Cybersecurity Incident Involving Consumer Information (equifax.com)
1044 points by runesoerensen 95 days ago | 532 comments



Suppose Alice is a "victim of identity theft". BigBank gives $10k to Fraudster as a loan, thinking that Alice is the actual recipient. Experian, Transunion and Equifax report this loan as a debt which Alice owes to BigBank.

Who is the real victim? The credit reporting agencies want to convince people that the consumer is the victim, and so Alice bears the burden and risk of clearing her name. But it is the credit reporting agencies inflicting this upon Alice. BigBank is the victim who lost money, and BigBank bears the responsibility for making the mistake of giving out a loan in Alice's name. The Fraudster committed a crime against BigBank, not against Alice. It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.

The idea that Alice was victimized by Fraudster is a concept being perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, and place the burden upon the consumer, and to avoid realistic identity-verification which might slow or complicate the practice of issuing large amounts of debt to the general public.


Precisely. In no way was Alice's identity stolen - that's tautologically impossible. Rather, the bank was defrauded by the criminal - Alice is not a party to whether or not the bank recovers from its own loss. Alice's ownership is entirely unaffected, though the bank's internal processes might not reflect that - again, their problem, not Alice's.

Further - this rat race, where I have to give ever more intimate details about myself to verify who I am, "for my own protection", seems to only ratchet away my privacy until there is nothing about me left unpublic. Facebook, Banks, Airbnb, Credit Card companies, Telephony companies have ALL given me that line when I resist providing SSN, DoB, or whatever mine-able nugget they're looking for this month. Every time I give out a new kind of private information it inevitably leaks - defeating their point of having asked me - all the while my privacy is left scorched while they move on unconcerned to the next piece of my private life. It's uncomfortable.


> In no way was Alice's identity stolen - that's tautologically impossible.

I see this as you being too strict with your definition of "identity".

We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).

I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.

Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.


> I see this as you being too strict with your definition of "identity".

> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.


Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.

And then we say that stating the DoB authenticates anyone to make changes to Alice's account.

And then we say this is a terrible idea. And then we are in agreement.

And then we don't have to say completely unhelpful nonsense like the following:

> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.

If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.

Not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.

(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)

An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used, only feeds pedantry.


> Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.


The point is that it is NOT "identity theft", even if that's what people call it. It is more aptly "authentication theft/fraud".

The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.


Yes, I agree, and I might have slightly misread what tripzilch wrote to mean that we should avoid the term here in this discussion, which I objected to. Towards the general public, it totally should be framed as an authentication failure, yes, I agree.


I think my point would be that, by discussing the minute semantic / philosophical points of the concept of "identity", you're still letting them frame the discussion that way. It's a word that they choose to describe something which it isn't. First is to just not go along with it, not to dig in and try to beat them on their own territory (if you succeed, you won nothing).

For the same reason I won't go into discussions about the finer moral points when stealing is wrong or not, if the topic is copyright. Especially not get carried into far-fetched analogies such that it is okay if a starving family steals the blueprint for a 3D printed loaf of bread or whatever.

In that sense, the term "intellectual property" is actually similarly problematic as "identity theft". While it evokes the connotation of "property", intellectual_property is actually just a legal term that stands on its own and derives nothing from the common concept of "property" except where explicitly defined as such.

Except that identity_theft is, afaik, not a legal term. I believe it stems from the idea of the loss of an interconnected number of (mostly electronic) credentials, an adversary could use to, in a sense "become you", and wreck one's life. This then became a serious fear, that was (in the public) not quite blamed on terrible security practices of powerful entities, but on the ever-growing interconnectedness and electronicification of all aspects of our life. In fact literally about the fear that the large amount of data about us in these computer databases, would some day be mistaken to be us and identify, regardless of its truth in the real world. But identity_theft has always been painted as a sort of "curse of the modern age", our penance for living in an ever automated society, kind of typical Hollywood morality story.

Except these credit companies seem to be just focusing on the "wreck your life" part, twisting the definition around, that suddenly a security failure with their authentication/credential system gets to be blamed on the general societal menace of identity_theft, mainly because their error has the capability to wreck one's life.

I'm pretty sure Baudrillard or some other person in critical theory / semiotics has written some interesting stuff about this. Now that is a philosophical discussion on this topic that I would actually find worthwhile.


> while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

Attributes can be replicated -> attributes don't identify Alice

Why do you consider this implication necessary? It sounds nonsensical.

Counterexample: to verify an identity, the verifier must possess a replication of the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Note that we're speaking of identity in the context of a technical implementation.


> Why do you consider this implication necessary? It sounds nonsensical.

Because it is implied by the definition that is implied by the concept of "identity theft".

Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.

That doesn't make much sense, does it?

The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".

> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Erm ... no? Just two obvious examples:

In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

> Note that we're speaking of identity in the context of a technical implementation.

Actually, we kind of don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?


The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.

> That doesn't make much sense, does it?

If Alice is the last surviving human being in the universe, it does.

If Alice isn't the last surviving human being in the universe, then the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

You haven't checked that it's me, you've checked that it is someone who looks like me.

Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

Do you believe this hypothetical example to be true? If not, what's your point?


> The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) replicated by somebody else is just a contradiction.

> If Alice is the last surviving human being in the universe, it does.

Seriously?

> If Alice isn't the last surviving human being in the universe, then the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.

> You haven't checked that it's me, you've checked that it is someone who looks like me.

Which contradicts the claim that the verifier does not need a replica of you how exactly?

> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

Which still cannot be stolen. So?

> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?

> Do you believe this hypothetical example to be true? If not, what's your point?

My point is that I am responding to your argument that was about an implication from that hypothetical case.


> Let's assume we define "identity" to mean

... seriously, just stop.


So the only way around this is to disregard information about a person other than information that 100% without a doubt identifies that person making a purchase is who they say they are? I am just genuinely curious.


No. It's to accept liability when you make a mistake. If a criminal tricks a bank into giving away money and debiting some random account, the victim is the bank, not whoever happened to own the account.


Around what? The fact that the term "identity theft" is nonsensical? There is no way around that, it just is.

As for fraud: There probably is no easy way around it. But that doesn't mean it's not fraud.


I was not saying either really. I was asking what sure fire way we have other than a number / name for identity.


Well, there is biometry, with the simplest form being a picture, if you want to somewhat reliably identify people.


While I thoroughly agree with everything you've said on the subject thus far...

How does being in possession of a picture, or any other biometric data, help? These data are reproducible, like any other attribute that supposedly identifies only-Alice.


Checking the possession of a picture is not biometry (that would be possession-of-a-picture-metry). Making a picture is biometry (measuring the body, essentially).

The hard problem with biometry is proving to a third party that a certain identity is responsible for a contract, but identification with biometry (convincing yourself that the person before you is the same person that you enrolled earlier) at least works a lot better than asking for essentially public information.


Here's a typical story.

Online loan firm gives money to someone. Months later, they default, so they call who they think is the holder of the debt. That person has no clue what they are talking about. Finds out through first ever credit report they are defrauded. Victim calls loan firm, who requests lots of proof of existence as well as a police report, before they will help them. Process takes weeks. Victim finds out they signed up at Equifax during hack. Now they are in worse shape.


All financial companies are required to have your SSN for reporting income for taxes and also report money movement under the anti-money laundering laws (AML). Know your customer (KYC) requires a financial company to gather documentation and information to verify your identity and to ensure you're not on any list of people we're legally not allowed to provide services, e.g. terrorist watch list.

You don't need to provide a SSN to get cell service or provide real information. Lots of fraud is done through tethering through burner phones.


Seems KYC as used in the real world doesn't do a very good job of verifying whether the "customer" is Alice or the fraudster... It'd be nice if _that_ requirement had enough teeth to reduce the ability of the financial institution to claim Alice is "the victim"...


Curious how would you verify a user? Right now standard solution is to use public records (LexisNexis), credit history (Experian), fraud detection networks (early warning). Along with a bunch of reputation providers around IP (Maxmind, Socure), email (emailage), address. Also government based ID and utility bills etc. This isn't cheap and can cost $10+ to run all these checks.

Even government can't verify people and it's a problem because people give other people's SSN and DOB when they get arrested which is the worst type of identity theft as it can lead to the victim getting arrested or not getting a job (criminal record showing up in background check).


You ask for their ID card or passport. If you want credit history, you ask for their last year tax sheet.


How about having a photo on the credit file? This would solve so many problems.


> You don't need to provide a SSN to get cell service or provide real information. Lots of fraud is done through tethering through burner phones.

Don't give them any stupid ideas. This year Germany did exactly that: Require proper identification for purchased SIM cards. Lots of people used that opportunity for some extra cash by selling pre-activated SIMs through Ebay, after the requirements had been changed.

Too bad they also introduced Euro roaming, so people are still free to buy their anonymous SIMs in other EU countries and use them in Germany.

I guess those are the consequences of a future where your mobile device is used for your personal authentication everywhere by everybody. [0]

[0] https://www.nytimes.com/2017/02/13/business/dealbook/banks-l...


I've worked a bit in the industry and around the industry, the worrying thing for me is that it doesn't seem to be working for anyone apart from equifax/experian/call credit.

I have separately worked with one of those companies with a client and their IT staff were utterly incompetent (I won't say which). Loads of different sites, lots of little fiefdoms, utterly inconsistent security policies on each site, blaming everyone but themselves because only half their sites could access a video on a major commercial video provider (not-youtube). We ended up having to host it on AWS cloudfront as none of them had blocked it yet. Their sharepoint could only host a 50mb file, which made their CEO look like a blockhead in the 20 min high def video.

Utterly incapable of hosting a simple video file so all their staff could access it in 2010.

I've also worked with a company one of those companies acquired for $100 million+, holding millions of people's personal details in the UK, with some very sensitive data. Some of the worst IT engineering I have ever seen, a bunch of tools written by the worst out-sourced IT teams I have ever seen (if you've ever worked with C#, these idiots made a project per .cs file. Yes, PER CS FILE. They also wrote the worst SQL I have ever seen, all of the stored procedures seemed to be duplicated but the duplicates had op_ before them. I eventually realised the op_ stood for optimized! They were still terrible and half the program used one set of SQL, the other half the optimised. Whenever I re-wrote one of these 'optimised' queries, I usually knocked it from seconds to milliseconds. Outsourcers in the noughties really did suck that bad, young 'uns).

We've given up huge amounts of privacy, but the scores are utter bullshit and the 2008 crash shows what a load of nonsense they are.

A friend even told me at uni he'd got a £1000 loan out to get a good credit rating. You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.

equifax/experian/call credit basically get given all our personal spending habits for free, sell it on to everyone else for crazy money, don't add anything to the economy and as far as I can tell, are a huge security hole.

EDIT: Another anecdote on how incompetent these people are, a couple of years ago someone used my details to scam a few free phones. I got alerted to it when I started receiving insurance contracts for those phones in the post. The phone companies sorted it pronto, almost immediately admitting they'd been scammed, but I wanted to make sure my credit rating hadn't been trashed. In the UK these agencies must provide you with a credit report for a nominal fee so you can check for incorrect details, so I applied to the big 3.

One of them accused me of trying to hack their system because I'd forgotten a security question, eventually told me to fuck off after passing through various layers, then sent me a letter saying they'd detected a hacker trying to access my details. No, you idiots, that was me. Still never got my report from them.

Yes, they still use security questions.


> You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.

I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?

Any system can be gamed, but I don’t get the impression that credit agencies are attempting to eliminate all risk - after all, it’s obviously possible that someone who has had perfect credit for years might simply run away with your cash! But the system doesn’t have to be perfect, or detect all outliers, to have value.

It seems intuitively obvious that lending to someone who is frequently late with credit repayments is riskier than lending to one who isn’t, and this is the mechanism by which that information is shared.


For £100 you get a shiny credit rating for no risk. That'll get you a mortgage for £100,000s.

In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay. I appreciate that it probably benefited a certain type of person, but the new system probably has the same prejudices built in. Now it's all about the ephemeral and easily game-able credit score. Until a few years ago you would get negatively scored for not having a landline.

These scores are utter bullshit, they're simply about if you haven't screwed up yet, they're not actual assessments of your ability to pay or the risk you've exposed yourself to.

Again, I worked in the mortgage industry before the Northern Rock collapse, brokers used to be able to go to those guys and openly fudge people's incomes by calling them self-employed, they had a good credit score so no-one blinked an eyelid, get 105% mortgage, and then lo-and-behold, the bank collapsed. Yes, part of it was that they lost their access to easy bank credit, but another part of it was they lent to hugely risky people.

As a slight-side, my bank was willing to lend me crazy credit card money a few years ago because for 10 years I never missed a payment. In reality in those ten years I went through a patch of being the most business-un-savvy freelancer ever, selling myself at a stupid rate and not putting enough aside to pay my tax bill, to the point where I had to get a loan from a parent to pay it. I was flat broke, almost bankrupt, and these people were willing to lend me almost 9 months of my income.

I was not a good risk.

But because I paid on time for X years before, I was to the credit agencies.


> I was not a good risk.

Banks are using actuarial science to make loans. You were (possibly) an outlier. That doesn't matter. All that matters is that their risk models work in aggregate. If they're right enough of the time, they profit. It doesn't have to be perfect.


They had to be bailed out, remember?


> In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay.

You do recognize how terribly inefficient that is, right? In this day and age it's all about scale. Expecting a bank manager to have a financial profile of all the clients using his firm is impractical.

For all its faults, the credit reporting agencies are providing a service. It's not perfect and I think it's the best they could do with the information available to them. I expect they will improve their score though once they start incorporating signals from social media and other sources.


In reality the new credit agency model's been tested once, and it failed.


> You do recognize how terribly inefficient that is, right? In this day and age it's all about scale.

Is it, tho'? It is well known that IT doesn't improve productivity[1]; all the benefits of automation get swallowed up in the extra people needed to support and maintain it. So we can assume that the ratio of bank employees to bank customers has remained constant over time. So actually there's no reason for banks not to operate the old personal-relationship model; they would need to employ the same number of staff to do it, just locate them in branches rather than at head office.

[1] http://www.computerweekly.com/opinion/McKinsey-Why-IT-does-n...


> I was not a good risk.

But you were- you had access to a parent with money to bail you out.


> I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?

That's probably the reason why it would increase one's credit rating in a positive way. I have no doubts about these systems being broken in such a way that they consider people who take on credit, paying it back in time, as more "credit-worthy" than people who never needed/wanted to take up a loan.

A bank obviously wouldn't want to miss out on the first group of people, while they couldn't care less about the second group of people from which they make no money in the form of interest.

It's also interesting how these kinds of rating systems seem to be "broken" all over the world. In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany and they are quite infamous for mixing up people and thus giving them a negative rating, often without the people noticing until it's too late and their negative credit check denied them access to a rented flat/credit whatever, after which it's their responsibility to get in touch with Schufa to clear up their misidentification.


> In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany

Just for anyone from Germany reading: There are multiple, less well known agencies that are used by banks and others as well. They are definitely worth keeping an eye on. I will only mention Creditreform Boniversum, Arvato Infoscore, and Bürgel.


What Alice is the victim of is slander, not fraud or identity theft. The bank lent some money to someone who claimed to be Alice (though the bank only relied on the fact that that person knew Alice's SSN as proof of that fact). Then when the bank didn't get paid back, they told a bunch of credit check bureaus that Alice was a credit risk. This was a lie about Alice, which has a material impact on Alice's reputation. The credit agencies then go ahead and repeat that slander.


This is a great description of what is going on with "identity theft". I don't usually like changing the name of something to try to push an agenda, but calling "identity theft" "bank slander" would be good idea.


So presumably a class action law suit against the reporters for slander? Might depend on specifics of the law... Maybe it's time for a better credit reporting agency startup.


Especially if a very large class action law suit was started from this.

Calling all identity thief peeps....


You mean slander by banks, not slander of banks. The term you propose is ambiguous.


Defamation laws differ by state, but in NY for example, I believe libel (slander refers to oral defamation) requires that the perpetrator knew, or should have known, that the statements were false.

The question would then become whether the bank's identity verification procedures satisfy that burden. I think it would be a difficult endeavor, but it would be good to see it tested.


Yes, libel is correct.

They absolutely should have known it was wrong -- their business is lending money to people! If their procedure is insufficient, they should have fixed this.

I would love to see the banks sued for libel, a massive class action suit. There are real monetary damages one could put a number on, and the difference between a bad and a good 30 year mortgage will be a big number.


Well, yes, Alice is the victim of slander, and the bank is a victim of fraud. But the important point is that neither of those implies that Alice is responsible for anything.


I haven't dug too deeply into this, but a defamation claim under state law would probably be pre-empted by the Fair Credit Reporting Act. You mostly can't sue them unless you can prove they defamed you with malice or with willful intent.

https://www.law.cornell.edu/uscode/text/15/1681h

In this case, maybe you could have a shot by arguing that since the bureaus know that like half the population's information was stolen, they are acting with reckless disregard for whether their statements are true if they don't now do additional investigation to confirm the identity of the subject of their statements in order to mitigate the effects of the breach.


Hmm, I guess you could call it slander if the person and the dossier were perfectly interchangeable. But all the institutions know is that someone has been failing to pay back loans that were issued based on the information in a dossier. After a series of fraudulent loans to "Alice Doe, SSN 123-45-6789" (the file, not the person), when some random shows up at Yet Another State Bank and tries to take out a loan under the same credentials, the credit reporter is right to warn of the risk. They don't know if Human Alice is a risk, but Paper Alice definitely is.


That distinction holds up only if real Alice isn't inconvenienced in any way.


She would be inconvenienced, but that doesn't mean she was slandered.

If someone steals Alice's car and commits a hit-and-run, she will be inconvenienced when the cops show up at her door, but the person who reports her plates won't be committing slander.


But if a newspaper reported that Alice was a murderer because her stolen car was involved in a hit and run, that would be libelous.


If they said they had received word that the car was registered to Alice, that wouldn't be libelous. If they said she was the driver, that would be libelous. If she was charged with murder and they said she was an alleged murderer, that wouldn't be libelous.


Wow, I learned a ton from this comment. I would have never come up with this on my own.


Technically since the defamation is written rather than spoken, it is libel, not slander. :-)


"Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was "impersonation", and it was the bank's money that had been stolen, not my identity. How did things change?" https://www.lightbluetouchpaper.org/2017/08/26/is-the-city-f...


Brilliant Mitchell and Webb from the comments there:

https://www.youtube.com/watch?v=CS9ptA3Ya9E


Agreed. Thought experiment: suppose instead that Fraudster convinced Alice that he represented BigBank, and so Alice was duped and gave her money to Fraudster thinking she was depositing into BigBank.

The only thing she could expect from BigBank was politeness while explaining to her that she was duped. If it's a very friendly bank, she may tie up a manager for a couple hours, but that's it. If she keeps coming back, she'll soon be escorted out by security, or the cops.

Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?


> Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?

Probably not jail time, and perhaps not civil penalties. Even civil defamation in US law generally requires knowing falsehood or reckless disregard for the truth, not just mere falsehood, and criminal defamation, where it exists, tends to have high . Unless the bank had provided concrete evidence so solid that it was unreasonable for her not to believe their denial of responsibility, there would likely be no legal wrongdoing.


An even more analogous experiment would have Alice take out a mortgage with BigBank, then receive a fake notice of debt reassignment to BiggerBank, which is actually Mallory. Alice makes mortgage payments to Mallory for many months. Now BigBank is wondering why Alice fell behind on her mortgage.

Who's the victim?


> Are we talking jail time, or just civil penalties?

Jail time could be a possibility depending on jurisdiction. In the US, a handful of states have criminal defamation statutes - https://en.wikipedia.org/wiki/Defamation#Criminal_defamation...


This is actually quite eye-opening. Thank you for that.


This is very clearly what's going on. Fraud is uncommon enough and the cost of fraud to the banks is smaller than the cost of reducing the velocity of money and loan-making, so the problem will never get fixed so long as it depends on the banks to initiate the fix.


Work at a financial firm and have built a bunch of identity theft detection features. Curious what your fix would be. Identity theft and friendly fraud losses are in the tens of billions annually and identity verification services is a huge industry.


I've never talked about this with anyone who knows the industry so it may be stupid in some obvious way, but I would gladly accept the inconvenience of having to go to my bank in person, carrying official ID, when opening lines of credit, if it would make the whole process secure. Banks could serve the process of relatively slow but reliable authentication for specific financial transactions, and communicate those authorizations to each other. Individuals who need more flexibility could opt out or do something more complicated, at the cost of some risk.

There's some cost to this, but I still suspect quite a few people would accept it.


My information was used to open a fraudulent mortgage loan, then when I asked my bank to not allow opening credit lines or transfers online was told "we can't do that!"


Time to fire your bank.


That's how traditional banks work. You walk in Chase with your government ID to open up an account. It doesn't work. You can get high quality forgeries of government IDs made in China and there's no public DB to verify information on the card. RealID requirement for states to open up their driver license DBs only applies to government agencies (e.g., TSA).

Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?


> Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?

Honestly, maybe that wouldn't be such a bad idea. A well-designed system would probably wind up contracting the post office for ID verification for online services (since in my country at least, they do a pile of random related stuff).


Some thoughts in response to comments:

1. The bank should capture the ID you used the first time you entered and do comparisons. They should also capture your ID when you come in again. This will raise the difficulty of impersonating you and the risk the criminal takes.

2. One thing I didn't think to say, because my bank only exists in North Carolina: geography should matter. If you live in a particular city, opening an account from another state should be seen as suspicious, and merit greater checks. This is the kind of thing some people should be able to relax, but it's probably a good default for most of us.

3. Should I have to go to my bank for PayPal, Venmo, Betterment, eTrade, etc? Those cases don't all sound the same to me. But here's what I'd consider: how often is a person going to need to do this, and does the activity involve requesting credit? We've currently optimized almost exclusively for convenience at the expense of security. I'm proposing that we shift that balance a bit.


This is basically what Vanguard does if they get suspicious about your account security. Basically you have to show up at a notary with photo ID and get a form notarized.


> carrying official ID

It's probably not hard to forge a social security card and birth certificate if you have the relevant information. From there, a state ID (or maybe even passport) should be possible to get. I don't believe there is any biometric security on either. A determined identity thief might go that far.


> A determined identity thief might go that far.

This is the old "because a solution is not 100% effective, it's not good" chestnut. This solution would cut down on the theft by over 90%, I'd venture, probably more like 98%. There is a huge difference between perpetrating a crime from the safety of a computer and physically walking into a bank to commit it.


$16 billion was stolen from 15.4 million U.S. consumers in 2016, compared with $15.3 billion and 13.1 million victims a year earlier. In the past six years identity thieves have stolen over $107 billion.

http://www.iii.org/fact-statistic/identity-theft-and-cybercr...


The thief would have to physically resemble the victim's photo, height, age, gender, etc, which is some added defense in depth. For instance it would be hard for most males to pass themselves off as a typical female.


> The thief would have to physically resemble the victim's photo

Why? Show up to a government station with your birth certificate, SSN, some telephone and utility bills, and they'll take the thief's picture and put it on an identity card with your name on it.


That sounds incredibly bad for a first-world country. If that was the case, I'd argue that the entire country is in collapse. As you then have no control over foreigners impersonating locals and manipulating something as serious as elections, never mind bank fraud.

Edit: Point being, this needs to be fixed ASAP if you are to move your country into the future. Fix the regulatory/state hurdles that prevent it from happening, and get yourselves National Identification that's secure. Things will flow positively from there.


They don't use the SSN to check for prior IDs issued by other states and/or the Feds, and compare the applicant's photo/gender/age/height/eye color, etc to them first?


There's no network between all the systems.


About twenty five years ago a bank allowed someone to cash checks with my name on them with all the correct account info on them as well, but was a different race and gender than I am (the banks had video of the customer). They did this about a dozen times for checks for what I assume was just under the amount that would flag it (about $2000) to empty my account over the course of about an hour, using different drive throughs at different branches in Houston. I lived in Austin at the time and had never visited a branch in Houston.


The big architectural flaw is that when I as a consumer prove my identity to company A, that gives company A enough information to impersonate me to company B. Or equivalently, it can give a rogue employee at company A that power, or anybody who hacks company A's database.

The solution is asymmetric cryptography, wherein identity is tied to a public/private keypair, and I can prove I have the corresponding private key without giving the other party the ability to impersonate me. Ideally, the government wouldn't know my private key, either, rather they would just give their own attestation that a given public key is owned by a person with a given name, DoB, SSN, and biometrics.

Along similar lines, any financial account would have its own keypair, with moving money out of the account requiring signing with the private key.

The state of cryptography today is way too obtuse for this to work right now, but I think it could be made more user friendly with specialized hardware to hold the keys and perform the encryption.

The idea that SSNs are secret, but we hand it out to half a dozen organizations is absolutely ludicrous.
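
The scheme proposed in the comment above (a keypair per identity, an issuer's attestation over the public key, and proof of possession by signature), sketched as an added example that is not part of the thread or of any deployed system. Ed25519 from Go's standard library stands in for the unspecified algorithm; the message encoding, the type and function names, and the parties `bank-a.example` and `bank-b.example` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownNonce   = errors.New("nonce not issued here or already used")
	ErrBadAttestation = errors.New("attestation not signed by the trusted issuer")
	ErrBadResponse    = errors.New("challenge not signed by the attested key")
)

// Attestation is the issuer's signed statement that PublicKey belongs to Subject.
type Attestation struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// signedBytes builds the message to sign: domain tag, length-prefixed label, raw data.
func signedBytes(tag, label string, data []byte) []byte {
	return append([]byte(fmt.Sprintf("%s|%d|%s|", tag, len(label), label)), data...)
}

func Issue(issuer ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Attestation {
	return Attestation{subject, pub, ed25519.Sign(issuer, signedBytes("attest-v1", subject, pub))}
}

// Respond signs on the holder's device; the message names the verifier, so it is useless elsewhere.
func Respond(priv ed25519.PrivateKey, verifier string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedBytes("auth-v1", verifier, nonce))
}

// Verifier is a relying party such as a bank; it stores no user secret.
type Verifier struct {
	Name      string
	IssuerPub ed25519.PublicKey
	pending   map[string]bool // nonces issued and not yet consumed
}

func (v *Verifier) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no secure randomness: refuse to continue
	}
	v.pending[string(nonce)] = true
	return nonce
}

func (v *Verifier) Verify(att Attestation, nonce, response []byte) error {
	if !v.pending[string(nonce)] {
		return ErrUnknownNonce
	}
	delete(v.pending, string(nonce)) // single use, even if a check below fails
	if len(att.PublicKey) != ed25519.PublicKeySize || // ed25519.Verify panics on a bad length
		!ed25519.Verify(v.IssuerPub, signedBytes("attest-v1", att.Subject, att.PublicKey), att.Signature) {
		return ErrBadAttestation
	}
	if !ed25519.Verify(att.PublicKey, signedBytes("auth-v1", v.Name, nonce), response) {
		return ErrBadResponse
	}
	return nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs the exchange with constructed parties and names.
func Scenario() (honest, replayOther, replaySame, selfSigned error) {
	issuerPub, issuerPriv := newKey()
	alicePub, alicePriv := newKey()
	att := Issue(issuerPriv, "Alice Doe", alicePub)
	bankA := &Verifier{"bank-a.example", issuerPub, map[string]bool{}}
	bankB := &Verifier{"bank-b.example", issuerPub, map[string]bool{}}
	nonceA := bankA.Challenge()
	respA := Respond(alicePriv, bankA.Name, nonceA)
	honest = bankA.Verify(att, nonceA, respA)
	// Bank A, or anyone who copies its database, holds only att, nonceA and respA.
	replayOther = bankB.Verify(att, bankB.Challenge(), respA)
	replaySame = bankA.Verify(att, nonceA, respA)
	// A key the issuer never attested is rejected, whatever name it claims.
	otherPub, otherPriv := newKey()
	nonceB := bankB.Challenge()
	forged := Issue(otherPriv, "Alice Doe", otherPub)
	selfSigned = bankB.Verify(forged, nonceB, Respond(otherPriv, bankB.Name, nonceB))
	return
}

func main() {
	fmt.Println(Scenario()) // the four results, in the order Scenario returns them
}
```

The pending-nonce map lives in memory here; a real relying party would also expire unanswered challenges.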


Verify that person's biometrics against the national database? I know that's what's happening in South Africa, a third-world country:

http://www.htxt.co.za/2015/09/16/this-is-how-banks-and-home-...


Banks carry the risk like they do for credit cards, consumers carry $100 of the risk and the risk to their credit rating.


Change the way checks are issued/redeemed. Right now the customer is on the hook for 7 years because a check isn't cleared until it goes back to the bank that issued the check. The customer thinks by seeing the money in the account the check was good and can clear a sale. The reality is the bank can take that money back if it is later determined to be false/fake.


> customer is on the hook for 7 years

7 years? Are you sure it's not something like 7 days?


It takes 7 years for a bankruptcy to clear your credit record in the USA.


Not just bankruptcy. Banks and businesses contract with check verification companies such as ChexSystems. I had a friend who bounced a check and it took him a few weeks to reimburse the bank. By then the bank closed his account and reported him to Chex, who put a 5 year hold on his ability to get another checking account through any bank that used Chex verification (> 90%), essentially blackballed.


That may be so, but the GP was talking about the time it takes checks to clear. IIRC, uncashed checks aren't even valid after 180 days, let alone 7 years.


Ten, I think. Ten years. Or should I dispute that with the credit-reporting agencies?


Negative credit information falls off after 7 years from date of first delinquency.

Always dispute negative credit items; more likely than not, it won't be verified and is usually removed. Otherwise, wait 7 years and then dispute again.


Paper checks are going away. Some of the online banks don't even support them. ACH allows only 60 days to claw back the money (disputes) and with same day clearing requirement we can get rid of 2 day holds.


What are they being replaced with? Yeah, as a young renter I went years without using a check. When buying a home last year I had various inspectors during the process. After buying, I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks (to be fair, I didn't seek other forms).

I've tried all sorts of p2p methods over the years. All of the banks are too confusing, obscure, or too limited (i.e. only within their bank). Paypal and credit cards charge a not-insignificant fee. Venmo or Square Cash work fine if your group of friends accept them--but more than half the time, they don't for me.

I often do ACH transfers between my own accounts, but the first time I set it up I cringe a little bit and cross my fingers. It sucks waiting the 2 or 3 days waiting to see something. I can't see small businesses accepting ACH as payment because they want something in hand. If we had the setup I've heard about in Britain or Europe, I can see checks going away, but with as much churn as I've seen in this space in the 20 years since Paypal, nothing seems to stick.


> I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks

Try cash? I use cash for almost all transactions like that and have never been turned down :-)


Cash is nice, but the main point of banks is that I don't have to carry a bunch around. I honestly didn't even use an ATM or carry cash for years. I started carrying cash only when my job reimbursed me for parking (and they only accepted cash). It's also nice for bookkeeping. I can write the account number or purpose on the check itself.


For some, it might be walmart. Previously, on hn https://news.ycombinator.com/item?id=8361329


> It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.

I think you're confused. It's BigBank that's falsely placing a debt burden on Alice. The credit reporting agencies are only reporting what they are told. Imagine if Alice doesn't care about her own credit worthiness. Let's say she has no debt, and no intention of acquiring debt. What happens if criminal tricks BigBank? They say, "Alice, you owe us this money." Alice tells BigBank, "No, prove it or pound sand."

What happens then? BigBank goes to the court and tries to get a judgment against Alice for the money owed. If Alice isn't aware of the proceeding, the judge will grant BigBank's request, and now Alice will owe BigBank the money stolen by criminal.

BigBank's poor authentication and the judicial branch are the ones doing the real harm to Alice. If anything, the credit reporting agencies are providing value to Alice by warning her before BigBank goes after her in a secret proceeding and makes the debt hers.


What actually happens:

1. Alice does have debt, and does intend to acquire debt in the future, like most people. The presence of this fraudulent debt in her credit report makes credit more expensive and hard to get.

2. Before filing suit and going to court, BigBank makes persistent but usually polite attempts to collect. But when she says "that wasn't me" they don't believe her, because lots of deadbeats say that sort of thing too.

3. Perhaps BigBank sells the debt to a collection agency, which is far more aggressive and (willfully?) ignorant of laws regulating how and when they can contact Alice. Perhaps they call Alice's employer, threaten to garnish her wages (even if they legally can't), or lie about Alice's ability to contest the debt.

4. If Alice is determined enough to keep fighting and go to court, she has still sunk significant time and money into fighting this. It's unlikely she'll be compensated fairly for that.

I agree the credit reporting agency is in some ways helping Alice, and would add that these agencies probably do reduce the rate of fraud overall. But they also have a responsibility to do a good job minimizing errors. We can't expect them to never make a mistake, but they should have some skin in the game when their inaccuracies hurt a credit applicant.


Step 3 is the insidious part. If Alice files a paper with the reporting agencies, they're required to remove the false report. But the collection agency will just as persistently file an equal but opposite paper to reinstate. The reporting agency is legally caught in the middle of he said, she said. And if asked for proof? The collection agency says BigBank told them Alice owed it, and sold them that debt. So now the originator of the loan has harmed the collection agency as well as Alice.

Don't kill the messenger. The credit reporting agencies are doing what they are obligated to do in that business. There needs to be penalties for BigBank beyond the money BigBank lost in the scam perpetrated by criminal.

Blaming the credit reporting agencies for bad credit reports is intellectually lazy. Blaming them for garbage computer security is much more appropriate in this story. A more interesting discussion here would be about the technical details of the hack.


If the credit reporting agencies wish no responsibility then for all practical purposes they are a database table, nothing more. In that case they must offer their services on the same lines as AWS or Google Cloud. That is, the guarantee is only on infrastructure uptime and availability and not the quality of information. Note even in this case, a level of liability regarding security is on them.

If you wish to provide a service with a level of guarantee, responsibility and liability comes along with it.


It isn't BigBank warning her.. it is the collection agencies, but that's just semantics.


That's exactly the point. BigBank isn't going to warn anyone. It's just going to seek judgement, or sell the debt to shady collectors and write off the difference.

https://www.nytimes.com/interactive/2014/08/15/magazine/bad-...

Think about the credit reporting agencies as a rather sloppy "master list" of who owes who money. It seems what is needed are stiff penalties for banks and collection agencies who falsely claim they are owed money. Until then, you can't live in peace. Someone is going to claim you owe them money if you have any money yourself.


Exactly.

Eve lies to Bob, and tells Bob she's Alice. Bob asks Claire, who says "Yes, that's Alice." Bob gives Eve money, and Eve runs off.

This should not be Alice's fault, responsibility to solve, or problem to deal with. It is, because Bob is much, much more politically powerful than he ought to be.



The credit agencies report what has been told to them by BigBank. Once the fraud is detected BigBank should update them that Alice does not in fact have a $10,000 loan with them and it would then be removed from Alice's report. If the loan has been determined to be fraudulent and it has not been removed from her credit report, BigBank is victimizing her, not the credit agencies.


> then be removed from Alice's report.

That's a long process (5+ years sometimes).


If the creditor that reported an account to a credit agency then sends a request to have the account removed it happens right away.


There's a nice comedy sketch on this point by Mitchell & Webb: https://m.youtube.com/watch?v=CS9ptA3Ya9E


Clearly, both the bank and the individual are victims of the crime.

Generally speaking, the impact to the customer is usually greater, as bank business models aren't dependent on every loan being repaid. Consumers stand to lose money directly and lose the opportunity to access capital.

The credit agency or anyone else who has a breach is usually a negligent third party.


They are victims of very different things though.

The bank is a victim of fraud.

The individual is a victim of impersonation by the borrower, and slander by the bank and credit agencies.


The individual isn't in any way a victim of the crime. A bank used some information presented to them to conclude that they were dealing with Alice when that information was objectively not sufficient to justify that conclusion. That has absolutely nothing to do with Alice. Alice is victimized in the next step by the bank when the bank claims that it somehow is Alice's responsibility that they took someone else for Alice.


Not sure how the individual is victimised by the fraudster here. If the bank had a 100% success rate at detecting fraud with no false positives and no false negatives, then the individual wouldn't need to know and likely would never find out about the impersonation attempt.

The individual is victimised by the bank and the credit reporting agencies by their spread of misinformation.


In some countries when you sign out a loan and a card you get a picture snapped. But then this measure would stick banks with loans and not the consumer.


"Mitchell & Webb Sound - Identity Theft"

https://www.youtube.com/watch?v=CS9ptA3Ya9E


I wish I could remember details, but a cofounder or single digit employee of an acquisition Equifax made, elected to forgo their earn out, because they were opposed to working in any capacity for Equifax. I think that they were somehow bullied into revealing their reasoning, to escape penalties in contract (which in any event were unlawful in the UK, I heard this from an employment attorney friend who has super reported cases, i.e. those which established new law). They were immediately snapped up by a startup in VA. Equifax managed to suppress their credit file completely. Preventing them from even renting an apartment for at least a year, and I believe it was a year before they had been even recognised by a US reporting agency and could open and operate a checking account. This was picked up by The Register, which was then still Mike Magee's baby, so honourable 1., 2.. I can't find a link from my phone, but even if you never believe me the actual events happened, I bet you had a thought that you would not be surprised if it happened more often.

1.(added to qualify that adjective "honourable" which I apply to individuals not companies, and individuals who risk sacrifice without burdening others. My career is in advertising and I am truly impressed when publishers are able to maintain standards that are able to raise their costs of sales. (a large publisher may not lose an account, but the sale often consumes expensive energy, even only to explain why policies exist. I work far from such high sensitivity issues, as does the company I started around the time of this recollection.)

2. last I spoke to Mike, he was telling me how he simply was never issued his shares in "ElReg" and he was long enough into The Inquirer to think that Limitations applied. But Limitations 80 runs from the time of discovery of tort, not the event of tort. Before the chance arose to catch up, and establish facts, Mike had passed away. RIP a great man and two great journalistic servants to the IT community. I did not establish the facts that were alleged, therefore my statement is hearsay, but protected by the statutory defence of genuine belief, and I had always faith in my source.

Edit: italics removed from footnote, earn out replaced phypo earnings, and great man replaced good man. Mike was exceptional and altruistic to a fault.


This may damage Alice's reputation temporarily; however, once the bank determines that it has been defrauded, it should make the loan information inaccurate.

I believe the Fair Credit Reporting Act allows Alice to remove inaccurate information from the report?


Agree with your point on Experian absolving itself, but there are many scenarios in which Alice is also the victim of the thief. With enough info about someone, you can steal digital assets too.


This argument is akin to splitting hairs. The fraudster who applied for the loan against BigBank was at fault. The BigBank accepted the Fraud and reported it to the credit agency. The Credit Bureau reports/includes the data provided by BigBank; it's what they do.

If there is a dispute between what BigBank says and what Alice says, it's not necessarily so easy to resolve, and that's the position the Credit Bureau has to deal with.

To absolve the fraudster of the primary fault is ridiculous. That said, this is the problem with difficulties in identity verification, we all want privacy and security at the same time. While they are not mutually exclusive, having both is much more complicated than one or the other.


If it was on the BigBank to always prove that their identity was indeed stolen, it would quickly become unmanageable. People would commit fraud in the opposite direction, by getting a huge loan from a bank and claiming that their identity is stolen. I'm sure it would be easier than stealing someone's identity to do it, and it would obviously involve some necessary actions to avoid being caught but this would drive loan rates through the roof for the average citizen to make up for all the fraud occurring. I agree with you ideologically, but in practicality I do not believe it would work.


This would obviously drive the BigBank to collect some better evidence that the person applying for the loan is who they say they are, which is exactly the incentives we want here.


In that case banks would just have to verify who they were giving money to before they start handing out loans. That doesn't sound particularly unmanageable to me.


very well said!!


BigBank is the only one in your scenario that actually has monetary loss since they lent out the money and most likely will never get it back. In identity theft, the company has the financial loss. FBI won't investigate unless it's over 250k in losses as well.


You certainly can quantify the monetary losses to Alice too. When her credit rating is shit and she buys a car or home, the banks are expert at placing those rates and can tell you exactly how much more she pays. What is more difficult is calculating the loss of what she doesn't even do due to bad credit, like she might not be able to rent the same apartment, she might not even try to buy a car.

She may not have to pay that bank loan back but that doesn't clear her credit up immediately.


Fraud isn't limited to credit. My dad had someone open a savings account in his name and transfer a significant amount of money via ACH. He only found out because he got a welcome or from the bank!

The police investigator told him that the particular fraud that he was a victim to was impacting >500 people and >$5M


Pretty twisted world where provable financial loss is the only or main measure.


> It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.

Credit Reporting agencies report the data passed to them by companies such as banks. In your scenario BigBank thinks it's given a loan to Alice, and when they don't get repaid, report that to the CRAs. Alice is a victim of the thief because her identity was appropriated to secure the funds. BigBank is a victim of the thief because they were defrauded. The CRA is a victim because they were just reporting the information that was provided to them in good faith by their customer BigBank. So saying that the CRAs are "victimizing" Alice is completely false.

Alice bears the burden and risk of clearing her name, just as a victim of car theft bears the burdens of reporting the crime, getting another vehicle, dealing with any outstanding loans, etc. These burdens are inflicted by the thief, not the bank or CRA.

> perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, [...] and to avoid realistic identity-verifiction which might slow or complicate the practice of issuing large amounts of debt to the general public.

This completely misunderstands the role of a CRA. The CRA doesn't have to verify identity, it's up to the credit grantor to ensure they are dealing with the person they think they are.


Your comparison is bullshit. I have control over how I secure my car from being stolen. It's complete nonsense to equate that to me being responsible for a bank's failure to protect themselves against fraud where I have no power whatsoever to influence how the bank secures itself against fraudulent loan applications.


Your statement is nonsense. Regardless of your efforts, the best you can ever hope for is to minimize the chance of your car being stolen. You can never prevent it completely. If your car is stolen in spite of your best efforts, are you at fault? Do you still have to deal with the consequences as a victim of that theft?


When someone takes out a loan in someone else's name, the only theft that truly occurs is the imposter stealing money from the bank it duped.


Which thus makes it equivalent to a scenario where you have no power to influence things whatsoever?


Which makes your statement (that you have sufficient control to prevent the possibility of theft of your property) completely invalid. You can do everything right, and through no fault of your own have things go wrong.


> Which makes your statement (that you have sufficient control to prevent the possibility of theft of your property) completely invalid.

Luckily, I didn't say that.


> I have control over how I secure my car from being stolen.

Really? Those were your exact words, in the context of claiming that your ability to secure your car made the comparison to identity theft invalid.


Yes, really. Having control over how I secure my car does not in any way imply that I can guarantee success. However, as a matter of fact, you can essentially get arbitrarily close to that, it's just a matter of your effort. Which is in contrast to banks being defrauded and blaming me for it, where I can not do anything about how the bank protects itself against the fraud.

The problem is that the power to do anything about the problem and the blame are not aligned, which leads to a situation that is equivalent to the bank leaving the key in the ignition of the unlocked car, not allowing you to change anything about that setup, and then expecting you to foot the bill when the car inevitably does get stolen.


Do you really not understand the difference between having control over something and being able to guarantee it?


I strongly encourage anyone in the US to put a full credit security freeze on all three credit agencies. When a credit freeze is in place, you still have access to all of your existing loan accounts and whatnot (e.g. credit cards), but lenders cannot access your credit to open new accounts unless you want them to.

It's not difficult nor expensive to do, and the freeze lasts until you decide to revoke it. Whenever you need to allow access to your credit (credit check for rent, taking out a loan, etc), you can temporarily lift your credit freeze for a small fee. The fees associated with this are going to be much cheaper than any of the professional "identity protection" services that exist out there, and the freeze is significantly more effective at protecting you.

When a company leaks your social security number and personal details, which almost certainly will happen at some point if it hasn't already, then opening fraudulent accounts in your name isn't the only risk you face, but it's an obvious and dangerous possibility that can ruin you financially or make you spend a considerable amount of time and energy fixing the situation.

For every person in the US with kids, I also strongly suggest that you freeze their credit as well. There's no good reason for your 13 year old to take out a loan, but identity thieves don't care about how old their victim is.


At this stage, if you have to pay the company that leaks your own data to prevent it from harming you, it starts to sound like a protection racket.


It is a protection racket that shifts the risks and costs from the financial system to consumers.


Same with chip and pin here in the UK


At least you get the pin as well. We just have chip, and it does ~nothing.


I have heard of no cases where liability has been shifted in that way.


There is strong evidence for it here: http://www.cl.cam.ac.uk/~sjm217/papers/oakland14chipandskim....

And regardless of whether you claim the evidence is inconclusive, it is simply not acceptable to dismiss a known vulnerability in something important by saying "I don't know of any case where it has been exploited yet."


That's explicitly not what I said.

I know that flaws have and will continue to be discovered in those authentication systems, and also that a theoretical shift in liability occurs. Any bugs will need to be fixed, and that's important. But you can't ignore the situation in practice – liability is not being shifted, and all UK banks and credit card providers are pretty happy to refund fraudulent transactions regardless.


It is good to hear that UK banks are apparently no longer shifting liability, but this case, and others, show that banks were shifting liability until it was irrefutably demonstrated that the system was not as secure as they claimed. 'Liability shift' is not a term invented by conspiracy theorists: banks were explicit about this being a primary goal of EMV, so it does not require a leap of faith to accept that it happened. Sadly, neither is a leap of faith required in accepting that the banks' first response to evidence of weaknesses was to deny their exploitability.

Does your statement about UK banks no longer shifting liability apply in cases of fraud against merchants?


They only refund credit card transactions if suspected to be fraudulent. Debit card transactions are held and investigated. I've had a card ripped and lost £500 permanently because the bank decided I had made the transaction. I had to small claims them to get it back. I have seen at least three other people lose against the bank.


Exactly. All it does as far as I can see is flag the transaction as card holder present. The PIN is easy to steal as well evidenced by the number of fake reader heads and cameras found attached to ATMs as well.


I recently did this and highly recommend IdentityTheft.gov for assistance. It has tons of great resources/guidance for dealing with identity theft and other credit issues.

https://www.identitytheft.gov/


Direct link to phone numbers for security freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


This will make a great addition to the /r/personalfinance wiki! Thanks for posting it!


Happy to help! I was really surprised how well the site works. A bit more about my experience here in case it could also be useful (though the post is admittedly a bit scatterbrained): https://chrxs.net/articles/2017/03/23/responding-to-identity...



I can't agree with this more. I was the victim of identity theft many years ago. In my case the data leaked from an employee at my company's payroll dept! There was nothing I could have done to prevent it. Anyway I did this many years ago and have not worried about it since. There is some small hassle because people run credit checks for weird reasons that have nothing to do with trying to get a loan or line of credit. For instance when I got promoted to a certain level at my last company they ran one, and while they didn't run them when I got hired, I think later they started doing them as part of "background checks" for all new hires. The other hassle is sometimes the credit agencies change the way you "unfreeze" and I've had some problems with that, or the people running the check don't actually know which of the three credit agencies they are using. However for the once every four or five years hassle it is definitely worth the peace of mind for me. In many cases you can "temporarily" revoke it for a week or 10 days.


I'd phrase this more as, "I was impersonated by someone, and a third-party compounded the problem by lying about it to others. Now, to avoid that problem, I pay protection money to that third-party and waste my time jumping through their hoops."

I do the same thing, BTW, because the alternative is worse. But it is a protection racket offered by the very people causing the problem.


I think that pretty much is exactly how I felt about it at the time. One thing I haven't seen mentioned is the fact that this "remedy" was actually a requirement imposed (at least in California) on the credit agencies by the government, and it wasn't always that way. So for several years instead of this, I would have to actually go check (all three) credit agencies getting my "free" report (since I was an identity theft victim). Of course I still had to ask for it, they didn't just send it to me. So yes it was the least bad alternative. If a large enough number of people actually signed up for this it would actually destroy the credit agencies business model, because instead of working by default, they would be broken often enough that people would do other, more reliable solutions. I think they may already be happening in some cases. For instance when my son moved into his first apartment, I had to put my name on the lease. I told them my credit was locked and they said they don't use the credit agencies, they had some other check they did. So yeah, no love for credit reporting agencies from me.


So if an identity thief has enough of my information to potentially open a new line of credit, wouldn't they also have enough information to reverse the freeze?

In other words, is a freeze enough to stop new accounts from being created?


You get a unique long pin code when you freeze the account. You need that to unfreeze it. There is some "recovery" procedure, I think you need a notary or something


And that unique long pin definitely isn't stored in plaintext in the next column over in their database, right?


At least it's only in one database, and not all of them, like SSNs are...


At this point it's about doing that one thing the other 1 million won't. It might be surmountable but do you figure the adversary is going to have the incentive to surmount it?


"don't worry, your 12 digit pin is securely encrypted with md5"

/s


md5? They use triple ROT13.


Sounds like such a freeze should be the default state.


That doesn't sound very profitable.


Anyone know if there's a way to get your free credit report if you can't answer the questions for the free one?

The computer says no, and the phone number just sends a letter that says no. I tried to buy one from my bank, but as far as I can tell they only sell subscriptions...


You could see if Credit Karma works. I think it is mostly a free interface to Trans Union though.


Funny enough, it also provides your Equifax report.


Each of the credit reporting agencies has a process for requesting your credit report by snail mail. The form is hidden away on the various websites, but it has generally worked for me when the online form didn't work (it turns out another person's delinquent loans and CCs were in the report that they were using to test that it was me).

Not as free, since you need to buy envelopes / print the forms / photocopy your ID / get stamps / wait X weeks, but as free as it gets when the online system doesn't work.


http://annualcreditreport.com/ is the "official" site for this, per the FTC [0].

There's info on that page on how to proceed to get yours via snail mail (along with a link to the form).

[0]: https://www.consumer.ftc.gov/articles/0155-free-credit-repor...


there is! https://www.annualcreditreport.com/ i use it every year along with being a regular credit karma user.


credit karma


Why not just shift the presumption of liability (absent verification) to the financial institution instead of the consumer? Loan issuers can hire skilled professionals to do credit verification, so why should consumers bear the risk for their lack of due diligence?


"just"

Consumers would love this. Financial institutions would not. Guess who wins this battle?


> Consumers would love this. Financial institutions would not. Guess who wins this battle?

And everyone thought SOPA and PIPA were done deals, that is until the great internet SOPA/PIPA blackout day that resulted in so many calls to congress that the congress critters backed down.

If enough voters could be motivated appropriately to contact their congress critters requesting jail time for the Equifax executive staff that clearly did not stress security sufficiently, there would be some change that would occur.

Remember, money (donors) only help the congress critters to pay for the costs of the election. They still have to get those voters to actually vote for them. So there's still a way to influence their viewpoint. It just takes _way_ more than a few handfuls of voters calling/writing to reach the point where they actually pay attention anymore.


For sure, and that's precisely the problem.


Wow. Equifax's Credit Freeze line is just dead. Must be getting slammed right now.


Their signup process for the credit freeze involves entering your SSN which is not obscured at all. It's increasingly obvious how this could have happened -_-


Care to elaborate?


Shit-tier security practices


Also just tried to pull a credit report for Equifax via annualcreditreport.com and received a message that a condition exists at this time not allowing my report to be pulled and instead gave me mailing instructions.


I did this about 8 years ago, and have only needed to temporarily unfreeze it 3 times. Besides the big 3, I also froze reporting from Innovis.

The only unforeseen hangup from frozen credit reporting I've run into is with car rentals. With a few exceptions, most car rental companies (at least in the US) run your credit. Everything else was pretty predictable.


Do they refuse you rental?

Here in UK they verify address via utility bills, cross-check with drivers license (verified by gov agency, DVLA). They maybe only take card payments too, no cash?

I'd expect that to be enough, given they force you to take out expensive insurance, that must cover them, surely. What's the credit report going to get them at that point?

(It may be even stricter now, don't know.)


I just changed to one of the rental companies that doesn't require pulling credit.


> Besides the big 3, I also froze reporting from Innovis.

Why Innovis? Who typically uses their reports?


Same people that pull from the other 3. It's not as commonly used, though its usage is trending upwards from what I understand.


Can you call and get it unfrozen immediately if it needs to be run?


To unfreeze it entirely it looks like it can take no longer than 3 days. Unfreezing it for specific parties it sounds like is less money and perhaps takes less time but that will depend on the company.

Source: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


Law limits it to no more than three days. My experience has been that it mostly takes place within 12-24 hours.


I did this about 2 years ago with all 3 of the major agencies and in addition to the benefits described in post and comments, my junk mail volume dropped considerably. I don't know if it's always the case but this did not cost me any money.


This is actually a major inconvenience. You won't be able to apply for credit cards or get a loan to buy a car if you have a credit freeze. You have to unfreeze and re-freeze each time you apply for a credit card, and this costs about $30.


It depends on your situation. I've done this for the last 3 years, and have only had to lift the freeze 2 times, both times actually for job offers (it's pretty routine for companies to run background checks on new hires, which includes a credit history check). It does cost ~$30, but can be done online, and takes little time. You can also reduce the cost by asking whoever wants to legitimately check on your credit history, which reporting agency they will be checking with. Then you only need to lift the freeze for that agency, and for that entity asking for a report.

If there isn't some handshake/ack mechanism like this, I'm not sure how you cut back on fraudulent activity. I can see the case for making the credit agencies eat this cost and provide these services for free. That would probably require an act of congress...

Edit: You could also ask a potential employer to eat the cost of unfreezing to check your credit history, or ask them not to do the check at all (especially if it's not really relevant to your job). Either request seems reasonable to me, although I haven't tried that, I'm betting at least most employers would pay for the unfreeze.


It's definitely not routine for employers to do credit history checks except in certain narrow roles (and even illegal in many states). You absolutely should not unfreeze it for an employer unless they can provide justification for needing credit information.


How often do you apply for credit?

It is, in any case, far less of an inconvenience than not paying the protection racket, having someone impersonate you, and having the credit oligopoly lie about you because of it, leaving you to somehow clean up their mess.


Some folks churn, so they apply for credit several times a month. It's not a very small niche community either.


It is a small niche relative to the credit-using public at large, and there's no reason to accommodate them at the expense of everyone else.


No one asked anyone to accommodate anyone.


How often do you apply for credit? In the last 5 years I’ve done it zero times...


I have one credit card that I got in my twenties, and have never taken a loan. I'm wondering too what these people are doing.


What stops the would-be identity thief from removing the freeze before opening a fraudulent account?


A credit freeze gives you a PIN that they'll ask for before the freeze can be lifted.


Does a credit freeze stop you from accessing your free credit scores (e.g. CreditKarma, Mint etc.)?


No it won't prevent you from accessing your free credit scores.


You've sold me, now tell me how to do it


You have to place the freeze on each of the three credit agencies individually. In most states it's $10 each, but it can vary state to state.

https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...

https://www.transunion.com/credit-freeze/place-credit-freeze

https://www.experian.com/freeze/center.html


I think you are missing something. Here's what's needed to initiate your TransUnion freeze:

To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information:

1. Your full name, including middle initial and suffix, such as Jr., Sr. II, III

2. Social Security Number

3. Date of birth

4. Current address

5. All addresses where you have lived during the past two years

6. Email address

7. A copy of a government-issued identification card, such as a driver’s license or state ID card, etc.

8. A copy of a utility bill, bank or insurance statement, etc.

So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

The problem is these companies, who none of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.

I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.


> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to Jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the Bank / Financial institute's coffer.

W.r.t. this particular situation, here's a story that just broke.

Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed (bloomberg.com) => https://news.ycombinator.com/item?id=15196309

It's called INSIDER TRADING.


If they did that because of this, the SEC will likely nail them for it.


Of the three letter agencies, the IRS and the SEC are particularly ruthless. They can only enforce what Congress will allow, unfortunately, so that leads to bigger fish not being fried up.


Equifax can handle its internal management and operations however it wants.

Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?

That's the only way to properly align incentives so companies will proactively defend against attacks like this.


This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.

No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.


But you still pay the fees from the bank's failings, so it really does hurt everyone even when the bank eats it.


It hurts everyone foolish enough to still do business with the bank after they jack up their fees to pay for it. Or in jurisdictions where a small number of banks are given a monopoly, or competition is otherwise discouraged, it hurts everyone.


Yes and no.

If a "Too Big to Fail Bank" fails, we all pay. If a credit union in Utah messes up, their customers pay. Let banks compete on operational excellence.


I expect managers to go to jail, in addition to a financial kneecap that forces other companies to vigilantly pressure their management for security.

Well, maybe not expect. This is America... I expect infuriating golden parachutes. But I certainly hope for criminal charges and jail time.


$1k, $100, that's far too low in my opinion even for a warning shot.

As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and need to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods with long term lasting effects.

If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.


$100 per each individual would be 14 billion dollars... Which would definitely put Equifax out of business.


Perfect. If they're in the business of selling access to sensitive information and cannot keep said sensitive information safe, they should not be allowed to continue to leak that sensitive information.


$1k would mean a $146 billion fine in this case. Hardly a "tiny figure".


I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).


And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!

More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.


Maybe, the suggested demise of Equifax, the extreme perpetrator of neglect in this particular case, should lose the ability to print money, much like Symantec and other ssl cert issuers (identity certifiers) for their recklessness; perhaps that doesn't go far enough.

Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.


The NYT story states that they are already offering this to affected consumers: https://www.equifaxsecurity2017.com/potential-impact/ .


I went there and used the site and guess what? It doesn't work. It just said 'Thank You!' and gave me an enrollment date. It gave me no info as to if I was one of the people affected.


The number of affected people was 143MM, which I think is numerical shorthand for "everyone we've ever known about."


Likewise, WTF. I thought you were joking but nope, it returns this text:

-----

Thank You

Your enrollment date for TrustedID Premier is: 09/13/2017

Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.

For more information visit the FAQ page.


That means you are affected. If you enter a non-existent name and SSN, it will say that you are not affected.


Even better, they ask for your last name and the last six digits of your SSN to even check your potential impact. The problem is that the first three digits of your SSN are derived from your state of birth, so the last six give up basically the entire thing. http://www.ssofficelocation.com/social-security-number-prefi...

This whole system is so fucked.


The content of the landing page (since it appears broken, here's the content from Reader View):

Equifax Announces Cybersecurity Incident Involving Consumer Information

[Equifax CEO statement] https://youtu.be/bh1gzJFVFLc

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Read More


Did that https work for you? For me it redirects to plain http and then OpenDNS blocks it as a phishing site. Why are they using such a scammy looking domain, anyway? Why not just host it on their main site?

Edit: I'm abroad and just tried through a VPN and it worked. Don't know why I tried without it ...


Domain name was registered on August 22nd 2017...


[flagged]


Please don't post like this here.

https://news.ycombinator.com/newsguidelines.html


> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.

The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.

It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.


We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.

At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.

Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.


This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people aren't held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. They just might have bigger incentives to act otherwise. But if they don't know, they can't even choose to be corrupt or not, they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.


The only real solution here is that we need consumer privacy laws similar to Germany's-- not more scrutiny of those who participate in the PII trade.

There is no reason beneficial to consumers to be collecting intelligence of this nature.


The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.


The problem here is that they've expanded their core business to be so pervasive, they're no longer reporting on just your credit history-- they've also moved into the employment history, salary history, etc. space. So you kill their financial tentacle, they'll still be collecting intelligence for other purposes.


Not really conjecture:

> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.

And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.


It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.


Oh, good, it wasn't their _core_ business. What a bullshit copout - you acquire a company, you own it, warts and all. Who's worse, the crappy company or the company that acquires it and continues to operate it without fixing it?


You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.


I find it difficult to reconcile your second and third paragraphs.

I guess choosing not to prioritize security (vs profit or whatever) when making acquisitions is different than just ignoring it entirely.


If that were the case, then who approved the acquisition? Who did due diligence on it?

Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.


>Preferably with their jobs

That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.


It's high time we had an equivalent law to Sarbanes-Oxley for security.

S-O made sure that when a C-level type guy signs a report, he knows his ass is on the line in case an illegal transaction just occurs under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, than company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.


> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

Sure, but TU already has all the above information anyways.


> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.

But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?

That's the point of a freeze, it makes your PII less valuable.

The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, it's not worth their trouble vs all the unfrozen accounts.


> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

No. With jail. And go bankrupt.


Now there is news that they sold their shares last week.


/me sighs

The Equifax site appears broken in at least some browsers. Transunion wants me to sign up for an online account, and Experian charges a $10 fee in my state to place a freeze.

All three want to collect my name, DOB, SSN, etc. _again_ in order to sign up.

This is complete and utter BS. Credit reporting agencies are one of the greatest/worst rackets in the modern financial system.


"You could be at GRAVE RISK because we accidentally leaked your personal information. Please give us all of your personal information so that we can tell you if you were affected."

It's almost funny, in a way. What, so I can become affected if I'm not already?


I don't understand this. Equifax claims they just leaked my SSN, Drivers License, and other pertinent data to everybody. How would they possibly confirm that I am the one lifting the 'freeze'?


When you get your account frozen they provide a PIN to unlock.


And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life? Or is there some way around the PIN - perhaps only requiring the already leaked information?


>>And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life?

Exactly. There's no shot this "PIN" is like a one-way encryption passphrase. There is definitely a way around it.


You call them up... but this will probably no longer work b/c of the data breach. Otherwise you snail mail them a letter with a govt ID and they send you a new pin.


thanks for this info! saved me a lot of time hunting these links down myself


Unfortunately it appears freezing credit reporting is impossible in Canada, presumably because there are no laws forcing these companies to allow it here: https://money.stackexchange.com/a/54677


Calling a phone number is easier than signing up by web

https://www.transunion.com/fraud-victim-resource/important-contacts


Question for you: My card comes with Identity theft protection [1]. Do you think that's a good alternative to freezing credit completely?

[1] https://www.discover.com/credit-cards/member-benefits/securi...


It sounds like this would alert you to potential fraud, but not prevent it from happening. You'd still have the headache of undoing the damage, although that may be easier if you find out sooner.

If you freeze your credit, it basically prevents anyone from opening any new credit under your name. The reason for this is that any lender (car, mortgage, credit card, etc...) first would want to see your credit history, to determine how credit worthy you are. If they can't do that, they will not lend.

I'm waiting for the headline one day soon that hackers were able to unfreeze people's profiles and commit fraud under these accounts anyway. It's just another database entry somewhere, which says "freeze". All these systems are vulnerable and can be penetrated.


That's a bad idea I think. You are giving your card company proxy rights, and more data about yourself than they should have.


Dilemma: spend $30 on credit freezes or put $30 into bitcoins?
