Seriously, what is up with that picture? What is the message or point that they are trying to get across with such a picture in that article? is it supposed to add any credibility to the guy or his firm?
Not only that but if you pull a whois on the domain it
has what appears to be Holden's home address. [1] (I won't post that here but anyone interested can find it).
The gear hanging by what appears to be ethernet cabling is really bizarre. I mean who does that? Especially if you know someone is taking a picture.. (Something isn't right here..)
It's a multi-factor authentication platform. The item, application, or website would have to integrate LaunchKey first. The users would be able to login without using passwords with far greater security. The implementer gets the benefit of not having the liability of storing passwords and an enhanced user experience for their users.
It's relatively new. You can login to sites that support OpenID or directly support LaunchKey. You could also install a WordPress or Drupal plugin. Most businesses you wouldn't realize you're using LaunchKey though because it would be with their own branding. Also, it's much more enterprise focused for large companies to secure their employees' access while making it easier;safer;cheaper for everyone.
How much rampant identity theft has to occur before our government admits that it's broken? Leaving things like credit ratings in the hands of 3 incompetent companies like Experian, Equifax and Transunion that control our livelihood is an affront to common decency.
As a victim of identity theft, and as someone who took extreme measure to protect himself from identity theft before it occurred, I can tell everyone without a doubt that the only reason why you're not a victim of identity theft is because of random chance. There is no mechanism to protect yourself, and your information is readily available. The only reason why you haven't gotten your identity stolen is because the thieves simply haven't gotten to you yet.
It's infuriating that these companies can get away with what is essential libel and not have anything done to them. I shredded all my mail, I haven't given any real information about me on any web site since 1997, never gave out any information about me willy-nilly including applying for too many credit cards, and I never fall for phishing attacks. And yet somehow I found myself victim of identity theft, and it took 2+ years to clean up, and it's still not over. Since so many web sites use Experian data to verify my identity, I've lost a lot of opportunity to get credit, loans, etc, because Experian has mixed my information with the fraudulent information, so I get answers to those automated question wrong.
It's truly infuriating, and the system is completely broken, yet no one in government cares.
I didn't sue Experian, but I did sue a collection agency that was reporting an account that wasn't mine- their lawyer called and agreed to have everything removed. I didn't hire a lawyer myself, I filed Small Claims. While it was a pain, it didn't take long after filing the suit to get the record cleared up. If it happens again, I'm going to file suit much faster.
Sadly we have to put up with Experian (and Equifax) in the UK as well. The third most popular agency being CallCredit which for me didn't even have a fraction of my credit history thus causing me severe difficulties when I was arranging a simple mobile phone contract! There needs to be better regulation of these outfits with regards to who gets this data and completeness of data.
It is also very disconcerting that these credit rating companies offer a non-free service to help you improve your credit rating score. That seems pretty damn close to being like a protection racket.
And even when you do pay them they still can't get it right. My bank made a huge error after I separated from my ex-wife back in 2004. When we dissolved the joint account they updated all my addresses to her address and then maintained her as a "linked" person despite us having no financial ties or liabilities.
It took months to fix the address thing and still ten years later I cannot get them to competently resolve the "being financially linked" data error. Sure this was a data provider that caused the problem and they should be responsible for fixing it. But in the end it became impossible to fix because there is no single department in the bank through which the credit record data is passed.
Trying to work with the credit scoring agencies was futile because they just bounce you back to the data provider telling you to tell them to fix their data.
It's like living the the world of Terry Gilliam's Brazil.
It may be like living in Gilliam's Brazil, but we do actually have fairly good protections against this that can usually be used to break out of the bureaucratic nightmare:
(this should be obvious, but just to be sure: IANAL)
Send them a letter where you give them 1 month to resolve the problem, providing full documentation that you are divorced and point that as such the information is incorrect, and that under the Data Protection Act they are legally obliged to ensure incorrect personal information about you is amended or deleted. If you have past correspondence with them where they acknowledge the information is incorrect, then provide copies.
Inform them that if the matter is not resolved, or they have contacted you to agree on how to resolve it, within 30 days, you will file a formal complaint with the Information Commissioner (ico.org.uk).
Provide the same notification to the bank (ensure it is addressed to the legal department).
