I recently sent in an application to Equifax to get my credit score along with all the security documents, proof of address, passport, driver's license, registered mail etc. and they rejected my application because I didn't provide a hydro bill. Unfortunately, I live in an apartment and I don't pay hydro, so I sent in a copy of the lease agreement instead but that wasn't good enough :(
I believe lenders typically use a score computed by a third party - often the "FICO Score," from Fair Isaac.
Presumably, if you had your record from the dump, you could type in the wrong answers they are looking for and get your free equifax report.
Usually, only one or two of the big three have a poison record that blocks access, so I guess this would only reliably unlock equifax reports.
And, critically, a decent modern website/app and good enough customer support.
Does anyone know the specific differences in how these two scores are calculated?
The FICO Software is a scoring engine which will produce an output based on the input you provide it. The three big credit bureaus collect data about you and feed it into the FICO Score software. Even if they all have the same version of the FICO software, because each bureau might have slightly different data on you, your score may be different from each one. Presumably, the FAKO companies also have the FICO Score software, but a much more limited set of data to feed into it - thus making the score less reliable to someone looking to issue you a loan (Big Bank).
At least, that is my understanding of how it works - admittedly, I may be mistaken and welcome corrections.
We only know the factors that go into the algorithm, and the score that comes out. Basically, a black box.
Answer was: Men tend to have larger feet.
I guess even if you ignore race, sex and other factors, data will seep in eventually anyways.
This could go really wrong if we let non-tech savvy regulators dictate tech stacks, specific hashing/encryption tools. Could work well, but just has a lot of potential to go very wrong.
Given that risk, as much as I don't want to live in an overly litigious society, letting the risk of lawsuits drive good security may be preferable to putting security in the hands of a few faceless government officials who themselves face no repercussions for getting the regs wrong.
Engineers, capitalism, private business have utterly, completely, fully and in totality failed.
This is not a little failure. Not a medium one. Not a large one.
This is a foundational, cataclysmic failure of the most epic proportion.
I think the time for voluntary private action has passed.
If developers, their managers, their stakeholders, and their shareholders took security and privacy remotely seriously, we would not be here.
We are here.
It is time to admit the full and complete failure of private software companies to protect data and privacy, and time for government to create a criminal schedule for management and developers who perpetuate criminal negligence.
I believe only 2 things will solve this:
1) Massive financial loss for shareholders -- they speak 1 language, US Dollars. If we say a US citizen's data is worth $100,000, then the fines would be large enough to literally destroy any firm who dared play loose with security. If there is no existential risk, there is zero motivation for compliance. Only existential risk matters to shareholders. The rest is Cost of Doing Business.
2) Criminal liability for management and developers of products which violate security and privacy due to criminal negligence
Without this, you can all but guarantee that your full identity is kept in plain-text and has already been stolen.
The DNC was hacked. The FBI and CIA have had their web sites hacked. The OPM had >22 million people's personal info stolen by Chinese hackers. The NSA itself has had major incidents where essentially cyber weapons were leaked. Those are just SOME of the ones we know about.
Let's stop pretending like government is any more capable, or even as capable, of protecting data than competent corporations. When was the last time Facebook or Google had a massive data breach? It's not about 'the corporations maaan' it's about competency and the limited consequences of screwing up so badly.
There is such a thing as punitive damages but in most civil cases a company or individual is not going to be held liable for more than actual damages.
Banks are usually happy to provide you with a credit line many times your net worth if you have a reasonable credit score.
The threat of lawsuits already existed before this hack. Look at the multi-million payout Target paid after their credit card breach (and they say it cost their company ~200mil). So that was STILL NOT ENOUGH to change Equifax's behavior.
Improved government oversight/regulation of this industry is more than overdue. This is a national security issue and we should not have our data (and the means of protecting it) held hostage by private companies.
Who is banned from using computers? You mean, in prison?
>Samy Kamkar, the author of the worm, was raided by the United States Secret Service and Electronic Crimes Task Force in 2006 for releasing the worm. He entered a plea agreement on January 31, 2007 to a felony charge. The action resulted in Kamkar being sentenced to three years probation with only one computer and no use of internet, 90 days community service, and $15,000-$20,000 USD in restitution, as directly reported by Samy Kamkar himself on "Greatest Moments in Hacking History" by Vice Media's video website, Motherboard.
There have been cases of people being banned from using any personal computer.
> Bouk, Dan. How Our Days Became Numbered: Risk and the Rise of the Statistical Individual (pp. 232-233). University of Chicago Press. Kindle Edition.
> In the case of Lange’s unemployed lumber worker, we find a man who might have opted for a tattoo because it could identify him in the case of an accident. After all, he did dangerous work. Or, as he paid money into the Social Security system, he may have wanted to ensure he’d one day be able to redeem his annuity, that he would not forget his number. Neither explanation, however, encompasses his evident pride in his number, his willingness to show off for Lange (who undoubtedly encouraged him, maybe posed him).
> Was he proud to have been, as the New York Times had put it, a “holder” of a Social Security number? Possessing such a number meant a promise of future income, protection for himself, and—after the just-completed 1939 amendments that included expanded support for families—protection for his wife and future children against his old age or death. Maybe he felt pride in the New Deal, in a government committed to him and his family, and advertised that pride on his bicep. Or perhaps, his tattoo displayed a workingman’s pride in his gender and class identities. Possessing such a number signaled his status as an industrial worker. Such status mattered in a bean-picking camp where most pickers had been excluded from eligibility for Social Security. Possessing an account set this unemployed lumber worker apart, probably even from his bean-picking wife.
This is some Mr. Robot / Fight Club shit. Get it over with.
This whole mess could be trivially fixed by credit bureaus introducing a PIN for every person and requiring it for opening a new credit line (issue is whether they could keep it safe, but at least it would resolve this problem).
They even already have such a mechanism in place, which is done through freezing the file. The problem is that for some crazy reason we are charged when we are trying to protect ourselves.
When you get your report it goes through a process of "generating" the report which you then download as a PDF. This could be logs from that generation service.
If the hackers got unrestricted access they may have found the API's logs and just copied them along with the PDFs?
If I were someone pretending to be the real hacker, I would show a screenshot of SSNs that I could find with Google (e.g. Kim Kardashian, Donald Trump, and Bill Gates).
Disclaimer: I'm no expert on security. I just like applying my things-I-might-do technique.
I realized my mistake a few years later and went through quite the endeavor to fix it.
Want to give me a loan? Search for me in public court records.
Humans don't have an innate right to borrow money. It's a service provided by financial institutions for a fee. I don't think credit reports are the best solution (far from it) but they definitely improve your ability to borrow money, at least if you have a good one. :)
This would be fine, except those financial institutions get THEIR money from the fed discount window. If their service was entirely private, that would be one thing but having the government involved changes the concept of "rights", especially when the fed loans out money with the express reason that the banks will loan it out in turn.
Besides, it's not only the bankruptcies that count. Good tradelines are also important, and those are not public.
That could lead people to not open an account but probably won't deter people from taking out a loan. But will be a big annoyance for customers.
I know equifuckingsucks at security but this is a setup that would actually just be difficult to interact with from a data standpoint
"If we are stringifying dob why is address still separated?"
"Why are the credit report resource Ids in the thousands not 1M +?"
"Why is the file size null but the file is listed with its mimeType?"
Be grateful you are in a position to be horrified. I'm currently fighting my way through a system that is not currently "Enterprise" yet, but was certainly headed full bore in that direction.
I consulted on an enterprise project once with EVERY column in EVERY table set to string because the engineers didn't want to think about datatypes.
All the queries used wild cards or just pulled back a ton of data and did the filtering and sorting in the application code.
That job sucked.
I don't think it's as difficult as you are imagining.
It also doesn't need any formatting in order to be displayed, which is likely its only real use.
One never knows.
Making it just hard enough that anyone with a Coinbase account and a credit card can't just do it without actually running a full node of their own, would probably be bad for business.
Except, how do you actually intend to regulate it? Enacting a law to do so is easy. Actually enforcing that law is another matter.
You do care about the children, don't you?
I hadn't heard about this last site. How did morons take it down? Or is that supposed to mean that morons put it up? English...
 https://www.facebook.com/HydraHackingUnited/posts/9614975439... (November 24, 2015)
 http://www.jeuxvideo.com/forums/1-50-138814262-1-0-1-0-qui-s... (June 20, 2013)
Having zero debt (and no credit cards) can easily knock your score that low, even if you have a perfect payment record.
The whole credit score thing is an extortion game:
To the consumer: Want a loan? Buy everything on cash back cards.
To vendors: Don't like the fact that we're upping transaction fees? What percentage of your customers use credit cards again?
If they actually were worried about your ability to repay a new debt, the fact that you already have a pile of debt would not increase your score.
While I'm not a fan of the credit bureau system, I understand the reasoning behind it. It's an efficient way for creditors to get access to the needed information. Lacking that, to allow the bank to evaluate your creditworthiness among other things you'd likely have to provide a list of references of past creditors and then your new potential creditor would have to validate those references individually: verify you had credit with them, verify you adhered to the payment terms, etc.
For better or for worse today instead of an on-demand complete graph we've got a centralized cache. This serves the needs of the financial players better (read: cheaper) while putting the PII of consumers at more risk.
Many other countries don't have such a system, and creditors use your past and projected income as a basis for making decisions.
From the perspective of the finance industry, these "absurd situations" are so far below the level of noise that they are effectively theoretical. If you want to discuss "in practice": in practice the users of the US credit system have no "current wealth" worth speaking of (look up the median net worth of US households), and their ability to maintain their existing debt is the defining feature of their financial status.
Again, there are many countries - including First World European countries - that don't have the credit score system, or only have reports on non-payments (usually govt-run). They seem to be doing just fine.
Or perhaps she had little credit history. I could see a scenario where most of her stuff is financed through an LLC vs her personal credit. If your business is solely "being popular", almost everything is a business expense :)
There's more than one embarrassing car repo celeb picture floating around.
This data is questionable anyway.
The reason is that they mean little for those with tons of money - but they mean everything for the average person with limited money.
They literally keep the poor poor.
All to say that just because you've been able to convince creditors to loan you $53 million doesn't necessarily mean your credit is good.
As far as I know credit scores are not part of credit reports as they do not show up when you request your credit report. If they were storing "credit score" as part of your credit report but withholding that information when you request a copy that would seem to violate the Fair Credit Reporting Act.
It wouldn't really make sense to store a credit score with the report anyways, it would only make sense to generate it on the fly only when a lender requests it. I'm assuming that different creditors report credit information on different days so it would be changing every time a creditor submitted information on that person which would be multiple times a month for someone with multiple accounts. And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.
Furthermore, there's not just one "credit score," there's different algorithms for coming up with a credit score. One creditor may request FICO 8 and another one may request VantageScore 3.0 on the same day. Then another comes by and wants FICO 5. So even if they were saving a credit score in the database I wouldn't think that they would have a field labeled as a generic "credit score" without any qualifier. It would be "FICO 8 score" or whatever algorithm was used to generate the score.
There's also other problems, I don't have my Equifax report in front of me right now but credit bureaus store alternative/former names which aren't included here. Like for me my reported names are FirstName LastName; FirstName MiddleInitial LastName; and FirstName MiddleName LastName. All because different creditors reported my name slightly differently. If you change your name (like Kim Kardashian did - she's Kim Kardashian West now) it would report both your former name(s) and current name(s). I don't see any indication that this sort of information is included.
Therefore I very seriously doubt the authenticity.
(From a technical perspective "pdf" is not a MIME type, the MIME type of PDF files is "application/pdf")
Also, why were credit reports for Donald Trump and Kim Kardashian created at the same second and then modified at the same second? Probability of this happening as a result of natural client activity - i.e. just watching the logs of the active service - is zero. If the attackers had access to this service and initiated the requests, then why not show the resulting PDFs, that they supposedly also must have had access to if they had access to the API?
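The plausibility checks the comments above raise against the purported dump (a "pdf" mimeType, null fileSize next to a mimeType, stringified dob beside a structured address, resource ids in the low thousands, and different people's reports created and modified in the same second) can be run mechanically. This is an added example, not code from the thread or from Equifax; the record layout and the constructed sample are assumptions modelled on the fields discussed, and MIN_PLAUSIBLE_MAX_ID is an assumed threshold.

```python
import json
from collections import Counter

# Constructed sample modelled on the fields the thread argues about; not real data.
# The first two records share timestamps to the second, use "pdf" as a mimeType and
# carry a null fileSize; the third is well-formed apart from the mixed dob/address typing.
SAMPLE_RECORDS = json.loads("""
[
 {"id": 4123, "name": "Example Person A", "dob": "1946-06-14",
  "address": {"street": "1 Example St", "city": "Exampleville", "zip": "00000"},
  "mimeType": "pdf", "fileSize": null,
  "createdAt": "2017-09-08T14:02:17Z", "modifiedAt": "2017-09-08T14:05:41Z"},
 {"id": 4124, "name": "Example Person B", "dob": "1980-10-21",
  "address": {"street": "2 Example St", "city": "Exampleville", "zip": "00000"},
  "mimeType": "pdf", "fileSize": null,
  "createdAt": "2017-09-08T14:02:17Z", "modifiedAt": "2017-09-08T14:05:41Z"},
 {"id": 4125, "name": "Example Person C", "dob": "1955-10-28",
  "address": {"street": "3 Example St", "city": "Exampleville", "zip": "00000"},
  "mimeType": "application/pdf", "fileSize": 48213,
  "createdAt": "2017-09-08T09:11:03Z", "modifiedAt": "2017-09-08T09:11:03Z"}
]
""")

VALID_MIME = {"application/pdf"}
# Assumed threshold: a bureau holding files on most US adults would not have
# report resource ids that top out in the low thousands.
MIN_PLAUSIBLE_MAX_ID = 1_000_000

BAD_MIME = "mimeType is not a MIME type"
NULL_SIZE = "fileSize null but mimeType set"
MIXED_TYPES = "dob stringified while address is structured"


def record_findings(rec):
    """Per-record inconsistencies that point to a hand-built mock-up."""
    findings = []
    if rec.get("mimeType") not in VALID_MIME:
        findings.append(BAD_MIME)
    if rec.get("mimeType") is not None and rec.get("fileSize") is None:
        findings.append(NULL_SIZE)
    if isinstance(rec.get("dob"), str) and isinstance(rec.get("address"), dict):
        findings.append(MIXED_TYPES)
    return findings


def dump_findings(records):
    """Map record id -> findings, adding cross-record timestamp collisions."""
    findings = {r["id"]: record_findings(r) for r in records}
    # Reports for different people created in the same second and then modified
    # in the same second is not what organic client traffic looks like.
    for key in ("createdAt", "modifiedAt"):
        counts = Counter(r[key] for r in records)
        for r in records:
            n = counts[r[key]]
            if n > 1:
                findings[r["id"]].append(f"{key} shared with {n - 1} other record(s)")
    return {rid: f for rid, f in findings.items() if f}


def id_range_finding(records):
    """Dump-level check on the resource id range; None when plausible."""
    top = max(r["id"] for r in records)
    if top < MIN_PLAUSIBLE_MAX_ID:
        return f"highest resource id is {top}; expected well above {MIN_PLAUSIBLE_MAX_ID}"
    return None
```

None of these findings proves a dump is fake on its own; the value is in how many of them pile up on the same records.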
It still looks sorta "off" to me even as logs.
Since there's no cost associated with this, they may well generate one for everyone and store it with their data.
Back when I was relatively new on the (full time) job market, I pulled my reports from annualcreditreport.com and it would tell me that my "credit score" is 720-740, and no negative marks.
However, I also had never taken out a loan before. So whenever I tried to use that pristine credit (e.g. for a mortgage, credit card, or apartment), I had "no credit history" which appeared to the creditor as toxic and subprime.
(Relatedly, when I got my first part time job and tried to buy a PS console with a check, Best Buy said it violated their "risk parameters" and wouldn't take it, though Walmart would.)
I'm curious to see what happens when I buy my first house. There was a huge chance I wouldn't have even needed the car loan but life happens.
>And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.
This obviously depends on your real-time requirements on providing a credit score. If you need to be able to return any credit score in X milliseconds, and you need to be able to do this at certain throughput, and have load that's not distributed across the day, then you might choose to pre-compute data.
There are techniques you could use to ensure you minimise re-computes and you could also pre-compute values into the future and re-calculate them when new/unexpected data came in.
It might not make sense to do this in a general-case, but placing retrieval performance constraints on a system can lead to non-obvious pre-calculation/computation solutions.
Wouldn't it be that one?
^ you can see if you or any of the above mentioned people have been compromised using this tool.
If you don't have a SSN, you'll need an ITIN for taxes.
(ITIN - Individual Taxpayer Identification Number)
Every American should be scared shitless at this incompetence. It's going to cost everyone thousands of dollars over their lives for credit fraud protection. Just another expense to add.
People can complain all they want about credit, but the reality is that it exists as a financial service because loaning things with interest is probably older than agriculture in human society. We've just gotten very good at risk assessment, and this going public would ruin our ability to assess risk for years.
Honestly, the credit industry ought to be the ones raging against Equifax's fuck up. If only all the other credit bureaus weren't on eggshells hoping they're not next.
The only change would be that you need to present photo ID in person to open new credit lines... which doesn't seem that unreasonable really.
So far, I have had three phones signed up in my name (essentially stolen from the suppliers), can't easily get a mortgage because I own my own company, somehow making me riskier than people who earn half my income, and in the past had my credit card limit extended to £10,000 without asking when I was almost broke.
To me that doesn't sound like they're good at assessing risk at all, they're just blindly following extremely simple algos instead of knowing their customers.
The records wouldn't be rendered meaningless anyway, the fundamentals of a credit report are how much debt you already have and if you ever miss payments or have judgements against you. