Given there are 3 credit bureaus, is there a way to avoid having a credit score at one of the credit bureaus? I think that's a way that we as consumers could try to increase competition in the field.
I did some Googling and it didn't seem like there's an easy option.
There is no way to opt out of credit reporting. Lenders report the information to the credit bureaus, typically all three of the big ones, so if you want no information reported, simply close all your credit cards and loans, etc. and place credit freezes on your credit reports.
I don't think that "increased competition" will work here. We are not customers of the credit bureaus. We are the product. The customers are lenders and other people who need your information. From the lenders' perspective, this is all working out fine, largely because the onus for "identity theft" is placed on members of the public as individuals rather than on lenders to accurately verify applicants' identities before extending credit. As many people have pointed out before, "identity theft" is a misnomer designed to pass the buck onto individuals. Ideally, it should be the lenders' responsibility to prevent criminals from misusing your information and to make things right whenever a criminal tries to use your information fraudulently, but right now the onus is placed on individuals.
A better solution would be to have higher standards for identity verification by lenders. That would shift the burden onto lenders to actually verify people's identity before extending credit. Some lenders actually do a pretty good job of verifying people's identities before extending credit in my experience, while others just seem to accept the information given uncritically (as far as I can tell!). High industry-wide standards should help solve this (either voluntarily or mandated by law).
A statutory fine of $50k per compromised account would get the attention of the credit bureaus. (It might drive them out of business, but it sure would get their attention.)
For reference, Equifax leaked the personal information of 147 million people (myself included). Multiplying that by $50k is over 7 trillion dollars. In actuality, they were ordered to pay up to $700 million in total which works out to about $4-5 per person. I agree with you, but the gap between what you propose and the status quo is staggering.
So yeah, in this case Equifax would go bankrupt and other companies would get very valuable lesson to spend more money at security side of things. I see no issue here.
The problem is that we are not the consumers. They receive our data from all the companies we do business with. You would have to figure out on a case by case basis all ties relating to the credit bureau. Probably if you never got a credit card and never took out a loan, you would be somewhat protected from their "research."
Experian reminds me of enshittification, except it never had any interest in providing actual value to the general public to betray, so started off one step further along the process in a way.
No individual in a personal capacity ever wanted to do business with Experian, like they wanted to buy an iPhone or something. You're introduced to the unpleasant fact of its existence at some point. They don't have anything you want, you're the product from the start, and you don't have to walk into their net, you're probably born in it.
We're amidst the proliferation of a class of entity that Joe average
doesn't quite have the political vocabulary or tools to deal with yet;
Things that deal in you.
They make money from you, indirectly.
You have no business or social relation with them.
You didn't vote for them.
They have immense power to harm you.
You have no recourse.
You may not even know they exist.
Until recently this was the preserve of a few government agencies that
had a very narrow focus on a few "persons of interest". Today it is
every dime store startup in "big data", search, spammers, social
network, and the entire grubby, yellow maggoty underbelly of
"surveillance capitalism" and all the mushrooms that grow on it.
So far the promised "benefits" of this have never materialised. Will
we be able to keep pretending "nobody cares" as public awareness, and
governments' will to enact legislation grows? At some point surely
"credit agencies" and their ilk will essentially be outlawed under a
dozen different digital rights acts.
Every time I log into experian.com, I am greeted with an offer to "upgrade" my account for $0.00. At the top is small text that says "Try Experian CreditWorks℠ Premium for 7 days for free, then pay just $24.99 each month†. You may cancel anytime if not satisfied."
First of all, $25/month for an Experian product? I can't possibly fathom how anything they provide can be worth even 1/100th of that. That price just absolutely blows my mind.
But worst of all, they proudly say it is $0.00 and have the pay button the most prominent. How many people get roped into this? They are just slime all the way down.
Of course, we aren’t the customers for these spying companies. But it is surprising that the total lack of security isn’t a deal-breaker for their actual customers. I mean if you can basically impersonate anybody using this service, what is the point of using it?
Even the term "identity theft" needs to go. My identity wasn't stolen! I'm still the same person. The bank got tricked by a scammers and somehow the bank tries to make that my fault.
Edit: Imagine this the other way around! Grandma gets scammed by someone pretending to be her bank. So the bank's identity got stolen. So now the real bank needs to fix it, provide more proof of identity to all customers and jump through all kinds of hoops to not owe grandma crazy amounts of money.
Yes! I’ve been saying this for years. The whole framing is a victim blaming dodge, when the two bad actors are the crooks and whoever made the loan with insufficient ID.
It isn't blaming the victim. I think they meant something else but worded it that way. What they meant was 'redefining the victim'. The victim is the bank, who got defrauded. They then call it 'identity theft' instead of 'bank fraud'.
I think it is a reasonable inference given the context and the description and that it makes sense to think of it like 'victim blaming' because mixing common parlance with legal terminology often results in similar confusions (for instance breaking and entering is a legal term which does not have to involve breaking anything, and assault in common use means physical contact but legally it does not have to).
In any case if it meant literally 'blaming the victim' it makes no sense at all, so either we give the benefit of assuming the poster is able to make coherent statements or we don't.
it's not about blame, it's about responsibility. "identity theft" implies that your identity is a thing that can be stolen from you, and you need to be responsible for preventing it from being stolen.
instutions should be respomsible for protecting themselves from fraud, they shouldn't need me to protect them from my identity being used in an unauthorized way.
I think the point that's trying to be made is, the traditionally recognized 'victim' is not the actual victim. The person whose "identity" was "stolen" is not a victim, the bank is. What was stolen was money--from the bank. But, we've designed our system, laws, contracts, etc such that the third party who was not involved at all has all responsibility of cleaning up the mess shoved onto them
I think you're imagining the ID thief going to the bank and withdrawing your money from your bank account (which probably happens too). I also think your analogy of a "friend" isn't right... you are the bank's PAYING customer... you pay them to secure your money and only give it to you! If they fail to provide the service they're offering to you... seems like they ought to be responsible for their failure.
But another, more common scenario here is that I convince the bank that I'm you and get a credit card or loan from the bank. Now the bank is knocking on YOUR door asking you to pay them back for the cash they handed to some random person... but they're the ones who messed up by giving cash to a random person and not verifying that they are who they say they are!
You aren't really involved... the bank messed up by going "Oh you say you're Bob? Okay here you go!" Why is it your fault that they failed to accurately verify the identity of the person they gave THEIR money to? You didn't play any role in them deciding who to give their money, nor in their ID verification procedures.
> I think you're imagining the ID thief going to the bank and withdrawing your money from your bank account (which probably happens too).
No, I'm imagining a scenario where the things used to identify me to service providers is taken by someone.
> I also think your analogy of a "friend" isn't right...
I didn't mention a friend.
> you are the bank's PAYING customer... you pay them to secure your money and only give it to you!
I agree, but as per my analogy, the car's owner has had their car stolen.
> If they fail to provide the service they're offering to you... seems like they ought to be responsible for their failure.
As per my analogy, I'm not saying that the car shouldn't have been secured, nor that the storage provider shouldn't make the situation right via insurance etc. Only that the car owner is the one who is a victim of car theft.
> You aren't really involved... the bank messed up by going "Oh you say you're Bob? Okay here you go!" Why is it your fault that they failed to accurately verify the identity of the person they gave THEIR money to? You didn't play any role in them deciding who to give their money, nor in their ID verification procedures.
The bank being at fault doesn't mean the victim's identity wasn't stolen.
All of these objections seem to assume that if someone has something stolen, it was their fault. That's not true, and that assertion is what I'm objecting to.
If identity theft were to get so common that the data became statistically unreliable, we would be long past the point that even Congress would feel compelled to do something about it.
There’s no such thing as identity theft, it is impossible to steal an identity, the person still has their identity. It is impersonation. The victim is the entity that has fallen for the impersonation (likely a bank, etc), the perpetrator is the one who did the impersonation, and the impersonated person is just some uninvolved third party.
