The fundamental issue here is that maintaining security is expensive, and it is cheaper to just deal with occasional hacks. The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It is not that expensive. It is a couple pennies per pull (of a credit report/file) for somebody seeking identity proofing to use knowledge-based authentication (the usual “where did you live, are these trade lines you?”). It is $1.50-$2.00 per proofing attempt with the government credential using ID.me or Stripe Identity. The problem is that no one is incentivized to slightly increase costs to reduce fraud because the burden falls on consumers instead, and credit reporting agencies don’t want to see their moat and revenue stream cannibalized. Bit of a public good Innovator’s Dilemma.
TLDR A better national digital identity story makes this problem go away.
(responsible for customer IAM including identity proofing at a fintech, doing some lift for Login.gov independently as a citizen activist)
I would imagine that most of the data for the ID checks based on public records (where did a person live; own a car/house/boat; ...) are trivially handleable.
Just takes one person to leak the database, which is probably only a few TB (compressed) for all of the US and fits on a single HDD/SSD.
I would be surprised if these DBs aren't already sold on the darknet. And this DB doesn't have to be super up to date b/c security questions often go back years.
Interpreting the DB should be easy to hardcode but even easier handled with an LLM.
So the protection afforded by these checks is IMO at best nominal.
This might be somewhat true (it's certainly more expensive than not having security) but when your entire business is around making assurances based on people's identities, you'd assume that they'd put more effort into making their services secure. And if it's too expensive to do it securely, then maybe we should start to question whether such a service should even exist and deserves to store a lot of personal and private information.
>The only solution is to make hacks extremely expensive to the companies that get hacked — through fines as well as lawsuits by victims of identity theft.
It's notable this issue (verification by SSN) doesn't affect GDPR-land - the GDPR has fines of up to 4% of global turnover.
Of course, we aren’t the customers for these spying companies. But it is surprising that the total lack of security isn’t a deal-breaker for their actual customers. I mean if you can basically impersonate anybody using this service, what is the point of using it?
These accounts aren’t for the people who pay Experian money. Companies pay Experian money to access information about individuals; the only reason Experian even allows accounts for individuals is because they are mandated by law to allow things like credit freezes and the annual credit report. If they weren’t required, they wouldn’t do it at all. They have zero incentive to improve the experience or the security of it.
Even the term "identity theft" needs to go. My identity wasn't stolen! I'm still the same person. The bank got tricked by a scammer and somehow the bank tries to make that my fault.
Edit: Imagine this the other way around! Grandma gets scammed by someone pretending to be her bank. So the bank's identity got stolen. So now the real bank needs to fix it, provide more proof of identity to all customers and jump through all kinds of hoops to not owe grandma crazy amounts of money.
If identity theft were to get so common that the data became statistically unreliable, we would be long past the point that even Congress would feel compelled to do something about it.
There’s no such thing as identity theft, it is impossible to steal an identity, the person still has their identity. It is impersonation. The victim is the entity that has fallen for the impersonation (likely a bank, etc), the perpetrator is the one who did the impersonation, and the impersonated person is just some uninvolved third party.
I know it is pedantic but it is important to keep in mind because dumping the need to seek redress on the uninvolved third party is ridiculous, so we shouldn’t use language that plays into that point of view.
I'm pretty sure the OP was meaning that there's little point for the businesses that make use of the credit bureaus, if they can't be sure the bureau is accurate, rather than that consumers might be better off opting out (even if they could).
Stepping back, and looking at the situation as a whole: the real problem is a lack of privacy laws. Banks, businesses and employers should be prohibited from sharing your personal information with third parties.
I live in Switzerland, where this is the case. Even the government doesn't get this information. If the government thinks you're cheating on your taxes, they have to use warrants and follow the same procedures as for any other crime.
The only financial records accessible are records of legal debt collection actions ("Betreibungen"). Before offering someone credit, you can find out if other people had to sue them to collect.
Yet, even with so little information - without credit reporting agencies - everything works just fine.
FWIW, due to international pressure (things like FATCA), Swiss law was changed so that banks do report on international customers.
It definitely worked great for a lot of dictators, tax cheats and the sort… I think Switzerland is a great example of why complete privacy isn’t fair on ordinary taxpayers - it allows the ultra-rich to hide what they owe
I'm an American living in Switzerland for over 10 years, and this was definitely my impression as well. But that isn't really the case anymore here - you can no longer have anonymous (i.e. only numbered) accounts, and Switzerland is no longer a preferred location for dirty money.
> A South Dakotan trust changes all that: it protects assets from claims from ex-spouses, disgruntled business partners, creditors, litigious clients and pretty much anyone else. It won’t protect you from criminal prosecution, but it does prevent information on your assets from leaking out in a way that might spark interest from the police. And it shields your wealth from the government, since South Dakota has no income tax, no inheritance tax and no capital gains tax.
