seem to accept the information
| given uncritically (as far as I can tell!). High industry-wide
| standards should help solve this (either voluntarily or
| mandated by law).
| ISL wrote:
| A statutory fine of $50k per compromised account would get
| the attention of the credit bureaus. (It might drive them out
| of business, but it sure would get their attention.)
| LoganDark wrote:
| $50k seems at least four or five orders of magnitude too
| low to be of any concern to them
| dghlsakjg wrote:
| $50k per record affected, not per occurrence.
| MikeDelta wrote:
| And legal consequences for the board members.
| foob wrote:
| For reference, Equifax leaked the personal information of
| 147 million people (myself included). Multiplying that by
| $50k is over 7 trillion dollars. In actuality, they were
| ordered to pay up to $700 million in total which works out
| to about $4-5 per person. I agree with you, but the gap
| between what you propose and the status quo is staggering.
| precommunicator wrote:
| So yeah, in this case Equifax would go bankrupt and other
| companies would get a very valuable lesson to spend more
| money on the security side of things. I see no issue here.
| ClimaxGravely wrote:
| I don't want to get ahead of myself but currently that
| seems to be having an effect on Vancouver AirBnB's as we're
| starting to see craigslist posts like these:
| https://www.reddit.com/r/vancouver/comments/17t6tes/posted_o...
| IggleSniggle wrote:
| The problem is that we are not the consumers. They receive
| _our_ data from all the companies we do business with. You
| would have to figure out on a case by case basis all ties
| relating to the credit bureau. Probably if you never got a
| credit card and never took out a loan, you would be somewhat
| protected from their "research."
| WarOnPrivacy wrote:
| > is there a way to avoid having a credit score at one of the
| credit bureaus?
|
| Without it (also without a sufficiently high number), most
| avenues to housing are cut off
| cco wrote:
| Plaid just started a Credit Reporting Agency (what Experian et
| al are). First company to attempt to compete in the space
| seriously in a long time.
| theonemind wrote:
| Experian reminds me of enshittification, except it never had any
| interest in providing actual value to the general public to
| betray, so started off one step further along the process in a
| way.
|
| No individual in a personal capacity ever wanted to do business
| with Experian, like they wanted to buy an iPhone or something.
| You're introduced to the unpleasant fact of its existence at some
| point. They don't have anything you want, you're the product from
| the start, and you don't have to walk into their net, you're
| probably _born_ in it.
| nonrandomstring wrote:
| We're amidst the proliferation of a class of entity that Joe
| average doesn't quite have the political vocabulary or tools to
| deal with yet;
|
| Things that deal in _you_.
|
| They make money from you, indirectly.
|
| You have no business or social relation with them.
|
| You didn't vote for them.
|
| They have immense power to harm you.
|
| You have no recourse.
|
| You may not even know they exist.
|
| Until recently this was the preserve of a few government
| agencies that had a very narrow focus on a few "persons of
| interest". Today it is every dime store startup in "big data",
| search, spammers, social network, and the entire grubby, yellow
| maggoty underbelly of "surveillance capitalism" and all the
| mushrooms that grow on it.
|
| So far the promised "benefits" of this have never materialised.
| Will we be able to keep pretending "nobody cares" as public
| awareness, and governments' will to enact legislation grows? At
| some point surely "credit agencies" and their ilk will
| essentially be outlawed under a dozen different digital rights
| acts.
| city41 wrote:
| Every time I log into experian.com, I am greeted with an offer
| to "upgrade" my account for $0.00. At the top is small text
| that says "Try Experian CreditWorks(sm) Premium for 7 days for
| free, then pay just $24.99 each month+. You may cancel anytime
| if not satisfied."
|
| First of all, $25/month for an Experian product? I can't
| possibly fathom how anything they provide can be worth even
| 1/100th of that. That price just absolutely blows my mind.
|
| But worst of all, they proudly say it is $0.00 and have the pay
| button the most prominent. How many people get roped into this?
| They are just slime all the way down.
| notfed wrote:
| Why is it legal for a credit bureau to charge us money to
| monitor their potential mismanagement of our credit? It's
| literally blackmail.
| bee_rider wrote:
| Of course, we aren't the customers for these spying companies.
| But it is surprising that the total lack of security isn't a
| deal-breaker for their actual customers. I mean if you can
| basically impersonate anybody using this service, what is the
| point of using it?
| nyokodo wrote:
| > what is the point of using it?
|
| Plausible deniability allowing them to push as much significant
| risk of identity theft onto consumers instead of themselves
| where it should be.
| ajmurmann wrote:
| Even the term "identity theft" needs to go. My identity
| wasn't stolen! I'm still the same person. The bank got
| tricked by a scammer and somehow the bank tries to make that
| my fault.
|
| Edit: Imagine this the other way around! Grandma gets scammed
| by someone pretending to be her bank. So the bank's identity
| got stolen. So now the real bank needs to fix it, provide
| more proof of identity to all customers and jump through all
| kinds of hoops to not owe grandma crazy amounts of money.
| earthboundkid wrote:
| Yes! I've been saying this for years. The whole framing is
| a victim blaming dodge, when the two bad actors are the
| crooks and whoever made the loan with insufficient ID.
| DoctorOW wrote:
| It always reminds me of this classic Mitchell and Webb
| sketch about the subject.
|
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| robertlagrant wrote:
| Why do you think that calling something theft blames the
| victim of the theft?
| Eisenstein wrote:
| It isn't blaming the victim. I think they meant something
| else but worded it that way. What they meant was
| 'redefining the victim'. The victim is the bank, who got
| defrauded. They then call it 'identity theft' instead of
| 'bank fraud'.
| notatoad wrote:
| it's not about blame, it's about responsibility.
| "identity theft" implies that your identity is a thing
| that can be stolen from you, and you need to be
| responsible for preventing it from being stolen.
|
| institutions should be responsible for protecting
| themselves from fraud, they shouldn't need me to protect
| them from my identity being used in an unauthorized way.
| mixdup wrote:
| I think the point that's trying to be made is, the
| traditionally recognized 'victim' is not the actual
| victim. The person whose "identity" was "stolen" is not a
| victim, the bank is. What was stolen was money--from the
| bank. But, we've designed our system, laws, contracts,
| etc such that the third party who was not involved at all
| has all responsibility of cleaning up the mess shoved
| onto them
| civilized wrote:
| If identity theft were to get so common that the data became
| statistically unreliable, we would be long past the point that
| even Congress would feel compelled to do something about it.
| godzillabrennus wrote:
| You give Congress too much credit.
| bee_rider wrote:
| There's no such thing as identity theft, it is impossible to
| steal an identity, the person still has their identity. It is
| impersonation. The victim is the entity that has fallen for
| the impersonation (likely a bank, etc), the perpetrator is
| the one who did the impersonation, and the impersonated
| person is just some uninvolved third party.
|
| I know it is pedantic but it is important to keep in mind
| because dumping the need to seek redress on the uninvolved
| third party is ridiculous, so we shouldn't use language that
| plays into that point of view.
| alistairSH wrote:
| 100% agree, except the impersonated person is impacted when
| their credit score eventually gets screwed and they can no
| longer get loans themselves. So, in that regard, they are
| also a victim.
| bee_rider wrote:
| Although I think it is more accurate to call them a
| victim of something like slander by the credit agency, in
| that case. I mean, I'm not sure exactly what the laws are
| around slander, I wouldn't be surprised if there was some
| cutout for cases in which the person actually believed
| the lies they were repeating, but if an organization
| represents itself as an expert in people's
| trustworthiness it obviously has a heightened
| responsibility to verify what it is repeating.
| jdsully wrote:
| Credit reporting agencies have immunity from slander
| claims unless you can prove malice.
| marcosdumay wrote:
| So you've found the problem. If they are immune from the
| crime, they won't stop practicing it.
| NoMoreNicksLeft wrote:
| My understanding is that in most cases, slander/libel is
| never a crime anyway.
|
| It's merely a tort (wrong). It never rises to the level
| of a crime. The few instances/places where slander is a
| crime in the US (historically or otherwise) are very
| problematic and subject to abuse.
|
| Perhaps this specific kind of slander should be criminal,
| but it might be the only kind that should be. Not only
| would you need to justify that philosophically, but
| somehow convince legislators to make it that way (at the
| federal level, I should think).
|
| It'd be a tough journey.
| marcosdumay wrote:
| Well, ok. There's no need to make it a literal crime.
| Those companies just need to be responsible for
| correcting the damage they cause.
| Silhouette wrote:
| Don't forget compensating the injured party for any
| consequential losses. Which in this case might be a house
| or the income from a good job. See how fast they clean up
| their act if they can be held responsible for six or
| seven figures of damages every time they make a serious
| mistake.
| bee_rider wrote:
| I don't think it is that tricky philosophically; they are
| representing themselves as experts on a topic so, they
| have a responsibility to ensure that they have a
| professional level of competence in it. Just like doctors
| and civil engineers.
|
| Agreed that getting legislators to do anything about it
| will be a pain, though.
| nick222226 wrote:
| Would them ignoring a few certified letters asking them
| to contact you to correct slanderous significant errors
| in your information be enough to show malice?
| colejohnson66 wrote:
| That's what a dispute is. It's required by the FCRA.
| usea wrote:
| The impersonated person is impacted because the credit
| agency is lying about them to other people.
| mixdup wrote:
| The point is that the impersonated person shouldn't have
| these fraudulent items reported on their credit. That's
| the crux of how the responsibility of cleaning up this
| mess is absolutely on the wrong person
| toomuchtodo wrote:
| It's identity fraud frankly. Hold consumers harmless and
| put the burden on the industry (if you did not have a high
| identity assurance you're on the hook for costs and losses)
| and this problem evaporates. Also outlaw credit monitoring
| and identity theft insurance.
| kagakuninja wrote:
| The banks aren't the only victims. The person has had their
| credit rating damaged, and may even be on the hook for
| fraudulent charges made in their name.