I know it is pedantic but it is important to keep in mind because dumping the need to seek redress on the uninvolved third party is ridiculous, so we shouldn’t use language that plays into that point of view.
100% agree, except the impersonated person is impacted when their credit score eventually gets screwed and they can no longer get loans themselves. So, in that regard, they are also a victim.
Although I think it is more accurate to call them a victim of something like slander by the credit agency, in that case. I mean, I’m not sure exactly what the laws are around slander, I wouldn’t be surprised if there was some cutout for cases in which the person actually believed the lies they were repeating, but if an organization represents itself as an expert in people’s trustworthiness it obviously has a heightened responsibility to verify what it is repeating.
My understanding is that in most cases, slander/libel is never a crime anyway.
It's merely a tort (wrong). It never rises to the level of a crime. The few instances/places where slander is a crime in the US (historically or otherwise) are very problematic and subject to abuse.
Perhaps this specific kind of slander should be criminal, but it might be the only kind that should be. Not only would you need to justify that philosophically, but somehow convince legislators to make it that way (at the federal level, I should think).
Don't forget compensating the injured party for any consequential losses. Which in this case might be a house or the income from a good job. See how fast they clean up their act if they can be held responsible for six or seven figures of damages every time they make a serious mistake.
I don’t think it is that tricky philosophically; they are representing themselves as experts on a topic so, they have a responsibility to ensure that they have a professional level of competence in it. Just like doctors and civil engineers.
Agreed that getting legislators to do anything about it will be a pain, though.
Would them ignoring a few certified letters asking them to contact you to correct slanderous significant errors in your information be enough to show malice?
The point is that the impersonated person shouldn't have these fraudulent items reported on their credit. That's the crux of how the responsibility of cleaning up this mess is absolutely on the wrong person
It’s identity fraud frankly. Hold consumers harmless and put the burden on the industry (if you did not have an high identity assurance you’re on the hook for costs and losses) and this problem evaporates. Also outlaw credit monitoring and identity theft insurance.
The banks aren't the only victims. The person has had their credit rating damaged, and may even be on the hook for fraudulent charges made in their name.
Libel is an intentional act. Agencies are not intentionally reporting false information. Banks may be reporting false information, but even they are unaware until the fraud has been discovered, by which time information they thought was true has already been reported.
This is from That Mitchell and Webb Sound, a radio show they did. The BBC don’t tend to region-lock audio, so you should be able to listen at https://www.bbc.co.uk/programmes/b007lqrh (or using the BBC Sounds app).
I completely agree. But if I recall correctly, they've set up the law so that if they get duped, you're on the hook for whatever they got duped into giving the impersonator. That's the biggest problem.
Tell me you're Bank of America and I'll give you a thousand dollars. You disappear into the night and I'll go get my thousand dollars back from the real Bank of America. Is that how the law is setup? (Honestly, making a website that looks like a legit Bank of America website is about as difficult as getting someone's SSN.)
I'm pretty sure the OP was meaning that there's little point for the businesses that make use of the credit bureaus, if they can't be sure the bureau is accurate, rather than that consumers might be better off opting out (even if they could).
These accounts aren’t for the people who pay Experian money. Companies pay Experian money to access information about individuals; the only reason Experian even allows accounts for individuals is because they are mandated by law to allow things like credit freezes and the annual credit report. If they weren’t required, they wouldn’t do it at all. They have zero incentive to improve the experience or the security of it.
The fundamental issue here is that maintaining security is expensive, and it is cheaper to just deal with occasional hacks. The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It is not that expensive. It is a couple pennies per pull (of a credit report/file) for somebody seeking identity proofing to use knowledge based authentication (the usual “where did you live, are these trade lines you?”). It is $1.50-$2.00 per proofing attempt with the government credential using ID.me or stripe identity. The problem is that no one is incentivized to slightly increases costs to reduce fraud because the burden falls on consumers instead, and credit reporting agencies don’t want to see their moat and revenue stream cannabalized. Bit of a public good Innovator’s Dilemma.
TLDR A better national digital identity story makes this problem go away.
(responsible for customer IAM including identity proofing at a fintech, doing some lift for Login.gov independently as a citizen activist)
I would imagine that most of the data for the ID checks based on public records (where did a person live; own a car/house/boat; ...) are trivially handleable.
Just takes one person to leak the database, which is probably only a few TB compressed) for all of the US and fits on a single HDD/SDD.
I would be surprised if these DBs aren't already sold on the darknet. And this DB doesn't have to be super up to date b/c security questions often go back years.
Interpreting the DB should be easy to hardcode but even easier handled with an LLM.
So the protection afforded by these checks is IMO at best nominal.
More importantly, they can require you provide a government ID and perform a liveness selfie check. This is the gold standard for remote identity proofing. Onboarding secure authenticators is best practice to bind digital identity to IRL identity when proofing occurs and identity assurance is high.
I think we should be asking how to design the procedure for when someone calls and claims they forgot everything and lost everything. An attacker can always call in and say this, and we'll need to call in and say this if we've been attacked.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.
This might be somewhat true (it's certainly more expensive than not having security) but when your entire business is around making assurances based on people's identities, you'd assume that they'd put more effort into making their services secure. And if it's too expensive to do it securely, then maybe we should start to question whether such a service should even exist and deserves to store a lot of personal and private information.
>The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It's notable this issue (verification by SSN) doesn't affect GDPR-land - the GDPR has fines of up to 4% of global turnover.
>malicious incompetence by everyone in the Experian security chain
How do we know it's malicious and not just regular incompetence? Hanlon's razor and all.
My question was related to this quote:
>the GDPR has fines of up to 4% of global turnover.
I was asking what GDPR has fines on. Does it have fines for incompetence? snthd claimed that "this issue (verification by SSN) doesn't affect GDPR-land" saying GDPR-land somehow prevents this with a specific fine. I'm wondering what the specific fine is that GDPR-land has that prevents this issue.
> How does Equifax or TransUnion handle the case where someone else creates the account before you
I can speak for Experian. If you already registered the account, and someone else knows your SSN and the answers to the credit bureau security questions, then _they_ get to register your account. You as the person who originally registered will get an email that your email address changed.
Supposedly the thinking is that they want to make it impossible for someone to truly be locked out of accessing their own Experian account, so they just let you do these stealth registrations as long as you can answer all the security questions. Clearly they need a better solution.
They should be suspended from being able to do business with this kind of bs and their track record. I wonder if any of this violates people's FCRA rights, in which case that's a lot of fines.
I tried to log into their website the other day to just get my profile set up and see what was going on in my account. Their site was so broken, I couldn't even get logged in. How is anyone going to become me if I can't even become myself?
To become you, I just have to go through the channels that Experian customers use. You were not using the channels that Experian customers use. You were using the channel that Experian liabilities use.
Same exact thing happened to me. I only dealt with the various credit agencies and Ford. And I had to make a police report to my local PD despite the crime occurring at a dealership across the country — the officer was very kind, and made clear that they would do literally nothing other than produce the case number I needed for the credit agencies.
I wonder if Ford in particular is more susceptible?
In any event, I’ve no idea whether a law enforcement eventually looked into it. But the sense I got was no one was going to do a damn thing.
(Oh and Progressive, because they got insurance for the vehicle in my name and also didn’t pay that. But it was 1000x less dollars, literally, so when I told the debt collector “lol not mine” they just went away).
Yeah, afaik, most Police won't do anything with this. My spouse's id was used to rent an Oakland luxury appartment in 2021, along with opening a credit union account and trying to open an amex. Thankfully amex called to check because there was already an account opened, and we were able to get the credit union account closed before it was usable, but the apartment complex seemed unable to do anything and Oakland PD didn't do anything other than acknowledge the report, they wouldn't return calls from our local PD either. IdentityTheft.gov is also a black hole.
Credit freezes are a joke, because if you have a person's credit report, you have enough information to cancel the freeze, even if you can't temporarily thaw it. Still, maybe it's better than nothing, so might as well. But it's then a pain if you need to interact with the credit system; some of the bureaux have such poor systems that your accounts will regularly not work; anyway, credit issuers don't tend to tell you what bureau they'll pull from until after they pull, so may as well unlock the big 3 before you do anything; and batch all your credit increase requests together.