As far as I am aware, Switzerland had always cooperated with law enforcement requests. Even before FATCA, if your government thought you were cheating on your taxes, all they had to do was present a warrant.
That said, yes, dictators and such were - and are - a problem. They aren't going to prosecute themselves, after all.
By the way, one of the top places unsavory types stash their cash is the US. FATCA is a one way street: US banks don't provide information on their international customers.
Additionally the “international pressure” the OP alludes to is since Swiss banks were the banks of choice for international crime, including whichever activity you think might be most heinous.
Prior to 1913 the IRS didn't exist. The US seemed to do just fine before then. Tariffs are the best way for the government to raise revenues. Especially when you are doing business with hostile countries like China. Please do educate yourself on US history before making such comments about privacy.
There's an easy way to do that: pass a law exempting Social Security Numbers from all identity theft and fraud laws.
Make it completely legal and tort-free to lie about social security numbers anytime, anywhere, except when dealing directly with the government (i.e. filing your taxes).
Do you know how Swiss financial privacy and credit reporting laws compare with countries in the EU?
> Around 36 percent of the Swiss own their homes or apartments, the lowest rate in the West and well below the 70 percent average in the European Union, and the 67 percent in the United States. [1]
I’m sure there are many factors, but I would be less willing to finance someone’s large purchase without more information about their creditworthiness.
This is very true. The company that I am at, not going to mention name but just going to say it's FAANG, buys data from this company and uses it to allow for better tracking and graph building when we receive Experian cookies. The USA does not care about its people's privacy even though it constantly says that it does lol. If they cracked down on the privacy laws I feel that bank accounts will get affected since in the top 500 of stocks big tech sits on top.
I'm seeing this for the first time given I'm not from the US, but its reach seems limited
https://resist.bot/petitions
In Germany there is Campact for example which usually crosses 200K signatures per petition, if something like this doesn't exist in the US then I think someone with money should create it or promote an existing solution like OpenPetition to enough recurring signers
I'm not sure what you mean by limited reach, but for added context: Resist Bot is an automated service that can be used to contact elected officials in the U.S. Believe it or not, some elected officials actually pay attention to what their constituents say when writing to them.
Given there are 3 credit bureaus, is there a way to avoid having a credit score at one of the credit bureaus? I think that's a way that we as consumers could try to increase competition in the field.
I did some Googling and it didn't seem like there's an easy option.
There is no way to opt out of credit reporting. Lenders report the information to the credit bureaus, typically all three of the big ones, so if you want no information reported, simply close all your credit cards and loans, etc. and place credit freezes on your credit reports.
I don't think that "increased competition" will work here. We are not customers of the credit bureaus. We are the product. The customers are lenders and other people who need your information. From the lenders' perspective, this is all working out fine, largely because the onus for "identity theft" is placed on members of the public as individuals rather than on lenders to accurately verify applicants' identities before extending credit. As many people have pointed out before, "identity theft" is a misnomer designed to pass the buck onto individuals. Ideally, it should be the lenders' responsibility to prevent criminals from misusing your information and to make things right whenever a criminal tries to use your information fraudulently, but right now the onus is placed on individuals.
A better solution would be to have higher standards for identity verification by lenders. That would shift the burden onto lenders to actually verify people's identity before extending credit. Some lenders actually do a pretty good job of verifying people's identities before extending credit in my experience, while others just seem to accept the information given uncritically (as far as I can tell!). High industry-wide standards should help solve this (either voluntarily or mandated by law).
A statutory fine of $50k per compromised account would get the attention of the credit bureaus. (It might drive them out of business, but it sure would get their attention.)
The problem is that we are not the consumers. They receive our data from all the companies we do business with. You would have to figure out on a case by case basis all ties relating to the credit bureau. Probably if you never got a credit card and never took out a loan, you would be somewhat protected from their "research."
I tried to log into their website the other day to just get my profile set up and see what was going on in my account. Their site was so broken, I couldn't even get logged in. How is anyone going to become me if I can't even become myself?
To become you, I just have to go through the channels that Experian customers use. You were not using the channels that Experian customers use. You were using the channel that Experian liabilities use.
Maybe this is why for the past few weeks I am receiving countless emails from major retailers like Casas Bahia or Americanas and even Magazine Luiza with purchase confirmations listing several smartphones and notebooks whose invoices bear my name and CPF.
I tried contacting every retailer. Only Magazine Luiza seems to have acknowledged the fraud and issued a warning but to no avail, as I am still receiving invoices from them.
I contacted the local police and issued a boletim de ocorrência (which I am not quite sure how to translate) that describes the problem and how I was unable to apply countermeasures.
I am expecting fallout from this. I am really anxious about this whole situation and how I am utterly powerless in protecting my identity.
I've been in a similar situation once, this is what I did, and I think you're on the right path.
> I tried contacting every retailer.