| 9991 wrote:
| > The person has had their credit rating damaged
|
| This is called libel. This person is a victim of a crime
| the credit reporting agency committed.
| nulbyte wrote:
| Libel is an intentional act. Agencies are not
| intentionally reporting false information. Banks may be
| reporting false information, but even they are unaware
| until the fraud has been discovered, by which time
| information they thought was true has already been
| reported.
| rzzzt wrote:
| A classic Mitchell & Webb sketch:
| https://youtu.be/-c57WKxeELY
| ClimaxGravely wrote:
| Thank you for that, I'm actively looking to see how I can
| watch this show now.
| robin_reala wrote:
| This is from That Mitchell and Webb Sound, a radio show
| they did. The BBC don't tend to region-lock audio, so you
| should be able to listen at
| https://www.bbc.co.uk/programmes/b007lqrh (or using the
| BBC Sounds app).
| civilized wrote:
| I completely agree. But if I recall correctly, they've set
| up the law so that if they get duped, you're on the hook
| for whatever they got duped into giving the impersonator.
| That's the biggest problem.
| Buttons840 wrote:
| Tell me you're Bank of America and I'll give you a
| thousand dollars. You disappear into the night and I'll
| go get my thousand dollars back from the real Bank of
| America. Is that how the law is set up? (Honestly, making
| a website that looks like a legit Bank of America website
| is about as difficult as getting someone's SSN.)
| vinni2 wrote:
| > what is the point of using it?
|
| can you opt out? is there even a choice at all? where i live I
| can't opt out of Experian or other credit rating services.
| pkulak wrote:
| Just buy a bunch of stuff and don't pay for it. It'll be the
| same result, but you'll have more things.
| andrewaylett wrote:
| The actual customers can, consumers can't though.
|
| I'm pretty sure the OP was meaning that there's little point
| for the businesses that make use of the credit bureaus, if
| they can't be sure the bureau is accurate, rather than that
| consumers might be better off opting out (even if they
| could).
| cortesoft wrote:
| These accounts aren't for the people who pay Experian money.
| Companies pay Experian money to access information about
| individuals; the only reason Experian even allows accounts for
| individuals is because they are mandated by law to allow things
| like credit freezes and the annual credit report. If they
| weren't required, they wouldn't do it at all. They have zero
| incentive to improve the experience or the security of it.
| caminante wrote:
| _> Companies pay Experian money to access information about
| individuals_
|
| And your firm pays Experian/Equifax/etc. to GIVE information
| about you, e.g., automated employment verification.
| drewmol wrote:
| And Experian pays your company for the data through
| programs like The Work Number
| moneywoes wrote:
| someone should be able to freeze their work number to
| prevent this, correct? or am I thinking of something else
| heavyset_go wrote:
| And your employer feeds their payroll into Experian and its
| partners so it can then resell that information.
| plagiarist wrote:
| We need a HIPAA for personal data.
| breadwinner wrote:
| The fundamental issue here is that maintaining security is
| expensive, and it is cheaper to just deal with occasional hacks.
| The only solution is to make hacks extremely expensive to the
| companies that get hacked -- through fines as well as lawsuits by
| victims of identity theft.
| toomuchtodo wrote:
| It is not that expensive. It is a couple pennies per pull (of a
| credit report/file) for somebody seeking identity proofing to
| use knowledge based authentication (the usual "where did you
| live, are these trade lines you?"). It is $1.50-$2.00 per
| proofing attempt with the government credential using ID.me or
| stripe identity. The problem is that no one is incentivized to
| slightly increase costs to reduce fraud because the burden
| falls on consumers instead, and credit reporting agencies don't
| want to see their moat and revenue stream cannibalized. Bit of
| a public good Innovator's Dilemma.
|
| TLDR A better national digital identity story makes this
| problem go away.
|
| (responsible for customer IAM including identity proofing at a
| fintech, doing some lift for Login.gov independently as a
| citizen activist)
| golem14 wrote:
| I would imagine that most of the data for the ID checks based
| on public records (where did a person live; own a
| car/house/boat; ...) are trivially handleable.
|
| Just takes one person to leak the database (which is probably
| only a few TB compressed) for all of the US and fits on a
| single HDD/SSD.
|
| I would be surprised if these DBs aren't already sold on the
| darknet. And this DB doesn't have to be super up to date b/c
| security questions often go back years.
|
| Interpreting the DB should be easy to hardcode but even
| easier handled with an LLM.
|
| So the protection afforded by these checks is IMO at best
| nominal.
| everybodyknows wrote:
| ID.me supports hardware 2FA, including Yubikey.
| toomuchtodo wrote:
| More importantly, they can require you provide a government
| ID and perform a liveness selfie check. This is the gold
| standard for remote identity proofing. Onboarding secure
| authenticators is best practice to bind digital identity to
| IRL identity when proofing occurs and identity assurance is
| high.
| notfed wrote:
| I think we should be asking _how to design the procedure
| for when someone calls and claims they forgot everything
| and lost everything_. An attacker can always call in and
| say this, and we'll need to call in and say this if we've
| been attacked.
|
| My opinion: we should be able to visit a government office,
| get our picture and fingerprints matched, and then we can
| reset our email/password/2fa right there.
| xmprt wrote:
| > maintaining security is expensive
|
| This might be somewhat true (it's certainly more expensive than
| not having security) but when your entire business is around
| making assurances based on people's identities, you'd assume
| that they'd put more effort into making their services secure.
| And if it's too expensive to do it securely, then maybe we
| should start to question whether such a service should even
| exist and deserves to store a lot of personal and private
| information.
| snthd wrote:
| >The only solution is to make hacks extremely expensive to the
| companies that get hacked -- through fines as well as lawsuits
| by victims of identity theft.
|
| It's notable this issue (verification by SSN) doesn't affect
| GDPR-land - the GDPR has fines of up to 4% of global turnover.
| Thorrez wrote:
| Fines for what? For getting hacked?
| xvector wrote:
| This isn't a "hack," this is pure almost malicious
| incompetence by everyone in the Experian security chain,
| straight up to the CISO herself.
|
| They should absolutely be fined and punished harshly even
| beyond that. If SBF can go to prison, so can the CISO of
| Experian.
| Thorrez wrote:
| >malicious incompetence by everyone in the Experian
| security chain
|
| How do we know it's malicious and not just regular
| incompetence? Hanlon's razor and all.
|
| My question was related to this quote:
|
| >the GDPR has fines of up to 4% of global turnover.
|
| I was asking what GDPR has fines on. Does it have fines
| for incompetence? snthd claimed that "this issue
| (verification by SSN) doesn't affect GDPR-land" saying
| GDPR-land somehow prevents this with a specific fine. I'm
| wondering what the specific fine is that GDPR-land has
| that prevents this issue.
| pests wrote:
| How does Equifax or TransUnion handle the case where someone else
| creates the account before you do?
|
| You try to sign up correctly, then it emails the fake person's
| email for permission? How does that make any sense.
|
| "Hello scammer, John Doe would like to access his Equifax
| account. Do you want to give him permission?"
|
| I agree the Experian way is not good either, but how is the above
| handled?
| Lacerda69 wrote:
| Do you need to sign up for any of these services? Sounds
| horrible all around to me (not from the US)
| WarOnPrivacy wrote:
| > Do you need to sign up for any of these services? (not from
| the US)
|
| They already have the well-shared data that determines much
| of your life. Signing up is so you can glimpse it too.
| xienze wrote:
| > How does Equifax or TransUnion handle the case where someone
| else creates the account before you
|
| I can speak for Experian. If you already registered the
| account, and someone else knows your SSN and the answers to the
| credit bureau security questions, then _they_ get to register
| your account. You as the person who originally registered will
| get an email that your email address changed.
|
| Supposedly the thinking is that they want to make it impossible
| for someone to truly be locked out of accessing their own
| Experian account, so they just let you do these stealth
| registrations as long as you can answer all the security
| questions. Clearly they need a better solution.
| pests wrote:
| Thank you yes but isn't this the topic of the article we're
| commenting on?
| mike503 wrote:
| They should be suspended from being able to do business with this
| kind of bs and their track record. I wonder if any of this
| violates people's FCRA rights, in which case that's a lot of
| fines.
| latchkey wrote:
| I tried to log into their website the other day to just get my
| profile set up and see what was going on in my account. Their
| site was so broken, I couldn't even get logged in. How is anyone
| going to become me if I can't even become myself?
| Buttons840 wrote:
| To become you, I just have to go through the channels that
| Experian customers use. You were not using the channels that
| Experian customers use. You were using the channel that
| Experian liabilities use.
| cynicauliflower wrote:
| My Experian was hijacked, unfrozen, and used to get a $100k loan
| from Ford Credit. Took me ages to clean up. Bastards.
| WarOnPrivacy wrote:
| > used to get a $100k loan from Ford Credit
|
| This sounds like it was used to get a vehicle - which are
| fairly trackable things. How did the ordeal unfold and
| conclude?
| fordholes wrote:
| Same _exact_ thing happened to me. I only dealt with the
| various credit agencies and Ford. And I had to make a police
| report to my local PD despite the crime occurring at a
| dealership across the country -- the officer was very kind,
| and made clear that they would do _literally nothing_ other
| than produce the case number I needed for the credit
| agencies.
|
| I wonder if Ford in particular is more susceptible?
|
| In any event, I've no idea whether a law enforcement
| In any event, I've no idea whether law enforcement
| eventually looked into it. But the sense I got was no one was
| going to do a damn thing.
|
| (Oh and Progressive, because they got insurance for the
| vehicle in my name and also didn't pay that. But it was 1000x
| less dollars, literally, so when I told the debt collector
| "lol not mine" they just went away).
| toast0 wrote:
| Yeah, afaik, most Police won't do anything with this. My
| spouse's id was used to rent an Oakland luxury apartment
| in 2021, along with opening a credit union account and
| trying to open an amex. Thankfully amex called to check
| because there was already an account opened, and we were
| able to get the credit union account closed before it was
| usable, but the apartment complex seemed unable to do
| anything and Oakland PD didn't do anything other than
| acknowledge the report, they wouldn't return calls from our
| local PD either. IdentityTheft.gov is also a black hole.