The credit scoring agencies has a legal obligation under the Data Protection Act to ensure personal information is correct. This applies to all organizations subject to EU data protection rules (which is pretty much everyone with very limited exceptions). That the data comes from a third party is not an excuse if you have provided documentation that the information is wrong. (it may be reasonable that they refer you there first, but if you have tried to get the bank to fix it, and they've not, then it is not reasonable for them to continue to insist).
Ultimately, if even the ICO can not get them to budge, go to a lawyer. Failure to rectify this information is blatant violation of the principles of the Data Protection Act, and you can get a court order to have the information corrected, and in some cases even require that they contact every recipient of the flawed information.
In your case this is important. If either one of you goes bankrupt e.g. you risk the other ones credit score being ruined for about a decade. But frankly, in most cases a threat about a complaint to the ICO ought to be enough. If you've written a letter and complained to ICO, and they fail to correct the information, then a court case will be a walk in the park.
Also note that in certain circumstances you may be due damages incurred as a result of the incorrect information.
A last consideration: The Data Protection Act also provides you with some means of insisting that certain types of decisions are not taken automatically, or to have automated decisions reconsidered. This provides you a fallback if e.g. you are often refused credit based on automated scoring based on the flawed data. You can notify the bank in advance in writing that you do not consent to automated decision making, and providing documentation of the divorce, or you can demand a manual reconsideration afterwards (and provide the same documentation).
In the EU they're subject to data protection laws, so in the UK if they are unresponsive, a combination of a complaint to the Information Commissioners Office + issuing a Subject Access Notice (demanding a copy of the information they hold on you under the Data Protection Act, though some of the information may be exempt it should assist in finding further details on where any bad data comes from if the agency in question doesn't divulge the full details on your credit report) should generally help.
Under EU data protection laws, in most cases failure to provide you a way to delete or amend incorrect personal information held about you is a clear violation of the law. As is failure to grant you access to information about whom they have passed personal information about you on to.
That doesn't mean they won't try to act like asses sometimes, but bringing up the Data Protection Act and mention a complaint to the Information Commissioner can and does make a difference.
Exactly this. Why does the credit card system exist like this? Every time I mention it, people get all worked up about chargebacks and that it's not a big deal and all.
Hey, I don't need to check my account whether I need to chargeback anything. If I need to pay people, I pay people, I don't give them the equivalent to a login.
I wish I had more upvotes to give you. Alas, I can give you only one.
I was the victim of low-grade identity theft about 10 years ago, all stemming from a credit card number illicitly imprinted by someone at a restaurant. Shit spiraled from there, and it took me years to clean up the fallout.
Dealing with the Big Three credit agencies was a process for which the word "Kafkaesque" somehow falls short of descriptive power. I've been caught in bureaucratic snafus at the DMV and the IRS, and in comparison, both of those processes were a walk in the park on a bright, sunny day.
Our country is basically a consumerocracy, in which one's credit rating is more or less one's fate. If we're going to bestow that much power upon a three-member oligopoly, then we should demand much greater responsibility of its members.
> I was the victim of low-grade identity theft about 10 years ago, all stemming from a credit card number illicitly imprinted by someone at a restaurant. Shit spiraled from there, and it took me years to clean up the fallout.
Can you explain this in more detail? I don't understand how a single stolen credit card can cause you years of problems.
The thief made some small purchases that would have been comical if their consequences hadn't been so ridiculous and far reaching. For instance, he rented a video at Blockbuster (!) that he didn't return. Blockbuster attempted to contact "me" several times about the video, assessing various late fees, but never charging them to my card for some odd reason, until finally it sent a collections agency after me. This entire, petty drama went unbeknownst to me until it wound up on my credit rating. All over a fraudulently derived, $15 late fee at a freaking video rental place.
Getting this incident wiped from my credit history took an elaborate and drawn-out series of phone calls, letters, forms, interviews, etc. Even then, a decent amount of damage had been done, and various reports had spawned other reports, and I was borked in countless derivative reports and company databases. I had to do some "rebuilding" (in the parlance of the credit companies) for a few years. And this was just one of several, roughly similar purchases that accrued in the system under my name. The irony is that a bolder thief, making bigger purchases and maxing out the card, would have caused less damage to me by catching everyone's attention in flagrante delicto.
