Experian Sold Consumer Data to ID Theft Service (krebsonsecurity.com)
310 points by cylo on Oct 21, 2013 | 79 comments



I did a double take when I saw this because I've been in contact with Equifax recently because I started receiving SPAM from a non-existent email address that I shared with them.

I have a Catch-all address set up on my Domain so that I can give every site I interact with their own custom email address. In this case it was equifax.com@mydomain.com. Since the email address doesn't exist, and they're the only company I've shared it with, they're the only ones with a record of its existence.

When I emailed them asking if they'd had a security breach or if they were selling email addresses they responded saying they would opt me out of marketing emails. When I responded with the context and header info of the emails I received and asked if this was in fact from them things turned. About an hour later I got a response, the tone had changed significantly and they indicated that the incident had been escalated to their security department and that they would be in contact with me as their investigation progressed.

I can say this has been the best response to the dozens of emails I've sent to companies about the same issue. The worst was Best Buy whose response was something along the lines of "Eat Dk, we do what we want."


I do the same thing (using unique email addresses) and over the years several such addresses have been acquired by spammers one way or another. Until recently, it was mainly smaller sites and businesses that this happened with. But I was quite surprised when I started getting spam at the unique address I gave to Dropbox.


I'm always disappointed when I receive SPAM from large online companies like that. SPAM on non-profit emails or from small businesses that probably use Outlook are no surprise but large IT related companies are disappointing.

I was pleasantly amused when I got an email from my congressman asking me specifically about my email address and wanting to know what was going on. We had a nice back and forth conversation about it and I had a greater appreciation for him as a result because I knew that a human was actually reading my emails. More than that, he was looking at the email address.


Heh, same. The excuses I get from companies are hilarious. In my case they're just the domain, but encoded and obfuscated. The company will claim anything to get out of it, that my account was compromised, all the way to someone guessing it.

Irritatingly, when I signed up for the utilities at my apartment I used a single address "utilities@domain.com" for simplicity. One of my three suppliers leaked my details with that address, and they all deny it. Took less than a week from moving in to getting penis pump advertisements at that address.


I worked for an Equifax subsidiary for a time, and I can vouch that at least there they took security very seriously, and always worked with the best practices.

The downside was that changes were veery slow to implement :)


That's not exactly a difficult email address to guess, I would think that in this case (specifically this case) Equifax would have a very good claim that it wasn't them that leaked it. If instead you had used a hash or something unguessable then you might have a case, but I could easily go and sign up to my favorite Nigerian viagra supplier with all the usual suspects facebook@yourdomain.com, airbnb@yourdomain.com... and you'd go right on blaming Facebook, Airbnb, etc.


This is a classic case of engineering a solution to a problem that doesn't exist.

The first question you have to ask yourself is for what reason would anyone choose to do that? Shits-and-giggles and malice against me personally are about the only legitimate reasons someone would do that.

Spammers wouldn't want my dummy addresses in their list, and harvesters who sell emails to spammers wouldn't either because I could easily invalidate swaths of their lists by disabling my catch-all giving them a bad reputation.

I mainly do this to see how my email address gets around. If and when I contact a company about my email address receiving SPAM, I don't name and shame in any public capacity. It's of little consequence how they respond because the damage is done, it's not like they can undo the SPAM.


Agreed--this is why I append a few random characters to the end of my catchalls when I set them up. Not a hash or anything, but the likelihood of someone guessing a few characters blindly hit on the keyboard is low.
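
The guessability objection and the random-suffix reply above, as an added example that is not part of the thread: deriving the suffix with a keyed HMAC instead of typing random characters means nothing has to be recorded per site, and mail arriving at the catch-all can be sorted into aliases that were really issued and aliases someone made up. The key, the `example.org` domain, the 8-character tag and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import re

# Constructed values for the sketch: generate a real key with secrets.token_bytes(32).
SECRET = b"constructed-demo-key-keep-the-real-one-offline"
DOMAIN = "example.org"
TAG_LEN = 8  # 8 base32 characters = 40 bits of the MAC
SITE_RE = re.compile(r"[a-z0-9]+(?:[.-][a-z0-9]+)*")
TAG_RE = re.compile(r"[a-z2-7]{%d}" % TAG_LEN)


def site_tag(site, secret=SECRET):
    """Truncated HMAC-SHA256 of the site label, base32 so it is valid in a local part."""
    mac = hmac.new(secret, site.lower().encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(site, secret=SECRET, domain=DOMAIN):
    """Build the address to hand to one site, e.g. equifax.com-<tag>@example.org."""
    site = site.strip().lower()
    if not SITE_RE.fullmatch(site):
        raise ValueError("site label must be letters/digits separated by '.' or '-'")
    return "%s-%s@%s" % (site, site_tag(site, secret), domain)


def classify(address, secret=SECRET, domain=DOMAIN):
    """Return (verdict, site) for a recipient address seen by the catch-all.

    issued   - tag matches: this exact address was handed to `site`
    guessed  - looks like an alias but the tag is wrong: never issued by us
    untagged - no well-formed tag (legacy alias such as equifax.com@...)
    foreign  - not our domain
    """
    local, _, dom = address.strip().lower().rpartition("@")
    if dom != domain.lower():
        return ("foreign", None)
    site, sep, tag = local.rpartition("-")
    if not sep or not SITE_RE.fullmatch(site) or not TAG_RE.fullmatch(tag):
        return ("untagged", None)
    expected = site_tag(site, secret)
    # Constant-time comparison so the check itself does not leak tag prefixes.
    if hmac.compare_digest(tag.encode("ascii"), expected.encode("ascii")):
        return ("issued", site)
    return ("guessed", site)


def triage(recipients, secret=SECRET, domain=DOMAIN):
    """Group recipient addresses by verdict."""
    report = {"issued": [], "guessed": [], "untagged": [], "foreign": []}
    for rcpt in recipients:
        verdict, _site = classify(rcpt, secret, domain)
        report[verdict].append(rcpt)
    return report


# Constructed sample of envelope recipients from a spam folder.
SAMPLE_RCPTS = [
    make_alias("equifax.com"),          # really issued: points at that one relationship
    "facebook-aaaaaaaa@example.org",    # dictionary-style guess with a made-up tag
    "equifax.com@example.org",          # the guessable form discussed in the thread
    "someone@elsewhere.test",
]

if __name__ == "__main__":
    for verdict, addrs in triage(SAMPLE_RCPTS).items():
        print(verdict, addrs)
```

Only an `issued` hit supports the claim that the address came from that site's records; `untagged` hits carry the ambiguity the reply above describes.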


Very interesting story. Do let us know how it turns out.


This Dilbert comic is 100% apt today: http://dilbert.com/strips/comic/2010-10-14/


Perfect.


Except there's actually no such thing as "identity theft" - it's a mere figment of the credit industry's (tracking industry's) fantasy in which they're omniscient, and an attempt to slowly push the responsibility for bank fraud onto uninvolved third parties. In reality, some would-be bank fraudsters got ahold of some non-secret information.


I agree. Identity theft is just a particular method of fraud with a name that mitigates the responsibility of the institutions that enabled the fraudsters.

I don't know if it is one of those terms that was invented by one of those PR agencies that invented terms like "climate change" to mitigate the visceral impact of "global warming."[1] But it certainly has ended up as a term that obfuscates the responsibility of banks to stop treating public information like passwords.

[1] https://en.wikipedia.org/wiki/Frank_Luntz


I think 'climate change' is generally used now because 'global warming' implies the entire globe will become warmer, when in fact some areas, due to complex interactions, will actually become cooler. That, combined with the political posturing (on both sides), has made it useful to use a more general term. IMHO.


I think this is relevant: it's a sketch from the show "Mitchell and Webb" about identity theft.

http://www.youtube.com/watch?v=CS9ptA3Ya9E


The UK police[0] define identity theft as when personal details are stolen and identity fraud as when those details are used to commit fraud.

[0] http://www.actionfraud.police.uk/fraud_protection/identity_f...


Companies that facilitate identity-based services should be charged as accomplices then, as well as receiving stolen goods.


I wonder if you could mount a class-action lawsuit against multiple financial institutions on behalf of all the "identity theft victims".


Well, is it fair to say that the credit system in the US is fued up? Oligopoly of 3 agencies have pretty much entire control of your fate. Yes Fate. Purchasing power means cash and since credit = cash these companies control the cash that you have at disposal. Which means your FATE. It's insanely difficult to pierce oligopolistic structures and Cartels because of obvious reasons. But some day some startup needs to tackle this. The system works for most but doesn't work for many.


Yes absolutely. I currently cannot buy a house despite having a six-figure income for 4 years, money in savings, and having no debt save my student loan. All because of bad decisions I made in years past.


Actual bad decisions you made in the past are a valid reason not to risk underwriting a large loan to you. There are valid criticisms of the credit agencies, but that doesn't seem like one of them.

If you want a mortgage and you feel you have a convincing reason a bank should risk entrusting you with their money despite a bad credit history, try an in-person appointment with a lender at a local credit union. Be prepared to show your bank statements, several years of tax returns, and if you're self-employed, a signed letter from your business's accountant about the health of your cash flow. You'll definitely need enough cash on hand for a downpayment of at least 30% of the house's value; good strategy even if it weren't required.

If you really want to look credit-worthy, use that six figure income to pay off those student loans before you take on an even larger debt obligation.


I don't disagree with you–but it can be frustrating to know you've improved both your responsibility and your earning power yet only be judged by the past.

For example, I've paid cash for the last 5 cars our family has purchased over the last 6 years. Why doesn't my ability to do that apply to my credit-worthiness? Small things like that annoy me about the agencies/system.

Also, the median home price where we live is $500-600K (depending on the city/neighborhood). 30% of that is quite a down-payment.


> For example, I've paid cash for the last 5 cars our family has purchased over the last 6 years. Why doesn't my ability to do that apply to my credit-worthiness?

Because paying cash once for something is the opposite of proving credit-worthiness. You haven't proven an ability to uphold your end of a long-term agreement.

If you want to improve your credit, finance those cars. Make payments for about 6 months and then pay them off. You pay a little extra in interest, but you get another credit entry which is in good standing.

On an unrelated note, you can almost always negotiate a better price on your car (in the US) if you finance and then pay the loan off.


There are better (less expensive) ways to build credit than car loans.

While I don't remember the name, my wife and I built credit getting some sort of secured loan from our local credit union. The process was something along the lines of making an account with them, putting $X into the account, and then getting a 6 or 12 month loan from them for the same $X dollars at a really low interest rate. Overall I think we paid $30 to $50 dollars over that period in interest.


>Because paying cash once for something is the opposite of proving credit-worthiness. You haven't proven an ability to uphold your end of a long-term agreement.

This is absolutely true under the current system. But, I think the parent is actually questioning the rationale behind the current system.

I agree to some extent. Accruing, then using significant cash-on-hand to make multiple large purchases should speak more than it currently does to the customer's financial responsibility and/or wherewithal. It's also potentially evidence of his/her earning ability. All of these should contribute more to the determination of a person's "credit-worthiness".

The current system is punitive for those who generally don't like debt, but recognize its necessity for large purchases (i.e. especially for homes). Debt elimination/avoidance is a sound and oft-recommended personal financial practice, which should show sound financial judgement. Why is there a penalty for subscribing to it?

Of course the credit-reporting bureaus profit tremendously by upholding the current system as it is. Their biggest customers as well as their source of information/power are the creditors themselves.


> Of course the credit-reporting bureaus profit tremendously by upholding the current system as it is.

This doesn't seem to follow. The credit bureau has incorrectly identified a responsible person and denied them a loan. No loan = no interest payments. How do they or the bank profit? People who deal solely in cash are the worst kind of (non) customer for the financial industry. Wouldn't the banks prefer (and pay for) accurate ratings over inaccurate ratings?


If that denied person then goes off to build a credit profile by engaging in a series of other credit transactions, then the value of that customer grows tremendously for the credit bureau. Each debt becomes a part of his/her profile that can then be sold and re-sold. And each transaction generates revenue for the bureau as prospective new creditors pull the customer's credit. It's a self-serving system that benefits both the creditors and the bureaus. From the bureau's perspective, this is far more profitable than taking into consideration other factors to get just one loan decision "right".

And, this is how we've been trained to "build credit", as evidenced by the grandparent's standard advice to improve credit by financing cars and paying them off over the months vs. paying in cash. This is how things work currently, and most people understand and follow that program, which suits the bureaus quite well.

>Wouldn't the banks prefer (and pay for) accurate ratings over inaccurate ratings?

This is not to say that the current approach is wholly inaccurate. It certainly can be one way to measure worthiness. I'm just saying that there are other approaches that are overlooked and, as it happens, the credit bureaus don't have much incentive to pursue those other approaches.


You're assuming that "credit-worthiness" == "financial responsibility", but they're not the same thing, because "credit" as it's used in our current economy is not the same as "credit" as you would think of it just using ordinary common sense.

When you get a loan for a car or a house or pretty much anything else, the bank is lending you money it doesn't actually have. (This is called "fractional-reserve banking" in order to confuse the uninitiated into thinking it is something abstruse, when it's actually very simple: I've just defined it in one sentence.) The cash that gets paid to the seller when you close on the loan is created on the spot (ultimately it comes from the Federal Reserve, at least in the US, which can print money on demand--actually it doesn't even have to "print" it since it's just electronic entries in accounting databases); it doesn't come from the bank's vaults.

So the bank doesn't really care whether or not you can pay back the loan; it makes its money on the "processing fees" at closing. The loan payments you make are going to third parties (in many cases, the bank sells your loan to a third party almost as soon as it's created), who are spreading the risk of default much more widely. (If you ask, "what happens when that risk isn't spread widely enough?", the answer is that you get an economic meltdown such as the one that happened in 2008.) But since the primary lender is making money on fees, it considers people "credit worthy" who generate fees: i.e., who take on debt. It does not like people who pay cash because that creates no debt and hence no fees.


>You're assuming that "credit-worthiness" == "financial responsibility"

No. I am saying that it doesn't, but should to a larger degree.

>This is called "fractional-reserve banking"

Yeah, I'm pretty well familiar with our banking system. No need for the Dr. Evil-style "laser" air quotes. It's not germane to this discussion in any event, as defaulted loans aren't good for the bank.

>So the bank doesn't really care whether or not you can pay back the loan;

Not true. Many banks/lenders actually service most of their non-real estate loans vs. selling them. Also, to the extent that they do sell loans, they care about credit-worthiness because higher quality loans fetch a higher price.

>(If you ask, "what happens when that risk isn't spread widely enough?", the answer is that you get an economic meltdown such as the one that happened in 2008.)

This is incorrect. In some ways, the problem was that they "spread the risk" too much. That is, the same loans were re-packaged and sold multiple times, creating insane leverage through exotic instruments (derivatives, CDOs, etc.) of little-to-no-intrinsic value. Had we simply seen a series of defaults, the systemic threat would have been greatly reduced. It was the leverage that created the real crisis.


> I am saying that it doesn't, but should to a larger degree.

Ok, fair enough. I agree that it should; but then again I don't think fractional reserve banking is as good an idea as most economists appear to think it is.

> It's not germane to this discussion in any event

I think it is, because the fact that making loans causes money to be created on the spot means that loans are cheaper (in some cases, much cheaper) than they would otherwise be. That greatly reduces the incentive to increase one's financial responsibility. Also see below.

> defaulted loans aren't good for the bank

They aren't if the bank still owns them and if the bank was booking them at an inflated value, yes.

> Many banks/lenders actually service most of their non-real estate loans vs. selling them.

Yes, I should have drawn a distinction between real estate loans and other loans.

> to the extent that they do sell loans, they care about credit-worthiness because higher quality loans fetch a higher price.

They care about creditworthiness in the sense of ratings, yes; but I thought we agreed that that's not the same as actual financial responsibility, i.e., as whether the borrower can actually pay back the loan. See below.

> In some ways, the problem was that they "spread the risk" too much.

They thought they were spreading the risk by re-packaging loans in all these creative ways, when they actually weren't. (This may be what you were referring to by putting "spread the risk" in scare-quotes. Note that I did not do that in my previous post.) Spreading risk means the risk of any one loan defaulting is independent of the risk of other loans defaulting. That turned out not to be true, because real estate was in a bubble, created by low interest rates and consequent cheap mortgages (and the fact that the money for the loans was being created out of thin air), and when the bubble popped, lots of loan defaults happened that were correlated, not independent.

> Had we simply seen a series of defaults, the systemic threat would have been greatly reduced. It was the leverage that created the real crisis.

I agree that leverage greatly exacerbated the problem; but note that the leverage doesn't just come from the derivatives. It comes from fractional-reserve banking in general, i.e., from giving out more loans (up to 10 times as many with the current reserve requirement of 10%) than the actual supply of real savings justifies. That's going to create a bubble in whatever the loan vehicle du jour is, even if no other leveraging is present.


> Also, the median home price where we live is $500-600K (depending on the city/neighborhood). 30% of that is quite a down-payment.

You're talking about being entrusted with half a million dollars of someone else's money. That's a huge bet to make on you; it goes both ways. If you can't afford the down payment, then you can't afford to live in that neighborhood.

30% isn't an unusual downpayment, especially if you don't have perfect credit. With a smaller downpayment, the bank is in a position where you could default on the mortgage, they repossess the house, and because it's depreciated in value at all, get less money when they sell it than they paid the person who sold the house to "you" (to the bank, really) after foreclosure and closing costs.


Why is the house "depreciated in value at all"? I don't understand that part.


You just lived through a recession in which tens of millions of homes depreciated in value during the terms of their loans. Depreciated means it lost value; the house is worth less than before. That, combined with a small downpayment, can result in a bank holding a foreclosed home which is worth less than the value of the mortgage on it.


Ah, I see. I thought your explanation was more general, not specific to the current economic situation. And since I learned as a kid that a house normally only gets more value over time (I live in western Europe) that was confusing me. Thanks for the clarification.


> I learned as a kid that a house normally only gets more value over time

I think this is one of the reasons we got into this mess. People bought more house than they could afford thinking they would be able to sell it if they needed to and at least break even. Nobody was prepared for underwater mortgages because we all assumed houses only appreciate.


All structures depreciate, eventually it will fall down. It requires maintenance to keep the same value. This is one reason most people will tell you to never buy a condo. Land is finite and does not depreciate.


> Land is finite and does not depreciate.

The value of land can definitely depreciate. Perhaps not in [sub]urban areas so much, but in rural areas the value of land can be tied to things like timber, water, or mining. If I buy some acreage and extract timber/sand/gravel/etc, that land is going to have a lower resale value.

Or maybe I buy prime farmland and then crop the soil until it is dead.

Or instead of extracting stuff, I leave bad stuff behind (persistent pollution -- lead, mercury, etc).

For something more [sub]urban, consider the case where a new highway is built to route traffic around a city instead of through it, and a previously viable commercial location becomes worthless because the traffic count drops to near-zero.


If a 20-30% downpayment seems completely unrealistic, then you are probably not in an area that you can afford. A home is like a car, in that nobody forces you to buy the Porsche, and you can always buy something in a cheaper area. A location with a median home value of 600k is definitely in the "Porsche" category of locations. Go find yourself a Camry.


Never said it was unrealistic–just meant it wouldn't happen immediately. By the time I have it available (2-3 years), my credit score will be improved too.

Also, our rent is very low here ($2K for a 4bd home on 1/3 acre in a great neighborhood). We just happen to be in an area where buying vs. renting is out of balance.

And your car analogy breaks down real fast. There are many more factors which can/do prevent people from moving to other cities.


20% - 30% used to be the standard down payment for a mortgage. I'm not sure exactly when the 5%, 2%, and even no-money-down mortgages started, but they are a big part of why housing has been in such a mess the past decade. They sort of set the general expectation that you could buy a house with no personal sacrifice or investment, and thus made it easy for people to rationalize walking away when the payments became difficult to manage.


So you pay cash for everything, and somehow that demonstrates your ability to responsibly use credit?

Do you also assume that Mormons are experts on responsible social drinking?


I thought credit rating things only lasted 7 years. Are your credit transgressions more recent than that?


I'm pretty sure it's 7 years. After that they're supposed to remove the information. They don't really care though. You need to call and have it removed. Sometimes you need to really hassle them.

If you have old debt, some buyers of that old debt are fraudulently trying to make it look like new debt by filing it with credit agencies--fight it. It's all about statute of limitations.

Oh, I've noticed some of you are very protective of our credit system. I've always felt most credit cards are very unfair. No real control over your rate of interest has always bothered me.

While, I'm on a rant. The Credit Agencies need some competition? It would be a great start up? A credit agency that actually looks at an individual's ability to pay back a loan.

It shouldn't be a crime to pay off your bills without using a credit card. Oh yes, they claim to look at utility bills, etc, but in order to get the really good credit terms they want to see you used high interest credit cards throughout your life.

I'll never forget the look on my father's face when he was refused a credit card, because he never saw the need to use credit until he was in his 60's. This was after paying off a mortgage.


> A credit agency that actually looks at an individual's ability to pay back a loan.

The problem with that is that just because someone is able to pay back a loan doesn't mean they will.

I had a roommate in college that financially was able to pay off a credit card, but was just so irresponsible that he ignored it.


Most are, but (from what I understand) there are ways items can stay on for longer. For example, if your account is sold or resold to a collection agency, I believe the clock resets under the new creditor.


This is not accurate. The clock only "resets" if you take action on it. It can be resold every 6 months and unless you contact a creditor about the debt, nothing changes.

For small debts in the 4-6 year range it's usually fine to let them just fall off your report (although there's certainly a moral ambiguity there). Larger debts will almost always be litigated well before the 7-year mark, and entering into litigation does reset that clock.


This is what bankruptcy is for. If you really get underwater you file bankruptcy, your debts are discharged by the court, you pay cash for seven years, and start over. Just informally leaving unpaid debts outstanding is not a good idea.


Thanks cylo for the post. Sadly we can't seem to trust the credit agencies or Government agencies with data protection. We need a politician who will champion some sort of legal offence (Federal?) for digital data protection breaches whatever the industry/company (above anything that already exists) that will scare companies enough that they start taking digital identity seriously. Maybe that's a pipe dream but I get the sense after reading this article that regulators just don't carry a big enough stick or have too light a touch when punishing serious infractions.


Agreed and I'm somewhat surprised (UK peep here) that no data protection act is in place. UK had first version of the act in 1984 (oh the ironic choice of dates, governmental humour maybe).

With that I'm amazed there is nothing in the USA, must be something beyond class action suits?


I think protecting data is a hopeless goal. The penalties need to be for fraud, and the responsibility for identity verification needs to be the creditors.

Hospital admissions and discharges used to be published every day in the paper. People used to have their social security number printed on their checks. Someone's birthday was a day of celebration, not a personal secret.

I want to get back to a place where routine facts about me do not need to be secret or something I worry about. The onus should be on anyone granting credit to verify that the person is who they claim to be, and it should take more than a few bits of public information to do that.


ams6110, I wish for a world where your quote "I want to get back to a place where routine facts about me do not need to be secret or something I worry about" were true.

However, Pandora's box is open and we can never ever go back.

When you say, "The onus should be on anyone granting credit to verify that the person is who they claim to be" I couldn't agree more. This goes to the heart of my argument, you cannot trust those granting the credit. The invisible hand isn't working here. The only other option is to use fear to keep them in line... fear of a regulator that has teeth.


Having lived in the USA and the UK I've experienced the political contrasts. My gut feel is that the American political engagement, the way the media reports politics, and how people think as a result are to blame here.

So exactly what do I mean by that? Well for starters I believe that the American political structure doesn't lend itself easily to direct public scrutiny and transparency. I can't remember ever meeting an American politician except when it was in their best self interest... surprise, surprise right around election time. Barriers are set up making it difficult to get face-time with a Senator or a Governor. By comparison MPs (British Members of Parliament) are obliged to have open constituency meetings where a member of the public can arrange to speak to their MP face to face.

British politicians just seem more willing to me to engage with 'Joe Public.' For example, it would be beyond belief to hear that the US Vice President or some Governor of some state has a weekly call in radio talk show slot, yet Deputy Prime Minister Nick Clegg (kind of like the British Vice President) and Mayor of London Boris Johnson (who is more like a US Governor than a city Mayor) have a regular weekly radio slot on LBC (a call in radio talk show) where they take calls from ordinary citizens and sometimes take some intense heat.

Also understanding American politics outside of the likes of Fox and others (or what I would say is the "TV political bubble") is difficult. Sure there are some amazing publications one can read. The likes of The Wall Street Journal, The New York Times, Time, The Economist, and Foreign Policy all spring to mind. However these publications are not for everyone and definitely not read by the masses.

In comparison, the Sun and other tabloids, manage to break politics down into bite-sized blurbs that focus on the important parts for the everyman. I believe that this allows Brit Joe Public to be regularly informed on politics and therefore more engaged. So while much could be said about how bad tabloids are, I think they provide a valuable public service keeping people informed and from time to time crucifying the odd politician or goading them to action.

If there was maybe more public political engagement, more willingness for politicians to be accountable and less special interests on Capitol Hill maybe the average citizen would understand why data protection is important and feel they have the leverage on politicians to enact it.


Sort of insinuates that ID theft is not meant to be a core focus of Experian.


> Sort of insinuates that ID theft is not meant to be a core focus of Experian.

The post is saying that a service that aids scammers purchased data from Experian.

Seeing the title, I initially thought it meant that Experian sold data to an ID Theft-prevention service, which would be less bad.


I read it the same way, but that would have been pretty bad in and of itself. Why should an ID theft prevention service have data on me unless I have a business relationship with them?


Going back a step, why should Experian have data on you?


And they can sell what they call the "header" of your credit report without regulation (such as the FCRA). This info includes your name, address, ssn and dob. Or at least it did when I bought it in the 90's to build a service to find dead-beat dads. I've heard they are more restrictive on the SSN, but I also would bet that's the #1 data element for the ID thefters.


I don't understand why the U.S. is so opposed to a nationwide ID, and yet obviously needs one, and ends up treating other documents less suited to the task as one.

Here in Uruguay (and almost everywhere else) we have a national ID number (Cédula de Identidad). It's not supposed to be secret (although it's not a great idea to divulge it freely).

http://en.wikipedia.org/wiki/National_identification_number


An SSN is quite a good ID in that it should uniquely identify WHO is being discussed but it is a lousy authenticator to prove you ARE the person being discussed. Unfortunately in the US it seems to be regarded as a shared secret (between you, every credit reference agency, significant portions of the government, every bank you use, every employer you have and significant numbers of people working for all those groups) that they then use as authentication. What is needed is a separate authentication process.


I don't see how a new id number will solve anything. We already have a de-facto national id number, the SSN.


Because a new ID number can have security measures.

The ID number in my country has photograph, fingerprints, signature, several security measures (difficult to fake). Not so easy to steal (of course there are forgeries, but identity theft becomes much harder)


Hold on, do you mean an ID number or an ID card? As far as I can tell, the Cédula de Identidad you mention is a card, not just a number. Numbers are pretty much always trivial to duplicate. Checking a physical document kind of requires a face-to-face transaction.


Sorry, I meant ID card, you are correct. And I agree that numbers are easy to duplicate.

I'm not from the U.S., but I've read a lot of criticism about the SSN, for example:

http://www.theverge.com/2012/9/26/3384416/social-security-nu...

"In 2009, researchers developed an algorithm that could guess an individual’s SSN with up to ten percent accuracy"

"SSNs have become available through data resellers, security breaches at various companies and government agencies, unsuspecting customer service representatives, and even public records, if you know where to look. SSNs can be bought in bulk for $1 each on private online forums, and a specific person’s SSN can reportedly be had for as little as $3.80."

I've also read about duplicates ("More than 20 million Americans have more than one SSN associated with their name."), the numbers running out (in the 2050s apparently), etc.

http://www.witn.com/home/headlines/111371029.html

The REAL ID act sounds like something closer to what we have:

http://en.wikipedia.org/wiki/REAL_ID_Act

Some other advantages (from an IT point of view): you can validate an ID number against a central database, and get a person's given names in a unique format. Our ID numbers have a check digit, so you can validate if the ID number has been correctly entered :)
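
The check digit mentioned in the comment above, as an added example that is not part of the original thread. It assumes the commonly documented scheme for the Uruguayan cédula (weights 2, 9, 8, 7, 6, 3, 4, sum taken modulo 10), which the thread itself does not state, and it measures what such a digit actually catches.

```python
"""Check-digit validation for a Uruguayan cedula number (added illustration)."""
import re

# Assumption: commonly documented weights for the 7-digit body; not from the thread.
WEIGHTS = (2, 9, 8, 7, 6, 3, 4)
SAMPLE = "1.234.567-2"  # constructed sample value, not a real person's record


def normalize(raw: str) -> str:
    """Strip separators and left-pad older, shorter numbers to 8 digits."""
    digits = re.sub(r"[.\-\s]", "", raw)
    if not re.fullmatch(r"[0-9]{7,8}", digits):
        raise ValueError(f"not a cedula-shaped value: {raw!r}")
    return digits.zfill(8)


def check_digit(body: str) -> int:
    """Weighted sum of the 7 body digits, complemented modulo 10."""
    total = sum(w * int(d) for w, d in zip(WEIGHTS, body))
    return (10 - total % 10) % 10


def is_well_formed(raw: str) -> bool:
    """True when the final digit matches the computed check digit."""
    try:
        digits = normalize(raw)
    except ValueError:
        return False
    return check_digit(digits[:7]) == int(digits[7])


def single_digit_typos_caught(raw: str) -> tuple[int, int]:
    """Return (rejected, tried) over every one-digit substitution in the body."""
    digits = normalize(raw)
    rejected = tried = 0
    for pos in range(7):
        for repl in "0123456789":
            if repl == digits[pos]:
                continue
            tried += 1
            mutated = digits[:pos] + repl + digits[pos + 1:]
            rejected += not is_well_formed(mutated)
    return rejected, tried


if __name__ == "__main__":
    print(SAMPLE, "well formed:", is_well_formed(SAMPLE))
    print("typos rejected / tried:", single_digit_typos_caught(SAMPLE))
```

A substitution that shifts a digit by 5 in an even-weighted position passes unnoticed, and a matching digit can be computed for any body, so the check filters data-entry errors and is no evidence that the person presenting the number owns it.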


Certainly SSN could be improved by making them harder to guess and adding check digits. Other than that, I don't see how any other number scheme is any better. Ultimately there is some number that is associated with you, and is therefore useful for identity theft. Since it has to be used by people and not just computers it'll have to be relatively short and thus easy to steal.

Multiple identifiers per person is a feature, not a bug. People get new SSNs when they want to change their identity (eg, witness protection programs), or because someone stole their old one. That need doesn't go away just because you have a new numbering system.


How else would credit history (and credit in general) work?


Voluntarily?

If you want to use credit, you have to let lenders collaborate to determine whether they're willing to lend to you, if that's their criteria for making decisions.

If you don't want to use credit, they get no special pass to store and use personal data about you.

I'm from Europe, where generally personal privacy gets more emphasis than it seems to in some places, notably the US. We have explicit laws about collecting and processing personal data, but certain organisations seem to get a free pass for no apparent reason. As this story demonstrates, the risks are still there.

That said, perhaps we shouldn't be too worried. The last time I paid a little real money to get hold of my personal credit report from one of these credit reporting organisations, it was so riddled with obvious errors, including more than a few wildly inaccurate data points, that I was on the phone to them for something like half an hour to get them to correct everything. At that point (I kid you not) the woman on the phone asked if I would be much longer because it was the end of the day and time for her to go home.


I'm convinced that those 'errors' on reports are actually phishing.

When I ordered my reports I paid with postal orders, so as not to leak any financial information back to the agencies. I'm glad I did so, as the details (other than my mortgage) were laughably incorrect.

I was on the verge of writing to correct them and then caught myself - that's exactly what they want, isn't it? So hopefully by now they've diverged even further from the truth.


Were they negative elements or just factually incorrect neutral/positive elements? Correct or not, if your credit report is pulled and there is wildly inaccurate (negative) information you can still be declined, and not many people know that you are entitled to a free report if you're declined based on what's in that report.


In my experience, most every place that declines you based on report data will send you a letter saying (in very general terms, but still) what criterion you failed, as well as the information about where to get your report.


Well for a start they could stop using your immutable SSN as both your username and password.

That's like your gmail password being your address, oh and by the way you can never change it.


... Because they are one of the three major credit-scoring agencies that maintain records on every person with a credit history?


Well, sure, that's a description of what they do, but it doesn't explain why they should have access to this information. In a marketplace, perhaps there doesn't really need to be a "why". But the same "why" should apply to Experian as it would to an ID Theft-Prevention service (the hypothetical thing that we were discussing in this comment thread, and the reason I asked this question in the first place).

That is, Experian's longevity and importance make them more reputable. Their function as a business, certainly, is to collect, analyze, and repackage this data. But these things should not give them a free pass on the "why" question that greenyoda posed, if the question is going to be asked at all.


They said "should" not "would."


Experian is one of the big three credit reporting agencies; their databases are used to determine whether you qualify for a loan. They are your credit record...

So, yeah; this is pretty bad.


Do "underground" credit rating agencies exist? I don't mean credit rating agencies for carders and scammers, I mean agencies that track things they're not supposed to track. Agencies that keep the data on file for longer than they're supposed to, keep track of how many times a particular ID asks for refunds, or to get their security deposit back, material like that.

It would have to be out of the Caribbean or some place with lax data privacy laws, and strict confidentiality laws.


There's a ton of those that are fully aboveboard, you just don't hear about them. One exists for return tracking, one exists for how many applications you've filed for credit cards, one exists for landlord/tenant court entries that saves them forever (they insist they aren't a CRA but under the law they clearly are) -- there's a ton of them other than the Big 3 and there's almost no effective regulation around them.


For those of you interested in learning how the cough scam cough system of credit scores works and how to maximize the system, here is a talk I have found very informative. It's a dirty business and industry...

http://www.youtube.com/watch?v=5gFDnQGr6WU


The world should calm down. Take a few years to review what we've done in the last 50 years.


Yeah. Let's rent a holiday cottage with all of us and talk it through.