Try to reach out to the ombudsman (ouvidoria) and explain your case. Even if they don't actually solve the problem, you documented that you tried to resolve the issue in a friendly way.
> I am expecting fallout from this.
Very worst case scenario, the retailers will send the fraudulent invoices to collection agencies and might report you to the credit bureaus. Don't ever pay any cent toward this fraudulent debt. Don't negotiate. The only option is the debt going away as it is fraudulent. It's their money that's on the hook and paying it shifts the responsibilities to you.
Once it hits the credit bureaus, as you already have a Boletim de Ocorrência, and proof of contacting the companies (protocol numbers + dates), i.e. documentation, sue them and ask for damages. It's a simple and common suit that both the credit bureaus and the retailers will want to settle. Make them pay for your time. They don't have any proof that it was your person that made those transactions.
> I am utterly powerless in protecting my identity.
Yeah, but the thing is, if the retailers, banks, credit cards, etc. really wanted to avoid fraud, every purchase/subscription would require the same level of protection as a real estate transaction. Everything signed, in-person meetings, upfront payments, banks, lawyers, notaries, cryptographic signatures (hey, we have e-CPF and nobody uses it!). But as you see, 100% fraud avoidance means friction, and no sane retail business likes friction. It's a business decision on their end. They accept risk so they can take your money easier.
If it’s a purchase using Credit Card, absolutely zero chance of going to collections. That’s not how it works. There’s no legal footing for collections and they are not in the habit of creating legal headaches for themselves.
If however it’s a credit purchase (personal loan, crediário, etc) then it might go to collections, then this advice works.
Online purchases though are 80% credit card and 15% Pix/Boleto so it’s unlikely they got a loan just to buy stuff. If they can get a loan, they’ll get the cash itself and run.
Edit: on a Credit Card transaction the burden of evidence is on the merchant. THEY have to prove it was you.
Stolen ID from one person (ID, name, sometimes using the real person’s email and phone, sometimes creating fake yet similar emails like wildrhythms2@yahoo.com), someone else’s stolen credit card number, and a drop address to receive and reship (sometimes deliver direct to the purchaser of the fraud item).
Typically the item is resold for half the price and it’s spoken for. It’s not like they buy to resell later. If they make the fraud they already have a buyer.
I have no idea. There are, however, many official invoices (notas fiscais) being issued in my name. I believe there might also be fraudulent credit cards issued in my name that are being used, or something like that, which would explain the physical retailers not questioning the purchase. That is why I am expecting fallout from this.
Something similar happened to me once. You need a valid CPF number (something like an SSN) to create an account on most webshops in Brazil, so fraudsters will use stolen ones. They then proceed to purchase stuff with stolen CCs.
In most contexts, providing false information about someone in a way that harms them is slander or libel. I think we need to revisit whether credit reporting deserves to be exempted from that, and under what circumstances.
Absolutely. We should be able to successfully sue credit rating agencies for monetary damages if they tell a lender false information about us and it causes us to not get a loan or have a higher rate than is warranted. It should not matter whether they know it’s false. The harm happens regardless of whether they were negligent or malicious.
This sets a dangerous precedent. If you won, it would apply to all defamation/libel/slander cases, not just credit reporting agencies. News agencies could be sued for saying anything about someone if it later turned out to be false. Defamation laws are already on the brink of unconstitutionality.
Actually, the way they work is "x company told me y person has <this account> with <these details>". For non-celebrities, it is only defamation if it amounts to at least negligence in verifying these facts - i.e. negligent only if they have reasonable knowledge to believe the information is false. When you report to the bureaus that an account is fraudulent, that is effectively giving them notice that the account in question is not actually yours, and by removing it from your report, it's relieving them of the liability of spreading such defaming information in the future.
And your firm pays Experian/Equifax/etc. to GIVE information about you, e.g., automated employment verification.
Plausible deniability allowing them to push as much significant risk of identity theft onto consumers instead of themselves where it should be.
Can you opt out? Is there even a choice at all? Where I live I can’t opt out of Experian or other credit rating services.
The ironic thing is that one of those new hot spots, in addition to the usual suspects like Cyprus, the Caribbean, etc., is the USA. See https://www.washingtonpost.com/business/interactive/2021/wyo... for some juicy details.
https://www.theguardian.com/world/2019/nov/14/the-great-amer...
Make it completely legal and tort-free to lie about social security numbers anytime, anywhere, except when dealing directly with the government (i.e. filing your taxes).
That'll stop them being used, and right quick.
[1] https://www.nytimes.com/2023/11/06/realestate/zurich-switzer...
https://resist.bot/petitions/PONADR
https://en.wikipedia.org/wiki/Campact
Imagine if they were like password manager apps? We could evaluate all of them, choose what we wanted, and migrate whenever something happened.
As a business? Sure, report to the ones you want to.
Without it (also without a sufficiently high number), most avenues to housing are cut off.