The fundamental issue here is that maintaining security is expensive, and it is cheaper to just deal with occasional hacks. The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It is not that expensive. It is a couple pennies per pull (of a credit report/file) for somebody seeking identity proofing to use knowledge based authentication (the usual “where did you live, are these trade lines you?”). It is $1.50-$2.00 per proofing attempt with the government credential using ID.me or Stripe Identity. The problem is that no one is incentivized to slightly increase costs to reduce fraud because the burden falls on consumers instead, and credit reporting agencies don’t want to see their moat and revenue stream cannibalized. Bit of a public good Innovator’s Dilemma.
TLDR A better national digital identity story makes this problem go away.
(responsible for customer IAM including identity proofing at a fintech, doing some lift for Login.gov independently as a citizen activist)
I would imagine that most of the data for the ID checks based on public records (where did a person live; own a car/house/boat; ...) are trivially handleable.
Just takes one person to leak the database (which is probably only a few TB compressed) for all of the US and fits on a single HDD/SSD.
I would be surprised if these DBs aren't already sold on the darknet. And this DB doesn't have to be super up to date b/c security questions often go back years.
Interpreting the DB should be easy to hardcode but even easier handled with an LLM.
So the protection afforded by these checks is IMO at best nominal.
I think we should be asking how to design the procedure for when someone calls and claims they forgot everything and lost everything. An attacker can always call in and say this, and we'll need to call in and say this if we've been attacked.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.
More importantly, they can require you provide a government ID and perform a liveness selfie check. This is the gold standard for remote identity proofing. Onboarding secure authenticators is best practice to bind digital identity to IRL identity when proofing occurs and identity assurance is high.
This might be somewhat true (it's certainly more expensive than not having security) but when your entire business is around making assurances based on people's identities, you'd assume that they'd put more effort into making their services secure. And if it's too expensive to do it securely, then maybe we should start to question whether such a service should even exist and deserves to store a lot of personal and private information.
>The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It's notable this issue (verification by SSN) doesn't affect GDPR-land - the GDPR has fines of up to 4% of global turnover.
>malicious incompetence by everyone in the Experian security chain
How do we know it's malicious and not just regular incompetence? Hanlon's razor and all.
My question was related to this quote:
>the GDPR has fines of up to 4% of global turnover.
I was asking what GDPR has fines on. Does it have fines for incompetence? snthd claimed that "this issue (verification by SSN) doesn't affect GDPR-land" saying GDPR-land somehow prevents this with a specific fine. I'm wondering what the specific fine is that GDPR-land has that prevents this issue.
Of course, we aren’t the customers for these spying companies. But it is surprising that the total lack of security isn’t a deal-breaker for their actual customers. I mean if you can basically impersonate anybody using this service, what is the point of using it?
These accounts aren’t for the people who pay Experian money. Companies pay Experian money to access information about individuals; the only reason Experian even allows accounts for individuals is because they are mandated by law to allow things like credit freezes and the annual credit report. If they weren’t required, they wouldn’t do it at all. They have zero incentive to improve the experience or the security of it.
Even the term "identity theft" needs to go. My identity wasn't stolen! I'm still the same person. The bank got tricked by a scammer and somehow the bank tries to make that my fault.
Edit: Imagine this the other way around! Grandma gets scammed by someone pretending to be her bank. So the bank's identity got stolen. So now the real bank needs to fix it, provide more proof of identity to all customers and jump through all kinds of hoops to not owe grandma crazy amounts of money.
Yes! I’ve been saying this for years. The whole framing is a victim blaming dodge, when the two bad actors are the crooks and whoever made the loan with insufficient ID.
I think the point that's trying to be made is, the traditionally recognized 'victim' is not the actual victim. The person whose "identity" was "stolen" is not a victim, the bank is. What was stolen was money--from the bank. But, we've designed our system, laws, contracts, etc such that the third party who was not involved at all has all responsibility of cleaning up the mess shoved onto them
I think you're imagining the ID thief going to the bank and withdrawing your money from your bank account (which probably happens too). I also think your analogy of a "friend" isn't right... you are the bank's PAYING customer... you pay them to secure your money and only give it to you! If they fail to provide the service they're offering to you... seems like they ought to be responsible for their failure.
But another, more common scenario here is that I convince the bank that I'm you and get a credit card or loan from the bank. Now the bank is knocking on YOUR door asking you to pay them back for the cash they handed to some random person... but they're the ones who messed up by giving cash to a random person and not verifying that they are who they say they are!
You aren't really involved... the bank messed up by going "Oh you say you're Bob? Okay here you go!" Why is it your fault that they failed to accurately verify the identity of the person they gave THEIR money to? You didn't play any role in them deciding who to give their money, nor in their ID verification procedures.
> I think you're imagining the ID thief going to the bank and withdrawing your money from your bank account (which probably happens too).
No, I'm imagining a scenario where the things used to identify me to service providers are taken by someone.
> I also think your analogy of a "friend" isn't right...
I didn't mention a friend.
> you are the bank's PAYING customer... you pay them to secure your money and only give it to you!
I agree, but as per my analogy, the car's owner has had their car stolen.
> If they fail to provide the service they're offering to you... seems like they ought to be responsible for their failure.
As per my analogy, I'm not saying that the car shouldn't have been secured, nor that the storage provider shouldn't make the situation right via insurance etc. Only that the car owner is the one who is a victim of car theft.
> You aren't really involved... the bank messed up by going "Oh you say you're Bob? Okay here you go!" Why is it your fault that they failed to accurately verify the identity of the person they gave THEIR money to? You didn't play any role in them deciding who to give their money, nor in their ID verification procedures.
The bank being at fault doesn't mean the victim's identity wasn't stolen.
All of these objections seem to assume that if someone has something stolen, it was their fault. That's not true, and that assertion is what I'm objecting to.
It isn't blaming the victim. I think they meant something else but worded it that way. What they meant was 'redefining the victim'. The victim is the bank, who got defrauded. They then call it 'identity theft' instead of 'bank fraud'.
I think it is a reasonable inference given the context and the description and that it makes sense to think of it like 'victim blaming' because mixing common parlance with legal terminology often results in similar confusions (for instance breaking and entering is a legal term which does not have to involve breaking anything, and assault in common use means physical contact but legally it does not have to).
In any case if it meant literally 'blaming the victim' it makes no sense at all, so either we give the benefit of assuming the poster is able to make coherent statements or we don't.
it's not about blame, it's about responsibility. "identity theft" implies that your identity is a thing that can be stolen from you, and you need to be responsible for preventing it from being stolen.
institutions should be responsible for protecting themselves from fraud, they shouldn't need me to protect them from my identity being used in an unauthorized way.
If identity theft were to get so common that the data became statistically unreliable, we would be long past the point that even Congress would feel compelled to do something about it.
There’s no such thing as identity theft, it is impossible to steal an identity, the person still has their identity. It is impersonation. The victim is the entity that has fallen for the impersonation (likely a bank, etc), the perpetrator is the one who did the impersonation, and the impersonated person is just some uninvolved third party.
I know it is pedantic but it is important to keep in mind because dumping the need to seek redress on the uninvolved third party is ridiculous, so we shouldn’t use language that plays into that point of view.
It’s identity fraud frankly. Hold consumers harmless and put the burden on the industry (if you did not have a high identity assurance you’re on the hook for costs and losses) and this problem evaporates. Also outlaw credit monitoring and identity theft insurance.
This is from That Mitchell and Webb Sound, a radio show they did. The BBC don’t tend to region-lock audio, so you should be able to listen at https://www.bbc.co.uk/programmes/b007lqrh (or using the BBC Sounds app).
100% agree, except the impersonated person is impacted when their credit score eventually gets screwed and they can no longer get loans themselves. So, in that regard, they are also a victim.
Although I think it is more accurate to call them a victim of something like slander by the credit agency, in that case. I mean, I’m not sure exactly what the laws are around slander, I wouldn’t be surprised if there was some cutout for cases in which the person actually believed the lies they were repeating, but if an organization represents itself as an expert in people’s trustworthiness it obviously has a heightened responsibility to verify what it is repeating.
My understanding is that in most cases, slander/libel is never a crime anyway.
It's merely a tort (wrong). It never rises to the level of a crime. The few instances/places where slander is a crime in the US (historically or otherwise) are very problematic and subject to abuse.
Perhaps this specific kind of slander should be criminal, but it might be the only kind that should be. Not only would you need to justify that philosophically, but somehow convince legislators to make it that way (at the federal level, I should think).
I don’t think it is that tricky philosophically; they are representing themselves as experts on a topic so, they have a responsibility to ensure that they have a professional level of competence in it. Just like doctors and civil engineers.
Agreed that getting legislators to do anything about it will be a pain, though.
Don't forget compensating the injured party for any consequential losses. Which in this case might be a house or the income from a good job. See how fast they clean up their act if they can be held responsible for six or seven figures of damages every time they make a serious mistake.
Would them ignoring a few certified letters asking them to contact you to correct slanderous significant errors in your information be enough to show malice?
The point is that the impersonated person shouldn't have these fraudulent items reported on their credit. That's the crux of how the responsibility of cleaning up this mess is absolutely on the wrong person
I completely agree. But if I recall correctly, they've set up the law so that if they get duped, you're on the hook for whatever they got duped into giving the impersonator. That's the biggest problem.
Tell me you're Bank of America and I'll give you a thousand dollars. You disappear into the night and I'll go get my thousand dollars back from the real Bank of America. Is that how the law is set up? (Honestly, making a website that looks like a legit Bank of America website is about as difficult as getting someone's SSN.)
The banks aren't the only victims. The person has had their credit rating damaged, and may even be on the hook for fraudulent charges made in their name.
Libel is an intentional act. Agencies are not intentionally reporting false information. Banks may be reporting false information, but even they are unaware until the fraud has been discovered, by which time information they thought was true has already been reported.
I'm pretty sure the OP was meaning that there's little point for the businesses that make use of the credit bureaus, if they can't be sure the bureau is accurate, rather than that consumers might be better off opting out (even if they could).
Stepping back, and looking at the situation as a whole: the real problem is a lack of privacy laws. Banks, businesses and employers should be prohibited from sharing your personal information with third parties.
I live in Switzerland, where this is the case. Even the government doesn't get this information. If the government thinks you're cheating on your taxes, they have to use warrants and follow the same procedures as for any other crime.
The only financial records accessible are records of legal debt collection actions ("Betreibungen"). Before offering someone credit, you can find out if other people had to sue them to collect.
Yet, even with so little information - without credit reporting agencies - everything works just fine.
FWIW, due to international pressure (things like FATCA), Swiss law was changed so that banks do report on international customers.
It definitely worked great for a lot of dictators, tax cheats and the sort… I think Switzerland is a great example of why complete privacy isn’t fair on ordinary taxpayers - it allows the ultra-rich to hide what they owe
I'm an American living in Switzerland for over 10 years, and this was definitely my impression as well. But that isn't really the case anymore here - you can no longer have anonymous (i.e. only numbered) accounts, and Switzerland is no longer a preferred location for dirty money.
FATCA would only apply to Americans and permanent residents right? It isn’t hard to imagine that America is a good place for non-Americans to stash money, but that trick really wouldn’t work for Americans themselves. For example, the Canadian and American housing markets have been a good place to launder dirty or gray Chinese money into real estate.
> A South Dakotan trust changes all that: it protects assets from claims from ex-spouses, disgruntled business partners, creditors, litigious clients and pretty much anyone else. It won’t protect you from criminal prosecution, but it does prevent information on your assets from leaking out in a way that might spark interest from the police. And it shields your wealth from the government, since South Dakota has no income tax, no inheritance tax and no capital gains tax.
Those are trusts with assets and have no relationship to a record of credit events which is what the original post is about. Not to say that the SD laws aren't troubling - they just have little to do with each other.
As far as I am aware, Switzerland had always cooperated with law enforcement requests. Even before FATCA, if your government thought you were cheating on your taxes, all they had to do was present a warrant.
That said, yes, dictators and such were - and are - a problem. They aren't going to prosecute themselves, after all.
By the way, one of the top places unsavory types stash their cash is the US. FATCA is a one way street: US banks don't provide information on their international customers.
> As far as I am aware, Switzerland had always cooperated with law enforcement requests. Even before FATCA, if your government thought you were cheating on your taxes, all they had to do was present a warrant.
The problem was - and this rightfully pissed off a lot of countries - that Switzerland makes a distinction between tax evasion (you "forget" to mention those 5'000 francs extra income) and tax fraud, where you actually cook the books.
Tax evasion is not considered a crime and if you're caught you get fined and pay back taxes. Tax fraud is a crime and may land you in jail.
So, in case of simple tax evasion a third country may not get the information requested since this is not a crime in both countries, which is a requirement for this.
With the automatic information exchange with other countries Switzerland is no more a prime destination to hide your illicit gains.
Additionally the “international pressure” the OP alludes to is since Swiss banks were the banks of choice for international crime, including whichever activity you think might be most heinous.
Prior to 1913 the IRS didn't exist. The US seemed to do just fine before then. Tariffs are the best way for the government to raise revenues. Especially when you are doing business with hostile countries like China. Please do educate yourself on US history before making such comments about privacy.
There's an easy way to do that: pass a law exempting Social Security Numbers from all identity theft and fraud laws.
Make it completely legal and tort-free to lie about social security numbers anytime, anywhere, except when dealing directly with the government (i.e. filing your taxes).
It was created for the purpose of tracking an individual's account by the Social Security Administration. It later became a de facto identifier and, even worse, is many times abused as a form of authentication, but it was never designed to be either.
As a result, we have processes that ask for or require a social security number that aren't even related to the purpose for which it was created: Health care, loans, debt collection.
Notably, some citizens of certain religious sects, like the Amish, do not have social security numbers.
> some citizens of certain religious sects, like the Amish, do not have social security numbers.
Fun story: many years ago, I worked on some consumer tax prep software. Specifically because of the Amish, the SSN field was optional. Imagine that - an Amish person using tax prep software.
It should always be optional as not everyone using tax prep software will actually be a citizen of the country where they're paying tax or registered with said country's social welfare system. I found navigating bureaucracy a nightmare when I first moved to the UK because so many systems were set up to require a National Insurance (Social Security) number which I wasn't able to get until after I started paying tax. Notably I was denied a bank account until I complained about it on Twitter.
I’m no Amish expert but I lived near them for a while and it seems to be more about how they choose to lead their lives and there’s a (fuzzy) line between ownership and usage of technology. I’d bet many would be quite fine with using tax software on someone else’s computer. They’ll also use a contractor’s power tools, ride in someone else’s car, own flashlights, etc.
Some Amish/Mennonite sects have exceptions for business, so I'll sometimes see them with cell phones. Tax software would probably fall under that exception. Honestly, I'm more amazed any company spent time catering to such a small portion of the market.
The same way they do for people who aren’t from the US?
Some combination of name, address, birthdate, etc.
But the problem isn’t using the SSN as a semi-unique ID. It’s using it for that and also assuming it’s secret. SSN shouldn’t be any more secret than name or address (and shouldn’t be used to unlock or access accounts).
> But the problem isn’t using the SSN as a semi-unique ID. It’s using it for that and also assuming it’s secret. SSN shouldn’t be any more secret than name or address (and shouldn’t be used to unlock or access accounts).
Of course. Shouldn't it be trivial to sue any institution that uses SSN as a way to confirm your identity?
It is treated like a secret, so if you come to know someone else’s Social Security number (thanks to a thriving black market you can buy up plenty of them) that’s enough for lenders to start giving you money and then chasing down that other person to pay them back. Are you starting to see an issue yet?
Well that's another thing, I don't see why would you need to get rid of SSNs. You just need to add another layer that will confirm that you're the "owner" of your SSN. Seems pretty easy to do?
Agreed, except that nobody has done it. So SSN is your username and password anyways, despite everyone* knowing they’re all public knowledge at this point
Some people (especially older women) don't know their own SSN, just their husbands'. If they never had a job, there wasn't much use for an SSN. And if their spouse passed away, they always had to use the deceased's SSN to collect survivor's benefits (or whatever it's called).
I've seen it more than once when working with health records: two people have the exact same SSN, but different sex. If I need to match records, I'll use SSN and birthdate, knowing even that's not immune to errors.
It's a terrible way to uniquely identify a person; it was never designed as such. For instance, there aren't nearly enough of them – they get re-issued all the time.
Additionally, because the Social Security Administration only issues an SSN if you are eligible to pay into and eventually receive Social Security, there are some legal temporary residents of the US that are not eligible and do not get an SSN.
While the government says that an SSN is not necessary to open a bank or credit card account, all the ones that I’ve encountered require it to proceed with the application, and the government doesn’t do any enforcement of that.
Do you know how Swiss financial privacy and credit reporting laws compare with countries in the EU?
> Around 36 percent of the Swiss own their homes or apartments, the lowest rate in the West and well below the 70 percent average in the European Union, and the 67 percent in the United States. [1]
I’m sure there are many factors, but I would be less willing to finance someone’s large purchase without more information about their creditworthiness.
This is very true. The company that I am at, not going to mention name but just going to say it's FAANG, buys data from this company and uses it to allow for better tracking and graph building when we receive Experian cookies. The USA does not care about its people's privacy even though it constantly says that it does lol. If they cracked down on the privacy laws I feel that bank accounts will get affected since in the top 500 of stocks big tech sits on top.
I'm seeing this for the first time given I'm not from the US, but its reach seems limited
https://resist.bot/petitions
In Germany there is Campact for example which usually crosses 200K signatures per petition, if something like this doesn't exist in the US then I think someone with money should create it or promote an existing solution like OpenPetition to enough recurring signers
I'm not sure what you mean by limited reach, but for added context: Resist Bot is an automated service that can be used to contact elected officials in the U.S. Believe it or not, some elected officials actually pay attention to what their constituents say when writing to them.
Given there are 3 credit bureaus, is there a way to avoid having a credit score at one of the credit bureaus? I think that's a way that we as consumers could try to increase competition in the field.
I did some Googling and it didn't seem like there's an easy option.
There is no way to opt out of credit reporting. Lenders report the information to the credit bureaus, typically all three of the big ones, so if you want no information reported, simply close all your credit cards and loans, etc. and place credit freezes on your credit reports.
I don't think that "increased competition" will work here. We are not customers of the credit bureaus. We are the product. The customers are lenders and other people who need your information. From the lenders' perspective, this is all working out fine, largely because the onus for "identity theft" is placed on members of the public as individuals rather than on lenders to accurately verify applicants' identities before extending credit. As many people have pointed out before, "identity theft" is a misnomer designed to pass the buck onto individuals. Ideally, it should be the lenders' responsibility to prevent criminals from misusing your information and to make things right whenever a criminal tries to use your information fraudulently, but right now the onus is placed on individuals.
A better solution would be to have higher standards for identity verification by lenders. That would shift the burden onto lenders to actually verify people's identity before extending credit. Some lenders actually do a pretty good job of verifying people's identities before extending credit in my experience, while others just seem to accept the information given uncritically (as far as I can tell!). High industry-wide standards should help solve this (either voluntarily or mandated by law).
A statutory fine of $50k per compromised account would get the attention of the credit bureaus. (It might drive them out of business, but it sure would get their attention.)
For reference, Equifax leaked the personal information of 147 million people (myself included). Multiplying that by $50k is over 7 trillion dollars. In actuality, they were ordered to pay up to $700 million in total which works out to about $4-5 per person. I agree with you, but the gap between what you propose and the status quo is staggering.
So yeah, in this case Equifax would go bankrupt and other companies would get a very valuable lesson to spend more money on the security side of things. I see no issue here.
The problem is that we are not the consumers. They receive our data from all the companies we do business with. You would have to figure out on a case by case basis all ties relating to the credit bureau. Probably if you never got a credit card and never took out a loan, you would be somewhat protected from their "research."
I tried to log into their website the other day to just get my profile set up and see what was going on in my account. Their site was so broken, I couldn't even get logged in. How is anyone going to become me if I can't even become myself?
To become you, I just have to go through the channels that Experian customers use. You were not using the channels that Experian customers use. You were using the channel that Experian liabilities use.
Maybe this is why for the past few weeks I am receiving countless emails from major retailers like Casas Bahia or Americanas and even Magazine Luiza with purchase confirmation listing several smartphones and notebooks whose invoices bear my name and CPF.
I tried contacting every retailer. Only Magazine Luiza seems to have acknowledged the fraud and issued a warning but to no avail, as I am still receiving invoices from them.
I contacted the local police and issued a boletim de ocorrência (which I am not quite sure how to translate) that describes the problem and how I was unable to apply countermeasures.
I am expecting fallout from this. I am really anxious about this whole situation and how I am utterly powerless in protecting my identity.
I've been in a similar situation once, this is what I did, and I think you're on the right path.
> I tried contacting every retailer.
Try to reach out to the ombudsman (ouvidoria) and explain your case. Even if they don't actually solve the problem, you documented that you tried to friendly resolve the issue.
> I am expecting fallout from this.
Very worst case scenario, the retailers will send the fraudulent invoices to collection agencies and might report you to the credit bureaus. Don't ever pay any cent toward this fraudulent debt. Don't negotiate. The only option is the debt going away as it is fraudulent. It's their money that's on the hook and paying it shifts the responsibilities to you.
Once it hits the credit bureaus, as you already have a Boletim de Ocorrência, and proof of contacting the companies (protocol numbers + dates), i.e. documentation, sue them and ask for damages. It's a simple and common suit that both the credit bureaus and the retailers will want to settle. Make them pay for your time. They don't have any proof that it was your person that made those transactions.
> I am utterly powerless in protecting my identity.
Yeah, but the thing is, if the retailers, banks, credit cards, etc. really wanted to avoid fraud, every purchase/subscription would require the same level of protection as a real estate transaction. Everything signed, in-person meetings, upfront payments, banks, lawyers, notaries, cryptographic signatures (hey, we have e-CPF and nobody uses it!). But as you see, 100% fraud avoidance means friction, and no sane retail business likes friction. It's a business decision on their end. They accept risk so they can take your money easier.
If it’s a purchase using Credit Card, absolutely zero chance of going to collections. That’s not how it works. There’s no legal footing for collections and they are not in the habit of creating legal headaches for themselves.
If however it’s a credit purchase (personal loan, crediário, etc) then it might go to collections, then this advice works.
Online purchases though are 80% credit card and 15% Pix/Boleto so it’s unlikely they got a loan just to buy stuff. If they can get a loan, they’ll get the cash itself and run.
Edit: on a Credit Card transaction the burden of evidence is on the merchant. THEY have to prove it was you.
Tell this to MercadoPago. Once I did a chargeback on a fraudulent gift card purchase and months later they sent this debt to collections - they didn't report it to the credit agencies, though. It resolved pretty fast once I escalated the issue to the ombudsman.
Stolen ID from one person (ID, name, sometimes using the real person’s email and phone, sometimes creating fake yet similar emails like wildrhythms2@yahoo.com), someone else’s stolen credit card number, and a drop address to receive and reship (sometimes deliver direct to the purchaser of the fraud item).
Typically the item is resold for half the price and it’s spoken for. It’s not like they buy to resell later. If they make the fraud they already have a buyer
I have no idea. There are, however, many official invoices (notas fiscais) being issued in my name. I believe there might also be fraudulent credit cards issued in my name that are being used, or something like that, which would explain the physical retailers not questioning the purchase. That is why I am expecting fallout from this.
You can check any credit card issued in your name in Banco Central’s Registrato page[0]. Credit card, loans, etc.
However, HIGHLY unlikely they issue a card in your name and purchase stuff in your name online. If they have a card with them, they’ll go to physical stores and leave with the product with them immediately.
Typically (as I said above) they have purchased a stolen CC number online and are using it until it gets blocked or runs out of balance/limit.
In any case, there’s zero fallout for you, the victim. These retailers are used to this (0,5% of transactions turn into fraud), so they’ll eventually figure out it’s fraud and they know it wasn’t you. They know you’re a victim too.
> I believe there might also be fraudulent credit cards issued in my name that are being used
As tmcz26 said, it's very unlikely they issued a card on your name, but if that happened, contact the bank's ombudsman AND report it to the Central Bank, as they failed the KYC process.
Something similar happened to me once. You need a valid CPF number (something like an SSN) to create an account on most webshops in Brazil, so fraudsters will use stolen ones. They then proceed to purchase stuff with stolen CCs.
Well I am from the fraud remuneration department of Brazil and know the person who pays out compensation for these crimes. Simply send me all your personal information and credit card details and I’ll make sure you get your appropriate payout.
Excuse me, you're calling me a scammer? I suggest you click on my username and see that it is a very legitimate account, with twice the karma as you to boot. I think you're more likely to be the one scamming! Don't listen to 'Aeolun, everyone!
Look, you are literally posting on the internet, on an anonymous account, that if someone sends you their personal details and credit card info everything will be taken care of.
Your first reaction should absolutely be that it’s a scam, and only then further evaluate if it might possibly be true because this is HN.
I could have potentially used the word ‘looks like’, but it’s just a matter of degree.
I think the individual you’re replying to may be lying about their identity to make a point (re: the first individual asking a stranger to send them financial info) :)
In most contexts, providing false information about someone in a way that harms them is slander or libel. I think we need to revisit whether credit reporting deserves to be exempted from that, and under what circumstances.
Absolutely. We should be able to successfully sue credit rating agencies for monetary damages if they tell a lender false information about us and it causes us to not get a loan or have a higher rate than is warranted. It should not matter whether they know it’s false. The harm happens regardless of whether they were negligent or malicious.
This sets a dangerous precedent. If you won, it would apply to all defamation/libel/slander cases, not just credit reporting agencies. News agencies could be sued for saying anything about someone if it later turned out to be false. Defamation laws are already on the brink of unconstitutionality.
This doesn't seem like a bad thing. If I say something untrue about you, and that causes you to suffer damages, you should be able to come after me for those damages, regardless of whether I am a credit rating agency, a journalist, or a regular joe.
If I said to your employer, "I'm pretty sure judge2020 is a wanted criminal," and they actually fired you over it, you should be able to successfully sue me for lost wages (or if you sued your company, they should in turn be able to go after me).
Actually, the way they work is "x company told me y person has <this account> with <these details>". For non-celebrities, it is only defamation if it amounts to at least negligence in verifying these facts - i.e. negligent only if they have reasonable knowledge to believe the information is false. When you report to the bureaus that an account is fraudulent, that is effectively giving them notice that the account in question is not actually yours, and by removing it from your report, it's relieving them of the liability of spreading such defaming information in the future.
I’ve received two data breach notices in the past week, one from my healthcare provider and the other from the bank that holds my mortgage.
In both instances they said to lock my credit, and provide free credit monitoring for a year.
I find this egregiously insufficient to the point where I think we need more regulation in this space. They should provide lifelong credit monitoring and full insurance on any financial fraud that now occurs on my behalf, as well as immediate presumptive financial compensation.
That aside, the root cause here is that identity in the U.S. is a dumpster fire. We have no distinction between unique identifier (SSN) and secret (also SSN). Every other security question is just another version of the same factor type (something you know) which is easily accessible to scammers.
There is quite literally no agreed upon way to prove you are who you say you are.
We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
I believe that the consequence of ignoring this problem is at least tens of billions of dollars in GDP annually lost to fraud. And perhaps more importantly, it’s an insidious erosion of our status as a country of laws.
> We need DMVs to begin issuing IDs that are physical with digital capabilities
The problem is that there is a very vocal segment that views such things as "government overreach" through to the literal mark of the devil.
And then there are the challenges of issuing them. There are states (the same states, typically, who shut down voting locations in working class areas and defund their DMVs) who will fight tooth and nail about having to implement this in a way that is free to all.
You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse. After there is a US equivalent of the GDPR that lets me prevent the surveillance industry, including the traditional financial surveillance industry, from unilaterally creating dossiers about me, then we can talk about better implementations of identity verification. Until then, that dumpster fire is the main thing holding back the surveillance industry from pushing identity verification for ever more routine things like opening online accounts or buying groceries.
> You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse.
There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.
You've literally argued "You're making a strawman by describing what I think!" You're against it because overreach and abuse. I say a segment is against it because of reasons including that. Maybe less of a hair trigger is needed.
> There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.
Sure, technically there is a sliver of actual people out there worried about "mark of the devil". I'd still say it's a straw man to use that to characterize general opposition.
> You've literally argued "You're making a strawman by describing what I think!"
Uh, not at all. I accept that the government wants to be able to identify citizens. I'm not calling this government overreach. What I have a problem with is the ongoing failure to pass any corresponding laws that prohibit companies from abusing these identification systems to build limitless privately-owned completely-unaccountable surveillance databases. These abuses need to be stopped first, rather than brushing off the problems we're already suffering and giving even more to the surveillance industry.
As I said, pass a US GDPR that gives me the right to opt out of most of the surveillance industry, lets me drastically curtail and audit the parts I don't completely opt out of, and make sure any new types of identity attestation are still refutable in the legal system, and I am generally on board with stronger identification through something like a smart card.
> We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
And how will all this magically work online? Answer: you'll have to provide whatever digital secret gives you access, just the way you provide your SSN now. Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
> Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
Loads of ways to do digital attestation but they all involve some 3rd party being the trusted source of truth. Typically this would be the DMV or other government branch and at this point a few red flags start to go off: DMV isn't known for its competence and I'm not really thrilled about them getting hit to confirm my identity for pornhub.
This is a REALLY hard problem to solve unless you take a "privacy must be sacrificed for the greater good" mentality.
I think computers need a card reader (like a credit card reader) to read the card. Or you can use your phone to read it wirelessly via NFC.
One neat thing about systems like this is that the card itself can perform a cryptographic computation that proves its own "ID", without communicating its private key to the connected computer/phone. So even if your computer was compromised, the ID card connected to it still can't be copied. The card is simple enough that there is less attack surface (as compared to an entire computer), so it's much less likely to be hacked, even if it's connected to a hacked device. Though mistakes do happen, since no system is perfect. So if a vulnerability is discovered, new cards might need to be issued.
Granted, an attacker on your computer (controlling it remotely) could just wait until you log in to your bank via smartcard and then quickly pull all your money out... you need a more complex solution to fix that problem (like cryptocurrency hardware wallets use; they have a little screen that shows the proposed transaction, and you have to physically push a button to confirm it, and then it does another cryptographic operation to authorize that particular transaction).
However, the smart card system does prevent an attacker from simply buying a database dump of email addresses, passwords, SSNs, etc. and using that to get into your bank account.
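The challenge-response exchange described in the comment above, as an added example that is not part of the original thread. The names `ToyIdCard` and `RelyingParty` are hypothetical, and the signature scheme is textbook RSA over two fixed Mersenne primes, a standard-library stand-in for a real card's algorithm that is not secure; the card's screen and confirm button are not modeled.

```python
import hashlib
import secrets

E = 65537  # public exponent


def digest_int(purpose: bytes, challenge: bytes, modulus: int) -> int:
    """Hash the purpose label and the 32-byte challenge to an integer below the modulus."""
    data = purpose + b"|" + challenge
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


class ToyIdCard:
    """Stand-in for the card: the private exponent is created and used only in here."""

    def __init__(self, p: int, q: int):
        self._n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private key, never returned

    @property
    def public_key(self):
        return (self._n, E)

    def sign(self, purpose: bytes, challenge: bytes) -> int:
        # Only the signature leaves the card, bound to one purpose and one challenge.
        return pow(digest_int(purpose, challenge, self._n), self._d, self._n)


class RelyingParty:
    """Stand-in for the bank: stores public keys and issues single-use challenges."""

    def __init__(self):
        self._enrolled = {}  # holder -> public key recorded when the card was issued
        self._pending = {}   # holder -> outstanding challenge

    def enroll(self, holder: str, public_key) -> None:
        self._enrolled[holder] = public_key

    def new_challenge(self, holder: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[holder] = nonce
        return nonce

    def verify(self, holder: str, purpose: bytes, signature: int) -> bool:
        challenge = self._pending.pop(holder, None)  # consumed on first use
        key = self._enrolled.get(holder)
        if challenge is None or key is None:
            return False
        n, e = key
        return pow(signature, e, n) == digest_int(purpose, challenge, n)


def run_demo() -> dict:
    card = ToyIdCard(2**127 - 1, 2**107 - 1)  # toy primes, constructed for the demo
    bank = RelyingParty()
    bank.enroll("alice", card.public_key)
    results = {}

    # 1. Card present: sign the bank's fresh challenge.
    c1 = bank.new_challenge("alice")
    captured = card.sign(b"login", c1)
    results["fresh_login"] = bank.verify("alice", b"login", captured)

    # 2. Malware replays the captured signature against a later challenge.
    bank.new_challenge("alice")
    results["replayed_signature"] = bank.verify("alice", b"login", captured)

    # 3. Someone holding only a breach dump (name, public key, static data)
    #    can compute the digest but not the private-key operation.
    c3 = bank.new_challenge("alice")
    n, _ = card.public_key
    forged = digest_int(b"login", c3, n)
    results["dump_only_attempt"] = bank.verify("alice", b"login", forged)

    # 4. A login signature presented as approval of a specific transfer.
    c4 = bank.new_challenge("alice")
    login_sig = card.sign(b"login", c4)
    results["login_sig_as_transfer"] = bank.verify(
        "alice", b"transfer:9000:acct-constructed", login_sig)
    return results


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Case 4 only shows that a signature is bound to what was signed; deciding whether the holder really approved a given transfer still needs the trusted display and button the comment mentions.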
What the heck, I signed up for an account at the advice of the article just so someone else can't register and looks like they automatically signed me up for a digital checking account. I never wanted this
There needs to be a better alternative to credit reports. They only exist because banks and lenders could no longer discriminate on race directly, so they created a roundabout way to discriminate based on "credit score", which happened to be worse for the people they wanted to exclude in the first place.
I recommend to everyone to use an email alias at gmail or a similar service, a different one for every site, instead of your actual email, as the login to Amazon and other services. That way the attackers can't guess your actual login, let alone your password.
How is Experian not sued out of existence for their total failure to protect their customers? I just don’t understand what law allows organizations that compromise large portions of entire societies to continue.
One of the best ways to affect this is to make complaints to the CFPB. They are the regulatory body that is responsible for making sure the credit bureaus aren’t harming consumers
But why can't people successfully sue for libel/slander/defamation by individuals when they give false damaging information about the individual to creditors?
They didn't even ask me to verify my phone number when I entered it. Anyone with my SSN and phone number from an all-too-common data breach could easily pretend to be me and unfreeze my credit file.
This sorta happened to me, except as soon as I got an email from Experian that my email address had been changed, I got to work talking to customer service to get back in. The CS rep had “no record” of anything out of the ordinary happening, just a regular email address change “initiated” by me, when instead it was this brain dead system they have where anyone with the relevant SSN and security question info can register your account anew with a different email.
Once I got back in I saw credit pulls and immediately contacted the companies to figure out the car dealership in question, then called them to let them know that they should under no circumstances sell that car.
The worst part of such an experience is that once you've reported a case of fraud on your credit report, if you at a later date want to open a new bank/credit/whatever account somewhere then you have to jump through ridiculous hoops, or will simply be denied outright because they won't believe that you're who you are since your PII was flagged in the past.
Because like always, the punishment for the rich playing games with our lives is a negligible fine 1/10000th the profit they make selling your information to anyone with a buck.
Same exact thing happened to me. I only dealt with the various credit agencies and Ford. And I had to make a police report to my local PD despite the crime occurring at a dealership across the country — the officer was very kind, and made clear that they would do literally nothing other than produce the case number I needed for the credit agencies.
I wonder if Ford in particular is more susceptible?
In any event, I’ve no idea whether law enforcement eventually looked into it. But the sense I got was no one was going to do a damn thing.
(Oh and Progressive, because they got insurance for the vehicle in my name and also didn’t pay that. But it was 1000x less dollars, literally, so when I told the debt collector “lol not mine” they just went away).
Yeah, afaik, most Police won't do anything with this. My spouse's id was used to rent an Oakland luxury apartment in 2021, along with opening a credit union account and trying to open an amex. Thankfully amex called to check because there was already an account opened, and we were able to get the credit union account closed before it was usable, but the apartment complex seemed unable to do anything and Oakland PD didn't do anything other than acknowledge the report, they wouldn't return calls from our local PD either. IdentityTheft.gov is also a black hole.
Credit freezes are a joke, because if you have a person's credit report, you have enough information to cancel the freeze, even if you can't temporarily thaw it. Still, maybe it's better than nothing, so might as well. But it's then a pain if you need to interact with the credit system; some of the bureaux have such poor systems that your accounts will regularly not work; anyway, credit issuers don't tend to tell you what bureau they'll pull from until after they pull, so may as well unlock the big 3 before you do anything; and batch all your credit increase requests together.
> How does Equifax or TransUnion handle the case where someone else creates the account before you
I can speak for Experian. If you already registered the account, and someone else knows your SSN and the answers to the credit bureau security questions, then _they_ get to register your account. You as the person who originally registered will get an email that your email address changed.
Supposedly the thinking is that they want to make it impossible for someone to truly be locked out of accessing their own Experian account, so they just let you do these stealth registrations as long as you can answer all the security questions. Clearly they need a better solution.
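The re-registration behaviour this comment describes, next to one possible hardened variant, as an added example that is not from the original thread or from any bureau's code. All names, the in-memory store and the sample records are constructed; the hardened policy (no change to the login email until the current address confirms) is an assumption, one option among several.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str
    kba_answers: Tuple[str, ...]  # static facts, the kind that show up in breach dumps
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)
    pending: Optional[Tuple[str, str]] = None  # (requested email, confirmation token)


def kba_ok(account: Account, answers) -> bool:
    return tuple(answers) == account.kba_answers


def reregister_weak(store: Dict[str, Account], ssn, answers, new_email) -> str:
    """Described behaviour: SSN plus security answers re-register an existing account."""
    acct = store.get(ssn)
    if acct is None or not kba_ok(acct, answers):
        return "rejected"
    previous = acct.email
    acct.email = new_email  # login identity replaced immediately
    acct.outbox.append((previous, "your email address was changed"))  # after the fact
    return "email_replaced"


def reregister_hardened(store: Dict[str, Account], ssn, answers, new_email) -> str:
    """Assumed fix: knowledge answers open a request, they do not complete it."""
    acct = store.get(ssn)
    if acct is None or not kba_ok(acct, answers):
        return "rejected"
    token = secrets.token_urlsafe(16)
    acct.pending = (new_email, token)
    # The token goes only to the address already on file; the login email is untouched.
    acct.outbox.append((acct.email, "confirm or deny email change: " + token))
    return "pending_owner_confirmation"


def confirm_change(store: Dict[str, Account], ssn, token: str) -> bool:
    """Apply a pending change only when the token sent to the current email comes back."""
    acct = store.get(ssn)
    if acct is None or acct.pending is None:
        return False
    new_email, expected = acct.pending
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False
    acct.email, acct.pending = new_email, None
    return True


def simulate(handler):
    """Run one takeover attempt by someone who holds the SSN and the answers."""
    ssn = "000-00-0000"  # constructed, not a valid SSN
    answers = ("12 Elm St", "2014 auto loan")  # constructed
    store = {ssn: Account("owner@example.test", answers)}
    status = handler(store, ssn, answers, "attacker@example.test")
    return status, store[ssn].email


if __name__ == "__main__":
    print("weak:    ", simulate(reregister_weak))
    print("hardened:", simulate(reregister_hardened))
```

The hardened variant removes the "never locked out" property the comment attributes to the current design, so a real deployment would pair it with a higher-assurance fallback for owners who have lost the address on file; that path is not modeled here.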
Experian reminds me of enshittification, except it never had any interest in providing actual value to the general public to betray, so started off one step further along the process in a way.
No individual in a personal capacity ever wanted to do business with Experian, like they wanted to buy an iPhone or something. You're introduced to the unpleasant fact of its existence at some point. They don't have anything you want, you're the product from the start, and you don't have to walk into their net, you're probably born in it.
Every time I log into experian.com, I am greeted with an offer to "upgrade" my account for $0.00. At the top is small text that says "Try Experian CreditWorks℠ Premium for 7 days for free, then pay just $24.99 each month†. You may cancel anytime if not satisfied."
First of all, $25/month for an Experian product? I can't possibly fathom how anything they provide can be worth even 1/100th of that. That price just absolutely blows my mind.
But worst of all, they proudly say it is $0.00 and have the pay button the most prominent. How many people get roped into this? They are just slime all the way down.
We're amidst the proliferation of a class of entity that Joe average doesn't quite have the political vocabulary or tools to deal with yet;
Things that deal in you.
They make money from you, indirectly.
You have no business or social relation with them.
You didn't vote for them.
They have immense power to harm you.
You have no recourse.
You may not even know they exist.
Until recently this was the preserve of a few government agencies that had a very narrow focus on a few "persons of interest". Today it is every dime store startup in "big data", search, spammers, social network, and the entire grubby, yellow maggoty underbelly of "surveillance capitalism" and all the mushrooms that grow on it.
So far the promised "benefits" of this have never materialised. Will we be able to keep pretending "nobody cares" as public awareness, and governments' will to enact legislation grows? At some point surely "credit agencies" and their ilk will essentially be outlawed under a dozen different digital rights acts.
This all goes back to the social security not being changeable and morphing from something to claim benefits with to it being your universal password.
In contrast, I lost my drivers license and in order to get a new one I had to go to the DMV in person and put my thumb print on a biometric scanner which pulls up my picture for the DMV person to look at before they authorize the request. I can also file an affidavit of identity theft with a police report attached and they will give me a new license and A NEW DRIVERS LICENSE NUMBER. The federal government trying to shoehorn an unconstitutional universal identity system into social security is the source of all this nonsense.
I was somewhat surprised to find that when I got my driver's licence at 39, it was the same number as the non-driving ID card I got issued at 18. So at least Arizona doesn't seem to be eager to hand out new numbers.
They won't hand out new numbers unless someone has actually used your drivers license fraudulently and you've filed a police report. Seems reasonable enough.
This happened to me and I ended up calling them to get them to reset my email. It hinged on me answering security questions correctly. Which btw, some of these were also wrong since my identity thief changed some addresses on my credit report. What a fucking mess
They should be suspended from being able to do business with this kind of bs and their track record. I wonder if any of this violates people's FCRA rights, in which case that's a lot of fines.
The best outcome is to have minor fraud (someone tried and failed to open an account in your name, or your name+address appears in a data dump somewhere) occur because then you can register a fraud alert and credit freeze in all the agencies which stops a lot of nonsense (random junk mail, risk of actual fraudulent accounts getting established) for a year or so by enforcing extra authentication steps.
I wish I could put a permanent fraud alert on my credit accounts, but would probably have to hire a lawyer or something.
Correct me if I’m wrong, but I’ve signed up for all 3 bureaus and enabled the credit freeze. My understanding, and experience years later, is that it is still frozen. I had to unfreeze a specific one last year for an auto loan.
Is there something else I’m missing that’s only temporary?
The fraud alert adds a requirement that potential lenders call a phone number added to the credit file to authorize new loans/accounts, making it significantly less likely that fraud can take place.
I understand that, I’m curious if reporting fraud activity helps prevent that in some way like the parent comment seems to suggest, if only for a year.
I think a tit for tat system could help. Anyone who views your info should also allow you to view theirs. Regardless if you work for some legitimized cause or not. This should be codified into law and should be punishable via a fine/debt which could not be canceled (gov loans, taxes).
Our legal system typically isn't built around vengeance.
And if Experian knew who was viewing our info inappropriately, they'd know it's not us -- and stop it. Instead their lame system assumes that anyone who has minimal information about us _is_ us.
I've been getting mail that is a variation of my name, wondering if someone used my identity damn. I did put some lock thing on my credit so it's harder to open new accounts, forget what it's called.
I have stuff like credit wise, karma, etc... have not seen weird/unknown accounts so hopefully I'm good.
The fact that we haven't nationalized credit reporting absolutely baffles me. These companies have so much power over our lives, are completely unaccountable, and are so incredibly incompetent.
The whole credit rating system as it is in the US seems completely ass-backwards to me. It basically encourages people to go into debt to build a history of paying it back in time.
Here in the Netherlands it works exactly the opposite: the best 'rating' is to not be in the system at all. When you get a loan, the amount and monthly payments are registered. This registration is removed once you have paid back the loan.
When you ask your bank for a loan, they basically look at two things: how much is your income and how much are your current financial obligations (i.e. existing loans). Cost of living is subtracted from your monthly income, as well as the monthly payments of your existing loans (from the national debt registry). What's left is how much (additional) monthly payment you can afford. If the monthly payment for your newly requested loan is above this number it will be refused.
As such there is no such thing as a good or bad rating, only what you can and cannot afford.
> It basically encourages people to go into debt to build a history of paying it back in time.
How do you propose a third party can establish your ability AND desire to pay back a loan, i.e., determine how much risk there is in lending to you?
> As such there is no such thing as a good or bad rating, only what you can and cannot afford.
This is a completely naive line of thinking. Maybe you CAN afford a loan, but WILL you pay it back? Ah, you might say, the bank will remember that and refuse to loan you money next time. Congratulations, you've invented a system of credit worthiness.
> How do you propose a third party can establish your ability AND desire to pay back a loan
Ability is simply by asking for a recent payslip. For things like mortgages they usually ask for a signed statement from the employer as well (they declare that if employee continues to function as (s)he has been they have no intention to end their employment).
Desire doesn’t really factor into it. If you don’t pay your debt they will get their money one way or the other. Personal bankruptcy is not a thing over here, you cannot walk away from debt.
> Maybe you CAN afford a loan, but WILL you pay it back?
Of course you will, you have little choice. Worst case they get a judge to simply take it out of your paycheck.
I still don't understand. Of course getting a judge to take it out of your paycheck is possible in America too. But preferably before a bank loans you money, they want to determine whether they can rely on you paying back on your own or whether there's a high likelihood they will get a judge involved? What if the bank doesn't want the hassle of involving a judge? How do you even measure the probability of needing to get a judge involved? Then it's back to credit scores.
Obviously it’s a last resort. The point is that someone who can afford to pay and doesn’t is very uncommon as this would cause a lot of trouble for the person in question.
Then you might as well say that in the first comment. In the U.S. banks certainly already look at your income to make sure you can afford to pay. Credit scores just measure willingness to pay. And before AutoPay became popular, they also measure whether a person can consistently take care of their own affairs and remember to pay.
We have those too, but that's not exactly the same. Say you have a mortgage with a variable interest rate. A repeated scheduled transaction won't work because the amount can be different each month. Same goes for things like energy bills if you have a flex-contract where you pay the actual amount used each month. In my case they will just take whatever amount is due out of my bank account each month.
Makes a lot of sense to me. Are people penalized in some way for a history of mis-spending their money? For example, an individual who could afford a loan in theory, but gambles away all their money at a casino and misses loan payments.
Someone fiscally responsible enough to never need a loan in the first place (either because of higher income or simply from living in more humble needs) will have a lower credit score than someone who did need a loan. That's weird.
There are a million things broken about the American credit reporting system, but I'm going to try to make a case for one very specific part of it:
> how much is your income and how much are your current financial obligations
This doesn't work if your income doesn't show up in the government's system. For example, if your income comes from illegal activity. Crime is bad and you shouldn't do it, but crime is an economy and some people really don't have a better option. If your income comes from criminal activity, getting boxed out of the consumer financial system isn't helping you towards any avenue where crime is no longer the best option.
> This doesn't work if your income doesn't show up in the government's system. For example, if your income comes from illegal activity.
It's not a government system. Banks will typically ask for a payslip.
> For example, if your income comes from illegal activity.
You think banks are going to give you a loan if your income is from criminal activity? That's cute. Banks are required to report suspicious activity and the last thing they want is even the appearance of being involved in money laundering. It's a problem for certain professions, like sex workers (which is a perfectly legal occupation here): as they mostly get paid in cash and often deposit large amounts of it, they are an obvious channel for money laundering and as such they have a hard time just getting a bank account, never mind getting a loan.
> It's not a government system. Banks will typically ask for a payslip.
I admit to misunderstanding but I fail to see how this diminishes my point.
> You think banks are going to give you a loan if your income is from criminal activity? That's cute.
That's exactly what I'm saying. The above approach systemically blackballs anyone who lacks a better avenue to a reliable income.
That's a failure that exists in both the American system and the Danish one. My point is this: In the American one, it's a byproduct of AML law, which could easily be changed to allow banks to ignore small-time cases (with conditions, of course). In the Danish system, the blocker is inbuilt - it can't be regulated away without fundamental changes to the design of the system. Adding a "proceeds from criminal activity" box doesn't work great. Ask Al Capone.
Petty criminals don't pose enough of a threat to society for it to be worthwhile to block them out of basic, low-risk financial services like checking accounts and debit-backed credit cards. Barring them from those services doesn't discourage the illegal activity. It does more to lock them into their current socioeconomic status.
Years ago I worked in the industry and I totally agree. Fair Isaac in particular has enormous power as basically the only source of models people use, and they are very opaque.
Yes and then people claim the social credit scoring system in China is a dystopian hellscape. I happen to think it’s far less dystopian than privately run financial credit reporting agencies.
Right, so as a solution to them having: too much power over our lives, being unaccountable and incompetent. Is:
Giving the backing of the state over their actions. Move from being accountable to government to _being_ the government. And the competency of giant public bureaucracies!
God this is so frustrating. I saw multiple ads today on TV for Experian's debit card. Wool over the eyes and a brand grab for "the Experian promise" or whatever it was
I’m guessing this will continue to happen until, I dunno, some of the execs at Experian continually have their accounts compromised in the same way again and again.
Unfortunately, the people in charge of these systems have enough money to hire people to do all of this crap for them. They don't do their own taxes, they don't open their own credit cards, they don't negotiate their own mortgages or car loans, nothing. They just tell their butler or financier or real estate agent or whatever "Go get me an X" and that other person deals with all the shit. Being the target of identity fraud just means they hire another gofer to deal with it full time for six months which costs them so little money, relative to their wealth, that it's not even worth thinking about. And they're not even using their own credit, most of the time, they're using the "credit" of some shell corporation or limited liability corporation or trust or whatever other financial bullshit they hired a dozen lawyers to set up to commit tax fraud. So no, they experience none of the shit they perpetrate.
Yes, it sure would be a shame if, I dunno, some execs at Experian were to experience some of the same issues that so many others have - due to the existence and ... 'management' of their own business ...
Why, going through such trials, ex opere operantis, might just sour a 'true believer' in the "invisible hand" on the whole novus ordo seclorum.*
Hahahhahahaha! Urghk, briefly part-swallowed my tongue from laughter, excuse me...
* As the undoubtedly distinguished graduates of Yale SOM, for example, might phrase it
This isn’t an opt-in service. It’s a dragnet surveillance system. All it knows is slurping up data. Are there case statements all over the codebases to exclude the execs of three different companies and congress?
This makes me feel pure rage. The execs should be thrown in prison and the keys should be thrown away with them. Punish this at the highest levels, severely. The government needs to make examples out of them.
What even is the CISO doing? Sitting on her thumbs for a year?
That's the point. Politicians get paid (donated, contributed, whatever) to vote businesses' laws to benefit the business, not you. Toothless laws make a good sound bite but do nothing to help you.
Yet another reminder that account recovery is the weakest link in the security chain for online accounts. Consider all the work going into new tech such as passkeys -- none of it matters if it's possible for janky account recovery techniques to punch a hole through flawless authentication standards. Unfortunately, companies have come to expect that a large number of their users cannot be expected to reliably store and retrieve their login credentials, whether in a password manager or their head.
I am still livid on a weekly basis when some strangers create an account for a service using my email address (non-maliciously, usually); I get a "verification" email; and I can only choose "YES, Please verify", or ignore at my peril.
From tiny little mom-and-pop shops, to FAANG giants, nobody is giving me the opportunity to say "NO that's NOT me!". And though it's a "verification" email, typically the account is usable and the vast majority of functionality is allowed even without verification. So I get to vicariously and angrily "enjoy" the follow-up emails and updates while the users gamble, purchase, sell, review, invest, write, game et cetera using my email address.
I had a positively hilarious interaction when somebody with my name used my personal email address for their retirement fund provider. I received an invitation to a zoom meeting addressed to my personal email account and their work email account. So I went ahead and joined the meeting in progress.
I sat silently for a bit while the financial advisor finished his talking point. Then I spoke up. I don't remember exactly what I said but the other guy with my name sat there with a scared / dumbfounded expression on his face while the financial advisor calmly asked me to leave.
I told him I would leave as soon as they promised to remove my email address.
Given it is your email that is being used, that should allow for you to take over the account(s)? I'd submit a password reset, change the password, then just allow the account to live a dormant life.
That of course doesn't make it any less annoying, but it would at least stop an actor from using an account that is associated to your email.
For Experian accounts, doing a password reset requires an SMS or phone call code.
The only mechanism you have to alert the person usurping your email identity that there is an issue is to trigger the phone call verification 3 times per day, preferably around 4am.
If you call the phone support, it will give you robots until playing a pre-recorded message telling you to physically mail a legal request including copies of your ID etc.
File an FTC and CFPB complaint. Only regulators will light a fire. Experian isn't going to do anything due to consumer complaints, as the consumer's credit file is the product. Let someone from Compliance have to email the product owner about it, and the complaint starts the clock ticking.
Be careful, in the USA that is still a violation of the CFAA and US courts have proven themselves to be technically incompetent time and time again. People have been sent to prison under CFAA for using the “view source” button that’s available in every web browser.
> Governor Parson's office maintained that Renaud had unlawfully hacked the school website: "The hacking of Missouri teachers' personally identifiable information was a clear violation of Section 569.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative."
It wasn't thrown out by a judge. The governor still maintains that the reporter "hacked" and violated state law but the prosecutor's office declined to pursue the case.
Doesn't exactly work when they use your email to create an Apple iCloud account. It needed the actual iPhone it was connected to to complete the reset, I think I ended up getting it into a weird unusable state where neither of us could log in.
1. That exposes me to MORE involvement with this service, not less, and potentially legal culpability. Risk may be small but impact is large and benefit is negligible, so math doesn't work out for me.
2. It requires MORE effort on my part. For a poor design and error made by not me.
If it were once every 5 years, maybe.
When it's weekly, it's just an annoyance.
Sometimes when I'm really angry, I just write to their GDPR or compliance officer with a stern letter and links to various sections of the law and their obligations. Doesn't accomplish much but makes me feel better :-)
But overall, it's a systemic issue, and given we are on hacker news, I'd say it's OUR systemic issue caused by us :-/
I was receiving somebody's water bill in my email addressed to someone in the Netherlands (apparently with a similar name). It contained their address, full name, details of their water bill... The email was in Dutch and I used Google Translate to make sense of it. It came from a no-reply so I couldn't just reply and say 'wrong customer', and there was no customer support email address to be found. I had to go to the company website and hunt down some kind of feedback form and beg them to fix this customer's email address. Eventually I stopped receiving the emails. I guess that company never even verifies email addresses. The company is called Oasen in case you're wondering, name and shame.
Vietnam Airlines once sent me someone's airline ticket, about 48 hours before they were due to fly (and about 10 years after the only time I ever flew with them). Their name wasn't even remotely similar to mine and their email can't have been either. At least that one appeared to be human error so there's a chance that my email pointing out the mistake was read by a human that was actually able to sort it out.
Don't be too quick to assume this. Likely the email account is one of many spammers gathered from a data breach.
Reset the password. I even change the username to "spam" or something too, poison as much of the associated data as I can. PITA I know, it happens to me regularly.
I frequently get emails intended for someone who has my same email handle, but with the extension "@googlemail.com" instead of "@gmail.com".
I know a lot about them. I know their shipping address in the UK. I know that they order inexpensive club attire, online Domino's delivery, and have a specific gym membership.
I am shocked that Google offers no way to disentangle my email address from this person's. A more malicious person than I could easily take advantage of all of this personal information.
Or they could just have a similar gmail address they frequently get wrong (or that looks like yours when written in the terrible handwriting they fill in forms with)
There's probably a single digit number of people with my initial and surname in the world, and I still get order confirmations for one of them, car promotions for another and am on some sort of targeted B2B spam list for a third to my Gmail address in that format. I quite like the order confirmations tbf, most of them are for a fish and chip shop I actually used to get food at when I was a kid and my grandparents lived nearby so they're oddly nostalgic
Nah, this person just doesn't know what their own email address is and types yours instead (yours with googlemail). This happens all the time and it really isn't something Google can do anything about.
Lyft likely cost customers' funds through a poor process like this in the past.
One could create an account, hail rides and add their own payment method while still being associated with someone else's email. Ride receipts would then be sent to someone else's email where the receiving party could add or increase a tip through an unauthenticated link and have it charged to the rider's credit card.
I have had spotty success forwarding the confirmation email to security@{wherever the mail came from} explaining the situation. When that fails, you can look up the WHOIS information for their mail sending provider and contact their abuse@ inbox as well.
I can beat that on annoyance level at least. I still get postal junk mail for Mr Qwe Rty after I put it in a test form when I was a contractor in 2005. This got onto a database somewhere and was sold to someone and I just get junk mail galore!
I have an early/obvious Gmail account and get around 3 messages per day from unauthorised signups to legit sites. Facebook and Google (as recovery account) are the only ones that allow you to de-link your address from an account.
I get these every so often and I'm curious what you mean by ignore at your own peril. My approach has been to ignore it and assume they will realize their mistake and reregister.
There's any number of risk scenarios, assign likelihood as you will:
* owner of account doesn't pay, service sells the debt to collection agency, and they come after you because it matches your email and profile.
* owner of account subscribes to something unsavoury or does something illicit, which is now traceable to you
* given email is a big part of the incredibly ridiculous and overly pervasive tracking economy and profiling of the interwebs, your profile will now be even more annoying than before and be associated with things you don't want them to be.
Etc. Or just, to your point, one day they'll realize their mistake and be mad at YOU (because people aren't generally good at taking responsibility :) and now it's a thing.
I should mention I have a dozen email accounts of various degrees of protectiveness. This happens, annoyingly, to my most private address that I have never ever once used for business or signed up for anything, only for friends and family. So among everything else I'm peeved that my pristine email and identity is being polluted by other crap.
And again... The reason this frustrates me is that this should.not.be.an.issue in any sane world. If you're sending a verification email it should have a No option. Anything else is grossly negligent or evil or both.
I understand the problems with people using your email to register for sites. My confusion was the claim that verifying the email for some random stranger causes fewer problems than ignoring the verification email.
Over the years, I've received people's private medical bills; been subscribed to dating sites of various degrees of sketchiness; my email has been used to register with government agencies in countries of various degrees of sketchiness too; signed up for gaming, gambling, crypto, banking, NFT, investing, and so on - many things where my comfort level for mistakes and mistaken identity and confusion and incorrect systems of record is lower than "some kiddie signed me up for blizzard.net" :-/
Do you have an example of what your email address is?
Is it like "john@gmail.com" or "mike@hotmail.com" or something?
Seems pretty crazy that someone chooses it randomly every week.
Have you considered getting your own domain for your email to make this problem go away? Obviously changing addresses is painful, but living your life with a common email seems worse.
I’ll chip in as john.<reasonably common surname>@icloud.com.
I still get email from AT&T for John Notreallyme who I believe is in his 80s and lives in Montana. He signed up in-store and I got emailed all of his details.
I got the first email that asked me to confirm my email address. Obviously I did not do that.
It makes no difference. I don’t know why they bothered.
Mine is first initial, somewhat-uncommon last name at gmail.com. Address acquired during the public beta back in 2004.
I regularly get reminders for dental visits in Oklahoma, purchase orders for machinery in Germany, and course registrations for some person who works in my industry and was easily searchable online.
It is not so intrusive to be problematic, and is mildly interesting.
I’ve made a few online “acquaintances” over the years as I’ve figured out the real email addresses for the people for whom I receive email at iCloud. We check in each time I forward something to them.
It can be fun to figure out how to contact your “acquaintances” the first time this happens. You can't really email them, can you?
I had it when someone (or likely his partner) with the same (somewhat uncommon!) firstname.lastname@gmail.com used my email. I started digging and it turned out we both were/are PhD students, just totally different fields. Must have something to do with the name. I was happy that via the faculty site I found his "real" email. Nearly sent him a really weird postcard, I had only his postal address...
It wasn't as hard as I expected. In one case, I found her last name on an email and it had an additional letter, so I just modified the address to match her name (we were both first initial/last name).
In the other case I must have simply experimented with first initial/middle initial/last name, and that worked.
One is a minister in the Boston area, so it's not hard to recognize her inbound emails.
I get tons of email intended for the other "first last"s in this world.
Most memorable are an employment offer as an environmental engineer in New Zealand, the results of an environmental survey for some commercial real estate development in Houston, TX, and bankruptcy papers from an attorney in British Columbia, CA.
Experian allows unfreezing via their site in the article. If someone can easily recreate your account, they can unfreeze it which makes it pretty useless.
Yes, but if you have an account you’ll at least get an email notifying you that your account’s email address has changed (as a result of someone recreating your account). That’s how I was tipped off to someone trying to buy a car in my name (by pulling on the thread of calling customer support asking wtf I got that email). So it’s very useful to at least have an Experian account so you can know when someone is trying to go after you this way.
Now granted, it’s possible that the attacker won’t change your email address first, in which case I’m not sure if you get an email stating that your credit was unfrozen. But it’s likely they’ll change it in order to make it harder for you to mitigate the damage in a timely manner.
The one that tries to upsell hard is so annoying, I can't be arsed to go find it right now, but the other two make it so easy, yet the one that tries to upsell, it's like every other click takes you to an "input your credit card" screen.... Seriously annoying.
Just had to deal with this for the first time in the last two weeks when someone tried to open a fraudulent account in my name... Interestingly, this happens for the first time in my life 2 months after I had to write down all my personal information to get a 0% APR credit card from a jeweler store...
It should be a default frozen system, not a default open system.
Just tried this for Equifax, got this message. I live in Washington state.
We've encountered an error
Sorry, this service is not currently offered to residents of your state. If you need further assistance, you can call Consumer Care at 1-866-295-6801 during our regular business hours 9 A.M. to 9 P.M. ET Monday to Friday, and 9 A.M. to 6 P.M. ET Saturday and Sunday except holidays.
> 3. Your MONTHLY salary and combined comp per year going back to 20XX when I came to the US.
You work at a big company. Your employer is choosing to sell this information to credit bureaus.
I first learned about this practice in the mid-2000s. Like you, I was quite surprised, but they didn't have any data on my own income or assets yet, and I resolved never to work for an employer that would engage in this type of business practice.
I think employers should be legally required to disclose and obtain written consent to sell your income data, but beyond that point, it's really on you to decide what employment arrangements you are willing or unwilling to accept. It's sad that you had to find out this way given how easy it would be for these employers to just disclose it upfront. I'd recommend looking for a different employer.
Yes, and no. I would note that they are definitely not alone and are much better scrutinized than the other data vendors you’ve never heard of that have much more detailed and personal data about you.
The credit agencies however offer you a real and valuable service. Without credit history it’s impossible to get credit. It’s also harder to get jobs and to rent. So while it’s creepy, at the very least you gain some demonstrable advantage and benefit.
The data brokers and vendors however collect without your permission or knowledge, compile much deeper profiles of you as a human being and what you do and enjoy, along with these other details, and sell it for a profit you never get a share of.
Perhaps one day we will have a functioning legislative branch and from it will come a real privacy bill. I’m hopeful it’ll be better informed than the EU ones by taking lessons learned. But I hope for a lot of stuff, like world peace and cures for cancer.
“The credit agencies however offer you a real and valuable service. Without credit history it’s impossible to get credit.”
I think I generally agree that this is a reasonable service, however the main reason you can’t get credit without a credit history is these services exist that can provide credit history to lenders. It is bizarre to think that loans would not exist without these services.
Loans did exist before credit, but it was almost always loans from friends/family or by providing a large down payment to the bank you wanted a loan from. You needed to be a known and upstanding member of the community to get a loan for anything substantial.
And technically, you can get many loans today without a credit score. For example, there are bank statement mortgage loans, but they have caveats like:
- you will go through manual underwriting and will likely need to show records of payment history on any existing debts, including utilities, insurance, rent, etc
- They will likely need the contact information for each one of your previous debts to verify it manually
- When they run a quote, you will typically be considered at the lowest credit score possible for that program - typically 620 for a conventional loan or 500 for FHA. This means you'll be getting the worst rate possible
- You'll likely need a 20% down payment, depending on if any of the PMI automated underwriting systems even give you a quote with such a low "fake" credit score. The lender might ask for more of a down payment depending on their own risk assessment.
- The lender (or whoever buys your loan) will report your new account to the bureaus, giving you a score.
Additionally, while it may suck, and maybe there is some other emergent reality that sucks less, we practically live in this one. Don’t cut off your nose to spite your face.
Salary/compensation is not actually provided via your credit report to companies who perform a hard inquiry. If you look at your annualcreditreport, that's exactly the data the inquirer receives, and it just has your start date and company.