Given it is your email that is being used, that should allow for you to take over the account(s)? I'd submit a password reset, change the password, then just allow the account to live a dormant life.
That of course doesn't make it any less annoying, but it would at least stop an actor from using an account that is associated to your email.
Be careful, in the USA that is still a violation of the CFAA and US courts have proven themselves to be technically incompetent time and time again. People have been sent to prison under CFAA for using the “view source” button that’s available in every web browser.
Which case did someone go to prison for viewing the page’s source?
I think they are talking about this case, it was thrown out.
https://www.theregister.com/2022/02/15/missouri_html_hacking...
Governor Parson's office maintained that Renaud had unlawfully hacked the school website: "The hacking of Missouri teachers' personally identifiable information was a clear violation of Section 569.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative."
It wasn't thrown out by a judge. The governor still maintains that the reporter "hacked" and violated state law but the prosecutor's office declined to pursue the case.
My understanding of the law is that a judge would throw out the case as well
For Experian accounts, doing a password reset requires an SMS or phone call code.
The only mechanism you have to alert the person usurping your email identity that there is an issue is to trigger the phone call verification 3 times per day, preferably around 4am.
If you call the phone support, it will give you robots until playing a pre-recorded message telling you to physically mail a legal request including copies of your ID etc.
File an FTC and CFPB compliant. Only regulators will light a fire. Experian isn't going to doanythingdue to consumer complaints, as the consumer's credit file is the product. Let someone from Compliance have to email the product owner about it, and the complaint starts the clock ticking.
https://www.consumerfinance.gov/complaint/
https://www.youtube.com/watch?v=9CWbc6pekd8&t=1310s("We have a complaint database, we collect information, and are always eager for information" -- FTC Chair Lina Khan at Y Combinator)
I've been tempted. But
1. That exposes me to MORE involvement with this service, not less, and potentially legal culpability. Risk may be small but impact is large and benefit is neglible, so math doesn't work out for me.
2. It requires MORE effort on my part. For a poor design and error made by not me.
If it were once every 5 years, maybe.
When it's weekly, it's just an annoyance.
Sometimes when I'm really angry, I just write to their gdpr or compliance officer with a stern better and links to various sections of the law and their obligations. Doesn't accomplish much but makes me feel better :-)
But overall, it's a systemic issue, and given we are on hacker news, I'd say it's OUR systemic issue caused by us :-/
Doesn't exactly work when they use your email to create an Apple iCloud account. It needed the actual iPhone it was connected to to complete the reset, I think I ended up getting it into a weird unusable state where neither of us could log in.
Do you have an example of what your email address is? Is it like "john@gmail.com" or "mike@hotmail.com" or something? Seems pretty crazy that someone chooses it randomly every week. Have you considered getting your own domain for your email to make this probably go away? Obviously changing addresses is painful, but living your life with a common email seems worse.
Mine is first initial, somewhat-uncommon last name at gmail.com. Address acquired during the public beta back in 2004.
I regularly get reminders for dental visits in Oklahoma, purchase orders for machinery in Germany, and course registrations for some person who works in my industry and was easily searchable online.
It is not so intrusive to be problematic, and is mildly interesting.
I’ve made a few online “acquaintances” over the years as I’ve figured out the real email addresses for the people for whom I receive email at iCloud. We check in each time I forward something to them.
It can be fun to figure out how to contact your “acquaintances” the first time this happens. You can't really email them, can you?
I had it when someone (or likely his partner) with the same (somewhat uncommon!) firstname.lastname@gmail.com used my email. I started digging and it turned out we both were/are PhD students, just totally different fields. Must have something to do with the name. I was happy that via the faculty site I found his "real" email. Nearly send him a really weird post card, I had only his postal address...
It wasn't as hard as I expected. In one case, I found her last name on an email and it had an additional letter, so I just modified the address to match her name (we were both first initial/last name).
In the other case I must have simply experimented with first initial/middle initial/last name, and that worked.
One is a minister in the Boston area, so it's not hard to recognize her inbound emails.
Mine is first.last@gmail.com.
I get tons of email intended for the other "first last"s in this world.
Most memorable are an employment offer as an environmental engineer in New Zealand, the results of an environmental survey for some commercial real estate development in Houston, TX, and bankruptcy papers from an attorney in British Columbia, CA.
I’ll chip in as john.<reasonably common surname>@icloud.com.
I still get email from AT&T for John Notreallyme who I believe is in his 80s and lives in Montana. He signed up in-store and I got emailedallof his details.
I got the first email that asked me to confirm my email address. Obviously I did not do that.
It makes no difference. I don’t know why they bothered.
I thought the same thing, in my whole life I have gotten exactly ZERO of this events.
I frequently get emails intended for someone who has my same email handle, but with the extension "@googlemail.com" instead of "@gmail.com".
I know a lot about them. I know their shipping address in the UK. I know that they order inexpensive club attire, online Dominoe's delivery, and have a specific gym membership.
I am shocked that Google offers no way to disentangle my email address from this person's. A more malicious person than I could easily take advantage of all of this personal information.
Was there a period where you could register those separately? My old google account receives emails for both domains.
There must have been, else I wouldn't be in this situation.
Or they could just have a similar gmail address they frequently get wrong (or that looks like yours when written in the terrible handwriting they fill in forms with)
There's probably a single digit number of people with my initial and surname in the world, and Istillget order confirmations for one of them, car promotions for another and am on some sort of targeted B2B spam list for a third to my Gmail address in that format. I quite like the order confirmations tbf, most of them are for a fish and chip shop I actually used to get food at when I was a kid and my grandparents lived nearby so they're oddly nostalgic
My understanding was that the two domains are equivalent. The following sites seem to confirm my understanding. Are you sure it isn't you?
https://support.google.com/mail/thread/125577450/gmail-and-g...
https://www.quora.com/What-is-the-difference-between-gmail.c...
https://www.gmass.co/blog/domains-gmail-com-googlemail-com-a...
I'm pretty sure I don't have an alter ego who lives in the UK ;) The shipping address and accounts opened by this person are very obviously not mine.
I live in NY.
I get these every so often and I'm curious what you mean my ignore at your own peril. My approach has been to ignore it and assume they will realize their mistake and reregister.
OP said so: The functionality of the account is usually partially or mostly available to an unverified email.
Yes, but I don't understand what problem that poses for him. After he verifies the incorrect email address, they have full functionality.
There's any number of risk scenarios, assign likelihood as you will :
* owner of account doesn't pay, service sells the debt to collection agency, and they come after you because it matches your email and profile.
* owner of account subscribes to something unsavoury or does something illicit, which is now traceable to you
* given email is a big part of the incredibly ridiculous and overly pervasive tracking economy and profiling of the interwebs, your profile will now be even more annoying then before and be associated with things you don't want them to be.
Etc. Or just, to your point, one day they'll realize their mistake and be mad at YOU (because people aren't generally good at taking responsibility :) and now it's a thing.
I should mention I have a dozen email accounts of various degrees of protectiveness. Thia happens, annoyingly, to my most private address that I have never ever once used for business or signed up for anything, only for friends and family. So among everything else I'm peeved that my pristine email and identity is being polutted by other crap.
And again... The reason this frustrates me, is this should.not.be.and.issue in any sane world. If you're sending verification email it should have a No option. Anything else is grossly neglible or evil or both.
To make it less general and more specific
Over years, I've received peoples private medical bills; been subscribed to dating sites of various degrees of sketchiness; my email has been used to register with government agencies in countries of various degrees of sketchiness too; signed up for gaming, gambling, Crypto, banking, nft, investing, and so on - many things where my comfort level for mistakes and mistaken identity and Confusion and incorrect systems of record, is lower than "some kiddie signed me up for blizzard.net" :-/
Have you tried to reset the password and delete the account?