Thanks for clearing that up. Did he make a fake ID to open the Blockbuster account? It sounds like he had more than your credit card. If all he had was your card Blockbuster wouldn't be able to go after you, they wouldn't have the necessary ID information.
To be honest, I'm not sure. All I can do is speculate. All I really know is that my credit card number was obtained and was used to make a few small purchases. Blockbuster was one of them. I didn't find out about Blockbuster -- or its attempts to go after me -- until I got a letter in the mail from a collections agency. That was the first I'd heard of anything involving Blockbuster. I put two and two together and realized it must have stemmed from the credit card theft, which had happened a few months prior, and which I'd assumed had been largely wrapped up by then. I figured that the collections agency hadn't just been called in overnight. No doubt it was the third or fourth step in some procedure at Blockbuster, starting with phone calls and letters, presumably to whatever falsified address and number this guy gave them. When it finally came time to involve collections, collections probably figured that I was some sort of deadbeat, and that "my" address on file with Blockbuster was bogus, and that at least the credit card number and bank were valid. So they found a way to contact me at my real address. (It's also possible they found me, at that point, through some ancient account on file with Blockbuster's system. Who's to say how sophisticated their dedupe practices were with their DB, but I'm guessing not very?)
I have no idea what else was involved in the theft, above and beyond lifting my number. It's possible a fake ID was involved. I really can't say, and I don't want to overstep the bounds of my recollection.
The short version is that the way the credit system in the US works is basically an echo chamber. That one stolen credit card racks up a bunch of fraudulent charges, those charges get recorded by one of the credit reporting agencies and then shared with the other two. Those credit reports then get used as the basis for all kinds of other reports at other companies all the way up to and including the IRS. You basically spend the next X years arguing from one company to the next to fix the records, but the records tend to propagate faster than you can get them fixed, because everyone references everyone else.
Sadly at this point it would almost be simpler to concoct a new fake identity for yourself and get that entered in than it would be to fix your original corrupted identity.
If you happen to be lucky enough to catch somebody in the act, you can undo the damage pretty quickly, if not altogether painlessly. It'll take a huffy phone call to your credit card company, and some watchful waiting for a month or so afterward. You will get a new card, with a new number, and you'll have to set up new billing numbers for everything. A small, but sharp pain in the ass. [1]
But if you don't catch things right away, and god forbid, if something winds up on your credit report, you are capital-F Fucked. By then it's too late, and your fraudulent data is commingled with your real data in dozens of databases, each one echoing off of the other. The bad data sprouts like kudzu. You can pluck a few shoots out of the ground, and five more pop up in unexpected places, weeks or months later.
[1] You can also set up a proactive solution, like a super-sensitive, early-warning algo at your credit card company. But this net ends up snaring you half the time, like whenever you use your credit card to make small purchases, or buy gas, or out of state, etc. It gets a lot of false positives. My card gets blocked for "fraud" every few weeks, leading to minor headaches at restaurants, bars, and gas stations. But I guess I'll accept this hassle as the price I pay for advance warning of real fraud. At the same time, I'm concerned that this system is just as likely to run into false negatives, which would really suck.
I'm in the same boat, I didn't figure out my identity was stolen until I was asked what color some car I owned was ( I'm a public transit owner in a large city) when doing a security screen the entire credit rating system is fucked
[1]Identity theft is the number 1 complaint 14 years running according to FTC. To answer your first question: MOAR.
Stories like yours make recovery policies, like [2]this, seem prudent.
[3]My very first post on hacker news, 3.5 years ago, stirred ZERO discussion. "Identity theft is an enormous problem, so what are the solutions? Who's working on something that practically everybody who uses the internet should consider looking into?"
Identity Theft Shield through Kroll Advisory Solutions is the best program on the market. Nothing can prevent it but they are the best at putting the pieces back together after the breach has occurred.Take a look at
http://www.legalshield.com/idt/amysosa
Let me know what you think.
Perhaps a first step would be to stop referring to it as "identity theft". That phrase places you as the victim, thus implicitly any injury is yours to bear. The proper victims of the fraudsters are the businesses falling for it, thus those firms should be the ones on the losing end (instead of you). Perhaps if they had to bear the costs of fraud, those firms would care more about shoddy identity practices.