|
| Credit freezes are a joke, because if you have a person's
| credit report, you have enough information to cancel the
| freeze, even if you can't temporarily thaw it. Still, maybe
| it's better than nothing, so might as well. But it's then a
| pain if you need to interact with the credit system; some
| of the bureaux have such poor systems that your accounts
| will regularly not work; anyway, credit issuers don't tend
| to tell you what bureau they'll pull from until after they
| pull, so may as well unlock the big 3 before you do
| anything; and batch all your credit increase requests
| together.
| jandrese wrote:
| Most likely the perpetrator immediately sold the vehicle,
| leaving yet another victim in their wake.
| xienze wrote:
| This sorta happened to me, except as soon as I got an email
| from Experian that my email address had been changed, I got to
| work talking to customer service to get back in. The CS rep had
| "no record" of anything out of the ordinary happening, just a
| regular email address change "initiated" by me, when instead
| it was this brain dead system they have where anyone with the
| relevant SSN and security question info can register your
| account anew with a different email.
|
| Once I got back in I saw credit pulls and immediately contacted
| the companies to figure out the car dealership in question,
| then called them to let them know that they should under no
| circumstances sell that car.
| schleck8 wrote:
| Not a lawyer but this just screams legal action. Their systems
| clearly aren't sufficiently secure to prevent large scale fraud
| craigmccaskill wrote:
| There have been a couple of class actions, doesn't seem to
| have changed the outcome though.
| mptest wrote:
| Because like always, the punishment for the rich playing
| games with our lives is a negligible fine 1/10000th the
| profit they make selling your information to anyone with a
| buck.
| Aeolun wrote:
| I mean, the last time the settlement was like $27 per
| person in the suit?
|
| And the form to _get_ that settlement meant giving some
| random authority more personal information than these
| companies even have.
|
| I would keep going too.
| whoopdedo wrote:
| The worst part of such an experience is that once you've
| reported a case of fraud on your credit report, if you at a
| later date want to open a new bank/credit/whatever account
| somewhere then you have to jump through ridiculous hoops, or
| will simply be denied outright because they won't believe that
| you're who you are since your PII was flagged in the past.
| notfed wrote:
| Sounds great, how do I sign up for this ahead of time?
| NikolaNovak wrote:
| I am still livid on a weekly basis when some strangers create an
| account for a service using my email address (non-maliciously,
| usually); I get a "verification" email; and I can only choose
| "YES, Please verify", or ignore at my peril.
|
| From tiny little mom-and-pop shops, to FAANG giants, nobody is
| giving me the opportunity to say "NO that's NOT me!". And though
| it's a "verification" email, typically account is usable and vast
| majority of functionality is allowed even without verification.
| So I get to vicariously and angrily "enjoy" the follow-up emails
| and updates while the users gamble, purchase, sell, review,
| invest, write, game et cetera using my email address.
|
| Boo to this, I tell ya, boo!
| surfpel wrote:
| Have you tried to reset the password and delete the account?
| xyst wrote:
| Malicious compliance
| arbuge wrote:
| Or just leave it open to (presumably) prevent its future use.
| throwaway54_56 wrote:
| I get these every so often and I'm curious what you mean by
| ignore at your own peril. My approach has been to ignore it and
| assume they will realize their mistake and reregister.
| throwaway914 wrote:
| OP said so: The functionality of the account is usually
| partially or mostly available to an unverified email.
| throwaway54_56 wrote:
| Yes, but I don't understand what problem that poses for
| him. After he verifies the incorrect email address, they
| have full functionality.
| NikolaNovak wrote:
| There's any number of risk scenarios, assign likelihood as
| you will :
|
| * owner of account doesn't pay, service sells the debt to
| collection agency, and they come after you because it matches
| your email and profile.
|
| * owner of account subscribes to something unsavoury or does
| something illicit, which is now traceable to you
|
| * given email is a big part of the incredibly ridiculous and
| overly pervasive tracking economy and profiling of the
| interwebs, your profile will now be even more annoying than
| before and be associated with things you don't want them to
| be.
|
| Etc. Or just, to your point, one day they'll realize their
| mistake and be mad at YOU (because people aren't generally
| good at taking responsibility :) and now it's a thing.
|
| I should mention I have a dozen email accounts of various
| degrees of protectiveness. This happens, annoyingly, to my
| most private address that I have never ever once used for
| business or signed up for anything, only for friends and
| family. So among everything else I'm peeved that my pristine
| email and identity is being polluted by other crap.
|
| And again... The reason this frustrates me, is this
| should.not.be.an.issue in any sane world. If you're sending
| verification email it should have a No option. Anything else
| is grossly negligent or evil or both.
| NikolaNovak wrote:
| To make it less general and more specific
|
| Over years, I've received people's private medical bills;
| been subscribed to dating sites of various degrees of
| sketchiness; my email has been used to register with
| government agencies in countries of various degrees of
| sketchiness too; signed up for gaming, gambling, Crypto,
| banking, nft, investing, and so on - many things where my
| comfort level for mistakes and mistaken identity and
| confusion and incorrect systems of record, is lower than
| "some kiddie signed me up for blizzard.net" :-/
| barkerja wrote:
| Given it is your email that is being used, that should allow
| for you to take over the account(s)? I'd submit a password
| reset, change the password, then just allow the account to live
| a dormant life.
|
| That of course doesn't make it any less annoying, but it would
| at least stop an actor from using an account that is associated
| to your email.
| callalex wrote:
| Be careful, in the USA that is still a violation of the CFAA
| and US courts have proven themselves to be technically
| incompetent time and time again. People have been sent to
| prison under CFAA for using the "view source" button that's
| available in every web browser.
| l33t7332273 wrote:
| Which case did someone go to prison for viewing the page's
| source?
| jetbalsa wrote:
| I think they are talking about this case, it was thrown
| out.
|
|         https://www.theregister.com/2022/02/15/missouri_html_hacking...
| fragmede wrote:
| > Governor Parson's office maintained that Renaud had
| unlawfully hacked the school website: "The hacking of
| Missouri teachers' personally identifiable information
| was a clear violation of Section 569.095, RSMo, which the
| state takes seriously. The state did its part by
| investigating and presenting its findings to the Cole
| County Prosecutor, who has elected not to press charges,
| as is his prerogative."
|
| It wasn't thrown out by a judge. The governor still
| maintains that the reporter "hacked" and violated state
| law but the prosecutor's office declined to pursue the
| case.
| l33t7332273 wrote:
| My understanding of the law is that a judge would throw
| out the case as well
| Izkata wrote:
| Doesn't exactly work when they use your email to create an
| Apple iCloud account. It needed the actual iPhone it was
| connected to to complete the reset, I think I ended up
| getting it into a weird unusable state where neither of us
| could log in.
| elif wrote:
| For Experian accounts, doing a password reset requires an SMS
| or phone call code.
|
| The only mechanism you have to alert the person usurping your
| email identity that there is an issue is to trigger the phone
| call verification 3 times per day, preferably around 4am.
|
| If you call the phone support, it will give you robots until
| playing a pre-recorded message telling you to physically mail
| a legal request including copies of your ID etc.
| toomuchtodo wrote:
|       File an FTC and CFPB complaint. Only regulators will light
|       a fire. Experian isn't going to do _anything_ due to
|       consumer complaints, as the consumer's credit file is the
| product. Let someone from Compliance have to email the
| product owner about it, and the complaint starts the clock
| ticking.
|
| https://reportfraud.ftc.gov/
|
| https://www.consumerfinance.gov/complaint/
|
| https://www.youtube.com/watch?v=9CWbc6pekd8&t=1310s ("We
| have a complaint database, we collect information, and are
| always eager for information" -- FTC Chair Lina Khan at Y
| Combinator)
| NikolaNovak wrote:
| I've been tempted. But
|
| 1. That exposes me to MORE involvement with this service, not
| less, and potentially legal culpability. Risk may be small
|     but impact is large and benefit is negligible, so math doesn't
| work out for me.
|
| 2. It requires MORE effort on my part. For a poor design and
| error made by not me.
|
| If it were once every 5 years, maybe.
|
| When it's weekly, it's just an annoyance.
|
| Sometimes when I'm really angry, I just write to their gdpr
|     or compliance officer with a stern letter and links to
| various sections of the law and their obligations. Doesn't
| accomplish much but makes me feel better :-)
|
| But overall, it's a systemic issue, and given we are on
| hacker news, I'd say it's OUR systemic issue caused by us :-/
| cirrus3 wrote:
| Do you have an example of what your email address is? Is it
| like "john@gmail.com" or "mike@hotmail.com" or something? Seems
| pretty crazy that someone chooses it randomly every week. Have
| you considered getting your own domain for your email to make
| this probably go away? Obviously changing addresses is painful,
| but living your life with a common email seems worse.
| eddd-ddde wrote:
| I thought the same thing, in my whole life I have gotten
|     exactly ZERO of these events.
| jen729w wrote:
| I'll chip in as john.<reasonably common surname>@icloud.com.
|
| I still get email from AT&T for John Notreallyme who I
| believe is in his 80s and lives in Montana. He signed up in-
| store and I got emailed _all_ of his details.
|
| I got the first email that asked me to confirm my email
| address. Obviously I did not do that.
|
| It makes no difference. I don't know why they bothered.
| temp111123 wrote:
| Mine is first.last@gmail.com.
|
| I get tons of email intended for the other "first last"s in
| this world.
|
| Most memorable are an employment offer as an environmental
| engineer in New Zealand, the results of an environmental
| survey for some commercial real estate development in
| Houston, TX, and bankruptcy papers from an attorney in
| British Columbia, CA.
| flatline wrote:
| Mine is first initial, somewhat-uncommon last name at
| gmail.com. Address acquired during the public beta back in
| 2004.