Malicious compliance
Or just leave it open to (presumably) prevent its future use.
I was receiving somebody's water bill in my email addressed to someone in the Netherlands (apparently with a similar name). It contained their address, full name, details of their water bill... The email was in Dutch and I used Google Translate to make sense of it. It came from a no-reply so I couldn't just reply and say 'wrong customer', and there was no customer support email address to be found. I had to go to the company website and hunt down some kind of feedback form and begged them to fix this customer's email address. Eventually I stopped receiving the emails. I guess that company never even verifies email addresses. The company is called Oasen in case you're wondering, name and shame.
Vietnam Airlines once sent me someone's airline ticket, about 48 hours before they were due to fly (and about 10 years after the only time I ever flew with them). Their name wasn't even remotely similar to mine and their email can't have been either. At least that one appeared to be human error so there's a chance that my email pointing out the mistake was read by a human that was actually able to sort it out.
Lyft likely cost customers' funds though a poor process like this in the past.
One could create an account, hail rides and add their own payment method while still being associated with someone else's email. Ride recipes would then be sent to someone else's email where the receiving party could add or increase a tip through an unauthenticated link and have it charged to the riders credit card.
I had a positively hilarious interaction when somebody with my name used my personal email address for their retirement fund provider. I received an invitation to a zoom meeting addressed to my personal email account and their work email account. So I went ahead and joined the meeting in progress.
I sat silently for a bit while the financial advisor finished his talking point. Then I spoke up. I don't remember exactly what I said but the other guy with my name sat there with a scared / dumbfounded expression on his face while the financial advisor calmly asked me to leave.
I told him I would leave as soon as they promised to remove my email address.
non-maliciously, usually
Don't be too quick to assume this. Likely the email account is one of many spammers gathered from a data breach.
Reset the password. I even change the username to "spam" or something too, poison as much of the associated data as I can. PITA I know, it happens to me regularly.
I have had spotty success forwarding the confirmation email to security@{wherever the mail came from} explaining the situation. When that fails, you can look up the WHOIS information for their mail sending provider and contact their abuse@ inbox as well.
I can beat that on annoyance level at least. I still get postal junk mail for Mr Qwe Rty after I put it in a test form when I was a contractor in 2005. This got onto a database somewhere and was sold to someone and I just get junk mail galore!
I have an early/obvious gmail account and get around 3 messages per day from unauthorised signups to legit sites. facebook and google (as recovery account) are the only ones that allow you to de-link your address from an account
Of course, we aren’t the customers for these spying companies. But it is surprising that the total lack of security isn’t a deal-breaker for their actual customers. I mean if you can basically impersonate anybody using this service, what is the point of using it?
If identity theft were to get so common that the data became statistically unreliable, we would be long past the point that even Congress would feel compelled to do something about it.
There’s no such thing as identity theft, it is impossible to steal an identity, the person still has their identity. It is impersonation. The victim is the entity that has fallen for the impersonation (likely a bank, etc), the perpetrator is the one who did the impersonation, and the impersonated person is just some uninvolved third party.
I know it is pedantic but it is important to keep in mind because dumping the need to seek redress on the uninvolved third party is ridiculous, so we shouldn’t use language that plays into that point of view.
100% agree, except the impersonated person is impacted when their credit score eventually gets screwed and they can no longer get loans themselves. So, in that regard, they are also a victim.
Although I think it is more accurate to call them a victim of something like slander by the credit agency, in that case. I mean, I’m not sure exactly what the laws are around slander, I wouldn’t be surprised if there was some cutout for cases in which the person actually believed the lies they were repeating, but if an organization represents itself as an expert in people’s trustworthiness it obviously has a heightened responsibility to verify what it is repeating.
Credit reporting agencies have immunity from slander claims unless you can prove malice.
So you've found the problem. If they are immune from the crime, they won't stop practicing it.
My understanding is that in most cases, slander/libel is never a crime anyway.
It's merely a tort (wrong). It never rises to the level of a crime. The few instances/places where slander is a crime in the US (historically or otherwise) are very problematic and subject to abuse.
Perhaps this specific kind of slander should be criminal, but it might be the only kind that should be. Not only would you need to justify that philosophically, but somehow convince legislators to make it that way (at the federal level, I should think).
It'd be a tough journey.
Well, ok. There's no need to make it a literal crime. Those companies just need to be responsible for correcting the damage they cause.
Don't forget compensating the injured party for any consequential losses. Which in this case might be a house or the income from a good job. See how fast they clean up their act if they can be held responsible for six or seven figures of damages every time they make a serious mistake.
I don’t think it is that tricky philosophically; they are representing themselves as experts on a topic so, they have a responsibility to ensure that they have a professional level of competence in it. Just like doctors and civil engineers.
Agreed that getting legislators to do anything about it will be a pain, though.
Would them ignoring a few certified letters asking them to contact you to correct slanderous significant errors in your information be enough to show malice?
That’s what a dispute is. It’s required by the FCRA.
The impersonated person is impacted because the credit agency is lying about them to other people.
A classic Mitchell & Webb sketch:https://youtu.be/-c57WKxeELY
Thank you for that, I'm actively looking to see how I can watch this show now.
This is from That Mitchell and Webb Sound, a radio show they did. The BBC don’t tend to region-lock audio, so you should be able to listen athttps://www.bbc.co.uk/programmes/b007lqrh(or using the BBC Sounds app).
The banks aren't the only victims. The person has had their credit rating damaged, and may even be on the hook for fraudulent charges made in their name.
The person has had their credit rating damaged
This is called libel. This person is a victim of a crime the credit reporting agency committed.
Libel is an intentional act. Agencies are not intentionally reporting false information. Banks may be reporting false information, but even they are unaware until the fraud has been discovered, by which time information they thought was true has already been reported.
I completely agree. But if I recall correctly, they've set up the law so that if they get duped, you're on the hook for whatever they got duped into giving the impersonator. That's the biggest problem.
Tell me you're Bank of America and I'll give you a thousand dollars. You disappear into the night and I'll go get my thousand dollars back from the real Bank of America. Is that how the law is setup? (Honestly, making a website that looks like a legit Bank of America website is about as difficult as getting someone's SSN.)
It’s identity fraud frankly. Hold consumers harmless and put the burden on the industry (if you did not have an high identity assurance you’re on the hook for costs and losses) and this problem evaporates. Also outlaw credit monitoring and identity theft insurance.
You give Congress too much credit.
what is the point of using it?
Plausible deniability allowing them to push as much significant risk of identity theft onto consumers instead of themselves where it should be.
Even the term "identity theft" needs to go. My identity wasn't stolen! I'm still the same person. The bank got tricked by a scammers and somehow the bank tries to make that my fault.
Edit: Imagine this the other way around! Grandma gets scammed by someone pretending to be her bank. So the bank's identity got stolen. So now the real bank needs to fix it, provide more proof of identity to all customers and jump through all kinds of hoops to not owe grandma crazy amounts of money.
Why do you think that calling something theft blames the victim of the theft?
It isn't blaming the victim. I think they meant something else but worded it that way. What they meant was 'redefining the victim'. The victim is the bank, who got defrauded. They then call it 'identity theft' instead of 'bank fraud'.
Yes! I’ve been saying this for years. The whole framing is a victim blaming dodge, when the two bad actors are the crooks and whoever made the loan with insufficient ID.
It always reminds me of this classic Mitchell and Webb sketch about the subject.