Coincidentally, outside the US of A, where the fraud liability indeed lies with the defrauded business, "identity theft" is a much smaller problem, and isn't called as such.
"[T]he Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
> though the Russian government has not historically pursued accused hackers.
between a blogger criticizing Putin's regime and a hacker who stole a bunch of millions from an American bank - who do you think the Russian government would go after? :)
Imagine if they wanted to use this for a terrorist attack, or sold the data to someone who did.
If they set up a bot net to log into as many bank accounts as possible and transfer money around (even if it were just between a users own accounts or accounts already setup for transfer), banks would basically be forced to shutdown internet banking until they could come up with a solution. The economic losses would be tremendous--it would take forever to sort out the mess.
You've seen GoldenEye too many times. Evil is selfish, not indiscriminate. Terrorists generally want control over some general area (or their own lives). They don't want to destroy human society. Society is what gives them food, shelter, and all the other things people like to have.
What you're describing would take not just one person who wanted to destroy all of human society, but quite a few of them.
>What you're describing would take not just one person who wanted to destroy all of human society, but quite a few of them.
Woah...I'm not talking about something destroying all of human society, I'm talking about a group of people who would like to harm specific countries economically--of which there are more than a few.
Moving money around like what I'm talking about would result in billions of dollars lost. Worst case scenario a stock market crash followed by a recession, not the end of civilization.
Before my wall of text, i first understand the difficulties of network effects, getting credit cards accepted world wide, much less state wide, but i think with the advent of square, stripe, paypal, etc. the barriers to launch are much lower than they were even 5 years ago. I'm sick of banks trying to squeeze every last drop out of the customers, and i'd gladly pay for a banking service rather than be the product it's selling.
Credit cards are surviving in the stone age, firms would rather make it easy for you to get yourself in debt that to provide a service that prevents fraud and abuse. So, VC people out there. If you want to make a billion dollars, you should start a bank. People who work for the credit card community, there are simple upgrades that would make life a lot safer.
Simple upgrades to make security safer:
Chip and pin is low hanging fruit in the US. The fact that most americas have no idea what those threes words mean is an international embarrassment.
READ ONLY passwords for bank account information, in addition to different read write options, that have an extra level of security. I'd gladly use services like Mint, except i'd rather not give write power to anyone except me and a browser i only user for banking only at home.
Tie credit cards to cell phones. Get a text after EVERY purchase (this would honestly not amount to more than 10 or so texts per day). Have this as opt-out, not opt-in. Yes, i would use this, yes it would effectively stunt any fraud. You would not have to respond to the text at all, however, if you suspect fraud, you can immediately cancel the card.
Voice recognition for phone calls. When you take out a card, you are require to read a paragraph or two, and upload, or mail in a recording of your voice. This could immediately alleviate much of the phone security nonsense that i deal with when i'm on the phone. It's not a cure all for passwords, but it's certainly an additional level of security.
IP zones for online credit card purchases. I know about five 100 mile radii that i will be making an online purchase from. Add an extra level of security for any time i'm outside of that.
As far as credit agencies are concerned, there is a serious issue with quasi-oligopoly situations there. Extremely difficult to disrupt, but developing secure credit vehicles could create incentives for the current oligopoly in credit cards to improve security for their own cards.
At the end of the day, i'm more than willing to admit that people themselves are a big part of the problem. Example: a year ago, watching a man freak out on an apple store employee when he would not give a computer to him, that apparently belonged to his son, who gave it to the apple store a week earlier. The son apparently signed off that only he could receive the computer, and only in person. The enraged father was rambling on about how insane it was that they would not surrender the computer to him, and how he would never use apple products again. I wish there were profitable business models for people who actually like following the rules and read the contracts they sign.
tl;dr: I don't want a credit card that makes it easy for me to spend money. I have cash for that. Give me a credit card that makes me feel safe entering the number into any website, and i'll gladly pay a premium for it.
Would be nice to differentiate banking permissions not only by read/write, but with a full Oauth solution for the entire online banking suite.