|
| I regularly get reminders for dental visits in Oklahoma,
| purchase orders for machinery in Germany, and course
| registrations for some person who works in my industry and
| was easily searchable online.
|
| It is not so intrusive to be problematic, and is mildly
| interesting.
| macintux wrote:
| I've made a few online "acquaintances" over the years as
| I've figured out the real email addresses for the people
| for whom I receive email at iCloud. We check in each time I
| forward something to them.
| rft wrote:
| It can be fun to figure out how to contact your
| "acquaintances" the first time this happens. You can't
| really email them, can you?
|
| I had it when someone (or likely his partner) with the
| same (somewhat uncommon!) firstname.lastname@gmail.com
| used my email. I started digging and it turned out we
| both were/are PhD students, just totally different
| fields. Must have something to do with the name. I was
| happy that via the faculty site I found his "real" email.
|           Nearly sent him a really weird post card, I had only his
| postal address...
| macintux wrote:
| It wasn't as hard as I expected. In one case, I found her
| last name on an email and it had an additional letter, so
| I just modified the address to match her name (we were
| both first initial/last name).
|
| In the other case I must have simply experimented with
| first initial/middle initial/last name, and that worked.
|
| One is a minister in the Boston area, so it's not hard to
| recognize her inbound emails.
| cantSpellSober wrote:
| > _non-maliciously, usually_
|
| Don't be too quick to assume this. Likely the email account is
| one of many spammers gathered from a data breach.
|
| Reset the password. I even change the username to "spam" or
| something too, poison as much of the associated data as I can.
| PITA I know, it happens to me regularly.
| callalex wrote:
| I have had spotty success forwarding the confirmation email to
| security@{wherever the mail came from} explaining the
| situation. When that fails, you can look up the WHOIS
| information for their mail sending provider and contact their
| abuse@ inbox as well.
| wildrhythms wrote:
| I was receiving somebody's water bill in my email addressed to
| someone in the Netherlands (apparently with a similar name). It
| contained their address, full name, details of their water
| bill... The email was in Dutch and I used Google Translate to
| make sense of it. It came from a no-reply so I couldn't just
| reply and say 'wrong customer', and there was no customer
| support email address to be found. I had to go to the company
| website and hunt down some kind of feedback form and begged
| them to fix this customer's email address. Eventually I stopped
| receiving the emails. I guess that company never even verifies
| email addresses. The company is called Oasen in case you're
| wondering, name and shame.
| notahacker wrote:
| Vietnam Airlines once sent me someone's airline ticket, about
| 48 hours before they were due to fly (and about 10 years
| after the only time I ever flew with them). Their name wasn't
| even remotely similar to mine and their email can't have been
| either. At least that one appeared to be human error so
| there's a chance that my email pointing out the mistake was
| read by a human that was actually able to sort it out.
| radiojosh wrote:
| I had a positively hilarious interaction when somebody with my
| name used my personal email address for their retirement fund
| provider. I received an invitation to a zoom meeting addressed
| to my personal email account and their work email account. So I
| went ahead and joined the meeting in progress.
|
| I sat silently for a bit while the financial advisor finished
| his talking point. Then I spoke up. I don't remember exactly
| what I said but the other guy with my name sat there with a
| scared / dumbfounded expression on his face while the financial
| advisor calmly asked me to leave.
|
| I told him I would leave as soon as they promised to remove my
| email address.
| tomesco wrote:
|   Lyft likely cost customers' funds through a poor process like
| this in the past.
|
| One could create an account, hail rides and add their own
| payment method while still being associated with someone else's
|   email. Ride receipts would then be sent to someone else's email
|   where the receiving party could add or increase a tip through
|   an unauthenticated link and have it charged to the rider's
|   credit card.
| Magnets wrote:
| I have an early/obvious gmail account and get around 3 messages
| per day from unauthorised signups to legit sites. facebook and
| google (as recovery account) are the only ones that allow you
| to de-link your address from an account
| supertofu wrote:
| I frequently get emails intended for someone who has my same
| email handle, but with the extension "@googlemail.com" instead
| of "@gmail.com".
|
| I know a lot about them. I know their shipping address in the
| UK. I know that they order inexpensive club attire, online
|   Domino's delivery, and have a specific gym membership.
|
| I am shocked that Google offers no way to disentangle my email
| address from this person's. A more malicious person than I
| could easily take advantage of all of this personal
| information.
| vultour wrote:
| Was there a period where you could register those separately?
| My old google account receives emails for both domains.
| supertofu wrote:
| There must have been, else I wouldn't be in this situation.
| notahacker wrote:
| Or they could just have a similar gmail address they
| frequently get wrong (or that looks like yours when
| written in the terrible handwriting they fill in forms
| with)
|
| There's probably a single digit number of people with my
| initial and surname in the world, and I _still_ get order
| confirmations for one of them, car promotions for another
| and am on some sort of targeted B2B spam list for a third
| to my Gmail address in that format. I quite like the
| order confirmations tbf, most of them are for a fish and
| chip shop I actually used to get food at when I was a kid
|         and my grandparents lived nearby so they're oddly
| nostalgic
| supertofu wrote:
| it's the exact same email, only with "googlemail.com" as
| the extension.
| esquivalience wrote:
| My understanding was that the two domains are equivalent. The
| following sites seem to confirm my understanding. Are you
| sure it isn't you?
|
|     https://support.google.com/mail/thread/125577450/gmail-and-g...
|
|     https://www.quora.com/What-is-the-difference-between-gmail.c...
|
|     https://www.gmass.co/blog/domains-gmail-com-googlemail-com-a...
| supertofu wrote:
| I'm pretty sure I don't have an alter ego who lives in the
| UK ;) The shipping address and accounts opened by this
| person are very obviously not mine.
|
| I live in NY.
| baz00 wrote:
| I can beat that on annoyance level at least. I still get postal
| junk mail for Mr Qwe Rty after I put it in a test form when I
| was a contractor in 2005. This got onto a database somewhere
| and was sold to someone and I just get junk mail galore!
| ge96 wrote:
| I've been getting mail that is a variation of my name, wondering
| if someone used my identity damn. I did put some lock thing on my
| credit so it's harder to open new accounts, forget what it's
| called.
|
| I have stuff like credit wise, karma, etc... have not seen
| weird/unknown accounts so hopefully I'm good.
| Covzire wrote:
| I'd like to see Experian shut down at this point to send a
| message to the rest.
| csharpminor wrote:
| I've received two data breach notices in the past week, one from
| my healthcare provider and the other from the bank that holds my
| mortgage.
|
| In both instances they said to lock my credit, and provide free
| credit monitoring for a year.
|
| I find this egregiously insufficient to the point where I think
| we need more regulation in this space. They should provide
| lifelong credit monitoring and full insurance on any financial
| fraud that now occurs on my behalf, as well as immediate
| presumptive financial compensation.
|
| That aside, the root cause here is that identity in the U.S. is a
| dumpster fire. We have no distinction between unique identifier
| (SSN) and secret (also SSN). Every other security question is
| just another version of the same factor type (something you know)
| which is easily accessible to scammers.
|
| There is quite literally no agreed upon way to prove you are who
| you say you are.
|
| We need DMVs to begin issuing IDs that are physical with digital
| capabilities, like credit cards. We need the equivalent of
| Apple/Android Pay for identity online. We need to mandate that
| banks support digital IDs. And we need strict enforcement for
| people who misuse a digital ID.
|
| I believe that the consequence of ignoring this problem is at
| least tens of billions of dollars in GDP annually lost to fraud.
| And perhaps more importantly, it's an insidious erosion of our
| status as a country of laws.
| FireBeyond wrote:
| > We need DMVs to begin issuing IDs that are physical with
| digital capabilities
|
| The problem is that there is a very vocal segment that views
| such things as "government overreach" through to the literal
| mark of the devil.
|
| And then there are the challenges of issuing them. There are
| states (the same states, typically, who shut down voting
| locations in working class areas and defund their DMVs) who
| will fight tooth and nail about having to implement this in a
| way that is free to all.
| DenisM wrote:
| OTOH some other states should be able to do it. They just
| need to agree on a standard and then motivate creditors to
| make use of this standard.
| fragmede wrote:
| Real ID is whole 'nother can'o'worms
| mindslight wrote:
| You've put forth an utter straw man. I am rationally against
| making government verification of identity stronger precisely
| because the existing identity systems have been pervasively
| abused with essentially no recourse. After there is a US
| equivalent of the GDPR that lets me prevent the surveillance
| industry, including the traditional financial surveillance
| industry, from unilaterally creating dossiers about me, then
| we can talk about better implementations of identity
| verification. Until then, that dumpster fire is the main
| thing holding back the surveillance industry from pushing
| identity verification for ever more routine things like
| opening online accounts or buying groceries.
| stackskipton wrote:
| Feds could also do it using Passport card and DoD does it
| with CAC cards so Federal government knows how to do this.
| pdonis wrote:
| _> We need DMVs to begin issuing IDs that are physical with
| digital capabilities, like credit cards. We need the equivalent
|   of Apple/Android Pay for identity online. We need to mandate
| that banks support digital IDs. And we need strict enforcement
| for people who misuse a digital ID._
|
| And how will all this magically work online? Answer: you'll
| have to provide whatever digital secret gives you access, just
| the way you provide your SSN now. Which means your digital
| secret will be in all the same online places where your SSN is
| now, vulnerable to the same kind of hacking. How does this fix
| anything?
| baby_souffle wrote:
| > Which means your digital secret will be in all the same
| online places where your SSN is now, vulnerable to the same
| kind of hacking. How does this fix anything?
|
| Loads of ways to do digital attestation but they all involve
| some 3rd party being the trusted source of truth. Typically
| this would be the DMV or other government branch and at this
|     point a few red flags start to go off: DMV isn't known for
|     its competence and I'm not really thrilled about them
| getting hit to confirm my identity for pornhub.
|
| This is a REALLY hard problem to solve unless you take a
| "privacy must be sacrificed for the greater good" mentality.