These accounts aren’t for the people who pay Experian money. Companies pay Experian money to access information about individuals; the only reason Experian even allows accounts for individuals is because they are mandated by law to allow things like credit freezes and the annual credit report. If they weren’t required, they wouldn’t do it at all. They have zero incentive to improve the experience or the security of it.
> Companies pay Experian money to access information about individuals
And your firm pays Experian/Equifax/etc. to GIVE information about you, e.g., automated employment verification.
someone shoudl be able to freeze their work number to preven this correct? or am I thinking of something else
And your employer feeds their payroll into Experian and its partners so it can then resell that information.
And Experian pays your company for the data through programs like The Work Number
what is the point of using it?
can you opt out? is there even a choice at all? where i live I can’t opt out of Experian or other credit rating services.
Just buy a bunch of stuff and don’t pay for it. It’ll be the same result, but you’ll have more things.
The actual customers can, consumers can't though.
I'm pretty sure the OP was meaning that there's little point for the businesses that make use of the credit bureaus, if they can't be sure the bureau is accurate, rather than that consumers might be better off opting out (even if they could).
We need a HIPAA for personal data.
Stepping back, and looking at the situation as a whole: the real problem is a lack of privacy laws. Banks, businesses and employers should be prohibited from sharing your personal information with third parties.
I live in Switzerland, where this is the case. Even the government doesn't get this information. If the government thinks you're cheating on your taxes, they have to use warrants and follow the same procedures as for any other crime.
The only financial records accessible are records of legal debt collection actions ("Betreibungen"). Before offering someone credit, you can find out if other people had to sue them to collect.
Yet, even with so little information - without credit reporting agencies - everything works just fine.
FWIW, due to international pressure (things like FATCA), Swiss law was changed so that banks do report on international customers.
I would say this problem would also be solved if we stopped pretending that a Social Security number was a serious substitute for secure national ID.
What's the issue with SSN being an ID?
It was creating for the purpose of tracking an individual's account by the Social Security Administration. It later became a de facto identifier and, even worse, is many times abused as a form of authentication, but it was never designed to be either.
As a result, we have processes that ask for or require a social security number that aren't even related to the purpose for which it was created: Health care, loans, debt collection.
Notably, some citizens of certain religious sects, like the Amish, do not have social security numbers.
It still sounds like a good way to uniquely identify a person? How else would an institution confirm that it's talking about the same person?
It is treated like a secret, so if you come to know someone else’s Social Security number (thanks to a thriving black market you can buy up plenty of them) that’s enough for lenders to start giving you money and then chasing down that other person to pay them back. Are you starting to see an issue yet?
Well that's another thing, I don't see why would you need to get rid of SSNs. You just need to add another layer that will confirm that you're the "owner" of your SSN. Seems pretty easy to do?
The same way they do for people who aren’t from the US?
Some combination of name, address, birthdate, etc.
But the problem isn’t using the SSN as a semi-unique ID. It’s using it for that and also assuming it’s secret. SSN shouldn’t be any more secret than name or address (and shouldn’t be used to unlock or access accounts).
The same way they do for people who aren’t from the US? Some combination of name, address, birthdate, etc.
Plenty of countries have SSN-like numbers:https://en.wikipedia.org/wiki/National_identification_number
It's really not that special.
But the problem isn’t using the SSN as a semi-unique ID. It’s using it for that and also assuming it’s secret. SSN shouldn’t be any more secret than name or address (and shouldn’t be used to unlock or access accounts).
Of course. Shouldn't it be trivial to sue any institution that uses SSN as a way to confirm your identity?
It's a terrible way to uniquely identify a person; it was never designed as such. For instance, there aren't nearly enough of them – they get re-issued all the time.
It is used that way in Finland and a fair few other countries and works perfectly well.
Additionally, because the Social Security Administration only issues an SSN if you are eligible to pay into and eventually receive Social Security, there are some legal temporary residents of the US that are not eligible and do not get an SSN.
While the government says that an SSN is not necessary to open a bank or credit card account, all the ones that I’ve encountered require it to proceed with the application, and the government doesn’t do any enforcement of that.
There's an easy way to do that: pass a law exempting Social Security Numbers from all identity theft and fraud laws.
Make it completely legal and tort-free to lie about social security numbers anytime, anywhere, except when dealing directly with the government (i.e. filing your taxes).
That'll stop them being used, and right quick.
problem is: what to use instead? They don't really have an alternative, either
Businesses can come up with their own ID systems. Google doesn't need your SSN for a Gmail account for example.
Nor do you need to provide an identity that’s not completely made up.
“Everything works just fine”
It definitely worked great for a lot of dictators, tax cheats and the sort… I think Switzerland is a great example of why complete privacy isn’t fair on ordinary taxpayers - it allows the ultra-rich to hide what they owe
Prior to 1913 the IRS didn't exist. The US seemed to do just fine before then. Tarrifs are the best way for the government to raise revenues. Especially when you are doing business with hostile countries like China. Please do educate yourself on US history before making such comments about privacy.
Prior to your first birthday you used to shit yourself every few hours. What’s your point?
I'm an American living in Switzerland for over 10 years, and this was definitely my impression as well. But that isn't really the case anymore here - you can no longer have anonymous (i.e. only numbered) accounts, and Switzerland is no longer a preferred locations for dirty money.
The ironic thing is that one of those new hot spots, in addition to the usual suspects like Cyprus, the Caribbean, etc., is the USA. Seehttps://www.washingtonpost.com/business/interactive/2021/wyo...for some juicy details.
As far as I know, Cyprus complies with FATCA/CRS as much as anyone else (unless the "anyone else" is, as you say, the US).
It also makes the formation of dictatorships less likely.
South Dakota, USA has entered the chat.
https://www.theguardian.com/world/2019/nov/14/the-great-amer...
A South Dakotan trust changes all that: it protects assets from claims from ex-spouses, disgruntled business partners, creditors, litigious clients and pretty much anyone else. It won’t protect you from criminal prosecution, but it does prevent information on your assets from leaking out in a way that might spark interest from the police. And it shields your wealth from the government, since South Dakota has no income tax, no inheritance tax and no capital gains tax.
Additionally the “international pressure” the OP alludes to is since Swiss banks were the banks of choice international crime, including whichever activity you think might be most heinous.
As far as I am aware, Switzerland had always cooperated with law enforcement requests. Even before FATCA, if your government thought you were cheating on your taxes, all they had to do was present a warrant.
That said, yes, dictators and such were - and are - a problem. They aren't going to prosecute themselves, after all.
By the way, one of the top places unsavory types stash their cash is the US. FATCA is a one way street: US banks don't provide information on their international customers.
Do you know how Swiss financial privacy and credit reporting laws compare with countries in the EU?
Around 36 percent of the Swiss own their homes or apartments, the lowest rate in the West and well below the 70 percent average in the European Union, and the 67 percent in the United States. [1]
I’m sure there are many factors, but I would be less willing to finance someone’s large purchase without more information about their creditworthiness.
[1]https://www.nytimes.com/2023/11/06/realestate/zurich-switzer...
Maybe this is why for the past few weeks I am receiving countless emails from major retailers like Casas Bahia or Americanas and even Magazine Luiza with purchase confirmation listing several smartphones and notebooks whose invoice bare my name and cpf.
I tried contacting every retailer. Only Magazine Luiza seem to have acknowledged the fraud and issued a warning but to no avail, as I am still receiving invoices from them.
I contacted the local police and issued a boletim de ocorrência (which I am not quite sure how to translate) that describes the problem and how I was unable to apply countermeasures.
I am expecting fallout from this. I am really anxious about this whole situation and how I am utterly powerless in protecting my identity.
