Tell HN: Equifax free credit report dark patterns
For years, I have been obtaining free annual credit reports (annualcreditreport.com) which must be provided by law. Recently, for the first time, when I tried to obtain my Equifax report, I was prompted for an email address and a mobile phone number, a new requirement that apparently cannot be bypassed. The other two bureaus, and Equifax previously, confirmed identity by asking knowledge based questions. They do not need my phone or email for anything.
Next, trying to obtain the report by phone instead of web site per instructions, I got to the point where I entered my ZIP code on the phone keypad, the voice menu system correctly repeated the number back to me, but every time I press 1 to indicate it is correct, the system acts like it got an invalid response and only gives me the option to enter further information by voice, not by the phone keypad. Just as with my phone number and email, they do not need to record my voice to provide my report.
I wrote a complaint to the annualcreditreport firm earlier this week, no response yet.
107 comments
[ 2.7 ms ] story [ 167 ms ] threadhttps://reportfraud.ftc.gov/
https://www.consumerfinance.gov/complaint/
At least 3 credit card companies I use are signed up/using a biometrics/information provider. (they wouldn’t tell me who, despite federal disclosure requirements — I only knew they were using someone because my current accurate info was replaced by info from 7 years ago)
There are companies trying very hard to find out everything from your hair color, facial features, and skin type to your email address and connect them all for everything from identity management to advertising. They are working on getting your payroll data directly from your employer as well, so you will not be able to self declare income in the future. You will know when you run across the companies that use these providers because their data is often wrong or out of date and they usually ask you for a video of yourself holding your id to update it and may even give you a problem then.
The amount of information these companies are collecting and piecing together is scary — one company is tracking major website comment activity and tying it back to their core data sets which has your IRL info.
This means that in the future, you could be denied employment, a mortgage, or an auto loan because of something you said last year in Twitter.
As a citizen with some modicum of hope for the future I will vote for strong privacy protections. As an engineer I will not work on products that progress our state of surveillance capitalism (yep, realize the constraints here). I hope others agree and act accordingly.
In short, surveillance state capitalism that strangles actual free markets and reduces choice is the natural form of capitalism.
They can deny bank loans, auto loans, etc based on comment history and then hide behind KYC/AML laws. Under those laws, they don’t have to provide any reason whatsoever for the rejection and can operate without impunity. They are the judge, jury, executioner and the government gave them that power.
It's a bit akin to all those people who complain it's impossible to know why Google closed your account despite evidence [1] to the contrary.
[1]: https://www.huffpost.com/entry/why-google-bothered-to-ap_b_2...
The funniest part is that HSBC already revealed to criminal organizations on how to evade KYC/AML tripwires. When you outlaw freedom, only the outlaws have freedom.
This should be illegal in all countries.
Many people happily put their real names in their social media.
Many people put information and/or pictures which easily identifies them when combined with other data, which credit agencies have an enormous amount of (workplace, purchase of a new vehicle, house photos, school, etc.).
Those two things alone probably cover a large percent of the population.
Add in things like: using a username on social media that is the same/similar enough to the email address you signed up to credit monitoring, purchasing browser fingerprint data from whatever websites and comparing it to logged-in site visitors, etc. and the outlook is bleak.
But unfortunately every single major payroll provider (like ADP) in the US now shares your payroll data with Equifax and more. And those services openly advertise for employers to use them to be able to beat down new employees on salaries among other things.
:(
[1] https://www.csoonline.com/article/567833/equifax-data-breach...
The moment credit agencies started running their own monitoring services, it seemed like they were openly admitting that they were defaming people. I still do not understand why this is legal.
If you're signed up for credit monitoring, you get notified when your credit info gets changed, so you have a chance to react if it's an error (or fraud). How is that defamation? Why would it be illegal?
It's defamation because they know their information is frequently incorrect, that it is trivial for people to get outright fraudulent transactions attached to people's "credit report". Knowing that, they then present that information as fact to others, despite knowing that the information they provided is used specifically for purposes where false information will add significant costs to the people they're reporting on.
Now you're right, I can get credit monitoring, in which I pay money so that I can spend my time verifying they're not publishing fraudulent information. So now it goes from defamation to extortion: we'll defame you unless you pay us and do the work of ensuring we don't defame you.