| gchamonlive wrote:
| Maybe this is why for the past few weeks I am receiving countless
| emails from major retailers like Casas Bahia or Americanas and
| even Magazine Luiza with purchase confirmation listing several
| smartphones and notebooks whose invoice bear my name and cpf.
|
| I tried contacting every retailer. Only Magazine Luiza seems to
| have acknowledged the fraud and issued a warning but to no avail,
| as I am still receiving invoices from them.
|
| I contacted the local police and issued a boletim de ocorrencia
| (which I am not quite sure how to translate) that describes the
| problem and how I was unable to apply countermeasures.
|
| I am expecting fallout from this. I am really anxious about this
| whole situation and how I am utterly powerless in protecting my
| identity.
| tmcz26 wrote:
| I'm in the fraud prevention space in Brazil and know the heads
| of fraud for all these retailers. If you like you can FWD the
| purchase receipts to zyzzyx26 at gmail dot com and I'll notify
| them.
|
| You personally won't have issues, financially or otherwise.
| Your email might get blocklisted for some time, and if you make
| new purchases you might want to use a new/secondary email, but
| otherwise no issues.
|
| A while ago someone used my CPF and Phone on Magalu and I'm
| still able to purchase there. I did report it to the head of
| fraud though :)
| saagarjha wrote:
| Well _I_ am from the fraud remuneration department of Brazil
| and know the person who pays out compensation for these
| crimes. Simply send me all your personal information and
| credit card details and I'll make sure you get your
| appropriate payout.
| drsnow wrote:
| What is your email sir
| saagarjha wrote:
| Not telling you. There are scammers everywhere
| Aeolun wrote:
| This is a scam.
| saagarjha wrote:
| Excuse me, you're calling me a scammer? I suggest you
| click on my username and see that it is a very legitimate
| account, with twice the karma as you to boot. I think
| you're more likely to be the one scamming! Don't listen
| to 'Aeolun, everyone!
| Aeolun wrote:
| Look, you are literally posting on the internet, on an
| anonymous account, that if someone sends you their
| personal details _and credit card info_ everything will
| be taken care of.
|
| Your first reaction should absolutely be that it's a
| scam, and only then further evaluate if it might possibly
| be true because this is HN.
|
| I could have potentially used the word 'looks like', but
| it's just a matter of degree.
| shredprez wrote:
| I think the individual you're replying to may be lying
| about their identity to make a point (re: the first
| individual asking a stranger to send them financial info)
| :)
| wildrhythms wrote:
| How does this fraud work? They buy the goods, and provide the
| seller some random individual's (your) identity?
| gchamonlive wrote:
| I have no idea. There are, however, many official invoices
|     (notas fiscais) being issued in my name. I believe there might
|     also be fraudulent credit cards issued in my name that are
| being used, or something like that, which would explain the
| physical retailers not questioning the purchase. That is why
| I am expecting fallout from this.
| tmcz26 wrote:
| You can check any credit card issued on your name in Banco
| Central's Registrato page[0]. Credit card, loans, etc.
|
| However, HIGHLY unlikely they issue a card in your name and
| purchase stuff in your name online. If they have a card
| with them, they'll go to physical stores and leave with the
| product with them immediately.
|
| Typically (as I said above) they have purchased a stolen CC
| number online and are using it until it gets blocked or run
| out of balance/limit.
|
| In any case, there's zero fallout for you, the victim.
| These retailers are used to this (0,5% of transactions turn
| into fraud), so they'll eventually figure out it's fraud
| and they know it wasn't you. They know you're a victim too.
|
| [0] https://registrato.bcb.gov.br/registrato/
|
| Edit with the link
| rescbr wrote:
| > I believe there might also be fraudulent credit cards
|       issued in my name that are being used
|
| As tmcz26 said, it's very unlikely they issued a card on
| your name, but if that happened, contact the bank's
| ombudsman AND report it to the Central Bank, as they failed
| the KYC process.
| tmcz26 wrote:
| Stolen ID from one person (ID, name, sometimes using the real
| person's email and phone, sometimes creating fake yet similar
|     emails like wildrhythms2@yahoo.com), someone else's stolen
| credit card number, and a drop address to receive and reship
| (sometimes deliver direct to the purchaser of the fraud
| item).
|
| Typically the item is resold for half the price and it's
| spoken for. It's not like they buy to resell later. If they
| make the fraud they already have a buyer
| ciropantera wrote:
| Something similar happened to me once. You need a valid CPF
| number (something like a ssn) to create an account on most
| webshops in Brazil, so fraudsters will use stolen ones. They
| then proceed to purchase stuff with stolen CCs
| rescbr wrote:
|   I've been in a similar situation once, this is what I did, and
| I think you're on the right path.
|
|   > I tried contacting every retailer.
|
|   Try to reach out to the ombudsman (ouvidoria) and explain your
|   case. Even if they don't actually solve the problem, you
|   documented that you tried to friendly resolve the issue.
|
| > I am expecting fallout from this.
|
| Very worst case scenario, the retailers will send the
| fraudulent invoices to collection agencies and might report you
|   to the credit bureaus. _Don't ever pay any cent toward this
| fraudulent debt. Don't negotiate. The only option is the debt
| going away as it is fraudulent._ It's their money that's on the
| hook and paying it shifts the responsibilities to you.
|
| Once it hits the credit bureaus, as you already have a Boletim
| de Ocorrencia, and proof of contacting the companies (protocol
| numbers + dates), i.e. documentation, sue them and ask for
| damages. It's a simple and common suit that both the credit
| bureaus and the retailers will want to settle. Make them pay
| for your time. They don't have any proof that it was your
| person that made those transactions.
|
| > I am utterly powerless in protecting my identity.
|
| Yeah, but the thing is, if the retailers, banks, credit cards,
| etc. really wanted to avoid fraud, every purchase/subscription
| would require the same level of protection as a real estate
| transaction. Everything signed, in-person meetings, upfront
| payments, banks, lawyers, notaries, cryptographic signatures
| (hey, we have e-CPF and nobody uses it!). But as you see, 100%
| fraud avoidance means friction, and no sane retail business
| likes friction. It's a business decision on their end. They
| accept risk so they can take your money easier.
| tmcz26 wrote:
| If it's a purchase using Credit Card, absolutely zero chance
| of going to collections. That's not how it works. There's no
| legal footing for collections and they are not in the habit
| of creating legal headaches for themselves.
|
| If however it's a credit purchase (personal loan, crediario,
| etc) then it might go to collections, then this advice works.
|
| Online purchases though are 80% credit card and 15%
| Pix/Boleto so it's unlikely they got a loan just to buy
| stuff. If they can get a loan, they'll get the cash itself
| and run.
|
| Edit: on a Credit Card transaction the burden of evidence is
| on the merchant. THEY have to prove it was you.
| rescbr wrote:
| Tell this to MercadoPago. Once I did a chargeback on a
| fraudulent gift card purchase and months later they sent
| this debt to collections - they didn't report it to the
| credit agencies, though. It resolved pretty fast once I
| escalated the issue to the ombudsman.
|
| There's no legal footing, but they will try.
| narrator wrote:
| This all goes back to the social security not being changeable
| and morphing from some thing to claim benefits with to it being
| your universal password.
|
| In contrast, I lost my drivers license and in order to get a new
| one I had to go to the DMV in person and put my thumb print on a
| biometric scanner which pulls up my picture for the DMV person to
| look at before they authorize the request. I can also file an
| affidavit of identity theft with a police report attached and
| they will give me a new license and A NEW DRIVERS LICENSE NUMBER.
| The federal government trying to shoehorn an unconstitutional
| universal identity system into social security is the source of
| all this nonsense.
| hakfoo wrote:
| I was somewhat surprised to find that when I got my driver's
| licence at 39, it was the same number as the non-driving ID
| card I got issued at 18. So at least Arizona doesn't seem to be
| eager to hand out new numbers.
| narrator wrote:
| They won't hand out new numbers unless someone has actually
| used your drivers license fraudulently and you've filed a
| police report. Seems reasonable enough.
| hiatus wrote:
|   > go to the DMV in person and put my thumb print on a biometric
| scanner which pulls up my picture
|
| How does the state have your fingerprints on file?
| nilamo wrote:
| I still find it infuriating that the punitive settlement for
| giving away extremely sensitive information was only... $34.34
| per person impacted.
|
| Why even have laws or fines if they're so toothless?
| coldcode wrote:
| That's the point. Politicians get paid (donated, contributed,
| whatever) to vote businesses' laws to benefit the business, not
| you. Toothless laws make a good sound bite but do nothing to
| help you.
| happytiger wrote:
| How is Experian not sued out of existence for their total failure
| to protect their customers? I just don't understand what law
| allows organizations that compromise large portions of entire
| societies to continue.
| Implicated wrote:
| We're not the customer, we're the product.
| jessriedel wrote:
| But why can't people successfully sue for
| libel/slander/defamation by individuals when they give false
| damaging information about the individual to creditors?
| fedorareis wrote:
| Those types of suits generally hinge on proving malicious
| intent
| janalsncm wrote:
| Malicious intent is the standard for public figures. The
| vast majority of people in Experian's database are not
| public figures.
| fedorareis wrote:
| One of the best ways to affect this is to make complaints to
| the CFPB. They are the regulatory body that is responsible for
| making sure the credit bureaus aren't harming consumers
| electrondood wrote:
| They didn't even ask me to verify my phone number when I
| entered it. Anyone with my SSN and phone number from an all-
| too-common data breach could easily pretend to be me and
| unfreeze my credit file.
|
| That's criminal-grade negligence.
| alexfoo wrote:
| I'm guessing this will continue to happen until, I dunno, some
| of the execs at Experian continually have their accounts compromised
| in the same way again and again.
| InCityDreams wrote:
| The execs may be incompetent, they're probably not stupid,
| though- they don't use that shit.
| mulmen wrote:
| This isn't an opt-in service. It's a dragnet surveillance
| system. All it knows is slurping up data. Are there case
| statements all over the codebases to exclude the execs of
| three different companies and congress?