I’m in the fraud prevention space in Brazil and know the heads of fraud for all these retailers. If you like you can FWD the purchase receipts to zyzzyx26 at gmail dot com and I’ll notify them.
You personally won’t have issues, financially or otherwise. Your email might get blocklisted for some time, and if you make new purchases you might want to use a new/secondary email, but otherwise no issues.
A while ago someone used my CPF and Phone on Magalu and I’m still able to purchase there. I did report it to the head of fraud though :)
WellIam from the fraud remuneration department of Brazil and know the person who pays out compensation for these crimes. Simply send me all your personal information and credit card details and I’ll make sure you get your appropriate payout.
This is a scam.
Excuse me, you're calling me a scammer? I suggest you click on my username and see that it is a very legitimate account, with twice the karma as you to boot. I think you're more likely to be the one scamming! Don't listen to 'Aeolun, everyone!
Look, you are literally posting on the internet, on an anonymous account, that if someone sends you their personal detailsand credit card infoeverything will be taken care of.
Your first reaction should absolutely be that it’s a scam, and only then further evaluate if it might possibly be true because this is HN.
I could have potentially used the word ‘looks like’, but it’s just a matter of degree.
What is your email sir
Not telling you. There are scammers everywhere
How does this fraud work? They buy the goods, and provide the seller some random individual's (your) identity?
I have no idea. There are, however, many official invoices (notas fiscais) being issue in my name. I believe there might also be fraudulent credit cards issued in my name that ate being used, or something like that, which would explain the physical retailers not questioning the purchase. That is why I am expecting fallout from this.
You can check any credit card issued on your name in Banco Central’s Registrato page[0]. Credit card, loans, etc.
However, HIGHLY unlikely they issue a card in your name and purchase stuff in your name online. If they have a card with them, they’ll go to physical stores and leave with the product with them immediately.
Typically (as I said above) they have purchased a stolen CC number online and are using it until it gets blocked or run out of balance/limit.
In any case, there’s zero fallout for you, the victim. These retailers are used to this (0,5% of transactions turn into fraud), so they’ll eventually figure out it’s fraud and they know it wasn’t you. They know you’re a victim too.
[0]https://registrato.bcb.gov.br/registrato/
Edit with the link
I believe there might also be fraudulent credit cards issued in my name that ate being used
As tmcz26 said, it's very unlikely they issued a card on your name, but if that happened, contact the bank's ombudsman AND report it to the Central Bank, as they failed the KYC process.
Stolen ID from one person (ID, name, sometimes using the real person’s email and phone, sometimes creating fake yet similar emails like wildrhythms2@yahoo.com), someone else’s stole credit card number, and a drop address to receive and reship (sometimes deliver direct to the purchaser of the fraud item).
Typically the item is resold for half the price and it’s spoken for. It’s not like they buy to resell later. If they make the fraud they already have a buyer
Something similar happened to me once. You need a valid CPF number (something like a ssn) to create an account on most webshops in Brazil, so fraudsters will use stolen ones. They then proceed to purchase stuff with stolen CCs
I've been on a similar situation once, this is what I did, and I think you're on the right path.
I tried contacting every retailer. Try to reach out to the ombudsman (ouvidoria) and explain your case. Even if they don't actually solve the problem, you documented that you tried to friendly resolve the issue.
I am expecting fallout from this.
Very worst case scenario, the retailers will send the fraudulent invoices to collection agencies and might report you to the credit bureaus.Don't ever pay any cent toward this fraudulent debt. Don't negotiate. The only option is the debt going away as it is fraudulent.It's their money that's on the hook and paying it shifts the responsibilities to you.
Once it hits the credit bureaus, as you already have a Boletim de Ocorrência, and proof of contacting the companies (protocol numbers + dates), i.e. documentation, sue them and ask for damages. It's a simple and common suit that both the credit bureaus and the retailers will want to settle. Make them pay for your time. They don't have any proof that it was your person that made those transactions.
I am utterly powerless in protecting my identity.
Yeah, but the thing is, if the retailers, banks, credit cards, etc. really wanted to avoid fraud, every purchase/subscription would require the same level of protection as a real estate transaction. Everything signed, in-person meetings, upfront payments, banks, lawyers, notaries, cryptographic signatures (hey, we have e-CPF and nobody uses it!). But as you see, 100% fraud avoidance means friction, and no sane retail business likes friction. It's a business decision on their end. They accept risk so they can take your money easier.
If it’s a purchase using Credit Card, absolutely zero chance of going to collections. That’s not how it works. There’s no legal footing for collections and they are not in the habit of creating legal headaches for themselves.
If however it’s a credit purchase (personal loan, crediário, etc) then it might go to collections, then this advice works.
Online purchases though are 80% credit card and 15% Pix/Boleto so it’s unlikely they got a loan just to buy stuff. If they can get a loan, they’ll get the cash itself and run.
Edit: on a Credit Card transaction the burden of evidence is on the merchant. THEY have to prove it was you.
Tell this to MercadoPago. Once I did a chargeback on a fraudulent gift card purchase and months later they sent this debt to collections - they didn't report it to the credit agencies, though. It resolved pretty fast once I escalated the issue to the ombudsman.
There's no legal footing, but they will try.
Given there are 3 credit bureaus, is there a way to avoid having a credit score at one of the credit bureaus? I think that's a way that we as consumers could try to increase competition in the field.
I did some Googling and it didn't seem like there's an easy option.
There is no way to opt out of credit reporting. Lenders report the information to the credit bureaus, typically all three of the big ones, so if you want no information reported, simply close all your credit cards and loans, etc. and place credit freezes on your credit reports.
I don't think that "increased competition" will work here. We are not customers of the credit bureaus. We are the product. The customers are lenders and other people who need your information. From the lenders' perspective, this is all working out fine, largely because the onus for "identity theft" is placed on members of the public as individuals rather than on lenders to accurately verify applicants' identities before extending credit. As many people have pointed out before, "identity theft" is a misnomer designed to pass the buck onto individuals. Ideally, it should be the lenders' responsibility to prevent criminals from misusing your information and to make things right whenever a criminal tries to use your information fraudulently, but right now the onus is placed on individuals.
A better solution would be to have higher standards for identity verification by lenders. That would shift the burden onto lenders to actually verify people's identity before extending credit. Some lenders actually do a pretty good job of verifying people's identities before extending credit in my experience, while others just seem to accept the information given uncritically (as far as I can tell!). High industry-wide standards should help solve this (either voluntarily or mandated by law).
A statutory fine of $50k per compromised account would get the attention of the credit bureaus. (It might drive them out of business, but it sure would get their attention.)
$50k seems at least four or five orders of magnitude too low to be of any concern to them
$50k per record affected, not per occurrence.
And legal conequences for the board members.
For reference, Equifax leaked the personal information of 147 million people (myself included). Multiplying that by $50k is over 7 trillion dollars. In actuality, they were ordered to pay up to $700 million in total which works out to about $4-5 per person. I agree with you, but the gap between what you propose and the status quo is staggering.
So yeah, in this case Equifax would go bankrupt and other companies would get very valuable lesson to spend more money at security side of things. I see no issue here.
I don't want to get ahead of myself but currently that seems to be having an effect on Vancouver AirBnB's as we're starting to see craigslist posts like these :https://www.reddit.com/r/vancouver/comments/17t6tes/posted_o...
I feel like this has to happen. They operate like a private utility company, with little to no other options.
Imagine if they were like password manager apps? We could evaluate all of them, choose what we wanted, and migrate whenever something happened.
As a consumer? No
As a business? Sure, report to the ones you want to
Businesses report data to them. So, you'd have to avoid businesses that report to one. But, they all report to multiple.