Actually, it would be nice if a service built an API that interfaced with multiple banks, and provided this Oauth natively. Of course, then you have the same problem -- that service has all your passwords. Unless there's some clever end to end encryption that can be done, then sadly we are reliant on all the banks upgrading their systems individually.
I'd just be happy if my bank offered two factor auth like gmail, facebook, namecheap and other sites that are far less financially important to me. Hell even evernote offers two factor, why can't the largest bank in Canada do the same?
I really like the idea of getting texted for every purchase. It's immediate and you can do something fast. What can you do is another issue but at least you know now rather than maybe a month later when all he'll has broken loose.
In India, atleast with my bank, we get SMS notification for every purchase, I also got a confirmation call couple of times from bank when making purchases of large amount(relative to my normal usage). Also online credit card transactions in India have a password/OTP authentication.
A lot of these items are about protecting your own payment cards which are kind of pointless. You are not liable for credit card fraud. It can be a bit of a pain to replace a card but getting rid of fraudulent charges is now as easy as a phone call. I'd rather have to make a single phone call every few years to dispute a fraudulent charge then go through all this BS to use my cards.
That said, chip and PIN is great and is coming to the US in 2015.
Most Americans are going to get an education in cards with chip next year - the majority of cards should be chipped by end of 2015. Looks like they're leaning towards chip + signature for most issuers, though, so will probably be another couple of years before they give up that to and go chip and pin, given that they're increasingly becoming the prime target for fraud as pretty much every other developed country is going or have gone chip and pin.
I'm resisting the urge to offer you a tinfoil hat or ask if you're joking. Instead, I'm going to reason through this.
The scenario you describe is unlikely. Before such a global catastrophe happens, it's likely that a smaller catastrophe will happen. Like the Titanic, the world will be shocked into preventative action. Governments will make laws.
After that, the difficulty in collecting such massive amounts of information will be greater than the value in that information. Even now, requiring proper software security practices would prevent information-theft from being a viable business. You might get the occasional massive haul, but it wouldn't be an epidemic.
This might be wild speculation but it just makes me wonder what with the recent sanctions against Russia, you just wonder if their government is actually behind it.
Affiliate revenue (of the sort these criminals got from pushing weight loss products) is pocket change to Russia. I am curious, though, so some quick napkin math is in order..
1.2 billion accounts
Modestly estimate they sent emails/posts with 200 million
5 emails from each account
Click rate of 0.01%
Landing page -> offer conversion rate of 15%
Credit card details conversion of 5%
$15 commission on each lead
= $112,000
Even if you tweak that to send more emails or use more accounts, the number is still going to be somewhere around $10-15 million. Not that much.
86 comments
[ 17.4 ms ] story [ 1852 ms ] threadhttp://www.dailymail.co.uk/sciencetech/article-2703440/There...
http://www.holdsecurity.com/
Not only that but if you pull a whois on the domain it has what appears to be Holden's home address. [1] (I won't post that here but anyone interested can find it).
The gear hanging by what appears to be ethernet cabling is really bizarre. I mean who does that? Especially if you know someone is taking a picture.. (Something isn't right here..)
[1] According to street view.
https://i.imgur.com/aghESl7.png
https://imgur.com/nDO0STG.png
Original (odd) photo: http://static01.nyt.com/images/2014/08/06/business/06bighack...
Current photo: http://static01.nyt.com/images/2014/08/06/business/06bighack...
It's like the opening shot of a Sofia Coppola film. In my mind, that guy is played by a young Bill Murray.
Was better with the original.
As far as I can tell, I carry my phone around and it magically does everything to let me into everyplace I'm supposed to be.
As a victim of identity theft, and as someone who took extreme measure to protect himself from identity theft before it occurred, I can tell everyone without a doubt that the only reason why you're not a victim of identity theft is because of random chance. There is no mechanism to protect yourself, and your information is readily available. The only reason why you haven't gotten your identity stolen is because the thieves simply haven't gotten to you yet.
It's infuriating that these companies can get away with what is essential libel and not have anything done to them. I shredded all my mail, I haven't given any real information about me on any web site since 1997, never gave out any information about me willy-nilly including applying for too many credit cards, and I never fall for phishing attacks. And yet somehow I found myself victim of identity theft, and it took 2+ years to clean up, and it's still not over. Since so many web sites use Experian data to verify my identity, I've lost a lot of opportunity to get credit, loans, etc, because Experian has mixed my information with the fraudulent information, so I get answers to those automated question wrong.