| rwestergren wrote:
| If you have any sort of Experian bureau activity, you're at
| risk by this issue whether you manage your profile with this
| site or not
| tiffanyg wrote:
| Yes, it sure would be a shame if, I dunno, some execs at
| Experian were to experience some of the same issues that so
| many others have - due to the existence and ... 'management' of
| _their own business_ ...
|
| Why, going through such trials, _ex opere operantis,_ might
| just sour a 'true believer' in the "invisible hand" on the
| whole _novus ordo seclorum._ *
|
| _Hahahhahahaha! Urghk, briefly part-swallowed my tongue from
| laughter, excuse me..._
|
| * As the undoubtedly distinguished graduates of Yale SOM, for
| example, might phrase it
| saulrh wrote:
| Unfortunately, the people in charge of these systems have
| enough money to hire people to do all of this crap for them.
| They don't do their own taxes, they don't open their own credit
| cards, they don't negotiate their own mortgages or car loans,
| nothing. They just tell their butler or financier or real
| estate agent or whatever "Go get me an X" and that other person
| deals with all the shit. Being the target of identity fraud
| just means they hire another gofer to deal with it full time
| for six months which costs them so little money, relative to
|   their wealth, that it's not even worth thinking about. And
| they're not even _using_ their own credit, most of the time,
|   they're using the "credit" of some shell corporation or
| limited liability corporation or trust or whatever other
| financial bullshit they hired a dozen lawyers to set up to
| commit tax fraud. So no, they experience _none_ of the shit
| they perpetrate.
| nathants wrote:
| i froze my credit across all providers a few years back. only
| experian failed with silly bugs. tried again just now and it
| worked. progress!
| dudul wrote:
| Did the same, but it looks like this security issue would allow
| someone to just unfreeze before taking a loan in your name.
| nathants wrote:
| true. one hopes they also improve their opsec over time.
| would it be better to not freeze?
| bozhark wrote:
| Bet they stole his information from setting up the Experian
| account to begin with.
| ycombinatornews wrote:
| There's a petition on resistbot now to get some legislative eyes
| on this issue
|
| https://resist.bot/petitions/PONADR
| schleck8 wrote:
| I'm seeing this for the first time given I'm not from the US,
| but its reach seems limited https://resist.bot/petitions
|
| In Germany there is Campact for example which usually crosses
| 200K signatures per petition, if something like this doesn't
| exist in the US then I think someone with money should create
| it or promote an existing solution like OpenPetition to enough
| recurring signers
|
| https://en.wikipedia.org/wiki/Campact
| nulbyte wrote:
| I'm not sure what you mean by limited reach, but for added
| context: Resist Bot is an automated service that can be used
| to contact elected officials in the U.S. Believe it or not,
| some elected officials actually pay attention to what their
| constituents say when writing to them.
| LetsGetTechnicl wrote:
| There needs to be a better alternative to credit reports. They
| only exist because banks and lenders could no longer discriminate
| on race directly, so they created a roundabout way to
| discriminate based on "credit score", which happened to be worse
| for the people they wanted to exclude in the first place.
| mrspurposefull wrote:
| Maybe it is designed like this on purpose.
| benlivengood wrote:
| The best outcome is to have minor fraud (someone tried and failed
| to open an account in your name, or your name+address appears in
| a data dump somewhere) occur because then you can register a
| fraud alert and credit freeze in all the agencies which stops a
| lot of nonsense (random junk mail, risk of actual fraudulent
| accounts getting established) for a year or so by enforcing extra
| authentication steps.
|
| I wish I could put a permanent fraud alert on my credit accounts,
| but would probably have to hire a lawyer or something.
| albroland wrote:
| Correct me if I'm wrong, but I've signed up for all 3 bureaus
| and enabled the credit freeze. My understanding, and experience
| years later, is that it is still frozen. I had to unfreeze a
| specific one last year for an auto loan.
|
| Is there something else I'm missing that's only temporary?
| fordholes wrote:
| If someone hijacks your account they can unfreeze your
| credit. It's easy to hijack accounts.
| albroland wrote:
| I understand that, I'm curious if reporting fraud activity
| helps prevent that in some way like the parent comment
| seems to suggest, if only for a year.
| benlivengood wrote:
| The fraud alert adds a requirement that potential lenders
| call a phone number added to the credit file to authorize new
| loans/accounts, making it significantly less likely that
| fraud can take place.
| albroland wrote:
| TIL! Ty, I'll keep this in mind next time my credit card
| number is inevitably compromised.
| eh_why_not wrote:
| Maybe naive question: if you never create an account on any of
| the credit bureau websites, would you be less likely to be an
| identity theft subject?
| firtoz wrote:
| You have a hidden credit record anyway, AFAIK. But I'm no
| expert.
| cute_boi wrote:
| I think as long as they can get name and date of birth they
| will have a credit report.
| notfed wrote:
| Then as far as you know, someone else has already done it in
| your name.
| EGreg wrote:
| Not as easy on Fox News:
| https://www.youtube.com/watch?v=2p0J65FOIgQ
| EGreg wrote:
| It's not just Experian. We publish an article every couple years
| or so with the same content and just the names changed:
|
| https://qbix.com/blog/2021/01/25/no-way-to-prevent-this-says...
|
| https://qbix.com/blog/2023/06/12/no-way-to-prevent-this-says...
|
| And then of course there is this:
|
| SIM swapping - someone can just steal your SIM and then get into
| a lot of accounts
|
| https://www.bloomberg.com/news/features/2023-08-04/teen-game...
|
| Amazon - someone can just take over your account
|
| https://www.reddit.com/r/cybersecurity/comments/hsj4x8/my_am...
|
| Apple and Amazon together, they can take over ALL YOUR ACCOUNTS
| (the most terrifying read):
|
| https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
|
| I recommend to _everyone_ to use an _email alias_ at gmail or a
| similar service, a different one for every site, instead of your
| actual email, as the login to Amazon and other services. That way
| the attackers can't guess your actual login, let alone your
| password.
| kahnclusions wrote:
| Also, enable the SIM lock on your SIM! This will help prevent
| someone from receiving verification codes if they stole your
| SIM card.
| itissid wrote:
| https://news.ycombinator.com/item?id=29834753 I was shocked to
| learn that last year about the level of detail they had.
|
| 1. All your mortgage, credit inquiries and bank account names
|
| 2. All your previous addresses and previous employers
|
| 3. Your MONTHLY salary and combined comp per year going back to
| 20XX when I came to the US.
|
| 4. Dates of employment per employer, bonus, overtime, RSU comp
|
| Do Experian and Transunion have that too, and can we block that
| as well?
| fnordpiglet wrote:
| Yes, and no. I would note that they are definitely not alone
| and are much better scrutinized than the other data vendors
| you've never heard of that have much more detailed and personal
| data about you.
|
| The credit agencies however offer you a real and valuable
| service. Without credit history it's impossible to get credit.
| It's also harder to get jobs and to rent. So while it's creepy,
| at the very least you gain some demonstrable advantage and
| benefit.
|
| The data brokers and vendors however collect without your
| permission or knowledge, compile much deeper profiles of you as
| a human being and what you do and enjoy, along with these other
| details, and sell it for a profit you never get a share of.
|
| Perhaps one day we will have a functioning legislative branch
| and from it will come a real privacy bill. I'm hopeful it'll be
| better informed than the EU ones by taking lessons learned. But
| I hope for a lot of stuff, like world peace and cures for
| cancer.
| rileymat2 wrote:
| "The credit agencies however offer you a real and valuable
| service. Without credit history it's impossible to get
| credit."
|
| I think I generally agree that this is a reasonable service,
| however the main reason you can't get credit without a credit
| history is these services exist that can provide credit
| history to lenders. It is bizarre to think that loans would
| not exist without these services.
| judge2020 wrote:
| Loans did exist before credit, but it was almost always
| loans from friends/family or by providing a large down
| payment to the bank you wanted a loan from. You needed to
| be a known and upstanding member of the community to get a
| loan for anything substantial.
|
| And technically, you can get many loans today without a
| credit score. For example, there are bank statement
| mortgage loans, but they have caveats like:
|
| - you will go through manual underwriting and will likely
| need to show records of payment history on any existing
| debts, including utilities, insurance, rent, etc
|
| - They will likely need the contact information for each
| one of your previous debts to verify it manually
|
| - When they run a quote, you will typically be considered
| at the lowest credit score possible for that program -
| typically 620 for a conventional loan or 500 for FHA. This
| means you'll be getting the worst rate possible
|
| - You'll likely need a 20% down payment, depending on if
| any of the PMI automated underwriting systems even give you
| a quote with such a low "fake" credit score. The lender
| might ask for more of a down payment depending on their own
| risk assessment.
|
| - The lender (or whoever buys your loan) will report your
| new account to the bureaus, giving you a score.
| fnordpiglet wrote:
| Additionally, while it may suck, and maybe there is some
| other emergent reality that sucks less, we practically
| live in this one. Don't cut off your nose to spite your
| face.
| judge2020 wrote:
| Salary/compensation is not actually provided via your credit
| report to companies who perform a hard inquiry. If you look at
| your annualcreditreport, that's exactly the data the inquirer
| receives, and it just has your start date and company.
| fulladder wrote:
| > 3. Your MONTHLY salary and combined comp per year going back
| to 20XX when I came to the US.
|
| You work at a big company. Your employer is choosing to sell
| this information to credit bureaus.
|
| I first learned about this practice in the mid-2000s. Like you,
| I was quite surprised, but they didn't have any data on my own
| income or assets yet, and I resolved never to work for an
| employer that would engage in this type of business practice.
|
| I think employers should be legally required to disclose and
| obtain written consent to sell your income data, but beyond
| that point, it's really on you to decide what employment
| arrangements you are willing or unwilling to accept. It's sad
| that you had to find out this way given how easy it would be
| for these employers to just disclose it upfront. I'd recommend
| looking for a different employer.