This sorta happened to me, except as soon as I got an email from Experian that my email address had been changed, I got to work talking to customer service to get back in. The CS rep had “no record” of anything out of the ordinary happening, just a regular email address changed “initiated” by me, when instead it was this brain dead system they have where anyone with the relevant SSN and security question info can register your account anew with a different email.
Once I got back in I saw credit pulls and immediately contacted the companies to figure out the car dealership in question, then called them to let them know that they should under no circumstances sell that car.
Because like always, the punishment for the rich playing games with our lives is a negligible fine 1/10000th the profit they make selling your information to anyone with a buck.
The worst part of such an experience is that once you've reported a case of fraud on your credit report, if you at a later date want to open a new bank/credit/whatever account somewhere then you have to jump through ridiculous hoops, or will simply be denied outright because they won't believe that you're who you are since your PII was flagged in the past.
I am still livid on a weekly basis when some strangers create an account for a service using my email address (non-maliciously, usually); I get a "verification" email; and I can only choose "YES, Please verify", or ignore at my peril.
From tiny little mom-and-pop shops, to FAANG giants, nobody is giving me the opportunity to say "NO that's NOT me!". And though it's a "verification" email, typically account is usable and vast majority of functionality is allowed even without verification. So I get to vicariously and angrily "enjoy" the follow-up emails and updates while the users gamble, purchase, sell, review, invest, write, game et cetera using my email address.
I get these every so often and I'm curious what you mean my ignore at your own peril. My approach has been to ignore it and assume they will realize their mistake and reregister.
There's any number of risk scenarios, assign likelihood as you will :
* owner of account doesn't pay, service sells the debt to collection agency, and they come after you because it matches your email and profile.
* owner of account subscribes to something unsavoury or does something illicit, which is now traceable to you
* given email is a big part of the incredibly ridiculous and overly pervasive tracking economy and profiling of the interwebs, your profile will now be even more annoying then before and be associated with things you don't want them to be.
Etc. Or just, to your point, one day they'll realize their mistake and be mad at YOU (because people aren't generally good at taking responsibility :) and now it's a thing.
I should mention I have a dozen email accounts of various degrees of protectiveness. Thia happens, annoyingly, to my most private address that I have never ever once used for business or signed up for anything, only for friends and family. So among everything else I'm peeved that my pristine email and identity is being polutted by other crap.
And again... The reason this frustrates me, is this should.not.be.and.issue in any sane world. If you're sending verification email it should have a No option. Anything else is grossly neglible or evil or both.
Over years, I've received peoples private medical bills; been subscribed to dating sites of various degrees of sketchiness; my email has been used to register with government agencies in countries of various degrees of sketchiness too; signed up for gaming, gambling, Crypto, banking, nft, investing, and so on - many things where my comfort level for mistakes and mistaken identity and Confusion and incorrect systems of record, is lower than "some kiddie signed me up for blizzard.net" :-/
I understand the problems with people using your email to register for sites. My confusion was the claim that verifying the email for some random stranger causes fewer problems than ignoring the verification email.
Given it is your email that is being used, that should allow for you to take over the account(s)? I'd submit a password reset, change the password, then just allow the account to live a dormant life.
That of course doesn't make it any less annoying, but it would at least stop an actor from using an account that is associated to your email.
Be careful, in the USA that is still a violation of the CFAA and US courts have proven themselves to be technically incompetent time and time again. People have been sent to prison under CFAA for using the “view source” button that’s available in every web browser.
> Governor Parson's office maintained that Renaud had unlawfully hacked the school website: "The hacking of Missouri teachers' personally identifiable information was a clear violation of Section 569.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative."
It wasn't thrown out by a judge. The governor still maintains that the reporter "hacked" and violated state law but the prosecutor's office declined to pursue the case.
Doesn't exactly work when they use your email to create an Apple iCloud account. It needed the actual iPhone it was connected to to complete the reset, I think I ended up getting it into a weird unusable state where neither of us could log in.
For Experian accounts, doing a password reset requires an SMS or phone call code.
The only mechanism you have to alert the person usurping your email identity that there is an issue is to trigger the phone call verification 3 times per day, preferably around 4am.
If you call the phone support, it will give you robots until playing a pre-recorded message telling you to physically mail a legal request including copies of your ID etc.
File an FTC and CFPB compliant. Only regulators will light a fire. Experian isn't going to do anything due to consumer complaints, as the consumer's credit file is the product. Let someone from Compliance have to email the product owner about it, and the complaint starts the clock ticking.
1. That exposes me to MORE involvement with this service, not less, and potentially legal culpability. Risk may be small but impact is large and benefit is neglible, so math doesn't work out for me.
2. It requires MORE effort on my part. For a poor design and error made by not me.
If it were once every 5 years, maybe.
When it's weekly, it's just an annoyance.
Sometimes when I'm really angry, I just write to their gdpr or compliance officer with a stern better and links to various sections of the law and their obligations. Doesn't accomplish much but makes me feel better :-)
But overall, it's a systemic issue, and given we are on hacker news, I'd say it's OUR systemic issue caused by us :-/
Do you have an example of what your email address is?
Is it like "john@gmail.com" or "mike@hotmail.com" or something?
Seems pretty crazy that someone chooses it randomly every week.
Have you considered getting your own domain for your email to make this probably go away? Obviously changing addresses is painful, but living your life with a common email seems worse.
I’ll chip in as john.<reasonably common surname>@icloud.com.
I still get email from AT&T for John Notreallyme who I believe is in his 80s and lives in Montana. He signed up in-store and I got emailed all of his details.
I got the first email that asked me to confirm my email address. Obviously I did not do that.
It makes no difference. I don’t know why they bothered.
I get tons of email intended for the other "first last"s in this world.
Most memorable are an employment offer as an environmental engineer in New Zealand, the results of an environmental survey for some commercial real estate development in Houston, TX, and bankruptcy papers from an attorney in British Columbia, CA.
Mine is first initial, somewhat-uncommon last name at gmail.com. Address acquired during the public beta back in 2004.
I regularly get reminders for dental visits in Oklahoma, purchase orders for machinery in Germany, and course registrations for some person who works in my industry and was easily searchable online.
It is not so intrusive to be problematic, and is mildly interesting.
I’ve made a few online “acquaintances” over the years as I’ve figured out the real email addresses for the people for whom I receive email at iCloud. We check in each time I forward something to them.
It can be fun to figure out how to contact your “acquaintances” the first time this happens. You can't really email them, can you?
I had it when someone (or likely his partner) with the same (somewhat uncommon!) firstname.lastname@gmail.com used my email. I started digging and it turned out we both were/are PhD students, just totally different fields. Must have something to do with the name. I was happy that via the faculty site I found his "real" email. Nearly send him a really weird post card, I had only his postal address...
It wasn't as hard as I expected. In one case, I found her last name on an email and it had an additional letter, so I just modified the address to match her name (we were both first initial/last name).
In the other case I must have simply experimented with first initial/middle initial/last name, and that worked.
One is a minister in the Boston area, so it's not hard to recognize her inbound emails.
Don't be too quick to assume this. Likely the email account is one of many spammers gathered from a data breach.
Reset the password. I even change the username to "spam" or something too, poison as much of the associated data as I can. PITA I know, it happens to me regularly.
I have had spotty success forwarding the confirmation email to security@{wherever the mail came from} explaining the situation. When that fails, you can look up the WHOIS information for their mail sending provider and contact their abuse@ inbox as well.
I was receiving somebody's water bill in my email addressed to someone in the Netherlands (apparently with a similar name). It contained their address, full name, details of their water bill... The email was in Dutch and I used Google Translate to make sense of it. It came from a no-reply so I couldn't just reply and say 'wrong customer', and there was no customer support email address to be found. I had to go to the company website and hunt down some kind of feedback form and begged them to fix this customer's email address. Eventually I stopped receiving the emails. I guess that company never even verifies email addresses. The company is called Oasen in case you're wondering, name and shame.
