Experian, you have some explaining to do (krebsonsecurity.com)
385 points by todsacerdoti on July 11, 2022 | 118 comments



This area of finance is utterly, completely backwards and seems like one of the most (evil) successful bits of proper-burden reversal in existence. The entire concept of "identity theft" as it exists now is 100% pure industry propaganda. Nobody is cloning bodies and transplanting brains or something. It's not that anyone is "stealing my identity", it's the financial institutions don't bother to verify it and then somehow have managed to make a system where this is my problem. If I haven't chosen to have a business relationship with a given financial institution or credit bureau, and they choose to give somebody else financial services, it shouldn't matter if that person used my name or widely circulated information about me; anything less than full biometrics/video for signup and establishing mutual certificates and cryptographically signed interactions thereafter should be presumptively invalid. If Person M lies to a Bank A about their info claiming to be Person A and tries to escape their commitments, sure, they've committed fraud, but if the Bank A then tries to go after Person A then the bank is literally an accessory to fraud and should face criminal prosecution or at the least massive financial penalties (with both expenses and punitive fines paid to Person A). If the banks want to have private credit bureaus to help them with scaling, abstracting and reducing bias in the risk aspect, sure; there are reasonable arguments for that. But said credit bureaus should have no role in identity verification, and if they are lying about people (claiming financial things about them which are not true) that again should be on them, with serious statutory penalties.

All the burdens are completely backwards, in turn massively perverting the incentives. And it's eternally infuriating. Some rando applying for a credit line on the opposite side of the country should be Not My Problem, 100% of the time, whether they have my name or address or a random symmetric 9 digit number some government assigned me. All the tools exist for financial institutions to manage their risk/convenience tradeoff, but they're the ones who have the power, information and should have the incentive to do so. They are externalizing onto the general public instead.


There's a nice sketch on this point by Mitchell and Webb: https://www.youtube.com/watch?v=CS9ptA3Ya9E

David Mitchell discusses it further here: https://www.theguardian.com/commentisfree/2018/nov/25/identi...


It's a generalized problem that American corporations have worked hand-in-hand with the government to make sure that they avoid the vast preponderance of legal culpability for any and all malfeasance they cause. You almost have to hand it to them. Almost. As with all systemic issues we face, we can't fix it until we "fix" Citizens United, and that -- as well as any other Constitutional Amendment these days -- will be nigh impossible.


It's a generalized problem that American institutions of all sorts have successfully lobbied for policies that take advantage of the current neoliberal consensus of "individual responsibilities" and individual-level solutions for system problems that need systemic public policies.

Examples

climate change: individuals should choose electric cars, run their thermostats higher in the summer, lower in the winter, and lower their carbon footprint. Ignore industries that dominate the generation of greenhouse gases

obesity: no, it's not the product of individual fallibility. That's the dominant narrative, but the problem is the food system

retirement savings: join your company's 401k and max out your contribution, get an IRA, save more. Don't blame companies that stopped funding pensions, but let the financial industry capture huge profits from managing funds. Oh and don't have any affordable housing for retirees.

plastic waste and garbage: recycle! return your bottles for deposit! But the “Keep America Beautiful” campaign was actually the product of beverage and packaging corporations such as the American Can Co. and the Owens-Illinois Glass Co., later joined by corporations such as Coca-Cola and Dixie Cup.


In this particular case the corporations in question - banks - would love to see the problem solved too. They don't want to make fraudulent loans in other people's names.

The problem is that America's government does not provide a strong form of identity. In fact, strong identity is culturally resisted: civil libertarians[0] have been adamant that America should not have national ID cards of any kind. Great, except that this now makes fraud a lot easier.

Today, if you are a bank you don't actually have any good options to verify the identity of a new customer. Names are quite common, people move all the time, phone numbers change and can get stolen, SSNs were specifically designed to be easily forgeable[1], most Americans do not have passports, not everyone has a US birth certificate, not everyone can get a driver's license, the ID-only cards you can get are intentionally designed to be a pain for the above two categories, etc.

[0] This is also one of the few times where I don't have to distinguish between left- and right-wing libertarians either.

[1] If you were born before 2011 you can obtain valid SSNs by incrementing or decrementing the last four digits of your own. You will get the SSN of someone else who was born in the same hospital as you. The first five digits are just a function of the state the SSN was issued in and when you were born. There is no check digit, they only started randomly issuing numbers in 2011, and even then it does not matter because compromised SSNs are never reissued unless you are an FBI informant.


> In this particular case the corporations in question - banks - would love to see the problem solved too. They don't want to make fraudulent loans in other people's names.

It is true that banks very much don't want to issue loans that turn out to be fraudulent.

But, they very much more strongly don't want any liability for ruining people's credit for issuing those fraudulent loans. So they'll rather take the former than the latter. Shift the blame to the innocent person who has no way to prevent it.


> America should not have national ID cards of any kind. Great, except that this now makes fraud a lot easier.

No, it makes establishing trustworthy business transactions slightly harder. Only slightly, and the necessary technology has been off-the-shelf for some time now.

> Today, if you are a bank you don't actually have any good options to verify the identity of a new customer.

The folks at my local credit union and I know each other personally. It would take a "Mission Impossible"-style impersonation to get them to succumb to fraud ("identity theft".)


Agreed. I believe it is this issue alone -- not voting or gun ownership or anything else -- that will push the US to implementing a verified identification. Loss from consumer financial fraud. And, again, this will be the government only acting, because of the interest of big business.


As someone who's lived in a couple of countries, I think one reason credit bureaus are so heavily relied on in the US (and UK) is because they lack a centralised identity database that regulated financial institutions are able to draw from.

Credit bureaus — as well as the various credit building products that are so common in these countries — are required to play that role.


>Credit bureaus — as well as the various credit building products that are so common in these countries — are required to play that role.

No they absolutely are not. You know what institutions, after government, should in principle have been absolutely ideally placed to help with identity in a private distributed way?

BANKS (credit unions too perhaps). Lots of secure, physical locations people were used to going into. Already have a need to deal with serious physical security, and lots of money. Already tons of KYC infrastructure. Well regulated and trusted overall. Reasonable numbers of choices. Valuable in-house dogfooding opportunities. This should have been a slam-dunk service for banks themselves to do, and one near impossible to replicate the same way online, which also would have been quite helpful for them vs online-only challengers. Each local branch could have a dedicated room or rooms to take photos and video, verify documentation, history, references, whatever else, all the stuff that was (and in much of the world still is) needed to prove one's identity and open an account. Then the banks could all have their own CAs and give people a signed cert attesting that all this had been done in-person at XYZ location, every bank required to do it themselves with cross signing possible, and all online account usage required to use PKI, no password/email crap. And we'd live in a different, better world.

Instead they've tried to outsource or externalize that. That should be absolutely on them. All the tech has been easily possible to develop for something like 20 years (OpenSC's first release was in 2001). I'd love to see a law along the lines that financial transactions and products including loans, credit cards etc that are only backed by stuff like described in this article (name, SS#, birthday etc) are simply unenforceable in court and that defendants can challenge it along the lines of anti-SLAPP statutes where the challenge happens pre-discovery and stops the whole process with attorney fees going to the defendant if they win. Bank tries to go after somebody for unpaid debt and all they have is info like that? Case dismissed, they can just eat it. Criminal for credit collectors to go after it too. Bet we'd see some changes in a hurry then.


Strengthening government identification would only be reasonable after the US has the equivalent of the GDPR. As it stands right now, doing so would just be another vulnerability for private surveillance companies to abuse just as they've abused social security numbers, driver's license numbers, and even phone numbers.


One way to ensure something never gets done is to bog it down with a bunch of politically challenging prerequisites.


It's already "bogged down" - I described a direct concern. Brushing that aside is equivalent to saying the concerns don't matter.

Social security numbers were introduced for the sole purpose of administering the social security program. The protections on private entities abusing them were neutered, which is how we ended up with the backwards regime under discussion. People have a vague fear that social security numbers are important and shouldn't be casually shared, which is the only thing holding back (for example) grocery stores from demanding your social security number to get the regular prices.

If say the US issued everyone a cryptographic identity via a smart card, there would be little stopping every single business from demanding that you scan this card. Imagine needing to link your singular legal identity to every single online service, so they could better associate your surveillance records. Big tech is currently doing its best to accomplish this through phone numbers, but at least it's possible to get additional phone numbers.


The nature of the problem you are describing (private companies having a more reliable unique ID to correlate data than phone number) seems incrementally worse than what we have today. In practice, most people rarely, if ever, change their phone number. I don't like that companies demand my phone number to get cheaper groceries, but in practice I just type in "(local area code) 867-5309" [1] into whatever terminal is asking for my phone number and get the discount 100% of the time.

The consequences of the problem the proposal is trying to address seem larger to me. Currently, you can be denied access to capital and even basic financial services because identity management has been outsourced to unreliable third parties with no incentive to do a better job.

[1] Sorry Jenny https://youtu.be/6WTdTwcmxyo


Yes, I agree it is incrementally worse. I agree that de facto, the surveillance industry is practically inescapable. The technical ability to avoid various forms of tracking requires an extreme amount of effort and unreasonableness. I myself will put in such unreasonable effort on many things, but I still cannot manage to do so for everything.

Still, there is a difference between this de facto state of affairs, and a de jure mandate from the government to make us more trackable.

If we're talking about the deficiencies causing the original topic, the right answer is to rebuke this nonsensical concept of "identity theft" and make companies fully liable for their attempted frauds (a la the top level comment of this tree). If we're talking about constructively building systems to do things the "right way", then privacy needs to be incorporated in such systems from the ground up, as the previous bait and switch with social security numbers has demonstrated.


In the UK there is a Jeremy Bentham philosophy, whereby people get loaded up with debt because it generally keeps them productive and out of trouble. Then the UK can attend G7 conferences because its GDP is high enough. Some call it slavery by another name! The US Mil call it punching above its weight and the UK is generally recognised as the no. 1 soft power in the world. Forget expensive military hardware & Police hardware, intelligence led psychological warfare on the population is cheaper and more deniable when rumours are put out in the community as people voluntarily police their manor like vigilantes watching Emmanuel Goldstein figures. The innovation in innuendo based intimidation and harassment is quite entertaining and it's all deniable. The techniques used to create the Nazis can be deployed in tight knit communities via community watch schemes and the like, no paperwork so the Police are happy with that and the security services can also deny it.


I find your ideas interesting and I would like to subscribe to your newsletter.


That's the best thing about authority figures, they are believed until they can be proven otherwise, I'm not in a position to prove otherwise. I often wonder if autism is being used as a cover for child abuse!

Innuendo amongst other things is the perfect trigger for paranoia, and in such situations, people will get banged up in a mental health hospital and have drugs forced down their throat, otherwise they just get labelled as uncooperative, and then other drugs will be forced down their throat and their detention period increased, perhaps even indefinitely. It's a clever system and there is no judge or jury to convince, you just go straight to mental hospital without passing Go!

You can't argue against this craze for labelling everything as mental health issues, Doctors will not have their authority challenged. I even had a GP tell me how I could suicide myself!

You don't run a country by being nice!

You got a lot to learn, now obey your authority figures and back to work!


Ah yes the portmanteau of negative down votes in order to maintain the aspect of I'm wrong and the downvoters are right. It's the final say #FreeBrunoPowroznik


> a random symmetric 9 digit number some government assigned me

SSNs aren't even that random, they're very deterministically generated for the most part. If you know when and where someone was born it's not too hard to guess the first 5 digits or so, meanwhile the last four digits are routinely shown places.


The geographic numbering scheme was thankfully stopped for anyone born in June 2011 or later ( https://www.ssa.gov/employer/randomization.html)


Wonderful news. Now it's more challenging to steal an 11 year old's information :)

Thanks for sharing this!


It's true but part of the problem is also that people submit to it. The credit system "works" because for the most part, the information they provide is legitimate enough, to the detriment of victims of fraud who now have to prove their innocence.

If people with the means (those that have "fuck you" money and can afford to walk away) suddenly turn around and say "nope" and are happy to have bad/fraudulent credit, the entire credit system collapses - banks need to lend to survive and if the credit system stops being useful in verifying someone's creditworthiness (because even creditworthy people's records are contaminated with bad/fraudulent data) then banks will switch to a different system that doesn't have these problems (and that system could be to manually search for bankruptcy records and evaluating proofs of income, like it's done in many European countries), or lose out to those who switch because the "fuck you money" people will prefer them as they're willing to ignore the credit history system and use alternative means of evaluating creditworthiness.

Of course, a legal solution that outlaws this privacy nightmare is best, but that's a lost cause in the US. The market-based approach described above is more likely to work.


If someone somehow hacks your brokerage account and steals everything, you may be completely out of luck. The bank will consider it your fault, not theirs, unless it's a mass hack (multiple accounts). The law will probably agree with them, and you'll be out your savings.


Totally agree. As an example of how little companies do in these cases to verify things and how lazy they are about ensuring when they pursue claims that they are doing so against the relevant person, here's my story.

Some time ago someone obviously signed a gas contract for a company and just put my home address as the billing address. The first I heard about it was when I received a gas bill for a property that I have absolutely no connection with. It was addressed to a company I have no connection with at my home address. I've lived in the same house for over 10 years and this company has never been associated with my address in that time. I don't think it was before either but w/e.

I accidentally opened this bill because I receive a lot of mail and didn't realise it was incorrectly addressed. Having seen that it was the wrong thing I wrote to the company explaining their mistake. I also gave them the name and address of the actual officers of the company who had the debt (this is public information in the UK where I live). I didn't hear back except that I received 3 or 4 more bills all of which I returned to sender.

A few months later I received a legal letter from a collections firm saying they had been engaged to collect this debt and I had to pay up or they would take me to court. I wrote to them explaining the situation saying that this debt, company and the property and debt underlying the address was nothing whatsoever to do with me and that I had written to the creditor to that effect some time ago.

I didn't hear back until a few months later, when I received another legal letter from a different person at the same collections firm basically repeating the threat to take me to court. I wrote to them again and also called them up to explain. The person at the collections agency thanked me for calling and said they would deal with the matter.

A few more bills arrived. I returned them to sender (at least once in an envelope with a covering letter explaining the situation again). Then I received a notice saying a default court judgement had been entered and that the bill had to be paid. I wrote to them again and said they had to stop harassing me and actually pursue the collection against someone associated with the actual company.

It was super clear that at no time did anyone associated with either the original creditor or the collections agency make the slightest effort to actually try to collect this debt from someone who was actually responsible for it. This is in spite of the fact that I spoonfed them the names and addresses of actual people who were associated with the company responsible etc. This situation could also never have occurred if they had actually made any effort at all to check whether the company was associated with the billing address.


It's shocking to me that this type of email change swapping still works. I might have to write up a blog post explaining how to fix it permanently.

It's a fairly simple process though.

1. Create a table that tracks every email address change on the account. It can't just be a single field because once compromised, people have learned to just change the email address twice.

2. That table should contain fields for: user_id, email_from, email_to, confirm_key, reversal_key, created_at, confirmed_at, reversed_at, created_ip, confirmed_ip, reversed_ip

3. When an email change is initiated, an email should be sent to the new email address with the confirmation_key to have them verify the new email address before making the change.

4. Once verified, an email should be sent to the OLD email address notifying them of the change and including a link to the reversal_key to use if they did not make this switch, including the IP address and approximate geolocation of the IP address for some context.

5. If the user clicks the reversal link it will clear the confirmation and reversal links of every email change that came after the link that was clicked, ensuring that the original change can always be reversed no matter how many changes were made afterwards, revert the email address change and force the user to update the password. This password change screen should warn them that their account was likely compromised and strongly recommend they enable MFA (if available on the site) to prevent it from happening again.

I spent a year working on a site that dealt with a TON of fraud and phishing against the user base. This was one of the biggest issues that we dealt with, but this approach completely resolved the problem.
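An in-memory model of the five steps above, as an added example rather than the commenter's own code: the audit table is a list of rows, the mailer is an outbox list, and the password-reset screen is a flag on the account. Key names, IP addresses and email addresses are constructed; geolocation of the IP is left out.

```python
"""Email-change audit log with chain reversal (added example, not the commenter's code).

Assumptions: an in-memory list stands in for the database table, an `outbox`
list stands in for the mailer, and `must_reset_password` stands in for the
forced password-change screen that recommends MFA.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class EmailChange:
    # One row per change attempt (step 2). Rows are never overwritten, so an
    # attacker changing the address twice leaves two visible rows, not one.
    id: int
    user_id: int
    email_from: str
    email_to: str
    confirm_key: Optional[str]
    reversal_key: Optional[str]
    created_ip: str
    confirmed_ip: Optional[str] = None
    reversed_ip: Optional[str] = None
    confirmed: bool = False   # stands in for confirmed_at
    reversed: bool = False    # stands in for reversed_at


@dataclass
class Account:
    user_id: int
    email: str
    must_reset_password: bool = False


@dataclass
class Service:
    accounts: dict = field(default_factory=dict)   # user_id -> Account
    changes: list = field(default_factory=list)    # the audit table
    outbox: list = field(default_factory=list)     # (recipient, message), constructed mailer

    def initiate_change(self, user_id: int, new_email: str, ip: str) -> EmailChange:
        # Step 3: nothing changes yet; the NEW address must prove it exists.
        row = EmailChange(
            id=len(self.changes) + 1,
            user_id=user_id,
            email_from=self.accounts[user_id].email,
            email_to=new_email,
            confirm_key=secrets.token_urlsafe(32),
            reversal_key=secrets.token_urlsafe(32),
            created_ip=ip,
        )
        self.changes.append(row)
        self.outbox.append((new_email, f"confirm:{row.confirm_key}"))
        return row

    def confirm_change(self, confirm_key: str, ip: str) -> bool:
        row = self._find(lambda r: r.confirm_key is not None and not r.confirmed
                         and hmac.compare_digest(r.confirm_key, confirm_key))
        if row is None:
            return False
        row.confirmed, row.confirmed_ip = True, ip
        self.accounts[row.user_id].email = row.email_to
        # Step 4: the OLD address gets the undo link plus the requesting IP.
        self.outbox.append((row.email_from, f"reverse:{row.reversal_key} ip={row.created_ip}"))
        return True

    def reverse_change(self, reversal_key: str, ip: str) -> bool:
        # Step 5: a reversal link stays valid no matter how many later changes
        # were made; using it voids every later change for the same user.
        row = self._find(lambda r: r.reversal_key is not None and r.confirmed
                         and not r.reversed and hmac.compare_digest(r.reversal_key, reversal_key))
        if row is None:
            return False
        for later in self.changes:
            if later.user_id == row.user_id and later.id > row.id:
                later.confirm_key = None
                later.reversal_key = None
                if later.confirmed and not later.reversed:
                    later.reversed, later.reversed_ip = True, ip
        row.reversed, row.reversed_ip = True, ip
        acct = self.accounts[row.user_id]
        acct.email = row.email_from            # revert to the address before this change
        acct.must_reset_password = True        # force a new password; the screen should push MFA
        return True

    def _find(self, pred: Callable[[EmailChange], bool]) -> Optional[EmailChange]:
        return next((r for r in self.changes if pred(r)), None)
```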


We actually implemented verification schemes similar to this for account holders at rsync.net.

One example:

- Destructive actions to an rsync.net account (manual deletions, account cancellation, etc.) have an "email age" flag. If someone is requesting something dangerous from a just changed email, support looks very closely at the request and sends a heads-up to both the old and new email addresses.

We also have some relief mechanisms for the occasions people get locked out of their lives by (google, et. al) - if a user can prove control over an rsync.net account by `touch`-ing filename of random hash we provide, we can start a reclamation process based on proving the ability to destroy the account anyway.


I like the email age flag. I’m probably going to write more about the work we did there, but implementing a trust score system with several inputs was very important too.

Email age wasn’t included, but definitely should have been.


This solution looks interesting. I'm looking forward to that blog post!


Well, I wrote up a quick draft while it was on my mind. Here you go!

https://www.brightball.com/articles/automatically-reversing-...


Thanks! It was a good read.


Moderately tangential, but I just had my Uber account hacked today. I also used a strong, unique password managed by a password manager. As far as I can tell, my email wasn’t hacked (Google Workspace account backed by a physical security key). My best guess is they scammed support, but I am just taking a stab in the dark.

The worst part is, you can’t even talk to Uber support chat unless you put in the account’s current email, phone number, and last 6 digits of the credit card on the account. I have the attacker’s email address, but not the phone number, so I couldn’t even chat with support. They have an “email support” form, but it asks for the same info. I put in what I knew, but I haven’t heard back from support since the attacker took my account this afternoon, and I fear I’m not going to get it back.


This page might cater to that situation?:

https://help.uber.com/riders/article/i-think-my-account-has-...

Interestingly enough it also says:

> We are currently seeing a high number of requests come through this form.


That’s a great link, thank you for that! Their support page linked from the “email changed” message, under “if you didn’t make this change”, was less than helpful. It just said to log in and change your password, which isn’t really helpful if the attacker changed the password. The link for “if you can’t login” took me to a 404 page.


This sounds like a situation I had with yahoo email over a decade ago. I could never get support to give me control back. They just got to impersonate me and spam my contacts list while I lost all access to accounts tied to that email. I want yahoo to dissolve.


My Disney+ account suddenly got a few new profiles, some in foreign languages. I had to delete them and change the password. Interestingly, my password never was reset by anyone else.


I am occasionally getting walmart emails, despite never signing up, because I am not even from the US.

Just yesterday it was an attempt at a password reset. For an email that doesn't even exist in their system, allegedly.

Sorry, that second one was best buy. This was the text:

You may need to create an account.

We received a request to reset your password on BestBuy.com®.

However, we don't have an account associated with this email address. You can try to sign in with a different email address.

You can also create a new account using any email address you choose.

Happy Shopping!

Your Best Buy Customer Care Team


I think you might be pwned for some other website. Now they are brute forcing all common websites with ur password and email. Reset all passwords just in case


Oh, my email is definitely on some pwned list. But I have a unique PW for every site.


Presumably they kept your credit card on file and are aiming for free rides? Seems risky from their perspective if you can get their phone number.


I luckily only had PayPal connected to my account. I was able to unlink it on the Uber side before the attacker blocked access to my account. I also blocked it on the PayPal side too. So all that work, and all they really got is my ride history and reputation.


While I agree with the article that it is embarrassing that Experian doesn't support 2 factor authentication, I'm not sure it would have helped in this case since the account was migrated without ever authenticating to it.

Normally a security breach this egregious would require the attacker to call the help desk, but for some reason Experian has it baked right into the signup process. That is an impressive level of negligence. Someone had to put some serious effort into opening up that security hole.


At a minimum, a good system would email both old and new email addresses saying, "someone has changed the email address, click here if that is wrong". This kind of slapdash approach to security needs to become criminal because companies are clearly not following best-practices and to be honest, as someone who has implemented these sorts of things on a number of legacy systems, it really isn't hard to do.


If you start mandating companies do proper authentication, then you kinda need proper authentication to be possible. Really, the way to do that is through a government-issued ID, but the US does not like that idea.

Without government-issued ID as a base, doing authentication right is difficult. Especially account recovery simply becomes a mess. Having high fines might cause certain users to be permanently locked out 'because we cannot properly authenticate you'. It would light a nice fire under efforts to properly handle authentication, but that fire would burn a lot of people first.


This is at the root of the problem. No entity wants to take liability and responsibility for quick and easy identity verification, and only the federal government is in a position to do that.

There is no reason they could not use USPS to provide a passport-type identity verification service and API for other organizations to use. It should be a utility.


The problem is that US Christian conservatives believe a government ID is the “the mark of the beast.” Seriously. http://archive.boston.com/news/local/maine/articles/2007/03/...


The crazy thing is no one needs to be forced to get. We already have passports, and they are initially applied for at USPS. All the feds need to do is set up an online verification system with an API to plug into.


> slapdash approach to security needs to become criminal

100% this. If there were serious consequences to not taking (customer) account security seriously, perhaps it wouldn't be such a common occurrence.


There are cases when people lose access to emails. They should require snail mail as additional factor to recover an account and change emails.


Losing access to email isn't a problem if the mail sent to the old address is just "this account was migrated to X, click here if this was in error to have the change reverted". If the email account has been lost then it is no problem, if the attacker has access to your email too then you're up a creek either way.


> having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else

How does this keep happening... It's pretty remarkable the gallery of blunders a simple HN search gets you for "experian":

https://hn.algolia.com/?q=experian


It keeps happening because there are no consequences for it happening.

If the c-levels at Experian were sent to prison for a few years each time this happens, you can bet your last dollar they'd put measures in place to prevent this sort of thing.


> It keeps happening because there are no consequences for it happening

Worse than that - the consequences are positive for Experian: "For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity".


It happens because the problem is poorly framed. There's no reason you should have a relationship with Experian. It has a relationship with credit grantors. If they falsely report information about you to credit grantors to your detriment, it seems like they should be liable for libel.


We should really stop the limited liability for shareholders. You own part of a company and it does something criminal. You too are going to jail. Would clean up the acts very fast.


This is stupid... I buy one stock of Tesla, Elon does something bad, that I literally have no control over, and I go to jail (along with thousands of others)?

Aren't CEOs paid "that much" because they carry all those responsibilities? If they're responsible enough to get so much money, they're responsible enough to deal with the consequences of fucking up.


I could see a sliding scale of consequence. Your one share gets you a fine. A lot of shares gets you some prison time and a bigger fine. Elon gets years and years and a fine that's a significant percentage of his net worth.


Then don't buy any stock in any company you don't absolutely trust? Why should you be able to profit from Tesla's wrongdoings, but not suffer just punishment from them too?


Why would you absolutely trust any company?

I believe the general argument here would be that if you invest in a company and they later are caught doing something illegal or unpopular, you suffer when your shares lose value.


If there's any company you absolutely trust, you're doing it wrong.


So, which company do you absolutely trust, to buy their stocks?


What about ETFs and people who own those?


Indirection should not make a difference.


Sorry class but the schoolteachers were all arrested for murder because their pension fund invested in a fund that bought shares in a company that bought another company that held shares in a company who owned a negligently maintained warehouse that burned down with two people trapped inside.


So someone should go to jail because their pension fund owns an ETF that owns a company that did something wrong, got it.


I own voting shares in a company and it's hard enough just getting information out of them that they should want to share. The idea that the average investor has any idea what's going on in the companies they invest in is absurd.


That's a nice soundbite but it doesn't work like that IRL.

If in some dystopian future, the C-levels could be given 2 years for what could amount to a basic human error in an otherwise well-run organisation, no-one would do the job and a whole sector of the economy would probably go bust.

Having worked in a handful of companies, at least some of them try to do the job properly but are restricted by employee turnover, lack of consistent skills across the software sector, negligence at any level, incompetence (even if not malicious), tired engineers, ancient software systems that would be impossible to replace in any reasonable time, etc.


> what could amount to a basic human error

That's the point - if the C-level could go to prison then you'd find that mysteriously there were multiple overlapping systems of control implemented such that no one person could make a simple human error and expose reams of customer data: it would require systematic failure.

(At that point, when safety systems are in place but fail for complicated hard to predict reasons, malicious negligence is hard to prove and executives don't go to jail.)


Simple solutions to all of these that ultimately land on the desk of leadership:

>> employee turnover, lack of consistent skills across the software sector, negligence at any level, incompetence - even if not malicious, tired engineers

Pay better, give raises that keep up with the market, and train your people. Basic stuff.

>> ancient software systems that would be impossible to replace in any reason time etc.

Second best time to start is now. Ancient software systems with tons of legacy cruft and obsolete tech aren't going to get any better.

All this costs money, which is the real problem. If there's a market-wide failure, as there seems to be in credit reporting, then serious consequences for cheaping out on this stuff to undercut your competitors at the cost of security seem fully justified.


Sure, but not adding the option for two-factor authentication for Experian is much worse than just a basic human error.


Companies that can’t be bothered to implement basic security primitives simply do not need to exist.


How about not being able to work at a publicly traded company for 2 years?


It keeps happening because we aren’t allowed to delete our Experian accounts.


Experian won’t explain anything to us, because we are not their customers. They talk to us only because laws make them talk to us.

They have never shown interest in anything outside their B2B relationships with creditors and employers (remember, they track your employment history plus salaries for future employers’ use).


Experian should be shut down by the Federal Trade Commission and the Consumer Financial Protection Bureau today. There's no reason after the breach to allow them to have even one more sloppy mistake.

The biggest mistake here was not having a link in the old email that says "CLICK HERE if you did NOT change your email" that would undo the email change and put some sort of lock or hold on the account.
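The flow the comment above describes, as an added example that is not Experian's code or anything from the original article: when the address on an account is changed, the old address receives a signed, time-limited, single-use link; following it puts the old address back and locks the account. The server key, the `Account` class, the TTL and the `example.invalid` URL are all assumptions for the illustration.

```python
"""Added example: a revert link for an account e-mail change (not Experian's code).

Design points a practitioner would expect:
  * the notification goes to the OLD address, the one being replaced;
  * the token is HMAC-signed, so the "old" address in it cannot be forged;
  * it expires, and it is single-use (tracked server-side);
  * a successful revert also locks the account for manual review.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a server-side key. In production this comes from a KMS/secret store.
SERVER_KEY = secrets.token_bytes(32)
REVERT_TTL_SECONDS = 7 * 24 * 3600  # how long the old owner has to object (assumed)


class Account:
    """Minimal stand-in for an account record (assumption, not a real schema)."""

    def __init__(self, email: str):
        self.email = email
        self.locked = False
        # token id -> expiry; presence means the token has not been used yet
        self.pending_reverts = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())


def change_email(acct: Account, new_email: str, now: Optional[float] = None) -> dict:
    """Apply the change and return the notification that goes to the OLD address."""
    now = time.time() if now is None else now
    old_email = acct.email
    token_id = secrets.token_urlsafe(16)
    expires = now + REVERT_TTL_SECONDS
    payload = json.dumps(
        {"tid": token_id, "old": old_email, "new": new_email, "exp": expires},
        sort_keys=True,
    ).encode()
    token = f"{_b64(payload)}.{_sign(payload)}"
    acct.pending_reverts[token_id] = expires  # server-side record makes it single-use
    acct.email = new_email
    # The link travels to the address being replaced, not to the new one.
    return {
        "to": old_email,
        "subject": "Your e-mail address was changed",
        "revert_url": f"https://example.invalid/account/revert?t={token}",
    }


def revert_email_change(acct: Account, token: str, now: Optional[float] = None) -> bool:
    """Undo the change if the token is authentic, unexpired and unused; then lock."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # forged or tampered; do not trust anything inside it
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False  # stale link
    if acct.pending_reverts.pop(claims["tid"], None) is None:
        return False  # already used, or never issued for this account
    acct.email = claims["old"]
    acct.locked = True  # hold the account until re-verification clears it
    acct.pending_reverts.clear()  # any other pending change is suspect too
    return True


if __name__ == "__main__":
    acct = Account("alice@example.com")  # constructed sample account
    note = change_email(acct, "attacker@example.net")
    print("notify", note["to"], "->", note["revert_url"])
    tok = note["revert_url"].split("t=", 1)[1]
    print("revert ok:", revert_email_change(acct, tok), "locked:", acct.locked)
```

The revert path deliberately does not require the current password or the new address: the whole point is that the person at the old address may no longer control the account. Signature verification comes before any use of the token's contents, and the token id is consumed on first use so a leaked link cannot be replayed.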


I tried to "plant my flag" at the Canadian sites for Equifax and Transunion.

    * Equifax failed with a server error [0]
    * Transunion requires payment [1]
At this point, it falls into the Too Hard basket and will not get done.

[0]: https://my.equifax.ca/consumer-registration/?lang=en

[1]: https://members.transunion.ca/tucan_en/orderStep1_form.page?


Transunion only requires payment for “Premium Services”. I just signed up for a free account and I am able to create a freeze without entering payment info


Incredible how bad the security posture is for companies like this. This should be illegal.


This is illegal in most western countries...


What should be illegal? Not having 2-factor auth? Allowing an account change?

Software is massively complex and not everything has been defined in a way that there is a "right" way and a "wrong" way to do things. What happens if they set up 2-factor and someone loses their phone? What happens if someone needs to change an email address and can't access their old account because an ISP has gone bust or is refusing to give you access?

I agree that things should be much better but until there is a book of "this is the right way to do signup/signin/account reset/ etc. " then most of us are trying to do things the best way we know how to and sometimes bad things happen.


It should be unlawful to process sensitive personal data without adequate security. It already is in the EU, which is why private credit registers are all but extinct in the bloc now.


Define adequate security. Maybe I want to adopt post quantum crypto but now the law doesn't allow it? Or u2f not totp but the law doesn't allow it? Law can hold back security just as much as improve it. Remember how long it took the feds to get off 3DES? Remember all the leaks of personal data (like all military in US or basically everybody in china)? Govts are shit at security.


> It should be unlawful to process sensitive personal data without adequate security

> Define adequate security

If there is no means of defining "adequate" when it comes to security of sensitive personal data, then companies should not be allowed to amass and process sensitive personal data.

If it's not possible for a company like Experian to exist safely, then it probably shouldn't exist at all.


In the case of, say, the GDPR, security requirements aren't prescriptive. You can read Article 32 yourself, but it comes down to being able to "ensure a level of security appropriate to the risk". Whether a company has met that standard is decided by data protection authorities and ultimately the courts.

Article 32, GDPR: https://gdpr-info.eu/art-32-gdpr/


> Define adequate security

SOC2, CSF, FedRAMP?


I wish non-EU developers better knew what the GDPR offers (and requires): https://gdpr-info.eu/issues/privacy-by-design/


> It should be unlawful to process sensitive personal data without adequate security

It is, but "adequate security" is not defined. That is what I am saying. Would someone without 2FA or this particular account reset process be prosecuted in the EU? Almost certainly not, because the prosecutor cannot currently say, "you didn't follow NIST guidance XYZ requiring it to be done this way".

> private credit registers are all but extinct in the bloc now

I'm not sure why you think that. In the UK, we have a number of them that are used by organisations. They are bound by the same GDPR regulations as everyone else.


>I agree that things should be much better but until there is a book of "this is the right way to do signup/signin/account reset/ etc. " then most of us are trying to do things the best way we know how to and sometimes bad things happen.

And when these (hopefully rare) bad things happen (and are documented and reproducible) what do you propose, do nothing and wait some more until that book is published by someone?

Or take note of what happened (useful to later publish the "other" book "these are the wrong ways to do signup/signin/account reset/ etc. ") and quickly implement a remedy for the found issue?


My argument is that the blanket "enforce it with laws" is meaningless until this document exists. I'm not saying that I don't practice security in my apps or that no-one should, just that the law (right now) is not the right tool to fix this problem.


Hmm, I wonder if you could register a new account for the CEO of Experian and take his identity? That perhaps would create some incentive for them to change to better security. As long as it's just grubby peons like us, why should they care?

Too bad our elite senators and congress folks have no interest in keeping people's identity safe.


That is a great idea. All Experian executives and technology folks should have this done to them all day every day until the issue is resolved.


I'm sure they reserve the extra tough prison cells for people who simultaneously commit identity theft and impersonate senators, and I'd certainly not advocate anyone commit crimes. However, I do think that if someone were to steal identities of sufficiently many senators and house representatives, we'd see incentives massively re-aligned within a couple of weeks.


I'm still waiting for my payout from the hack in 2017 [1] (not that I expect to ever see anything from it).

[1] https://www.ftc.gov/enforcement/refunds/equifax-data-breach-...


This page really drills into you how pathetic this settlement is. Less than $3 per affected person for something that affects over a hundred million people.

And as if to rub salt in the wound:

> 3. I don’t want Equifax to have my data. What can I do?

> Equifax is one of three national credit bureaus. These companies collect information about your credit history, such as how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit. You cannot opt out of this data collection. However, you can review your credit report for free and freeze your credit.


I signed up for the identity monitoring offered as part of the class-action lawsuit for the 2017 hack. Now I get an email whenever the developmentally disabled guy who works at Hardee's moves to a new apartment, because 15 years ago he tried to have sex with a teenager when he was 20. Yeah, obviously not good, but what the hell does it have to do with my identity? None of these people have lived within half a mile of me, and they have no connection to me or any of the identifying data that Experian associates with me. And I know who they are, because they are already half the content of the police Twitter. Their website has an FAQ item asking specifically what unrelated sex offenders have to do with identity protection, and the answer is, "Many of our customers like getting these alerts". Literally no attempt to answer the question that they voluntarily added to their website.

It turns out you literally cannot turn off sex offender notices (within an unspecified distance of your home) without turning off all notices for activity under your name, address, or SSN.


My mortgage servicer recently moved to a new system where it apparently has different password standards than the old system, and the frontend will filter it, and doesn't work properly with password managers, and it locks the account after 3 incorrect passwords. The only way to reset it is a call-in system which does not support mortgage accounts - it will not take a mortgage account number or SSN or a third-party-bank checking account number as being a valid identifier. So basically it is impossible for mortgage-only customers to ever reset a password once it's become locked out.

Just start opening CFPB complaints and do your best to push all the buttons in the way that sets off the maximum alarm bells. Yes, this is preventing me from making my payment, why do you ask? Got a call from an "executive support team" two days later.

Her answer was to just batter my way through the phone system until I got an operator because it was definitely, totally the right number... should go back and see if they ever actually fixed it, I ended up just knuckling under and using a short, insecure password that their system would actually accept, maybe I should see where the CFPB complaint is. But if you don't let up, CFPB complaints are a big deal and will absolutely get movement, they've definitely resolved "intractable" (read: bank couldn't be bothered reading the case notes after a half dozen times repeating it to them, even when I repeated it all for them) issues for me in the past.

(I am on autopay but genuinely if something went wrong with my credit union or the mortgage system and I needed to get in, I would be fucked. Sure I could pay by check/paper coupon but I'd have to cancel the autopay first and I don't know if I can do that on the coupon either... it's really only the inertia of a few things still working right that actually did prevent problems with payments in general, so actually "problems with payment" isn't real far off.)


This is probably a stupid question but is there any way to avoid Experian altogether and still have/use credit in the US?


Only use creditors that don’t report to Experian? You’ll probably have to look outside of traditional creditors to do this. Maybe through a credit union?


It would be difficult. They aren't just using creditor information. All three big agencies have access to DMV records, a variety of real estate databases, they scan court records from the biggest counties down to tiny municipalities, they buy mailing lists, etc. The data gathered by them goes far beyond your employment, purchase, and credit histories. And it is constantly ongoing (much to the chagrin of small municipal courts who have one old Dell that's scraped multiple times per day, every day).

You just don't know it because it's hidden behind a series of machinations that not only generate the credit score we're all used to, but also a variety of B2B products from renter risk to identity verification.


You can throw yourself at the mercy of Dun & Bradstreet instead, I guess, by creating an LLC to do all your "credit" stuff.

Probably not worth it in the long run.

Maybe brokerages don't report to Experian? So you could use margin as a form of credit? Unknown.


No


That reminds me, I recently registered with Experian only to find out ".dev" emails are considered invalid. I had to register an email on one of my ".com" domains and then forward it over to even register with them. I called up support and they found it confusing as well, but hey ho - I can't even raise a ticket.


This is what I keep telling my friends who get .dev, .io, .ninja or whatever. Spam filters don't care how fun and quirky your domain is. Neither do boomers; they won't recognize it as a domain either. Just get the damn .com.


Whilst I agree people should at least have a ".com" backup domain (at least for email use), many services are supporting the less common TLDs nowadays. In particular, ".dev" seems to be supported well in my experience (where Experian has been the only problematic service).

As for the spam filters, whilst the domain definitely does play a part in some cases - there's more to it than that. Having the correct security configuration (DKIM, etc.) and a "trusted" mail server (good luck asking M$ for their list, though) goes a long way.


So this is a security hole, but isn’t the real reason for all these problems the fact that financial institutions don’t check identities properly?

There would be no identity to steal if thieves knew that any bank will properly verify they are who they claim to be instead of just handing them money after they recite a SSN…


The online instructions I found for reaching a human at Experian didn't work. They seem to purposefully change their menus when it becomes too easy to reach a person, as a cost-saving measure. Out of desperation/exasperation, I randomly mashed the phone keypad until I reached a human.

I placed a lock on my Experian credit score years ago when I moved overseas with no clear plan to move back to the US. I was living overseas, and read something that a lock only lasts 2 years, so I had the lock PIN sent to a relative and told my relative to just shred the PIN letter. The last I read was that for some states, the lock lasts 2 years, some 7 years, and some indefinitely.

In any case, I moved back to the US and my Experian credit was still locked, so I sent a notarized letter from my bank indicating my new address to Experian, in order to initiate re-issuing my PIN. A week or so later, I got an email from Experian saying my address had been updated. I logged in online and saw that Experian then thought that I lived inside my bank! The Experian employee read the bank's address off of the notarized letter, not my address from the body of the letter.

There are supposedly 3 ways to reset your Experian PIN: phone, website, and snail mail. The phone system tells you that you actually need to use the website or snail mail. The website, when I gave it my particulars, generated internal errors multiple days in a row, and the error message told me to use the phone or snail mail. They say they'll respond to snail mail within 2 weeks, I think, but it was closer to 6 weeks, by which time I had sent 3 letters and finally resorted to the aforementioned random mashing of the phone keypad.

Some executive at Experian clearly heard that Kafka is very popular at many companies now, completely misunderstood, and structured their processes around the complete works of Franz Kafka.

I'm totally not surprised that they allow you to just sign up a new account for an existing identity, and when called out on it, claim they have some opaque secret security process that's you know, totally better than not allowing strangers to make duplicate accounts for your identity.

Side note: if you move overseas, do your best to keep a US credit card open in the off chance that you move back. Note that you can't even get a secured credit card issued without a credit check, which is ridiculous. The cash on deposit fully covers the card's maximum balance, so the credit risk to the issuing bank is zero. I had to use my foreign credit cards for my first 2 months in the US while getting my Experian credit lock sorted out. Both Experian and the banks are jointly at fault for that mess.


You don’t need the lock pin to unlock your credit. The form will ask if you remember it and if you click no it’ll disable that field and let you proceed.


This article explains the terrible experiences I've had with my Experian credit report. I recently acquired a loan, and in the process found multiple fraudulent hard credit checks against my frozen (?) account.

Now I know why. My only recourse is I suppose to call my loan originator and advise them against the reliability of Experian.


Is it recommended to sign up for an account so that, at the bare minimum, we can be notified if someone changes the email?


[flagged]


>and other remnants of the last century that are non-existent in many European countries

And also very much existent in many European countries, in particular the most important ones. Paper tech debt isn't exclusive to the US; any State that is old enough will have that sort of inertia. In my job I see a lot of systems dedicated to ingesting paper documents and normalizing them to newer digital standards, which obviously break constantly in semi-catastrophic fashion and require regular manual intervention (I know a fellow production engineer who has refused to pay taxes on the Internet for as long as possible due to his experience of the sausage factory). Most of Western Europe seems to exist in that limbo.


I lived in a major west European nation for a decade and never saw:

* paper checks in use anywhere; in fact depositing one from the States was a huge pain, if you could even find a bank that would accept it

* any telephone system that authenticated an account number via touch-tone dialing -- all had much more secure authentication systems that typically involved use of a custom digital ID two-factor via a specialized app or other mechanisms

* any mention of a fax number


Custom ID apps can be insecure as well. There are a lot of moving pieces there, from the app's source code itself to the security protocols and processes when someone has an issue with their app login or loses their phone.

Billions of euros were spent to make basic apps for tracking CoV-2 vaccine status and they all failed miserably. If governments couldn't get a basic QR app to be secure when they effectively wrote themselves a blank check, I wouldn't be so sure that the app used to authenticate all of your private government accounts is better implemented.


I literally used a paper check last month for my new apartment's deposit. It's still fairly common for some transactions in France. Last I heard, faxing was still a thing in corporate Germany.


> I literally used a paper check last month for my new apartment's deposit.

That's interesting to hear. I didn't know that was still common; this article from 5 years ago suggests Europe doesn't use checks any more, and that's my experience as well.

> The love affair with checks may be strictly American — countries in Europe, like Poland, Denmark, Finland, and the Netherlands stopped issuing checks over the last two decades

https://www.theverge.com/ad/16774328/american-checks-currenc...

A bit more poking around suggests France and Portugal are the main countries in Europe still regularly using checks in common practice.


Many of the electronic services charge fees which paper checks don't. There's a reason people do this, it's not "love" or lack of knowledge or legacy. It's a big incentive on large transfers (like rent) to avoid a percentage fee.


Direct bank transfers in many European countries I've transferred to are free and easy and are the way everything (including rent) is typically done where a check might be used elsewhere. Same in other countries I've lived in in Asia. In the U.S. bank transfers may not be free, though.


My global observation is that sometimes certain kinds of countries, e.g. Uruguay, India, or Finland, are more agile at adopting new technology than certain two-tiered monoliths like the USA. Since they are often integrating technologies from a mix of themselves, USA, and EU, even China, it must have something to do with how strongly-rooted the previous existing technology was.

In my travels through Latin America it seems like a continental custom to go to the park downtown to use WiFi while sipping the local morning stimulant beverage.


Add to that the ability to make doctor appointments online.