| itissid wrote:
| FWIW
|
| 1. Freeze all your credit with experian, equifax and transunion
|
| 2. Opt out of them selling your info:
| https://consumerprivacy.experian.com/
| https://myprivacy.equifax.com/opt-in-opt-out/personal-info
| https://service.transunion.com/dss/ccpa_optout.page
| namrog84 wrote:
| Did this earlier this year. It's super easy to do. And recently
| had to temporarily unfreeze everything to open an account. Also
| very easy.
|
| All free. 1 of them tries to upsell hard but can do all for
| free. I think a law passed in 2019 ish forcing it to be free.
| dustingetz wrote:
| thanks i did this back in 2017 when the leaks happened and it
| was most definitely not easy and cost money, time to take a
| new look
| crazypyro wrote:
| The one that tries to upsell hard is so annoying, I can't be
| arsed to go find it right now, but the other two make it so
| easy, yet the one that tries to upsell, it's like every other
| click takes you to a "input your credit card" screen....
| Seriously annoying.
|
| Just had to deal with this for the first time in the last two
| weeks when someone tried to open a fraudulent account in my
| name... Interestingly, this happens for the first time in my
| life 2 months after I had to write down all my personal
| information to get a 0% APR credit card from a jeweler
| store...
|
| It should be a default frozen system, not a default open
| system.
| AdamJacobMuller wrote:
| It's Experian.
| rwestergren wrote:
| Experian allows unfreezing via their site in the article. If
| someone can easily recreate your account, they can unfreeze it
| which makes it pretty useless.
| squeegmeister wrote:
| Exactly
| xienze wrote:
| Yes, but if you have an account you'll at least get an email
| notifying you that your account's email address has changed
| (as a result of someone recreating your account). That's how
| I was tipped off to someone trying to buy a car in my name
| (by pulling on the thread of calling customer support asking
| wtf I got that email). So it's very useful to at least have
| an Experian account so you can know when someone is trying to
| go after you this way.
|
| Now granted, it's possible that the attacker won't change
| your email address first, in which case I'm not sure if you
| get an email stating that your credit was unfrozen. But it's
| likely they'll change it in order to make it harder for you
| to mitigate the damage in a timely manner.
| diyseguy wrote:
| Just tried this for equifax got this message. I live in
| Washington state.
|
| We've encountered an error Sorry, this service is not currently
| offered to residents of your state. If you need further
| assistance, you can call Consumer Care at 1-866-295-6801 during
| our regular business hours 9 A.M. to 9 P.M. ET Monday to
| Friday, and 9 A.M. to 6 P.M. ET Saturday and Sunday except
| holidays.
| kelnos wrote:
| I just tried to visit the Equifax link you provided, and I got
| an error page. Amazing.
|
| Oh man, actually looks like Equifax's entire website is down?
| Ouch.
| archon810 wrote:
| Thank you for the links, just submitted for all 3 with no
| issues.
| xvector wrote:
| This makes me feel pure rage. The execs should be thrown in
| prison and the keys should be thrown away with them. Punish this
| at the highest levels, severely. The government needs to make
| examples out of them.
|
| What even is the CISO doing? Sitting on her thumbs for a year?
| jackconsidine wrote:
| God this is so frustrating. I saw multiple ads today on TV for
| Experian's debit card. Wool over the eyes and a brand grab for
| "the Experian promise" or whatever it was
| tristanb wrote:
| I would pay so much money to make these companies go away.
| lyoshida wrote:
| hello
| gmerc wrote:
| That's why we need the threat of the corporate death penalty
| teeray wrote:
| And punishments that involve the personal freedom of the
| C-suite members.
| snisarenko wrote:
| Not a lawyer, but I wonder if Tortious interference Laws can be
| used by individuals to file civil lawsuits against credit
| reporting agencies?
|
| In my head I am interpreting the law like this: Credit Reporting
| Company negligence "interferes" with a person being able to
| obtain a loan.
|
| [1] https://en.wikipedia.org/wiki/Tortious_interference
| krebsonsecurity wrote:
| https://www.ftc.gov/legal-library/browse/statutes/fair-credi...
|
| IANAL either, but it seems the losses suffered from ID fraud
| are only recoverable via this.
| dllthomas wrote:
| In most contexts, providing false information about someone in a
| way that harms them is slander or libel. I think we need to
| revisit whether credit reporting deserves to be exempted from
| that, and under what circumstances.
| ryandrake wrote:
| Absolutely. We should be able to successfully sue credit rating
| agencies for monetary damages if they tell a lender false
| information about us and it causes us to not get a loan or have
| a higher rate than is warranted. It should not matter whether
| they know it's false. The harm happens regardless of whether
| they were negligent or malicious.
| judge2020 wrote:
| This sets a dangerous precedent. If you won, it would apply
| to all defamation/libel/slander cases, not just credit
| reporting agencies. News agencies could be sued for saying
| anything about someone if it later turned out to be false.
| Defamation laws are already on the brink of
| unconstitutionality.
| ryandrake wrote:
| This doesn't seem like a bad thing. If I say something
| _untrue_ about you, and that causes you to suffer damages,
| you should be able to come after you for those damages,
| regardless of whether I am a credit rating agency, a
| journalist, or a regular joe.
|
| If I said to your employer, "I'm pretty sure judge2020 is a
| wanted criminal," and they actually fired you over it, you
| should be able to successfully sue me for lost wages (or if
| you sued your company, they should in turn be able to go
| after me).
| judge2020 wrote:
| Actually, the way they work is "x company told me y person has
| <this account> with <these details>". For non-celebrities, it
| is only defamation if it amounts to at least negligence in
| verifying these facts - i.e. negligent only if they have
| reasonable knowledge to believe the information is false. When
| you report to the bureaus that an account is fraudulent, that
| is effectively giving them notice that the account in question
| is not actually yours, and by removing it from your report,
| it's relieving them of the liability of spreading such defaming
| information in the future.
| bradley13 wrote:
| Stepping back, and looking at the situation as a whole: the real
| problem is a lack of privacy laws. Banks, businesses and
| employers should be prohibited from sharing your personal
| information with third parties.
|
| I live in Switzerland, where this is the case. Even the
| government doesn't get this information. If the government thinks
| you're cheating on your taxes, they have to use warrants and
| follow the same procedures as for any other crime.
|
| The only financial records accessible are records of legal debt
| collection actions ("Betreibungen"). Before offering someone
| credit, you can find out if other people had to sue them to
| collect.
|
| Yet, even with so little information - without credit reporting
| agencies - everything works just fine.
|
| FWIW, due to international pressure (things like FATCA), Swiss
| law was changed so that banks do report on international
| customers.
| namdnay wrote:
| "Everything works just fine"
|
| It definitely worked great for a lot of dictators, tax cheats
| and the sort... I think Switzerland is a great example of why
| complete privacy isn't fair on ordinary taxpayers - it allows
| the ultra-rich to hide what they owe
| emodendroket wrote:
| Additionally the "international pressure" the OP alludes to
| is since Swiss banks were the banks of choice for international
| crime, including whichever activity you think might be most
| heinous.
| mise_en_place wrote:
| Prior to 1913 the IRS didn't exist. The US seemed to do just
| fine before then. Tariffs are the best way for the government
| to raise revenues. Especially when you are doing business
| with hostile countries like China. Please do educate yourself
| on US history before making such comments about privacy.
| cmutel wrote:
| I'm an American living in Switzerland for over 10 years, and
| this was definitely my impression as well. But that isn't
| really the case anymore here - you can no longer have
| anonymous (i.e. only numbered) accounts, and Switzerland is
| no longer a preferred location for dirty money.
|
| The ironic thing is that one of those new hot spots, in
| addition to the usual suspects like Cyprus, the Caribbean,
| etc., is the USA. See
| https://www.washingtonpost.com/business/interactive/2021/wyo...
| for some juicy details.
| stavros wrote:
| As far as I know, Cyprus complies with FATCA/CRS as much as
| anyone else (unless the "anyone else" is, as you say, the
| US).
| bradley13 wrote:
| As far as I am aware, Switzerland had always cooperated with
| law enforcement requests. Even before FATCA, if your
| government thought you were cheating on your taxes, all they
| had to do was present a warrant.
|
| That said, yes, dictators and such were - and are - a
| problem. They aren't going to prosecute themselves, after
| all.
|
| By the way, one of the top places unsavory types stash their
| cash is the US. FATCA is a one way street: US banks don't
| provide information on their international customers.
| robertlagrant wrote:
| It also makes the formation of dictatorships less likely.
| mattferderer wrote:
| South Dakota, USA has entered the chat.
|
| https://www.theguardian.com/world/2019/nov/14/the-great-amer...
|
| > A South Dakotan trust changes all that: it protects assets
| from claims from ex-spouses, disgruntled business partners,
| creditors, litigious clients and pretty much anyone else. It
| won't protect you from criminal prosecution, but it does
| prevent information on your assets from leaking out in a way
| that might spark interest from the police. And it shields
| your wealth from the government, since South Dakota has no
| income tax, no inheritance tax and no capital gains tax.
| tomcam wrote:
| You're behind the news. The USA pierced that privacy years
| ago.
| emodendroket wrote:
| I would say this problem would also be solved if we stopped
| pretending that a Social Security number was a serious
| substitute for secure national ID.
| crotchfire wrote:
| There's an easy way to do that: pass a law exempting Social
| Security Numbers from all identity theft and fraud laws.
|
| Make it completely legal and tort-free to lie about social
| security numbers anytime, anywhere, except when dealing
| directly with the government (i.e. filing your taxes).
|
| That'll stop them being used, and right quick.
| fkarg wrote:
| problem is: what to use instead? They don't really have an
| alternative, either
| whatshisface wrote:
| Businesses can come up with their own ID systems. Google
| doesn't need your SSN for a Gmail account for example.
| emodendroket wrote:
| Nor do you need to provide an identity that's not
| completely made up.
| michpoch wrote:
| What's the issue with SSN being an ID?