Vietnam Airlines once sent me someone's airline ticket, about 48 hours before they were due to fly (and about 10 years after the only time I ever flew with them). Their name wasn't even remotely similar to mine and their email can't have been either. At least that one appeared to be human error so there's a chance that my email pointing out the mistake was read by a human that was actually able to sort it out.
I had a positively hilarious interaction when somebody with my name used my personal email address for their retirement fund provider. I received an invitation to a zoom meeting addressed to my personal email account and their work email account. So I went ahead and joined the meeting in progress.
I sat silently for a bit while the financial advisor finished his talking point. Then I spoke up. I don't remember exactly what I said but the other guy with my name sat there with a scared / dumbfounded expression on his face while the financial advisor calmly asked me to leave.
I told him I would leave as soon as they promised to remove my email address.
Lyft likely cost customers' funds though a poor process like this in the past.
One could create an account, hail rides and add their own payment method while still being associated with someone else's email. Ride recipes would then be sent to someone else's email where the receiving party could add or increase a tip through an unauthenticated link and have it charged to the riders credit card.
I have an early/obvious gmail account and get around 3 messages per day from unauthorised signups to legit sites. facebook and google (as recovery account) are the only ones that allow you to de-link your address from an account
I frequently get emails intended for someone who has my same email handle, but with the extension "@googlemail.com" instead of "@gmail.com".
I know a lot about them. I know their shipping address in the UK. I know that they order inexpensive club attire, online Dominoe's delivery, and have a specific gym membership.
I am shocked that Google offers no way to disentangle my email address from this person's. A more malicious person than I could easily take advantage of all of this personal information.
Or they could just have a similar gmail address they frequently get wrong (or that looks like yours when written in the terrible handwriting they fill in forms with)
There's probably a single digit number of people with my initial and surname in the world, and I still get order confirmations for one of them, car promotions for another and am on some sort of targeted B2B spam list for a third to my Gmail address in that format. I quite like the order confirmations tbf, most of them are for a fish and chip shop I actually used to get food at when I was a kid and my grandparents lived nearby so they're oddly nostalgic
Nah, this person just doesn't know what their own email address is and types yours instead (yours with googlemail). This happens all the time and it really isn't something Google can do anything about.
I can beat that on annoyance level at least. I still get postal junk mail for Mr Qwe Rty after I put it in a test form when I was a contractor in 2005. This got onto a database somewhere and was sold to someone and I just get junk mail galore!
I've been getting mail that is a variation of my name, wondering if someone used my identity damn. I did put some lock thing on my credit so it's harder to open new accounts, forget what it's called.
I have stuff like credit wise, karma, etc... have not seen weird/unknown accounts so hopefully I'm good.
I’ve received two data breach notices in the past week, one from my healthcare provider and the other from the bank that holds my mortgage.
In both instances they said to lock my credit, and provide free credit monitoring for a year.
I find this egregiously insufficient to the point where I think we need more regulation in this space. They should provide lifelong credit monitoring and full insurance on any financial fraud that now occurs on my behalf, as well as immediate presumptive financial compensation.
That aside, the root cause here is that identity in the U.S. is a dumpster fire. We have no distinction between unique identifier (SSN) and secret (also SSN). Every other security question is just another version of the same factor type (something you know) which is easily accessible to scammers.
There is quite literally no agreed upon way to prove you are who you say you are.
We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
I believe that the consequence of ignoring this problem is at least tens of billions of dollars in GDP annually lost to fraud. And perhaps more importantly, it’s an insidious erosion of our status as a country of laws.
> We need DMVs to begin issuing IDs that are physical with digital capabilities
The problem is that there is a very vocal segment that views such things as "government overreach" through to the literal mark of the devil.
And then there are the challenges of issuing them. There are states (the same states, typically, who shut down voting locations in working class areas and defund their DMVs) who will fight tooth and nail about having to implement this in a way that is free to all.
You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse. After there is a US equivalent of the GDPR that lets me prevent the surveillance industry, including the traditional financial surveillance industry, from unilaterally creating dossiers about me, then we can talk about better implementations of identity verification. Until then, that dumpster fire is the main thing holding back the surveillance industry from pushing identity verification for ever more routine things like opening online accounts or buying groceries.
> You've put forth an utter straw man. I am rationally against making government verification of identity stronger precisely because the existing identity systems have been pervasively abused with essentially no recourse.
There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.
You've literally argued "You're making a strawman by describing what I think!" You're against it because overreach and abuse. I say a segment is against it because of reasons including that. Maybe less of a hair trigger is needed.
> There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.
Sure, technically there is a sliver of actual people out there worried about "mark of the devil". I'd still say it's a straw man to use that to characterize general opposition.
> You've literally argued "You're making a strawman by describing what I think!"
Uh, not at all. I accept that the government wants to be able to identify citizens. I'm not calling this government overreach. What I have a problem with is the ongoing failure to pass any corresponding laws that prohibit companies from abusing these identification systems to build limitless privately-owned completely-unaccountable surveillance databases. These abuses need to be stopped first, rather than brushing off the problems we're already suffering and giving even more to the surveillance industry.
As I said, pass a US GDPR that gives me the right to opt out of most of the surveillance industry, lets me drastically curtail and audit the parts I don't completely opt out of, and make sure any new types of identity attestation are still refutable in the legal system, and I am generally on board with stronger identification through something like a smart card.
> We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
And how will all this magically work online? Answer: you'll have to provide whatever digital secret gives you access, just the way you provide your SSN now. Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
> Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
Loads of ways to do digital attestation but they all involve some 3rd party being the trusted source of truth. Typically this would be the DMV or other government branch and at this point a few red flags start to go off: dmv isn't known for it's competence and I'm not really thrilled about them getting hit to confirm my identity for pornhub.
This is a REALLY hard problem to solve unless you take a "privacy must be sacrificed for the greater good" mentality.
I think computers need a card reader (like a credit card reader) to read the card. Or you can use your phone to read it wirelessly via NFC.
One neat thing about systems like this is that the card itself can perform a cryptographic computation that proves its own "ID", without communicating its private key to the connected computer/phone. So even if your computer was compromised, the ID card connected to it still can't be copied. The card is simple enough that there is less attack surface (as compared to an entire computer), so it's much less likely be be hacked, even if it's connected to a hacked device. Though mistakes do happen, since no system is perfect. So if a vulnerability is discovered, new cards might need to be issued.
Granted, an attacker on your computer (controlling it remotely) could just wait until you log in to your bank via smartcard and then quickly pull all your money out... you need a more complex solution to fix that problem (like cryptocurrency hardware wallets use; they have a little screen that shows the proposed transaction, and you have to physically push a button to confirm it, and then it does another cryptographic operation to authorize that particular transaction).
However, the smart card system does prevent an attacker from simply buying a database dump of email addresses, passwords, SSNs, etc. and using that to get into your bank account.
Maybe this is why for the past few weeks I am receiving countless emails from major retailers like Casas Bahia or Americanas and even Magazine Luiza with purchase confirmation listing several smartphones and notebooks whose invoice bare my name and cpf.
I tried contacting every retailer. Only Magazine Luiza seem to have acknowledged the fraud and issued a warning but to no avail, as I am still receiving invoices from them.
I contacted the local police and issued a boletim de ocorrência (which I am not quite sure how to translate) that describes the problem and how I was unable to apply countermeasures.
I am expecting fallout from this. I am really anxious about this whole situation and how I am utterly powerless in protecting my identity.
Well I am from the fraud remuneration department of Brazil and know the person who pays out compensation for these crimes. Simply send me all your personal information and credit card details and I’ll make sure you get your appropriate payout.
Excuse me, you're calling me a scammer? I suggest you click on my username and see that it is a very legitimate account, with twice the karma as you to boot. I think you're more likely to be the one scamming! Don't listen to 'Aeolun, everyone!
Look, you are literally posting on the internet, on an anonymous account, that if someone sends you their personal details and credit card info everything will be taken care of.