Plaid just started a Credit Reporting Agency (what Experian et al are). First company to attempt to compete in the space seriously in a long time.
is there a way to avoid having a credit score at one of the credit bureaus?
Without it (also without a sufficiently high number), most avenues to housing are cut off
The problem is that we are not the consumers. They receiveourdata from all the companies we do business with. You would have to figure out on a case by case basis all ties relating to the credit bureau. Probably if you never got a credit card and never took out a loan, you would be somewhat protected from their "research."
My Experian was hijacked, unfrozen, and used to get a $100k loan from Ford Credit. Took me ages to clean up. Bastards.
Not a lawyer but this just screams legal action. Their systems clearly aren't sufficiently secure to prevent large scale fraud
There have been a couple of class actions, doesn't seem to have changed the outcome though.
Because like always, the punishment for the rich playing games with our lives is a negligible fine 1/10000th the profit they make selling your information to anyone with a buck.
I mean, the last time the settlement was like $27 per person in the suit?
And the form togetthat settlement meant giving some random authority more personal information than these companies even have.
I would keep going too.
used to get a $100k loan from Ford Credit
This sounds like it was used to get a vehicle - which are fairly trackable things. How did the ordeal unfold and conclude?
Sameexactthing happened to me. I only dealt with the various credit agencies and Ford. And I had to make a police report to my local PD despite the crime occurring at a dealership across the country — the officer was very kind, and made clear that they would doliterally nothingother than produce the case number I needed for the credit agencies.
I wonder if Ford in particular is more susceptible?
In any event, I’ve no idea whether a law enforcement eventually looked into it. But the sense I got was no one was going to do a damn thing.
(Oh and Progressive, because they got insurance for the vehicle in my name and also didn’t pay that. But it was 1000x less dollars, literally, so when I told the debt collector “lol not mine” they just went away).
Yeah, afaik, most Police won't do anything with this. My spouse's id was used to rent an Oakland luxury appartment in 2021, along with opening a credit union account and trying to open an amex. Thankfully amex called to check because there was already an account opened, and we were able to get the credit union account closed before it was usable, but the apartment complex seemed unable to do anything and Oakland PD didn't do anything other than acknowledge the report, they wouldn't return calls from our local PD either. IdentityTheft.gov is also a black hole.
Credit freezes are a joke, because if you have a person's credit report, you have enough information to cancel the freeze, even if you can't temporarily thaw it. Still, maybe it's better than nothing, so might as well. But it's then a pain if you need to interact with the credit system; some of the bureaux have such poor systems that your accounts will regularly not work; anyway, credit issuers don't tend to tell you what bureau they'll pull from until after they pull, so may as well unlock the big 3 before you do anything; and batch all your credit increase requests together.
Most likely the perpetrator immediately sold the vehicle, leaving yet another victim in their wake.
The worst part of such an experience is that once you've reported a case of fraud on your credit report, if you at a later date want to open a new bank/credit/whatever account somewhere then you have to jump through ridiculous hoops, or will simply be denied outright because they won't believe that you're who you are since your PII was flagged in the past.
Sounds great, I how do I sign up for this ahead of time?
This sorta happened to me, except as soon as I got an email from Experian that my email address had been changed, I got to work talking to customer service to get back in. The CS rep had “no record” of anything out of the ordinary happening, just a regular email address changed “initiated” by me, when instead it was this brain dead system they have where anyone with the relevant SSN and security question info can register your account anew with a different email.
Once I got back in I saw credit pulls and immediately contacted the companies to figure out the car dealership in question, then called them to let them know that they should under no circumstances sell that car.
The fact that we haven't nationalized credit reporting absolutely baffles me. These companies have so much power over our lives, are completely unaccountable, and are so incredibly incompetent.
Yes and then people claim the social credit scoring system in china is a dystopian hellscape. I happen to think it’s far less dystopian that privately run financial credit reporting agencies.
I think social credit scoring is another level closer to hell.
Isn't is pretty much the same thing in the US, where financial and social status are more or less equivalent anyway?
Your score isn't affected if you jay walk, so no.
The whole credit rating system as it is in the US seems complete ass-backwards to me. It basically encourages people to go into debt to build a history of paying it back in time.
Here in the Netherlands it works exactly the opposite: the best 'rating' is to not be in the system at all. When you get a loan, the amount and monthly payments are registered. This registration is removed once you have paid back the loan.
When you ask your bank for a loan, they basically look at two things: how much is your income and how much are your current financial obligations (i.e. existing loans). Cost of living is subtracted from your monthly income, as well as the monthly payments of your existing loans (from the national debt registry). What's left is how much (additional) monthly payment you can afford. If the monthly payment for your newly requested loan is above this number it will be refused.
As such there is no such thing as a good or bad rating, only what you can and cannot afford.
There are a million things broken about the American credit reporting system, but I'm going to try to make a case for one very specific part of it:
how much is your income and how much are your current financial obligations
This doesn't work if your income doesn't show up in the government's system. For example, if your income comes from illegal activity. Crime is bad and you shouldn't do it, but crime is an economy and some people really don't have a better option. If your income comes from criminal activity, getting boxed out of the consumer financial system isn't helping you towards any avenue where crime is no longer the best option.
This doesn't work if your income doesn't show up in the government's system. For example, if your income comes from illegal activity.
It's not a government system. Banks will typically ask for a payslip.
For example, if your income comes from illegal activity.
You think banks are going to give you a loan if your income is from criminal activity? That's cute. Banks are required to report suspicious activity and the last thing they want is even the appearance of being involved in money laundering. It's a problem for certain professions, like sex workers (which is a perfectly legal occupation here) as they mostly get paid in cash and often deposit large amounts of it they are an obvious channel for money laundering and as such they have a hard time just getting a bank account, never mind getting a loan.
It basically encourages people to go into debt to build a history of paying it back in time.
How do you propose a third party can establish your ability AND desire to pay back a loan, i.e., determine how much risk there is in lending to you?
As such there is no such thing as a good or bad rating, only what you can and cannot afford.
This is a completely naive line of thinking. Maybe you CAN afford a loan, but WILL you pay it back? Ah, you might say, the bank will remember that and refuse to loan you money next time. Congratulations, you've invented a system of credit worthiness.
Right, so as a solution to them having: too much power over our lives, being unaccountable and incompetent. Is:
Giving the backing of the state over their actions. Move from being accountable to government to _being_ the government. And the competency of giant public bureaucracies!
Years ago I worked in the industry and I totally agree. Fair Isaac in particular has enormous power as basically the only source of models people use, and they are very opaque.
FWIW
1. Freeze all your credit with experian, equifax and transunion
2. Opt out of them selling your info:https://consumerprivacy.experian.com/https://myprivacy.equifax.com/opt-in-opt-out/personal-infohttps://service.transunion.com/dss/ccpa_optout.page
Did this earlier this year. Its super easy to do. And recently had to temporarily unfreeze everything to open an account. Also very easy.
All free. 1 of them tries to upsell hard but can do all for free. I think a law passed in 2019 ish forcing it to be free.
The one that tries to upsell hard is so annoying, I can't be arsed to go find it right now, but the other two make it so easy, yet the one that tries to upsell, its like every other click takes you to a "input your credit card" screen.... Seriously annoying.
Just had to deal with this for the first time in the last two weeks when someone tried to open a fraudulent account in my name... Interestingly, this happens for the first time in my life 2 months after I had to write down all my personal information to get a 0% APR credit card from a jeweler store...
It should be a default frozen system, not a default open system.