What's that? You never did that? Well, for just $5/month you can sign up for my monitoring service and we can investigate your claims. In the mean time, I'm going to keep warning everyone about your behavior.
I feel like most people would consider the above behavior unacceptable, but it's okay because I'm a big company dedicated to stopping perverts like you.
(hopefully it is clear that I'm not actually serious. Unlike the credit agencies)
Legislative sanity would see a repeal of the FCRA and the addition of a US equivalent of the GDPR, giving us a right to privacy that's applicable to every single company. I don't consent to being a data subject of any part of the surveillance industry, including this oldest part calling themselves "credit bureaus".
I'm not sure I feel good about this either. Isn't your mother's maiden name, the street you grew up on, your first concert, or your pet's name all information that is pretty much well known by now. Primarily by you (royal) for taking those stupid social media quizzes.
Deny them the access? Phones are way more restricted than home computers here. App stores also reject apps that insist on permissions that are out of their scope.
There are major apps that have unique integrations with app stores and consumer devices. Phone security/privacy is largely PR in this regard.
And guess what, my account lists my username, email, and phone number exactly as I entered them. But I still can't change my password since that requires verifying my current password, which they've apparently forgotten. What an absolute joke.
Been annoying when trying to have a credit check run and the place uses equifax and they deny based on frozen credit. Like ya, I know. Could be worse I suppose, could be open and unable to freeze.
For another example, see every customer service phone tree in existence. Or more broadly, any customer service, although Google gets extra side-eye.
I had a frustrating experience trying to obtain my consumer report from Early Warning Services, a less-known alternative to Chex Systems. Their process for requesting a report was unnecessarily complex and seemed designed to discourage users.
Initially, I had to navigate to a hidden webpage, which then directed me to a PDF form. This step alone was convoluted. After filling out the form, I discovered a line within the PDF that provided a link to a consumer portal, which looked like it hadn't been updated since the early 2000s.
The next step required me to create an account on this outdated portal, upload the completed PDF, and wait for a response.
However, my troubles didn't end there. For reasons unknown to me, my account was suddenly deleted. When I reached out to their IT support for help, they were clueless about the reason behind this issue.
Fed up with the lack of support and transparency, I decided to file a complaint with the Consumer Financial Protection Bureau (CFPB). To my surprise, this action prompted a swift response from Early Warning Services. Within just two days of filing the complaint, they sent me my consumer report.
They ask you for your phone number to verify you, not because they want your phone number when they already have it.
If you want to avoid them knowing your "real" phone number and leaking that to marketing agencies, the best thing you can do is get 2 mobile phone numbers, one you actually use with your friends and family, and one you provide to businesses and stick that SIM in a beater phone and keep it silent.
I HATE this system and wish we had some GDPR-like law for preventing sharing of such information outside the corporation you provide it to, but such is the current state of the system in the US.
They have every reason to use this reporting requirement to collect more information about you.
They have every reason to conflate credit freeze with credit hold, and confuse consumers in order to extract regular payments from them.
They have zero reason to keep sensitive data about you secure. In fact, they have every reason to promote fear and uncertainty in the public that their sensitive personal information is in the hands of criminals as a growth opportunity for their industry to sell credit monitoring services.
They have successfully convinced the public that identity theft is a separate and distinct crime done exclusively by one person to another rather than simply fraud that they are aiding and abetting.
Consumers and credit reporting bureaus have a fundamentally adversarial relationship that no legislation can harmonize. They exist because they do serve a purpose for finance, which is to give an indication of how much money they can make lending money to someone. Regardless, this reporting does not have to be done by for-profit corporations. This can just as easily be done by non-profits or government agencies. Although these are not perfect, they are free of the perverse incentives driven by for profit corporate structures.
Similar to why cookie accept/deny interfaces are atrocious. They're intended to be!
I think a solution will require more creativity than "have the government do it", but the current system is clearly broken.
I'd want a non-profit to handle it. I'd want full public disclosure of internal processes, data sources and data buyers. I'd want strong, unhindered oversight provided by a fully independent public board along with separate oversight provided by the FTC - with oversight entities able to exhort meaningful influence over methods, sources and customers.
b) I bounced a check, don't remedy, and owe money to a furniture store.
c) I move a random amount of money each month to a separate account and make loan payments from there.
d) How far back does someone need to account for their spending in order to get a loan? People complain about mortgage applications, but this is a whole new level.