Your first reaction should absolutely be that it’s a scam, and only then further evaluate if it might possibly be true because this is HN.
I could have potentially used the word ‘looks like’, but it’s just a matter of degree.
I think the individual you’re replying to may be lying about their identity to make a point (re: the first individual asking a stranger to send them financial info) :)
I have no idea. There are, however, many official invoices (notas fiscais) being issue in my name. I believe there might also be fraudulent credit cards issued in my name that ate being used, or something like that, which would explain the physical retailers not questioning the purchase. That is why I am expecting fallout from this.
You can check any credit card issued on your name in Banco Central’s Registrato page[0]. Credit card, loans, etc.
However, HIGHLY unlikely they issue a card in your name and purchase stuff in your name online. If they have a card with them, they’ll go to physical stores and leave with the product with them immediately.
Typically (as I said above) they have purchased a stolen CC number online and are using it until it gets blocked or run out of balance/limit.
In any case, there’s zero fallout for you, the victim. These retailers are used to this (0,5% of transactions turn into fraud), so they’ll eventually figure out it’s fraud and they know it wasn’t you. They know you’re a victim too.
> I believe there might also be fraudulent credit cards issued in my name that ate being used
As tmcz26 said, it's very unlikely they issued a card on your name, but if that happened, contact the bank's ombudsman AND report it to the Central Bank, as they failed the KYC process.
Stolen ID from one person (ID, name, sometimes using the real person’s email and phone, sometimes creating fake yet similar emails like wildrhythms2@yahoo.com), someone else’s stole credit card number, and a drop address to receive and reship (sometimes deliver direct to the purchaser of the fraud item).
Typically the item is resold for half the price and it’s spoken for. It’s not like they buy to resell later. If they make the fraud they already have a buyer
Something similar happened to me once. You need a valid CPF number (something like a ssn) to create an account on most webshops in Brazil, so fraudsters will use stolen ones. They then proceed to purchase stuff with stolen CCs
I've been on a similar situation once, this is what I did, and I think you're on the right path.
> I tried contacting every retailer.
Try to reach out to the ombudsman (ouvidoria) and explain your case. Even if they don't actually solve the problem, you documented that you tried to friendly resolve the issue.
> I am expecting fallout from this.
Very worst case scenario, the retailers will send the fraudulent invoices to collection agencies and might report you to the credit bureaus. Don't ever pay any cent toward this fraudulent debt. Don't negotiate. The only option is the debt going away as it is fraudulent. It's their money that's on the hook and paying it shifts the responsibilities to you.
Once it hits the credit bureaus, as you already have a Boletim de Ocorrência, and proof of contacting the companies (protocol numbers + dates), i.e. documentation, sue them and ask for damages. It's a simple and common suit that both the credit bureaus and the retailers will want to settle. Make them pay for your time. They don't have any proof that it was your person that made those transactions.
> I am utterly powerless in protecting my identity.
Yeah, but the thing is, if the retailers, banks, credit cards, etc. really wanted to avoid fraud, every purchase/subscription would require the same level of protection as a real estate transaction. Everything signed, in-person meetings, upfront payments, banks, lawyers, notaries, cryptographic signatures (hey, we have e-CPF and nobody uses it!). But as you see, 100% fraud avoidance means friction, and no sane retail business likes friction. It's a business decision on their end. They accept risk so they can take your money easier.
If it’s a purchase using Credit Card, absolutely zero chance of going to collections. That’s not how it works. There’s no legal footing for collections and they are not in the habit of creating legal headaches for themselves.
If however it’s a credit purchase (personal loan, crediário, etc) then it might go to collections, then this advice works.
Online purchases though are 80% credit card and 15% Pix/Boleto so it’s unlikely they got a loan just to buy stuff. If they can get a loan, they’ll get the cash itself and run.
Edit: on a Credit Card transaction the burden of evidence is on the merchant. THEY have to prove it was you.
Tell this to MercadoPago. Once I did a chargeback on a fraudulent gift card purchase and months later they sent this debt to collections - they didn't report it to the credit agencies, though. It resolved pretty fast once I escalated the issue to the ombudsman.
This all goes back to the social security not being changeable and morphing from some thing to claim benefits with to it being your universal password.
In contrast, I lost my drivers license and in order to get a new one I had to go the DMV in person and put my thumb print on a biometric scanner which pulls up my picture for the DMV person to look at before they authorize the request. I can also file an affidavit of identity theft with a police report attached and they will give me a new license and A NEW DRIVERS LICENSE NUMBER. The federal government trying to shoehorn an unconstitutional universal identity system into social security is the source of all this nonsense.
I was somewhat surprised to find that when I got my driver's licence at 39, it was the same number as the non-driving ID card I got issued at 18. So at least Arizona doesn't seem to be eager to hand out new numbers.
They won't hand out new numbers unless someone has actually used your drivers license fraudulently and you've filed a police report. Seems reasonable enough.
That's the point. Politicians get paid (donated, contributed, whatever) to vote businesses' laws to benefit the business, not you. Toothless laws make a good sound bite but do nothing to help you.
How is Experian not sued out of existence for their total failure to protect their customers? I just don’t understand what law allows organizations that compromise large portions of entire societies to continue.
But why can't people successfully sue for libel/slander/defamation by individuals when they give false damaging information about the individual to creditors?
One of the best ways to affect this is to make complaints to the CFPB. They are the regulatory body that is responsible for making sure the credit bureaus aren’t harming consumers
They didn't even ask me to verify my phone number when I entered it. Anyone with my SSN and phone number from an all-too-common data breach could easily pretend to be me and unfreeze my credit file.
I’m guessing this will continue to happen until, I dunno, some the execs at Experian continually have their accounts compromised in the same way again and again.
This isn’t an opt-in service. It’s a dragnet surveillance system. All it knows is slurping up data. Are there case statements all over the codebases to exclude the execs of three different companies and congress?
Yes, it sure would be a shame if, I dunno, some execs at Experian were to experience some of the same issues that so many others have - due to the existence and ... 'management' of their own business ...
Why, going through such trials, ex opere operantis, might just sour a 'true believer' in the "invisible hand" on the whole novus ordo seclorum.*
Hahahhahahaha! Urghk, briefly part-swallowed my tongue from laughter, excuse me...
* As the undoubtedly distinguished graduates of Yale SOM, for example, might phrase it
Unfortunately, the people in charge of these systems have enough money to hire people to do all of this crap for them. They don't do their own taxes, they don't open their own credit cards, they don't negotiate their own mortgages or car loans, nothing. They just tell their butler or financier or real estate agent or whatever "Go get me an X" and that other person deals with all the shit. Being the target of identity fraud just means they hire another gofer to deal with it full time for six months which costs them so little money, relative to their wealth, that's it's not even worth thinking about. And they're not even using their own credit, most of the time, they're using the "credit" of some shell corporation or limited liability corporation or trust or whatever other financial bullshit they hired a dozen lawyers to set up to commit tax fraud. So no, they experience none of the shit they perpetrate.
I'm seeing this for the first time given I'm not from the US, but its reach seems limited
https://resist.bot/petitions
In Germany there is Campact for example which usually crosses 200K signatures per petition, if something like this doesn't exist in the US then I think someone with money should create it or promote an existing solution like OpenPetition to enough recurring signers
I'm not sure what you mean by limited reach, but for added context: Resist Bot is an automated service that can be used to contact elected officials in the U.S. Believe it or not, some elected officials actually pay attention to what their constituents say when writing to them.
There needs to be a better alternative to credit reports. They only exist because banks and lenders could no longer discriminate on race directly, so they created a roundabout way to discriminate based on "credit score", which happened to be worse for the people the wanted to exclude in the first place.
The best outcome is to have minor fraud (someone tried and failed to open an account in your name, or your name+address appears in a data dump somewhere) occur because then you can register a fraud alert and credit freeze in all the agencies which stops a lot of nonsense (random junk mail, risk of actual fraudulent accounts getting established) for a year or so by enforcing extra authentication steps.