Its experian.
thanks i did this back in 2017 when the leaks happened and it was most definitely not easy and cost money, time to take a new look
Experian allows unfreezing via their site in the article. If someone can easily recreate your account, they can unfreeze it which makes it pretty useless.
Yes, but if you have an account you’ll at least get an email notifying you that your account’s email address has changed (as a result of someone recreating your account). That’s how I was tipped off to someone trying to buy a car in my name (by pulling on the thread of calling customer support asking wtf I got that email). So it’s very useful to at least have an Experian account so you can know when someone is trying to go after you this way.
Now granted, it’s possible that the attacker won’t change your email address first, in which case I’m not sure if you get an email stating that your credit was unfrozen. But it’s likely they’ll change it in order to make it harder for you to mitigate the damage in a timely manner.
Exactly
I just tried to visit the Equifax link you provided, and I got an error page. Amazing.
Oh man, actually looks like Equifax's entire website is down? Ouch.
Just tried this for equifax got this message. I live in Washington state.
We've encountered an error Sorry, this service is not currently offered to residents of your state. If you need further assistance, you can call Consumer Care at 1-866-295-6801 during our regular business hours 9 A.M. to 9 P.M. ET Monday to Friday, and 9 A.M. to 6 P.M. ET Saturday and Sunday except holidays.
The fundamental issue here is that maintaining security is expensive, and it is cheaper to just deal with occasional hacks. The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It is not that expensive. It is a couple pennies per pull (of a credit report/file) for somebody seeking identity proofing to use knowledge based authentication (the usual “where did you live, are these trade lines you?”). It is $1.50-$2.00 per proofing attempt with the government credential using ID.me or stripe identity. The problem is that no one is incentivized to slightly increases costs to reduce fraud because the burden falls on consumers instead, and credit reporting agencies don’t want to see their moat and revenue stream cannabalized. Bit of a public good Innovator’s Dilemma.
TLDR A better national digital identity story makes this problem go away.
(responsible for customer IAM including identity proofing at a fintech, doing some lift for Login.gov independently as a citizen activist)
ID.me supports hardware 2FA, including Yubikey.
More importantly, they can require you provide a government ID and perform a liveness selfie check. This is the gold standard for remote identity proofing. Onboarding secure authenticators is best practice to bind digital identity to IRL identity when proofing occurs and identity assurance is high.
I think we should be askinghow to design the procedure for when someone calls and claims they forgot everything and lost everything. An attacker can always call in and say this, and we'll need to call in and say this if we've been attacked.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.
I would imagine that most of the data for the ID checks based on public records (where did a person live; own a car/house/boat; ...) are trivially handleable.
Just takes one person to leak the database, which is probably only a few TB compressed) for all of the US and fits on a single HDD/SDD.
I would be surprised if these DBs aren't already sold on the darknet. And this DB doesn't have to be super up to date b/c security questions often go back years.
Interpreting the DB should be easy to hardcode but even easier handled with an LLM.
So the protection afforded by these checks is IMO at best nominal.
The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It's notable this issue (verification by SSN) doesn't affect GDPR-land - the GDPR has fines of up to 4% of global turnover.
Fines for what? For getting hacked?
This isn't a "hack," this is pure almost malicious incompetence by everyone in the Experian security chain, straight up to the CISO herself.
They should absolutely be fined and punished harshly even beyond that. If SBF can go to prison, so can the CISO of Experian.
maintaining security is expensive
This might be somewhat true (it's certainly more expensive than not having security) but when your entire business is around making assurances based on people's identities, you'd assume that they'd put more effort into making their services secure. And if it's too expensive to do it securely, then maybe we should start to question whether such a service should even exist and deserves to store a lot of personal and private information.
I’ve received two data breach notices in the past week, one from my healthcare provider and the other from the bank that holds my mortgage.
In both instances they said to lock my credit, and provide free credit monitoring for a year.
I find this egregiously insufficient to the point where I think we need more regulation in this space. They should provide lifelong credit monitoring and full insurance on any financial fraud that now occurs on my behalf, as well as immediate presumptive financial compensation.
That aside, the root cause here is that identity in the U.S. is a dumpster fire. We have no distinction between unique identifier (SSN) and secret (also SSN). Every other security question is just another version of the same factor type (something you know) which is easily accessible to scammers.
There is quite literally no agreed upon way to prove you are who you say you are.
We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
I believe that the consequence of ignoring this problem is at least tens of billions of dollars in GDP annually lost to fraud. And perhaps more importantly, it’s an insidious erosion of our status as a country of laws.
We need DMVs to begin issuing IDs that are physical with digital capabilities
The problem is that there is a very vocal segment that views such things as "government overreach" through to the literal mark of the devil.
And then there are the challenges of issuing them. There are states (the same states, typically, who shut down voting locations in working class areas and defund their DMVs) who will fight tooth and nail about having to implement this in a way that is free to all.
Feds could also do it using Passport card and DoD does it with CAC cards so Federal government knows how to do this.
You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse. After there is a US equivalent of the GDPR that lets me prevent the surveillance industry, including the traditional financial surveillance industry, from unilaterally creating dossiers about me, then we can talk about better implementations of identity verification. Until then, that dumpster fire is the main thing holding back the surveillance industry from pushing identity verification for ever more routine things like opening online accounts or buying groceries.
Real ID is whole 'nother can'o'worms
OTOH some other states should be able to do it. They just need to agree on a standard and then motivate creditors to make use of this standard.
> We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
And how will all this magically work online? Answer: you'll have to provide whatever digital secret gives you access, just the way you provide your SSN now. Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
Loads of ways to do digital attestation but they all involve some 3rd party being the trusted source of truth. Typically this would be the DMV or other government branch and at this point a few red flags start to go off: dmv isn't known for it's competence and I'm not really thrilled about them getting hit to confirm my identity for pornhub.
This is a REALLY hard problem to solve unless you take a "privacy must be sacrificed for the greater good" mentality.
https://news.ycombinator.com/item?id=29834753I was shocked to learn that last year about the level of detail they had.
1. All your mortgage, credit inquiries and bank account names
2. All your previous addesses and perevious employers
3. Your MONTHLY salary and combined comp per yer going back to 20XX when I came to the US.
4. Dates of employment per employer, bonus, overtime, RSU comp
Does Experian and Transunion have that too, and can we block that as well?
Yes, and no. I would note that they are definitely not alone and are much better scrutinized than the other data vendors you’ve never heard of that have much more detailed and person data about you.
The credit agencies however offer you a real and valuable service. Without credit history it’s impossible to get credit. It’s also harder to get jobs and to rent. So while it’s creepy, at the very least you gain some demonstrable advantage and benefit.
The data brokers and vendors however collect without your permission or knowledge, compile much deeper profiles of you as a human being and what you do and enjoy, along with these other details, and sell it for a profit you never get a share of.
Perhaps one day we will have a functioning legislative branch and from it will come a real privacy bill. I’m hopeful it’ll be better informed than the EU ones by taking lessons learned. But I hope for a lot of stuff, like world peace and cures for cancer.
“The credit agencies however offer you a real and valuable service. Without credit history it’s impossible to get credit.”
I think I generally agree that this is a reasonable service, however the main reason you can’t get credit without a credit history is these services exist that can provide credit history to lenders. It is bizarre to think that loans would not exist without these services.
Loans did exist before credit, but it was almost always loans from friends/family or by providing a large down payment to the bank you wanted a loan from. You needed to be a known and upstanding member of the community to get a loan for anything substantial.
