
Think You’ve Got Your Credit Freezes Covered? Think Again - el_duderino
https://krebsonsecurity.com/2018/05/think-youve-got-your-credit-freezes-covered-think-again/
======
kxyvr
Since I was having a hard time finding the link in the article. Here's the
page to add a NCTUE security freeze:

[https://www.nctue.com/consumers](https://www.nctue.com/consumers)

Here are the pages for adding security freezes to the other big four agencies:

[https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...](https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp)

[https://freeze.transunion.com/sf/securityFreeze/landingPage....](https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp)

[https://www.experian.com/freeze/center.html](https://www.experian.com/freeze/center.html)

[https://www.innovis.com/securityFreeze/index](https://www.innovis.com/securityFreeze/index)

Most people don't know about Innovis, which was mentioned in the article. That
said, I've never run into a company where I've needed to lift an Innovis
freeze. Anyway, I agree that it's tiring to constantly track which data
brokers allow (are required to) adding a security freeze. In my opinion,
better legislation is needed to curb this activity and data brokers in
general.

~~~
organicmultiloc
I tried to fill out the NCTUE freeze page several times, it keeps claiming
there is a reCAPTCHA error despite me clicking it out correctly and getting
the green check.

Seems to be intentionally broken to avoid people freezing.

~~~
Jwarder
I've seen the reCAPTCHA issue a few times this month on other sites. My guess
this is a result of Google shutting down the reCAPTCHA v1 API.

------
Dirlewanger
It's all so tiring. It's seriously going to be decades until we get
politicians in power that understand the Internet and start holding companies
accountable that don't give a shit about security (namely, all of them).

~~~
rcthompson
Will it ever happen? When the current generation of children reaches office-
holding age, a majority of them may understand internet _culture_ , but I
don't think a significant fraction will ever understand the internet in a
technical sense.

~~~
InclinedPlane
What is your reasoning behind that? This is seriously one of the dumbest "kids
these days" statements I've ever read. Kids will become technologically
sophisticated, many kids already are. Many kids will attain higher technical
proficiency than _you_ ever had, for example. Why would it be otherwise?

~~~
JoeAltmaier
There are 100 reasons - the innards of technology boxes are less accessible.
Programming languages are more abstract, and few dig down to the lower layers
(which used to be all there was). Its changing faster and hard to get a
mindshare before it all changes again.

I don't think its a 'kids these days' statement at all. More a 'technology
these days'

~~~
gaius
Right. Take 2 10-year-olds. Give one a C=64 and a paper manual, and one an
iPad and an internet connection. Which one is more likely to learn to program?

------
reaperducer
Bottom line: Whenever possible, wherever possible, pay cash.

I used to laugh at my father-in-law whom I once considered to be a conspiracy
theory whackjob with his off-the-grid lifestyle. As more and more of his
"crazy" insights turn into New York Times headlines, I'm starting to think he
was ahead of the curve.

~~~
gascan
Am I missing something here? Paying cash doesn't prevent the opening of
fraudulent lines of credit in your name.

Equifax et al don't particularly care if you pay cash, they have some form of
record on you either way.

~~~
jessaustin
I guess the idea is that if one were "off the grid" enough not to have a
phone, one's details wouldn't be in their DB in the first place. That would
make one's identity harder to steal, which would cause the thieves to move on
to the next victim.

~~~
drablyechoes
The SSN of someone "off the grid" would actually be perfect for doing what is
called synthetic identity fraud. If a given SSN has no credit history, you can
make up a fictitious person and apply for a credit card with it. The
application is probably declined, but a record of this SSN associated to a
completely fictitious identity now exists in the credit reporting agencies
databases, which makes it more likely that a future credit application will be
approved.

If there is no other identity using this SSN, then the likelihood of the
fraudulent activity being dectected is low.

This is why SSNs belonging to elderly people, children/teenagers, and the
recently deceased are of relatively higher value for a lot of people out there
doing identity fraud.

~~~
jstarfish
Stealing someone else's unused SSN is not synthetic identity creation, it's
just fraud. There is a living person associated with that SSN, even if they
are off the grid.