I wish I could put a permanent fraud alert on my credit accounts, but would probably have to hire a lawyer or something.
Correct me if I’m wrong, but I’ve signed up for all 3 bureaus and enabled the credit freeze. My understanding, and experience years later, is that it is still frozen. I had to unfreeze a specific one last year for an auto loan.
Is there something else I’m missing that’s only temporary?
I understand that, I’m curious if reporting fraud activity helps prevent that in some way like the parent comment seems to suggest, if only for a year.
The fraud alert adds a requirement that potential lenders call a phone number added to the credit file to authorize new loans/accounts, making it significantly less likely that fraud can take place.
346 comments
[ 3.1 ms ] story [ 299 ms ] threadI did some Googling and it didn't seem like there's an easy option.
Imagine if they were like password manager apps? We could evaluate all of them, choose what we wanted, and migrate whenever something happened.
As a business? Sure, report to the ones you want to
I don't think that "increased competition" will work here. We are not customers of the credit bureaus. We are the product. The customers are lenders and other people who need your information. From the lenders' perspective, this is all working out fine, largely because the onus for "identity theft" is placed on members of the public as individuals rather than on lenders to accurately verify applicants' identities before extending credit. As many people have pointed out before, "identity theft" is a misnomer designed to pass the buck onto individuals. Ideally, it should be the lenders' responsibility to prevent criminals from misusing your information and to make things right whenever a criminal tries to use your information fraudulently, but right now the onus is placed on individuals.
A better solution would be to have higher standards for identity verification by lenders. That would shift the burden onto lenders to actually verify people's identity before extending credit. Some lenders actually do a pretty good job of verifying people's identities before extending credit in my experience, while others just seem to accept the information given uncritically (as far as I can tell!). High industry-wide standards should help solve this (either voluntarily or mandated by law).
Without it (also without a sufficiently high number), most avenues to housing are cut off
No individual in a personal capacity ever wanted to do business with Experian, like they wanted to buy an iPhone or something. You're introduced to the unpleasant fact of its existence at some point. They don't have anything you want, you're the product from the start, and you don't have to walk into their net, you're probably born in it.
Things that deal in you.
They make money from you, indirectly.
You have no business or social relation with them.
You didn't vote for them.
They have immense power to harm you.
You have no recourse.
You may not even know they exist.
Until recently this was the preserve of a few government agencies that had a very narrow focus on a few "persons of interest". Today it is every dime store startup in "big data", search, spammers, social network, and the entire grubby, yellow maggoty underbelly of "surveillance capitalism" and all the mushrooms that grow on it.
So far the promised "benefits" of this have never materialised. Will we be able to keep pretending "nobody cares" as public awareness, and governments' will to enact legislation grows? At some point surely "credit agencies" and their ilk will essentially be outlawed under a dozen different digital rights acts.
First of all, $25/month for an Experian product? I can't possibly fathom how anything they provide can be worth even 1/100th of that. That price just absolutely blows my mind.
But worst of all, they proudly say it is $0.00 and have the pay button the most prominent. How many people get roped into this? They are just slime all the way down.
Plausible deniability allowing them to push as much significant risk of identity theft onto consumers instead of themselves where it should be.
Edit: Imagine this the other way around! Grandma gets scammed by someone pretending to be her bank. So the bank's identity got stolen. So now the real bank needs to fix it, provide more proof of identity to all customers and jump through all kinds of hoops to not owe grandma crazy amounts of money.
https://www.youtube.com/watch?v=CS9ptA3Ya9E
Well, we have no idea about that :)
In any case if it meant literally 'blaming the victim' it makes no sense at all, so either we give the benefit of assuming the poster is able to make coherent statements or we don't.
instutions should be respomsible for protecting themselves from fraud, they shouldn't need me to protect them from my identity being used in an unauthorized way.
It doesn't imply this second bit.
But another, more common scenario here is that I convince the bank that I'm you and get a credit card or loan from the bank. Now the bank is knocking on YOUR door asking you to pay them back for the cash they handed to some random person... but they're the ones who messed up by giving cash to a random person and not verifying that they are who they say they are!
You aren't really involved... the bank messed up by going "Oh you say you're Bob? Okay here you go!" Why is it your fault that they failed to accurately verify the identity of the person they gave THEIR money to? You didn't play any role in them deciding who to give their money, nor in their ID verification procedures.
No, I'm imagining a scenario where the things used to identify me to service providers is taken by someone.
> I also think your analogy of a "friend" isn't right...
I didn't mention a friend.
> you are the bank's PAYING customer... you pay them to secure your money and only give it to you!
I agree, but as per my analogy, the car's owner has had their car stolen.
> If they fail to provide the service they're offering to you... seems like they ought to be responsible for their failure.
As per my analogy, I'm not saying that the car shouldn't have been secured, nor that the storage provider shouldn't make the situation right via insurance etc. Only that the car owner is the one who is a victim of car theft.
> You aren't really involved... the bank messed up by going "Oh you say you're Bob? Okay here you go!" Why is it your fault that they failed to accurately verify the identity of the person they gave THEIR money to? You didn't play any role in them deciding who to give their money, nor in their ID verification procedures.
The bank being at fault doesn't mean the victim's identity wasn't stolen.
All of these objections seem to assume that if someone has something stolen, it was their fault. That's not true, and that assertion is what I'm objecting to.
I know it is pedantic but it is important to keep in mind because dumping the need to seek redress on the uninvolved third party is ridiculous, so we shouldn’t use language that plays into that point of view.
It's merely a tort (wrong). It never rises to the level of a crime. The few instances/places where slander is a crime in the US (historically or otherwise) are very problematic and subject to abuse.
Perhaps this specific kind of slander should be criminal, but it might be the only kind that should be. Not only would you need to justify that philosophically, but somehow convince legislators to make it that way (at the federal level, I should think).
It'd be a tough journey.
Agreed that getting legislators to do anything about it will be a pain, though.
This is called libel. This person is a victim of a crime the credit reporting agency committed.
can you opt out? is there even a choice at all? where i live I can’t opt out of Experian or other credit rating services.
I'm pretty sure the OP was meaning that there's little point for the businesses that make use of the credit bureaus, if they can't be sure the bureau is accurate, rather than that consumers might be better off opting out (even if they could).
And your firm pays Experian/Equifax/etc. to GIVE information about you, e.g., automated employment verification.
TLDR A better national digital identity story makes this problem go away.
(responsible for customer IAM including identity proofing at a fintech, doing some lift for Login.gov independently as a citizen activist)
Just takes one person to leak the database, which is probably only a few TB compressed) for all of the US and fits on a single HDD/SDD.
I would be surprised if these DBs aren't already sold on the darknet. And this DB doesn't have to be super up to date b/c security questions often go back years.
Interpreting the DB should be easy to hardcode but even easier handled with an LLM.
So the protection afforded by these checks is IMO at best nominal.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.
This might be somewhat true (it's certainly more expensive than not having security) but when your entire business is around making assurances based on people's identities, you'd assume that they'd put more effort into making their services secure. And if it's too expensive to do it securely, then maybe we should start to question whether such a service should even exist and deserves to store a lot of personal and private information.
It's notable this issue (verification by SSN) doesn't affect GDPR-land - the GDPR has fines of up to 4% of global turnover.
They should absolutely be fined and punished harshly even beyond that. If SBF can go to prison, so can the CISO of Experian.
How do we know it's malicious and not just regular incompetence? Hanlon's razor and all.
My question was related to this quote:
>the GDPR has fines of up to 4% of global turnover.
I was asking what GDPR has fines on. Does it have fines for incompetence? snthd claimed that "this issue (verification by SSN) doesn't affect GDPR-land" saying GDPR-land somehow prevents this with a specific fine. I'm wondering what the specific fine is that GDPR-land has that prevents this issue.
You try to sign up correctly, then it emails the fake persons email for permission? How does that make any sense.
"Hello scammer, John Doe would like to access his Equifax account. Do you want to give him permission?"