It's truly infuriating, and the system is completely broken, yet no one in government cares.
Equal chances of success as suing them but considerably less expensive.
Also considerably more likely to get you arrested, possibly with overwhelming force.
Which could possibly cause media attention and Internet outrage, so it still feels like a better option than suing.
It took months to fix the address thing and still ten years later I cannot get them to competently resolve the "being financially linked" data error. Sure this was a data provider that caused the problem and they should be responsible for fixing it. But in the end it became impossible to fix because there is no single department in the bank through which the credit record data is passed.
Trying to work with the credit scoring agencies was futile because they just bounce you back to the data provider telling you to tell them to fix their data.
It's like living the the world of Terry Gilliam's Brazil.
(this should be obvious, but just to be sure: IANAL)
Send them a letter where you give them 1 month to resolve the problem, providing full documentation that you are divorced and point that as such the information is incorrect, and that under the Data Protection Act they are legally obliged to ensure incorrect personal information about you is amended or deleted. If you have past correspondence with them where they acknowledge the information is incorrect, then provide copies.
Inform them that if the matter is not resolved, or they have contacted you to agree on how to resolve it, within 30 days, you will file a formal complaint with the Information Commissioner (ico.org.uk).
Provide the same notification to the bank (ensure it is addressed to the legal department).
The credit scoring agencies has a legal obligation under the Data Protection Act to ensure personal information is correct. This applies to all organizations subject to EU data protection rules (which is pretty much everyone with very limited exceptions). That the data comes from a third party is not an excuse if you have provided documentation that the information is wrong. (it may be reasonable that they refer you there first, but if you have tried to get the bank to fix it, and they've not, then it is not reasonable for them to continue to insist).
Ultimately, if even the ICO can not get them to budge, go to a lawyer. Failure to rectify this information is blatant violation of the principles of the Data Protection Act, and you can get a court order to have the information corrected, and in some cases even require that they contact every recipient of the flawed information.
In your case this is important. If either one of you goes bankrupt e.g. you risk the other ones credit score being ruined for about a decade. But frankly, in most cases a threat about a complaint to the ICO ought to be enough. If you've written a letter and complained to ICO, and they fail to correct the information, then a court case will be a walk in the park.
Also note that in certain circumstances you may be due damages incurred as a result of the incorrect information.
See: http://ico.org.uk/for_organisations/data_protection/the_guid...
A last consideration: The Data Protection Act also provides you with some means of insisting that certain types of decisions are not taken automatically, or to have automated decisions reconsidered. This provides you a fallback if e.g. you are often refused credit based on automated scoring based on the flawed data. You can notify the bank in advance in writing that you do not consent to automated decision making, and providing documentation of the divorce, or you can demand a manual reconsideration afterwards (and provide the same documentation).
Under EU data protection laws, in most cases failure to provide you a way to delete or amend incorrect personal information held about you is a clear violation of the law. As is failure to grant you access to information about whom they have passed personal information about you on to.
That doesn't mean they won't try to act like asses sometimes, but bringing up the Data Protection Act and mention a complaint to the Information Commissioner can and does make a difference.
Hey, I don't need to check my account whether I need to chargeback anything. If I need to pay people, I pay people, I don't give them the equivalent to a login.
I was the victim of low-grade identity theft about 10 years ago, all stemming from a credit card number illicitly imprinted by someone at a restaurant. Shit spiraled from there, and it took me years to clean up the fallout.
Dealing with the Big Three credit agencies was a process for which the word "Kafkaesque" somehow falls short of descriptive power. I've been caught in bureaucratic snafus at the DMV and the IRS, and in comparison, both of those processes were a walk in the park on a bright, sunny day.
Our country is basically a consumerocracy, in which one's credit rating is more or less one's fate. If we're going to bestow that much power upon a three-member oligopoly, then we should demand much greater responsibility of its members.
Can you explain this in more detail? I don't understand how a single stolen credit card can cause you years of problems.