Synthetic identity fraud involves you making a bunch of inquiries with
completely fake SSNs and squatting on them for a few years, maybe bringing
them out of cold storage every so often to make a few more inquiries to keep
them on the credit-building radar before you ultimately qualify for actual
lines of credit and do a bust-out. There is no oblivious meatbag being used as
a patsy-- the identities are completely fake, which is what makes them
synthetic.

~~~
drablyechoes
There is more than one way to construct a synthetic identity, but in most
cases that I've been aware of, a stolen SSN is used to construct the totally
fake identity.

Using a completely fake SSN instead of a stolen SSN is what distinguishes
"synthetic identity theft" from "synthetic identity fraud".

The identities in both cases are completely fake, but only in the identity
theft case is the synthetic identity backstopped by a legitimate SSN that
belongs to a real person somewhere. If that real person is a child or "off the
grid", then the CRAs have no idea who the real person is and their SSN is ripe
for creating a synthetic identity that will probably go undetected for years.

------
hex1848
I am tired of people calling me a "victim" of identity theft. I'm not the
victim. The companies and government agencies that allowed themselves to be
defrauded by someone posing as me are the victims. If you didn't do your due
diligence in properly verifying the identity of the person you handed out
cash, goods or services too it's on you. That being said, the entire system is
broken. I've had 5 cellphones taken out in my name, I've had multiple credit
cards opened using my social security number. I've been interviewed by a
special agent with the State Department because someone tried to get a
passport using my data. I'm sick of dealing with other peoples fraud problems.
Fix it already!

~~~
dragonwriter
> I am tired of people calling me a "victim" of identity theft. I'm not the
> victim.

Usually, the person whose identity is stolen is the victin.

> The companies and government agencies that allowed themselves to be
> defrauded by someone posing as me are the victims.

They are also victims, but until you—often at considerable personal
effort—have gotten all the debts and other bad marks by the fraudster
dissociated from your identity, you are disadvantaged by it, and if you are
disadvantaged or have had to pay a cost to escape that disadvantage, you are a
victim, too.

~~~
typomatic
> They are also victims, but until you—often at considerable personal
> effort—have gotten all the debts and other bad marks by the fraudster
> dissociated from your identity, you are disadvantaged by it, and if you are
> disadvantaged or have had to pay a cost to escape that disadvantage, you are
> a victim, too.

You seem to be misunderstanding the point badly--the situation you have
described is nonsense.

Firstly, what do we mean by "having your identity stolen"? I submit that this
is not an attack on me as a person, it is an attack on a fictional
representation of me held by a conglomerate of corporations.

This is the point of OP: I am not involved in these transactions! I haven't
committed a crime, purchased anything, or interacted with either the party who
has defrauded this conglomerate nor this conglomerate. In fact, due to the way
this information is collected and stored, I may not have _ever_ had any direct
relationship to either party.

So what's happened here is that a conglomerate of companies have been
defrauded and now insist that I am to make amends for it. It's nonsensical,
and no amount of repeating the facts of the current situation will make it
anything but ridiculous.

------
dsfyu404ed
I'd pay money for a service that monitors who all the services are in the
credit reporting space and freezes my credit at them for me.

~~~
Shivetya
I would rather anyone opening a line of credit be required to obtain proof of
acceptance by the person named on the account and until doing so they are 100%
liable for all debts incurred. How this is defined will require regulation.
The burden is increased at any time a request is made outside of the state and
city of residence

~~~
njarboe
This is already the law. You are not responsible to pay debts incurred by
another person. The problem is when the bank or company that gave credit to
someone else that used your identity information is allowed to lie to a credit
bureau about the fact that it was you who defaulted on the debt. Otherwise you
could just tell the bank, "Pound sand stranger, I never borrowed any money
from you. Stop bugging me or I'll get a restraining order.", and never have
worry about how someone has pretended to be you to a bank.

Large fines for banks and companies that libel people by telling information
brokers lies is the way to stop this problem. The idea that when this happens
it is "identity theft" and the person whose identity was stolen is responsible
for the problem is ridiculous. This problem should be called libel and the
perpetrators (the entity reporting false info that hurts you) punished.