I agree the Experian way is not good either, but how is the above handled?
They already have the well-shared data that determines much of your life. Signing up is so you can glimpse it too.
I can speak for Experian. If you already registered the account, and someone else knows your SSN and the answers to the credit bureau security questions, then _they_ get to register your account. You as the person who originally registered will get an email that your email address changed.
Supposedly the thinking is that they want to make it impossible for someone to truly be locked out of accessing their own Experian account, so they just let you do these stealth registrations as long as you can answer all the security questions. Clearly they need a better solution.
This sounds like it was used to get a vehicle - which are fairly trackable things. How did the ordeal unfold and conclude?
I wonder if Ford in particular is more susceptible?
In any event, I’ve no idea whether a law enforcement eventually looked into it. But the sense I got was no one was going to do a damn thing.
(Oh and Progressive, because they got insurance for the vehicle in my name and also didn’t pay that. But it was 1000x less dollars, literally, so when I told the debt collector “lol not mine” they just went away).
Credit freezes are a joke, because if you have a person's credit report, you have enough information to cancel the freeze, even if you can't temporarily thaw it. Still, maybe it's better than nothing, so might as well. But it's then a pain if you need to interact with the credit system; some of the bureaux have such poor systems that your accounts will regularly not work; anyway, credit issuers don't tend to tell you what bureau they'll pull from until after they pull, so may as well unlock the big 3 before you do anything; and batch all your credit increase requests together.
Once I got back in I saw credit pulls and immediately contacted the companies to figure out the car dealership in question, then called them to let them know that they should under no circumstances sell that car.
And the form to get that settlement meant giving some random authority more personal information than these companies even have.
I would keep going too.
From tiny little mom-and-pop shops, to FAANG giants, nobody is giving me the opportunity to say "NO that's NOT me!". And though it's a "verification" email, typically account is usable and vast majority of functionality is allowed even without verification. So I get to vicariously and angrily "enjoy" the follow-up emails and updates while the users gamble, purchase, sell, review, invest, write, game et cetera using my email address.
Boo to this, I tell ya, boo!
* owner of account doesn't pay, service sells the debt to collection agency, and they come after you because it matches your email and profile.
* owner of account subscribes to something unsavoury or does something illicit, which is now traceable to you
* given email is a big part of the incredibly ridiculous and overly pervasive tracking economy and profiling of the interwebs, your profile will now be even more annoying then before and be associated with things you don't want them to be.
Etc. Or just, to your point, one day they'll realize their mistake and be mad at YOU (because people aren't generally good at taking responsibility :) and now it's a thing.
I should mention I have a dozen email accounts of various degrees of protectiveness. Thia happens, annoyingly, to my most private address that I have never ever once used for business or signed up for anything, only for friends and family. So among everything else I'm peeved that my pristine email and identity is being polutted by other crap.
And again... The reason this frustrates me, is this should.not.be.and.issue in any sane world. If you're sending verification email it should have a No option. Anything else is grossly neglible or evil or both.
Over years, I've received peoples private medical bills; been subscribed to dating sites of various degrees of sketchiness; my email has been used to register with government agencies in countries of various degrees of sketchiness too; signed up for gaming, gambling, Crypto, banking, nft, investing, and so on - many things where my comfort level for mistakes and mistaken identity and Confusion and incorrect systems of record, is lower than "some kiddie signed me up for blizzard.net" :-/
That of course doesn't make it any less annoying, but it would at least stop an actor from using an account that is associated to your email.
https://www.theregister.com/2022/02/15/missouri_html_hacking...
It wasn't thrown out by a judge. The governor still maintains that the reporter "hacked" and violated state law but the prosecutor's office declined to pursue the case.
The only mechanism you have to alert the person usurping your email identity that there is an issue is to trigger the phone call verification 3 times per day, preferably around 4am.
If you call the phone support, it will give you robots until playing a pre-recorded message telling you to physically mail a legal request including copies of your ID etc.
https://reportfraud.ftc.gov/
https://www.consumerfinance.gov/complaint/
https://www.youtube.com/watch?v=9CWbc6pekd8&t=1310s ("We have a complaint database, we collect information, and are always eager for information" -- FTC Chair Lina Khan at Y Combinator)
1. That exposes me to MORE involvement with this service, not less, and potentially legal culpability. Risk may be small but impact is large and benefit is neglible, so math doesn't work out for me.
2. It requires MORE effort on my part. For a poor design and error made by not me.
If it were once every 5 years, maybe.
When it's weekly, it's just an annoyance.
Sometimes when I'm really angry, I just write to their gdpr or compliance officer with a stern better and links to various sections of the law and their obligations. Doesn't accomplish much but makes me feel better :-)
But overall, it's a systemic issue, and given we are on hacker news, I'd say it's OUR systemic issue caused by us :-/
I still get email from AT&T for John Notreallyme who I believe is in his 80s and lives in Montana. He signed up in-store and I got emailed all of his details.
I got the first email that asked me to confirm my email address. Obviously I did not do that.
It makes no difference. I don’t know why they bothered.
I get tons of email intended for the other "first last"s in this world.
Most memorable are an employment offer as an environmental engineer in New Zealand, the results of an environmental survey for some commercial real estate development in Houston, TX, and bankruptcy papers from an attorney in British Columbia, CA.
I regularly get reminders for dental visits in Oklahoma, purchase orders for machinery in Germany, and course registrations for some person who works in my industry and was easily searchable online.
It is not so intrusive to be problematic, and is mildly interesting.
I had it when someone (or likely his partner) with the same (somewhat uncommon!) firstname.lastname@gmail.com used my email. I started digging and it turned out we both were/are PhD students, just totally different fields. Must have something to do with the name. I was happy that via the faculty site I found his "real" email. Nearly send him a really weird post card, I had only his postal address...
In the other case I must have simply experimented with first initial/middle initial/last name, and that worked.
One is a minister in the Boston area, so it's not hard to recognize her inbound emails.
Don't be too quick to assume this. Likely the email account is one of many spammers gathered from a data breach.
Reset the password. I even change the username to "spam" or something too, poison as much of the associated data as I can. PITA I know, it happens to me regularly.
I sat silently for a bit while the financial advisor finished his talking point. Then I spoke up. I don't remember exactly what I said but the other guy with my name sat there with a scared / dumbfounded expression on his face while the financial advisor calmly asked me to leave.
I told him I would leave as soon as they promised to remove my email address.
One could create an account, hail rides and add their own payment method while still being associated with someone else's email. Ride recipes would then be sent to someone else's email where the receiving party could add or increase a tip through an unauthenticated link and have it charged to the riders credit card.
I know a lot about them. I know their shipping address in the UK. I know that they order inexpensive club attire, online Dominoe's delivery, and have a specific gym membership.
I am shocked that Google offers no way to disentangle my email address from this person's. A more malicious person than I could easily take advantage of all of this personal information.
There's probably a single digit number of people with my initial and surname in the world, and I still get order confirmations for one of them, car promotions for another and am on some sort of targeted B2B spam list for a third to my Gmail address in that format. I quite like the order confirmations tbf, most of them are for a fish and chip shop I actually used to get food at when I was a kid and my grandparents lived nearby so they're oddly nostalgic
https://support.google.com/mail/thread/125577450/gmail-and-g...
https://www.quora.com/What-is-the-difference-between-gmail.c...
https://www.gmass.co/blog/domains-gmail-com-googlemail-com-a...
I live in NY.
I have stuff like credit wise, karma, etc... have not seen weird/unknown accounts so hopefully I'm good.
In both instances they said to lock my credit, and provide free credit monitoring for a year.
I find this egregiously insufficient to the point where I think we need more regulation in this space. They should provide lifelong credit monitoring and full insurance on any financial fraud that now occurs on my behalf, as well as immediate presumptive financial compensation.
That aside, the root cause here is that identity in the U.S. is a dumpster fire. We have no distinction between unique identifier (SSN) and secret (also SSN). Every other security question is just another version of the same factor type (something you know) which is easily accessible to scammers.