Getting this incident wiped from my credit history took an elaborate and drawn-out series of phone calls, letters, forms, interviews, etc. Even then, a decent amount of damage had been done, and various reports had spawned other reports, and I was borked in countless derivative reports and company databases. I had to do some "rebuilding" (in the parlance of the credit companies) for a few years. And this was just one of several, roughly similar purchases that accrued in the system under my name. The irony is that a bolder thief, making bigger purchases and maxing out the card, would have caused less damage to me by catching everyone's attention in flagrante delicto.
To be honest, I'm not sure. All I can do is speculate. All I really know is that my credit card number was obtained and was used to make a few small purchases. Blockbuster was one of them. I didn't find out about Blockbuster -- or its attempts to go after me -- until I got a letter in the mail from a collections agency. That was the first I'd heard of anything involving Blockbuster. I put two and two together and realized it must have stemmed from the credit card theft, which had happened a few months prior, and which I'd assumed had been largely wrapped up by then. I figured that the collections agency hadn't just been called in overnight. No doubt it was the third or fourth step in some procedure at Blockbuster, starting with phone calls and letters, presumably to whatever falsified address and number this guy gave them. When it finally came time to involve collections, collections probably figured that I was some sort of deadbeat, and that "my" address on file with Blockbuster was bogus, and that at least the credit card number and bank were valid. So they found a way to contact me at my real address. (It's also possible they found me, at that point, through some ancient account on file with Blockbuster's system. Who's to say how sophisticated their dedupe practices were with their DB, but I'm guessing not very?)
I have no idea what else was involved in the theft, above and beyond lifting my number. It's possible a fake ID was involved. I really can't say, and I don't want to overstep the bounds of my recollection.
Sadly at this point it would almost be simpler to concoct a new fake identity for yourself and get that entered in than it would be to fix your original corrupted identity.
If you happen to be lucky enough to catch somebody in the act, you can undo the damage pretty quickly, if not altogether painlessly. It'll take a huffy phone call to your credit card company, and some watchful waiting for a month or so afterward. You will get a new card, with a new number, and you'll have to set up new billing numbers for everything. A small, but sharp pain in the ass. [1]
But if you don't catch things right away, and god forbid, if something winds up on your credit report, you are capital-F Fucked. By then it's too late, and your fraudulent data is commingled with your real data in dozens of databases, each one echoing off of the other. The bad data sprouts like kudzu. You can pluck a few shoots out of the ground, and five more pop up in unexpected places, weeks or months later.
[1] You can also set up a proactive solution, like a super-sensitive, early-warning algo at your credit card company. But this net ends up snaring you half the time, like whenever you use your credit card to make small purchases, or buy gas, or out of state, etc. It gets a lot of false positives. My card gets blocked for "fraud" every few weeks, leading to minor headaches at restaurants, bars, and gas stations. But I guess I'll accept this hassle as the price I pay for advance warning of real fraud. At the same time, I'm concerned that this system is just as likely to run into false negatives, which would really suck.
Stories like yours make recovery policies, like [2]this, seem prudent.
[3]My very first post on hacker news, 3.5 years ago, stirred ZERO discussion. "Identity theft is an enormous problem, so what are the solutions? Who's working on something that practically everybody who uses the internet should consider looking into?"
[1]http://www.nbcnews.com/business/consumer/id-theft-tops-ftcs-...
[2]http://www.zanderins.com/idtheft/idtheft.aspx
[3]https://news.ycombinator.com/item?id=2163006
Just so long as there's not a bailout back-door on that.
"[T]he Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
“They audited the Internet,” Mr. Holden said."
between a blogger criticizing Putin's regime and a hacker who stole a bunch of millions from an American bank - who do you think the Russian government would go after? :)
http://en.wikipedia.org/wiki/Iran_Air_Flight_655#Post-tour_o...
If they set up a bot net to log into as many bank accounts as possible and transfer money around (even if it were just between a users own accounts or accounts already setup for transfer), banks would basically be forced to shutdown internet banking until they could come up with a solution. The economic losses would be tremendous--it would take forever to sort out the mess.
What you're describing would take not just one person who wanted to destroy all of human society, but quite a few of them.