~~~
jessaustin
These proposed "large fines" would still require regular people to deal with
putative creditors and occasionally to defend themselves in court. Structural
changes are required to make the system as it actually functions more
equitable to humans. What are structural changes? For instance, prior to
enforcing a debt the law could require the production of an authenticated
video recording of the debtor clearly stating, "I am John Doe and I agree that
I owe EvilCo $1,000 on May 9, 2018." This requirement would make it more
difficult to lend money, so it would be opposed by some very deep pockets. I
suspect that any actual solution to the inequity in this area would make it
more difficult to lend money, so progress is likely to be slow.

~~~
njarboe
I agree. First, it could be made a criminal offense for a company or bank to
lie to credit agencies and then public prosecutors could pursue these
companies for big PR wins.

Second, making giving and getting credit harder to do is probably a good thing
for society. Do people really need to take out a half million dollar home loan
from their phone a la Rocket Mortgage? Many cultures had/have very strict
rules about charging interest on loans. Debt jubilees were common in past
civilizations and seem necessary to prevent the masses from creating their own
via revolution. Making personal loans illegal and bringing back the loan shark
is not the way to go, but making going into debt to buy consumptive goods much
harder would be big positive for most people in the US.

Like you said, there is a huge amount of money and power behind easy lending,
so change seems unlikely. On the other hand, change seems to be in the air
these days, so maybe one can afford a bit of hope.

------
PotionSeller
I absolutely hate our entire credit system, the lazy way it handles our
sensitive info, and the eagerness to extend credit to anyone without scrutiny
of their identity.

Big incoherent rant incoming:

In 2016 someone stole my identity and in about a 1 month period took out tens
of credit cards and new bank accounts and phone account which they immediately
over drafted. They somehow managed to change the address in my credit file,
and so I wasn't getting any failure to pay notices. At the same time it was
quite soon I found out because at least one creditor managed to find my real
address asking about a 18,000 loan approval for furniture from The Brick. The
police were easy enough to deal with and took a report and I had to use this
to prove to creditors it was fraud.

I had Equifax do their own investigation, and they agreed it was fraud, but
they only removed the creditors who happened to appear on file during their
investigation.

A year past, and I check my credit and it was 799, all clear. Then last fall I
get a call from a creditor saying I owe them money, they required I go to
their bank to fill out the paperwork. One more cleared. Then in February I'm
hearing from yet another bank about an overdraft account. Once again I proved
to them it was fraud by providing the police report number. "Ok, well it will
take us 30-45 days to remove this from your credit file". Its coming up to 45
days and its still there. I called them to clarify about when it will be
removed, and get the same bs. I do not believe their word so I have also sent
another dispute to equifax. MY MORTGAGE RENEWAL IS DUE JUNE 1 AND THIS SHIT
HAS STOPPED ME FROM MOVING MORTGAGE PROVIDERS TO GET A BETTER RATE.

Now during this latest fiasco, I do another credit check and discover ANOTHER
phone company on there says I have a bad debt with them and a note that a
collections agency is after me. I succeed in having this removed from my
credit file after dealing with Equifax, but for reasons beyond me they did not
remove the one from the bank I am disputing in the previous paragraph, so I
have to hope it will clear when they way it will (30-45 days from early
April), or hope my second dispute works. Note that these latest bad debts are
still originating from 2016, its just taken the banks that long to pin the
blame on me and attack my credit file.

So this has been a lot of stress on me, I have failed to secure a new mortgage
lender which will cost me in interest over the next 3 years on mortgage
payments. In addition, I just discovered my TransUnion file is still a giant
mess with shit from last fall on it. Apparently Trans Union and Equifax don't
synchronize.

Long story short, there isn't shit you can do to speed up anyone helping you.
The police are competent and will have your back but they can't stop creditors
from attacking your file. Equifax is slow and not thorough in their
investigations and make themselves hard to reach. The banks can pin a bad debt
on anyone they chose, never mind that the onus should be on them to prove I
took out the loans they claim. Like, show me a signature, show me the ID used
to get the loan... Oh its fake? Then fuck off. Nope, they will make you jump
hoops to prove it isn't you, and then the cherry on top is they will be very
very slow to do anything to remove it off your credit file once you have in
fact proven its not you.

Good luck to all of you, you are all vulnerable to this shit.

~~~
TechieKid
The answer is registered mail, return receipt requested, and a complaint with
the CFPB, although how on-the-ball that agency will be since the new
administrator was appointed is YMMV.

~~~
logfromblammo
I'd be more inclined to write a pro forma letter, then sue for statutory
damages for technical violations under the FCRA and/or FDCPA the instant the
established deadlines pass. It puts the burden of proving the validity of the
debts on them, and if they ignore you or drag their heels, you win by default.

------
slumberlust
Anyone else getting an unsecured link warning from the freeze link on the
NCTUE website?

[https://www.exchangeservicecenter.com/Freeze/jsp/SFF_Persona...](https://www.exchangeservicecenter.com/Freeze/jsp/SFF_PersonalIDInfo.jsp)

------
just_observing
Brian Krebs - can you please change to a responsive theme?

Thanks.