There is quite literally no agreed upon way to prove you are who you say you are.
We need DMVs to begin issuing IDs that are physical with digital capabilities, like credit cards. We need the equivalent of Apple/Android Pay for identity online. We need to mandate that banks support digital IDs. And we need strict enforcement for people who misuse a digital ID.
I believe that the consequence of ignoring this problem is at least tens of billions of dollars in GDP annually lost to fraud. And perhaps more importantly, it’s an insidious erosion of our status as a country of laws.
The problem is that there is a very vocal segment that views such things as "government overreach" through to the literal mark of the devil.
And then there are the challenges of issuing them. There are states (the same states, typically, who shut down voting locations in working class areas and defund their DMVs) who will fight tooth and nail about having to implement this in a way that is free to all.
There's absolutely no straw man. Among other reasons, things like this are exactly why there is opposition in some segments.
You've literally argued "You're making a strawman by describing what I think!" You're against it because overreach and abuse. I say a segment is against it because of reasons including that. Maybe less of a hair trigger is needed.
Sure, technically there is a sliver of actual people out there worried about "mark of the devil". I'd still say it's a straw man to use that to characterize general opposition.
> You've literally argued "You're making a strawman by describing what I think!"
Uh, not at all. I accept that the government wants to be able to identify citizens. I'm not calling this government overreach. What I have a problem with is the ongoing failure to pass any corresponding laws that prohibit companies from abusing these identification systems to build limitless privately-owned completely-unaccountable surveillance databases. These abuses need to be stopped first, rather than brushing off the problems we're already suffering and giving even more to the surveillance industry.
As I said, pass a US GDPR that gives me the right to opt out of most of the surveillance industry, lets me drastically curtail and audit the parts I don't completely opt out of, and make sure any new types of identity attestation are still refutable in the legal system, and I am generally on board with stronger identification through something like a smart card.
And how will all this magically work online? Answer: you'll have to provide whatever digital secret gives you access, just the way you provide your SSN now. Which means your digital secret will be in all the same online places where your SSN is now, vulnerable to the same kind of hacking. How does this fix anything?
Loads of ways to do digital attestation but they all involve some 3rd party being the trusted source of truth. Typically this would be the DMV or other government branch and at this point a few red flags start to go off: dmv isn't known for it's competence and I'm not really thrilled about them getting hit to confirm my identity for pornhub.
This is a REALLY hard problem to solve unless you take a "privacy must be sacrificed for the greater good" mentality.
Some countries already have national ID systems that use cryptography like this to secure identify oneself online, such as Estonia: https://en.wikipedia.org/wiki/Estonian_identity_card#Electro...
Also, the Estonia system apparently includes keys allowing the manufacturer to perform card operations. How do I know that won't get hijacked?
One neat thing about systems like this is that the card itself can perform a cryptographic computation that proves its own "ID", without communicating its private key to the connected computer/phone. So even if your computer was compromised, the ID card connected to it still can't be copied. The card is simple enough that there is less attack surface (as compared to an entire computer), so it's much less likely be be hacked, even if it's connected to a hacked device. Though mistakes do happen, since no system is perfect. So if a vulnerability is discovered, new cards might need to be issued.
Granted, an attacker on your computer (controlling it remotely) could just wait until you log in to your bank via smartcard and then quickly pull all your money out... you need a more complex solution to fix that problem (like cryptocurrency hardware wallets use; they have a little screen that shows the proposed transaction, and you have to physically push a button to confirm it, and then it does another cryptographic operation to authorize that particular transaction).
However, the smart card system does prevent an attacker from simply buying a database dump of email addresses, passwords, SSNs, etc. and using that to get into your bank account.
I tried contacting every retailer. Only Magazine Luiza seem to have acknowledged the fraud and issued a warning but to no avail, as I am still receiving invoices from them.
I contacted the local police and issued a boletim de ocorrência (which I am not quite sure how to translate) that describes the problem and how I was unable to apply countermeasures.
I am expecting fallout from this. I am really anxious about this whole situation and how I am utterly powerless in protecting my identity.
Your first reaction should absolutely be that it’s a scam, and only then further evaluate if it might possibly be true because this is HN.
I could have potentially used the word ‘looks like’, but it’s just a matter of degree.
However, HIGHLY unlikely they issue a card in your name and purchase stuff in your name online. If they have a card with them, they’ll go to physical stores and leave with the product with them immediately.
Typically (as I said above) they have purchased a stolen CC number online and are using it until it gets blocked or run out of balance/limit.
In any case, there’s zero fallout for you, the victim. These retailers are used to this (0,5% of transactions turn into fraud), so they’ll eventually figure out it’s fraud and they know it wasn’t you. They know you’re a victim too.
[0] https://registrato.bcb.gov.br/registrato/
Edit with the link
As tmcz26 said, it's very unlikely they issued a card on your name, but if that happened, contact the bank's ombudsman AND report it to the Central Bank, as they failed the KYC process.
Typically the item is resold for half the price and it’s spoken for. It’s not like they buy to resell later. If they make the fraud they already have a buyer
> I tried contacting every retailer. Try to reach out to the ombudsman (ouvidoria) and explain your case. Even if they don't actually solve the problem, you documented that you tried to friendly resolve the issue.
> I am expecting fallout from this.
Very worst case scenario, the retailers will send the fraudulent invoices to collection agencies and might report you to the credit bureaus. Don't ever pay any cent toward this fraudulent debt. Don't negotiate. The only option is the debt going away as it is fraudulent. It's their money that's on the hook and paying it shifts the responsibilities to you.
Once it hits the credit bureaus, as you already have a Boletim de Ocorrência, and proof of contacting the companies (protocol numbers + dates), i.e. documentation, sue them and ask for damages. It's a simple and common suit that both the credit bureaus and the retailers will want to settle. Make them pay for your time. They don't have any proof that it was your person that made those transactions.
> I am utterly powerless in protecting my identity.
Yeah, but the thing is, if the retailers, banks, credit cards, etc. really wanted to avoid fraud, every purchase/subscription would require the same level of protection as a real estate transaction. Everything signed, in-person meetings, upfront payments, banks, lawyers, notaries, cryptographic signatures (hey, we have e-CPF and nobody uses it!). But as you see, 100% fraud avoidance means friction, and no sane retail business likes friction. It's a business decision on their end. They accept risk so they can take your money easier.
If however it’s a credit purchase (personal loan, crediário, etc) then it might go to collections, then this advice works.
Online purchases though are 80% credit card and 15% Pix/Boleto so it’s unlikely they got a loan just to buy stuff. If they can get a loan, they’ll get the cash itself and run.
Edit: on a Credit Card transaction the burden of evidence is on the merchant. THEY have to prove it was you.
There's no legal footing, but they will try.
In contrast, I lost my drivers license and in order to get a new one I had to go the DMV in person and put my thumb print on a biometric scanner which pulls up my picture for the DMV person to look at before they authorize the request. I can also file an affidavit of identity theft with a police report attached and they will give me a new license and A NEW DRIVERS LICENSE NUMBER. The federal government trying to shoehorn an unconstitutional universal identity system into social security is the source of all this nonsense.
How does the state have your fingerprints on file?
It's a basic requirement in California to get any form of ID.
Why even have laws or fines if they're so toothless?
That's criminal-grade negligence.
Why, going through such trials, ex opere operantis, might just sour a 'true believer' in the "invisible hand" on the whole novus ordo seclorum.*
Hahahhahahaha! Urghk, briefly part-swallowed my tongue from laughter, excuse me...
* As the undoubtedly distinguished graduates of Yale SOM, for example, might phrase it
https://resist.bot/petitions/PONADR
In Germany there is Campact for example which usually crosses 200K signatures per petition, if something like this doesn't exist in the US then I think someone with money should create it or promote an existing solution like OpenPetition to enough recurring signers
https://en.wikipedia.org/wiki/Campact
I wish I could put a permanent fraud alert on my credit accounts, but would probably have to hire a lawyer or something.
Is there something else I’m missing that’s only temporary?