And technically, you can get many loans today without a credit score. For example, there are bank statement mortgage loans, but they have caveats like:
- you will go through manual underwriting and will likely need to show records of payment history on any existing debts, including utilities, insurance, rent, etc
- They will likely need the contact information for each one of your previous debts to verify it manually
- When they run a quote, you will typically be considered at the lowest credit score possible for that program - typically 620 for a conventional loan or 500 for FHA. This means you'll be getting the worst rate possible
- You'll likely need a 20% down payment, depending on if any of the PMI automated underwriting systems even give you a quote with such a low "fake" credit score. The lender might ask for more of a down payment depending on their own risk assessment.
- The lender (or whoever buys your loan) will report your new account to the bureaus, giving you a score.
Additionally, while it may suck, and maybe there is some other emergent reality that sucks less, we practically live in this one. Don’t cut off your nose to spite your face.
Salary/compensation is not actually provided via your credit report to companies who perform a hard inquiry. If you look at your annualcreditreport, that's exactly the data the inquirer receives, and it just has your start date and company.
3. Your MONTHLY salary and combined comp per yer going back to 20XX when I came to the US.
You work at a big company. Your employer is choosing to sell this information to credit bureaus.
I first learned about this practice in the mid-2000s. Like you, I was quite surprised, but they didn't have any data on my own income or assets yet, and I resolved never to work for an employer that would engage in this type of business practice.
I think employers should be legally required to disclose and obtain written consent to sell your income data, but beyond that point, it's really on you to decide what employment arrangements you are willing or unwilling to accept. It's sad that you had to find out this way given how easy it would be for these employers to just disclose it upfront. I'd recommend looking for a different employer.
How is Experian not sued out of existence for their total failure to protect their customers? I just don’t understand what law allows organizations that compromise large portions of entire societies to continue.
We're not the customer, we're the product.
But why can't people successfully sue for libel/slander/defamation by individuals when they give false damaging information about the individual to creditors?
Those types of suits generally hinge on proving malicious intent
Malicious intent is the standard for public figures. The vast majority of people in Experian’s database are not public figures.
One of the best ways to affect this is to make complaints to the CFPB. They are the regulatory body that is responsible for making sure the credit bureaus aren’t harming consumers
They didn't even ask me to verify my phone number when I entered it. Anyone with my SSN and phone number from an all-too-common data breach could easily pretend to be me and unfreeze my credit file.
That's criminal-grade negligence.
I’m guessing this will continue to happen until, I dunno, some the execs at Experian continually have their accounts compromised in the same way again and again.
The execs may be incompetent, they're probably not stupid, though- they don't use that shit.
If you have any sort of Experian bureau activity, you're at risk by this issue whether you manage your profile with this site or not
This isn’t an opt-in service. It’s a dragnet surveillance system. All it knows is slurping up data. Are there case statements all over the codebases to exclude the execs of three different companies and congress?
Yes, it sure would be a shame if, I dunno, some execs at Experian were to experience some of the same issues that so many others have - due to the existence and ... 'management' oftheir own business...
Why, going through such trials,ex opere operantis,might just sour a 'true believer' in the "invisible hand" on the wholenovus ordo seclorum.*
Hahahhahahaha! Urghk, briefly part-swallowed my tongue from laughter, excuse me...
* As the undoubtedly distinguished graduates of Yale SOM, for example, might phrase it
Unfortunately, the people in charge of these systems have enough money to hire people to do all of this crap for them. They don't do their own taxes, they don't open their own credit cards, they don't negotiate their own mortgages or car loans, nothing. They just tell their butler or financier or real estate agent or whatever "Go get me an X" and that other person deals with all the shit. Being the target of identity fraud just means they hire another gofer to deal with it full time for six months which costs them so little money, relative to their wealth, that's it's not even worth thinking about. And they're not evenusingtheir own credit, most of the time, they're using the "credit" of some shell corporation or limited liability corporation or trust or whatever other financial bullshit they hired a dozen lawyers to set up to commit tax fraud. So no, they experiencenoneof the shit they perpetrate.
How does Equifax or TransUnion handle the case where someone else creates the account before you do?
You try to sign up correctly, then it emails the fake persons email for permission? How does that make any sense.
"Hello scammer, John Doe would like to access his Equifax account. Do you want to give him permission?"
I agree the Experian way is not good either, but how is the above handled?
How does Equifax or TransUnion handle the case where someone else creates the account before you
I can speak for Experian. If you already registered the account, and someone else knows your SSN and the answers to the credit bureau security questions, then _they_ get to register your account. You as the person who originally registered will get an email that your email address changed.
Supposedly the thinking is that they want to make it impossible for someone to truly be locked out of accessing their own Experian account, so they just let you do these stealth registrations as long as you can answer all the security questions. Clearly they need a better solution.
Thank you yes but isn't this the topic of the article we're commenting on?
Do you need to sign up for any of these services? Sounds horrible all around to me (not from the US)
Do you need to sign up for any of these services? (not from the US)
They already have the well-shared data that determines much of your life. Signing up is so you can glimpse it too.
The best outcome is to have minor fraud (someone tried and failed to open an account in your name, or your name+address appears in a data dump somewhere) occur because then you can register a fraud alert and credit freeze in all the agencies which stops a lot of nonsense (random junk mail, risk of actual fraudulent accounts getting established) for a year or so by enforcing extra authentication steps.
I wish I could put a permanent fraud alert on my credit accounts, but would probably have to hire a lawyer or something.
Correct me if I’m wrong, but I’ve signed up for all 3 bureaus and enabled the credit freeze. My understanding, and experience years later, is that it is still frozen. I had to unfreeze a specific one last year for an auto loan.
Is there something else I’m missing that’s only temporary?
If someone hijacks your account they can unfreeze your credit. It’s easy to hijack accounts.
I understand that, I’m curious if reporting fraud activity helps prevent that in some way like the parent comment seems to suggest, if only for a year.
The fraud alert adds a requirement that potential lenders call a phone number added to the credit file to authorize new loans/accounts, making it significantly less likely that fraud can take place.
Experian reminds me of enshittification, except it never had any interest in providing actual value to the general public to betray, so started off one step further along the process in a way.
No individual in a personal capacity ever wanted to do business with Experian, like they wanted to buy an iPhone or something. You're introduced to the unpleasant fact of its existence at some point. They don't have anything you want, you're the product from the start, and you don't have to walk into their net, you're probablybornin it.
Every time I log into experian.com, I am greeted with an offer to "upgrade" my account for $0.00. At the top is small text that says "Try Experian CreditWorks℠ Premium for 7 days for free, then pay just $24.99 each month†. You may cancel anytime if not satisfied."
First of all, $25/month for an Experian product? I can't possibly fathom how anything they provide can be worth even 1/100th of that. That price just absolutely blows my mind.
But worst of all, they proudly say it is $0.00 and have the pay button the most prominent. How many people get roped into this? They are just slime all the way down.
Why is it legal for a credit bureau to us charge money to monitor their potential mismanagement of our credit? It's literally blackmail.
We're amidst the proliferation of a class of entity that Joe average doesn't quite have the political vocabulary or tools to deal with yet;
Things that deal inyou.
They make money from you, indirectly.
You have no business or social relation with them.
You didn't vote for them.
They have immense power to harm you.
You have no recourse.
You may not even know they exist.
Until recently this was the preserve of a few government agencies that had a very narrow focus on a few "persons of interest". Today it is every dime store startup in "big data", search, spammers, social network, and the entire grubby, yellow maggoty underbelly of "surveillance capitalism" and all the mushrooms that grow on it.
So far the promised "benefits" of this have never materialised. Will we be able to keep pretending "nobody cares" as public awareness, and governments' will to enact legislation grows? At some point surely "credit agencies" and their ilk will essentially be outlawed under a dozen different digital rights acts.