Woah...I'm not talking about something destroying all of human society, I'm talking about a group of people who would like to harm specific countries economically--of which there are more than a few.
Moving money around like what I'm talking about would result in billions of dollars lost. Worst case scenario a stock market crash followed by a recession, not the end of civilization.
Credit cards are surviving in the stone age, firms would rather make it easy for you to get yourself in debt that to provide a service that prevents fraud and abuse. So, VC people out there. If you want to make a billion dollars, you should start a bank. People who work for the credit card community, there are simple upgrades that would make life a lot safer.
Simple upgrades to make security safer:
Chip and pin is low hanging fruit in the US. The fact that most americas have no idea what those threes words mean is an international embarrassment.
READ ONLY passwords for bank account information, in addition to different read write options, that have an extra level of security. I'd gladly use services like Mint, except i'd rather not give write power to anyone except me and a browser i only user for banking only at home.
Tie credit cards to cell phones. Get a text after EVERY purchase (this would honestly not amount to more than 10 or so texts per day). Have this as opt-out, not opt-in. Yes, i would use this, yes it would effectively stunt any fraud. You would not have to respond to the text at all, however, if you suspect fraud, you can immediately cancel the card.
Voice recognition for phone calls. When you take out a card, you are require to read a paragraph or two, and upload, or mail in a recording of your voice. This could immediately alleviate much of the phone security nonsense that i deal with when i'm on the phone. It's not a cure all for passwords, but it's certainly an additional level of security.
IP zones for online credit card purchases. I know about five 100 mile radii that i will be making an online purchase from. Add an extra level of security for any time i'm outside of that.
As far as credit agencies are concerned, there is a serious issue with quasi-oligopoly situations there. Extremely difficult to disrupt, but developing secure credit vehicles could create incentives for the current oligopoly in credit cards to improve security for their own cards.
At the end of the day, i'm more than willing to admit that people themselves are a big part of the problem. Example: a year ago, watching a man freak out on an apple store employee when he would not give a computer to him, that apparently belonged to his son, who gave it to the apple store a week earlier. The son apparently signed off that only he could receive the computer, and only in person. The enraged father was rambling on about how insane it was that they would not surrender the computer to him, and how he would never use apple products again. I wish there were profitable business models for people who actually like following the rules and read the contracts they sign.
tl;dr: I don't want a credit card that makes it easy for me to spend money. I have cash for that. Give me a credit card that makes me feel safe entering the number into any website, and i'll gladly pay a premium for it.
Actually, it would be nice if a service built an API that interfaced with multiple banks, and provided this Oauth natively. Of course, then you have the same problem -- that service has all your passwords. Unless there's some clever end to end encryption that can be done, then sadly we are reliant on all the banks upgrading their systems individually.
You mean like a virtual credit card?
https://en.wikipedia.org/wiki/Controlled_payment_number
That said, chip and PIN is great and is coming to the US in 2015.
That’s it. It knows everything about us, and we think it did this consciously. Yes sir, by manipulating people into doing specific things.
What can it do with this information?
Well sir, it is going to do what it can to establish the ability to keep this information as up-to-date as possible. Nobody is able to escape.
The criminal gangs, Russia and Asia. They were the ones behind this?
Yes and no. They each collected enough information and stole it from each other.
We have to warn the world!
We can’t. It controls everything.
What caused this?
A Meta-pattern within the human psyche reached into the computer and in turn used the computer to amplify its own motives.
The scenario you describe is unlikely. Before such a global catastrophe happens, it's likely that a smaller catastrophe will happen. Like the Titanic, the world will be shocked into preventative action. Governments will make laws.
After that, the difficulty in collecting such massive amounts of information will be greater than the value in that information. Even now, requiring proper software security practices would prevent information-theft from being a viable business. You might get the occasional massive haul, but it wouldn't be an epidemic.
1.2 billion accounts
Modestly estimate they sent emails/posts with 200 million
5 emails from each account
Click rate of 0.01%
Landing page -> offer conversion rate of 15%
Credit card details conversion of 5%
$15 commission on each lead
= $112,000
Even if you tweak that to send more emails or use more accounts, the number is still going to be somewhere around $10-15 million. Not that much.
5 emails from each account? CTR is WAY higher when email comes from someone you personally know.