| nulbyte wrote:
| It was created for the purpose of tracking an individual's
| account by the Social Security Administration. It later
| became a de facto identifier and, even worse, is many times
| abused as a form of authentication, but it was never
| designed to be either.
|
| As a result, we have processes that ask for or require a
| social security number that aren't even related to the
| purpose for which it was created: Health care, loans, debt
| collection.
|
| Notably, some citizens of certain religious sects, like the
| Amish, do not have social security numbers.
| michpoch wrote:
| It still sounds like a good way to uniquely identify a
| person? How else would an institution confirm that it's
| talking about the same person?
| WitCanStain wrote:
| It is used that way in Finland and a fair few other
| countries and works perfectly well.
| alistairSH wrote:
| The same way they do for people who aren't from the US?
|
| Some combination of name, address, birthdate, etc.
|
| But the problem isn't using the SSN as a semi-unique ID.
| It's using it for that and also assuming it's secret. SSN
| shouldn't be any more secret than name or address (and
| shouldn't be used to unlock or access accounts).
| michpoch wrote:
| > The same way they do for people who aren't from the US?
| Some combination of name, address, birthdate, etc.
|
| Plenty of countries have SSN-like numbers:
| https://en.wikipedia.org/wiki/National_identification_number
|
| It's really not that special.
|
| > But the problem isn't using the SSN as a semi-unique
| ID. It's using it for that and also assuming it's secret.
| SSN shouldn't be any more secret than name or address
| (and shouldn't be used to unlock or access accounts).
|
| Of course. Shouldn't it be trivial to sue any institution
| that uses SSN as a way to confirm your identity?
| alistairSH wrote:
| _Shouldn't it be trivial to sue any institution that
| uses SSN as a way to confirm your identity?_
|
| You'd think, yet here we are, with one of the big three
| credit agencies letting people steal/resteal accounts
| with nothing more than some public info.
| michpoch wrote:
| Isn't that like a classic American moment when you sue
| them and become a millionaire?
| alistairSH wrote:
| If only real life was like the movies. ;)
| noSyncCloud wrote:
| It's a terrible way to uniquely identify a person; it was
| never designed as such. For instance, there aren't nearly
| enough of them - they get re-issued all the time.
| emodendroket wrote:
| It is treated like a secret, so if you come to know
| someone else's Social Security number (thanks to a
| thriving black market you can buy up plenty of them)
| that's enough for lenders to start giving you money and
| then chasing down that other person to pay them back. Are
| you starting to see an issue yet?
| michpoch wrote:
| Well that's another thing, I don't see why would you need
| to get rid of SSNs. You just need to add another layer
| that will confirm that you're the "owner" of your SSN.
| Seems pretty easy to do?
| BytesAndGears wrote:
| Agreed, except that nobody has done it. So SSN is your
| username and password anyways, despite everyone* knowing
| they're all public knowledge at this point
|
| *: except judges and juries, apparently
| CWuestefeld wrote:
| > some citizens of certain religious sects, like the
| Amish, do not have social security numbers.
|
| Fun story: many years ago, I worked on some consumer tax
| prep software. Specifically because of the Amish, the SSN
| field was optional. Imagine that - an Amish person using
| tax prep software.
| xav0989 wrote:
| Additionally, because the Social Security Administration
| only issues an SSN if you are eligible to pay into and
| eventually receive Social Security, there are some legal
| temporary residents of the US that are not eligible and do
| not get an SSN.
|
| While the government says that an SSN is not necessary to
| open a bank or credit card account, all the ones that I've
| encountered require it to proceed with the application, and
| the government doesn't do any enforcement of that.
| rz2k wrote:
| Do you know how Swiss financial privacy and credit reporting
| laws compare with countries in the EU?
|
| > Around 36 percent of the Swiss own their homes or apartments,
| the lowest rate in the West and well below the 70 percent
| average in the European Union, and the 67 percent in the United
| States. [1]
|
| I'm sure there are many factors, but I would be less willing to
| finance someone's large purchase without more information about
| their creditworthiness.
|
| [1] https://www.nytimes.com/2023/11/06/realestate/zurich-switzer...
| squeegmeister wrote:
| This happened to me and I ended up calling them to get them to
| reset my email. It hinged on me answering security questions
| correctly. Which btw, some of these were also wrong since my
| identity thief changed some addresses on my credit report. What a
| fucking mess
| notfed wrote:
| What even is the next step if everything's been changed?
| munk-a wrote:
| The fact that we haven't nationalized credit reporting absolutely
| baffles me. These companies have so much power over our lives,
| are completely unaccountable, and are so incredibly incompetent.
| dools wrote:
| Yes and then people claim the social credit scoring system in
| china is a dystopian hellscape. I happen to think it's far less
| dystopian than privately run financial credit reporting
| agencies.
| lwhi wrote:
| I think social credit scoring is another level closer to
| hell.
| Aaargh20318 wrote:
| Isn't it pretty much the same thing in the US, where
| financial and social status are more or less equivalent
| anyway?
| lwhi wrote:
| Your score isn't affected if you jay walk, so no.
| jasonwatkinspdx wrote:
| Years ago I worked in the industry and I totally agree. Fair
| Isaac in particular has enormous power as basically the only
| source of models people use, and they are very opaque.
| silveraxe93 wrote:
| Right, so as a solution to them having: too much power over our
| lives, being unaccountable and incompetent. Is:
|
| Giving the backing of the state over their actions. Move from
| being accountable to government to _being_ the government. And
| the competency of giant public bureaucracies!
| Aaargh20318 wrote:
| The whole credit rating system as it is in the US seems
| completely ass-backwards to me. It basically encourages people to
| go into debt to build a history of paying it back in time.
|
| Here in the Netherlands it works exactly the opposite: the best
| 'rating' is to not be in the system at all. When you get a
| loan, the amount and monthly payments are registered. This
| registration is removed once you have paid back the loan.
|
| When you ask your bank for a loan, they basically look at two
| things: how much is your income and how much are your current
| financial obligations (i.e. existing loans). Cost of living is
| subtracted from your monthly income, as well as the monthly
| payments of your existing loans (from the national debt
| registry). What's left is how much (additional) monthly payment
| you can afford. If the monthly payment for your newly requested
| loan is above this number it will be refused.
|
| As such there is no such thing as a good or bad rating, only
| what you can and cannot afford.
| ryukoposting wrote:
| There are a million things broken about the American credit
| reporting system, but I'm going to try to make a case for one
| very specific part of it:
|
| > how much is your income and how much are your current
| financial obligations
|
| This doesn't work if your income doesn't show up in the
| government's system. For example, if your income comes from
| illegal activity. Crime is bad and you shouldn't do it, but
| crime is an economy and some people really don't have a
| better option. If your income comes from criminal activity,
| getting boxed out of the consumer financial system isn't
| helping you towards any avenue where crime is no longer the
| best option.
| Aaargh20318 wrote:
| > This doesn't work if your income doesn't show up in the
| government's system. For example, if your income comes from
| illegal activity.
|
| It's not a government system. Banks will typically ask for
| a payslip.
|
| > For example, if your income comes from illegal activity.
|
| You think banks are going to give you a loan if your income
| is from criminal activity? That's cute. Banks are required
| to report suspicious activity and the last thing they want
| is even the appearance of being involved in money
| laundering. It's a problem for certain professions, like
| sex workers (which is a perfectly legal occupation here) as
| they mostly get paid in cash and often deposit large
| amounts of it they are an obvious channel for money
| laundering and as such they have a hard time just getting a
| bank account, never mind getting a loan.
| xienze wrote:
| > It basically encourages people to go into debt to build a
| history of paying it back in time.
|
| How do you propose a third party can establish your ability
| AND desire to pay back a loan, i.e., determine how much risk
| there is in lending to you?
|
| > As such there is no such thing as a good or bad rating,
| only what you can and cannot afford.
|
| This is a completely naive line of thinking. Maybe you CAN
| afford a loan, but WILL you pay it back? Ah, you might say,
| the bank will remember that and refuse to loan you money next
| time. Congratulations, you've invented a system of credit
| worthiness.
| Aaargh20318 wrote:
| > How do you propose a third party can establish your
| ability AND desire to pay back a loan
|
| Ability is simply by asking for a recent payslip. For
| things like mortgages they usually ask for a signed
| statement from the employer as well (they declare that if
| employee continues to function as (s)he has been they have
| no intention to end their employment).
|
| Desire doesn't really factor into it. If you don't pay your
| debt they will get their money one way or the other.
| Personal bankruptcy is not a thing over here, you cannot
| walk away from debt.
|
| > Maybe you CAN afford a loan, but WILL you pay it back?
|
| Of course you will, you have little choice. Worst case they
| get a judge to simply take it out of your paycheck.
| jzl wrote:
| Yet another reminder that account recovery is the weakest link in
| the security chain for online accounts. Consider all the work
| going into new tech such as passkeys -- none of it matters if
| it's possible for janky account recovery techniques to punch a
| hole through flawless authentication standards. Unfortunately,
| companies have come to expect that a large number of their users
| cannot be expected to reliably store and retrieve their login
| credentials, whether in a password manager or their head.
| chris_wot wrote:
| Sounds like the beginnings of a class action.
| electrondood wrote:
| I noticed this as well... you didn't even need to verify the
| phone number you enter to sign up as someone else when I last
| checked.
|
| It's unbelievable
| ledgerific wrote:
| I think a tit for tat system could help. Anyone which views your
| info should also allow you to view theirs. Regardless if you work
| for some legitimized cause or not. This should be codified into
| law and should be punishable via a fine/debt which could not be
| canceled (gov loans, taxes).
| NegativeK wrote:
| Our legal system typically isn't built around vengeance.
|
| And if Experian knew who was viewing our info inappropriately,
| they'd know it's not us -- and stop it. Instead their lame
| system assumes that anyone who has minimal information about us
| _is_ us.
| zzzcsgo wrote:
| I locked my credit at all major credit agencies.... Not sure if
| it helps
___________________________________________________________________
(page generated 2023-11-12 23:00 UTC)