This all goes back to the social security not being changeable and morphing from some thing to claim benefits with to it being your universal password.
In contrast, I lost my drivers license and in order to get a new one I had to go the DMV in person and put my thumb print on a biometric scanner which pulls up my picture for the DMV person to look at before they authorize the request. I can also file an affidavit of identity theft with a police report attached and they will give me a new license and A NEW DRIVERS LICENSE NUMBER. The federal government trying to shoehorn an unconstitutional universal identity system into social security is the source of all this nonsense.
I was somewhat surprised to find that when I got my driver's licence at 39, it was the same number as the non-driving ID card I got issued at 18. So at least Arizona doesn't seem to be eager to hand out new numbers.
They won't hand out new numbers unless someone has actually used your drivers license fraudulently and you've filed a police report. Seems reasonable enough.
go the DMV in person and put my thumb print on a biometric scanner which pulls up my picture
How does the state have your fingerprints on file?
Maybe naive question: if you never create an account on any of the credit bureau websites, would you be less likely to be an identity theft subject?
You have a hidden credit record anyway, AFAIK. But I'm no expert.
I think as long as they can get name and date of birth they will have credit report.
Then as far as you know, someone else has already done it in your name.
In most contexts, providing false information about someone in a way that harms them is slander or libel. I think we need to revisit whether credit reporting deserves to be exempted from that, and under what circumstances.
Absolutely. We should be able to successfully sue credit rating agencies for monetary damages if they tell a lender false information about us and it causes us to not get a loan or have a higher rate than is warranted. It should not matter whether they know it’s false. The harm happens regardless of whether they were negligent or malicious.
This sets a dangerous precedent. If you won, it would apply to all defamation/libel/slander cases, not just credit reporting agencies. News agencies could be sued for saying anything about someone if it later turned out to be false. Defamation laws are already on the brink of unconstitutionality.
Actually, the way they work is "x company told me y person has <this account> with <these details>". For non-celebrities, it is only defamation if it amounts to at least negligence in verifying these facts - i.e. negligent only if they have reasonable knowledge to believe the information is false. When you report to the bureaus that an account is fraudulent, that is effectively giving them notice that the account in question is not actually yours, and by removing it from your report, it's relieving them of the liability of spreading such defaming information in the future.
There’s a petition on resistbot now to get some legislative eyes on this issue
I'm seeing this for the first time given I'm not from the US, but its reach seems limitedhttps://resist.bot/petitions
In Germany there is Campact for example which usually crosses 200K signatures per petition, if something like this doesn't exist in the US then I think someone with money should create it or promote an existing solution like OpenPetition to enough recurring signers
I'm not sure what you mean by limited reach, but for added context: Resist Bot is an automated service that can be used to contact elected officials in the U.S. Believe it or not, some elected officials actually pay attention to what their constituents say when writing to them.
i froze my credit across all providers a few years back. only experian failed with silly bugs. tried again just now and it worked. progress!
Did the same, but it looks like this security issue would allow someone to just unfreeze before taking a loan in your name.
true. one hopes they also improve their opsec over time. would it be better to not freeze?
This happened to me and I ended up calling them to get them to reset my email. It hinged on me answering security questions correctly. Which btw, some of these were also wrong since my identity thief changed some addresses on my credit report. What a fucking mess
What even is the next step if everything's been changed?
Not a lawyer, but I wonder if Tortious interference Laws can be used by individuals to file civil lawsuits against credit reporting agencies ?
In my head I am interpreting the law like this: Credit Reporting Company negligence "interferes" with a person being able to obtain a loan.
https://www.ftc.gov/legal-library/browse/statutes/fair-credi...
IANAL either, but it seems the losses suffered from ID fraud are only recoverable via this.
I still find it infuriating that the punitive settlement for giving away extremely sensitive information was only... $34.34 per person impacted.
Why even have laws or fines if they're so toothless?
That's the point. Politicians get paid (donated, contributed, whatever) to vote businesses' laws to benefit the business, not you. Toothless laws make a good sound bite but do nothing to help you.
I tried to log into their website the other day to just get my profile set up and see what was going on in my account. Their site was so broken, I couldn't even get logged in. How is anyone going to become me if I can't even become myself?
To become you, I just have to go through the channels that Experian customers use. You were not using the channels that Experian customers use. You were using the channel that Experian liabilities use.
That’s why we need the threat of the corporate death penalty
And punishments that involve the personal freedom of the C-suite members.
It's not just Experian. We publish an article every couple years or so with the same content and just the names changed:
https://qbix.com/blog/2021/01/25/no-way-to-prevent-this-says...
https://qbix.com/blog/2023/06/12/no-way-to-prevent-this-says...
And then of course there is this:
SIM swapping - someone can just steal your SIM and then get into a lot of accounts
https://www.bloomberg.com/news/features/2023-08-04/teen-game...
Amazon - someone can just take over your account
https://www.reddit.com/r/cybersecurity/comments/hsj4x8/my_am...
Apple and Amazon together, they can take over ALL YOUR ACCOUNTS (the most terrifying read):
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
I recommend toeveryoneto use aemail aliasat gmail or a similar service, different once for every site, instead of your actual email, as the login to Amazon and other services. That way the attackers can't guess your actual login, let alone your password.
Also, enable the SIM lock on your SIM! This will help prevent someone from receiving verification codes if they stole your SIM card.
This makes me feel pure rage. The execs should be thrown in prison and the keys should be thrown away with them. Punish this at the highest levels, severely. The government needs to make examples out of them.
What even is the CISO doing? Sitting on her thumbs for a year?
I would pay so much money to make these companies go away.
Maybe it is designed like this on purpose.
They should be suspended from being able to do business with this kind of bs and their track record. I wonder if any of this violates people's FCRA rights, in which case that's a lot of fines.
hello
Yet another reminder that account recovery is the weakest link in the security chain for online accounts. Consider all the work going into new tech such as passkeys -- none of it matters if it's possible for janky account recovery techniques to punch a hole through flawless authentication standards. Unfortunately, companies have come to expect that a large number of their users cannot be expected to reliably store and retrieve their login credentials, whether in a password manager or their head.
God this is so frustrating. I saw multiple ads today on TV for Experian's debit card. Wool over the eyes and a brand grab for "the Experian promise" or whatever it was
I've been getting mail that is a variation of my name, wondering if someone used my identity damn. I did put some lock thing on my credit so it's harder to open new accounts, forget what it's called.
I have stuff like credit wise, karma, etc... have not seen weird/unknown accounts so hopefully I'm good.
I noticed this as well... you didn't even need to verify the phone number you enter to sign up as someone else when I last checked.
It's unbelievable
Sounds like the beginnings of a class action.
Bet they stole his information from setting up the Experian account to begin with.
There needs to be a better alternative to credit reports. They only exist because banks and lenders could no longer discriminate on race directly, so they created a roundabout way to discriminate based on "credit score", which happened to be worse for the people the wanted to exclude in the first place.
Not as easy on Fox News:https://www.youtube.com/watch?v=2p0J65FOIgQ
I'd like to see Experian shut down at this point to send a message to the rest.
I am still livid on a weekly basis when some strangers create an account for a service using my email address (non-maliciously, usually); I get a "verification" email; and I can only choose "YES, Please verify", or ignore at my peril.
From tiny little mom-and-pop shops, to FAANG giants, nobody is giving me the opportunity to say "NO that's NOT me!". And though it's a "verification" email, typically account is usable and vast majority of functionality is allowed even without verification. So I get to vicariously and angrily "enjoy" the follow-up emails and updates while the users gamble, purchase, sell, review, invest, write, game et cetera using my email address.
Boo to this, I tell ya, boo!