Access to credit gets more expensive without a 3rd party aggregator.
I don’t have an inherent problem with having a broadly accepted and comprehensive credit-risk profile, but the way we do it and the institutions who profit off of it are disgusting.
Yes, it does mean that there will be a certain amount of defaults that we will all be paying for. I'd rather pay for that than for another yacht of some rich finance bro.
After all things seemed to work fine before credit scores. Perhaps we put too much "stock" in them in the first place. There has to be better ways to manage this.
One way I could forsee is a government agency that acted as a reporting depot. Then you could forbid the sale of information, and create legislative firewalls for it to keep it out of the hands of other agencies[1].
Though I will continue to argue that credit scores are deeply flawed[0].
[0]: FWIW, I have excellent credit too, so I hardly run into any real issues with it, but I have see the other side of this table. They are often used in such a way I would classify it as prejudiced discrimination with extra steps. For bigger / riskier loans. You could instead opt for point in time financial audits, for example.
[1]: Two things of note. One, last I looked into this, the government very much pulls credit reports on pull without any oversight as it sits today. Two, there is a history of legislative firewalls that do work, they need clear and strong oversight provisions, and today we have almost zero oversight of the credit bureaus. I'd roll the dice on creating something akin to the GAO or Federal Reserve type agencies (that is to say, very independent from lawmakers and presidents but still have competent oversight), but for something that functions for the intentions behind what these scores are suppose to be for.
This seems to be the harder problem. I read potentially better solutions all the time, but I never read about how to get to that point first.
There's been no systematic callout of the bureaus in wider society, that I can tell.
Probably the only answer is legislation
There was a recent article about Schufa - https://news.ycombinator.com/item?id=39395329.
The old way to do it, pre-credit score, is that they would take a look at your zip code, take a look at the color of your skin, and decide if you were a "trustworthy individual"
They’d also look at the quality of your suit, or lack thereof, your accent, and try to guess your religion.
When a politician gets a loan denied due to bogus data, I'm sure heads would fly. It's probably also subject to whatever their equivalent to FOIA and whistleblowing laws are over there.
The private sector gives us the worst of everything: it's an obnoxious panopticon, PLUS being incentivized to be untransparent and seek out eternal growth.
This demonstrates a fundamental misunderstanding of how credit reporting works.
When "identity theft" occurs, it's important to realize that the credit reporting firms are not involved. That is solely due to failures, at the institutions that actually grant credit, to verify the identity of the person they are interacting with.
The flow goes: a fraudster uses harvested data to impersonate someone to a credit grantor, such as a credit card company. The credit grantor, accepting this identity at face value, asks the credit reporting agency (CRA) about the credit rating of the impersonated entity. The CRA says "Joe Victim has a relatively low risk of fraud". So the identity theft has already occurred before the CRA is even consulted.
Later on, when the fraudster fails to pay as agreed, the credit grantor incorrectly reports to the CRA that the fraud was caused by Joe Victim. Again, the CRA is just relying on the data provided to them by their clients.
They weren't leaked, they were stolen. Does a bank "leak money" when it's robbed?
* Update their dependencies within two months of a critical security vulnerability being patched (Mar 7 to May 12).
* In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).
* Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.
They thought they did, but failed.
> In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).
Impossible to guarantee. A sophisticated enough attack might never be detected, regardless of the competence of the security department.
> Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.
It is impossible to so completely segment a network. If I can get the data via an authorized program, that means there's a path between networks and a hacker can potentially exploit that path.
Oh, never mind then. Clearly since they thought they updated the dependency it's all good.
> Impossible to guarantee. A sophisticated enough attack ... It is impossible to so completely segment a network ...
While I will acknowledge that this seems to have been Equifax's approach to security (it's impossible to do completely so why bother doing it at all?), this is not widely accepted as a philosophy of security in any industry.
That a bank could still be robbed by a military incursion from a neighboring nation state is not sufficient reason to leave the vault door open overnight. The record abundantly shows [0] that Equifax had security protocols that were weak enough that no sophisticated actor was needed to bypass their protections.
As far as their failure to detect the breach, this is what the House investigation concluded:
> Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
[0] https://oversight.house.gov/report/committee-releases-report...
If such an entity demonstrates gross negligence yet there are no repercussions, perhaps it is worse than negligence, it is outright larceny - Equifax could be characterizes as a govt supported cartel.
It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation, as well as re-issuing all sensitive information to all affected individuals.
As for what to do instead, credit reporting need not be the important solution, rather one part of an accepted solution, such as multiple scores issued to multiple numbers that are not tied together by a single bureau. Then when credit checks are pulled it is not sufficient to use a single service and the incentive to illegally utilize said information decreases, as the relevance is reduced for any one credit check.
Huge stock hit (since recovered, of course), top executives lost their jobs, fines, had to give away a paid product, extra oversight, cost of fixing security, several rounds of layoffs for the employees, etc.
> It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation
This is why we can't get real, meaningful change. No wonder our "leaders" think so little of us.
Every data source (such as a bank or credit card) provides that data to CRAs because consumers granted permission to do so when entering into a business relationship. Either that, or it's publicly available data purchased from aggregators.
Do we have an actual choice?
There are costs to that approach, of course.
Take housing - perhaps it is possible to purchase outright a home with cash, however you will not find generally anyone willing to take payment in cash.
If you cannot afford that and are not taking a loan, then you must rent. However you cannot rent without a credit score.
So no the consumer did not consent to anything. This is a ridiculous and dishonest viewpoint.
And notably, it’s entirely possible to rent without a credit check. Just not big corp places.
My current place didn’t check my credit, and they weren’t the only ones. I was disappointed they didn’t. But a lot of the cookie cutter places will.
https://privacyrights.org/data-breaches/court-ventures
But I find comments like these often become popular and highly upvoted because of their formulation but end up serving very little utility and ultimately dismissive. I think they're upvoted because they are in factual and accurate, and we like the confirmation because it shows how intelligent we are. But I think they end up being dismissive because it is missing the point. It is dismissive because there are no actual points being addressed or solutions being offered. There is an implicit solution of the government generating said report, but I think this would need to be (more) explicit. It also seems that anytime these comments raise to the top that the conversations become very unorganized and off topic, because frankly there is little to go off of. If writing a purely educational response I think it is quite hard to do (and even this comment might have the same repercussions but I'm trying to add more and my intent here is to align the thread. No one need reply to my comment).
Personally I think a good solution would be for the law regarding these free reports should be updated to specify that they should not be a data collecting process. That they are only allowed to ask for information that they already have and that this is solely used to verify the authenticity of the user. Using this process to generate novel data is an abuse of the system. I also personally feel that the public should be able to have more recourse for mistakes that are made by these companies (within reason). I still feel like there has not been enough recourse for the Equifax breach and that not enough has been done to protect citizens. I don't think this is an unpopular opinion, but ensuring our politicians are aligned with public beliefs is a whole other conversation.
[0] Personally I feel it is pretty obvious and apparent that credit agencies operate to collect and process data about people. It is then also apparent, to me, that of course the incentives align to them getting even more data about you as possible. It seems to me that anyone that is doing yearly report generating is highly likely to be aware of the business model. But not everyone is me so maybe that's not the intent. And what's obvious to one person isn't always obvious to others.
I interpret that as: Companies like Equifax allow (or disregard good security practices to enable) data breaches to land your data into identity theft rings. They (Equifax) then try to sell you "protection services" while they continue to dangle your data to tantalized thieves. What a fucking racket.
https://unifiedid.com/
Equifax will give you a copy off your real credit report once per month if you sign up with them which is better than the other two will do. The rub though is they try as hard as possible to make you think you have to pay for it and every time you sign in you have to decline to pay.
It’s so fucked up. If we’re going to have our lives controlled by credit agencies, then individuals should be able to access their real score at any time for no cost and no bullshit. What a fucking racket.
[0] https://employees.theworknumber.com/employee-data-freeze
[1] https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifa...
Equifax doesn’t care.
From consumerfinance.gov:
"You can request and review your free report through one of the following ways:
1. Online: Visit AnnualCreditReport.com
2. Phone: Call (877) 322-8228
3. Mail: Download and complete the Annual Credit Report Request form. Mail the completed form to:
You can request all three reports at once or you can order one report at a time. By requesting the reports separately (for example, one every four months) you can monitor your credit report throughout the year."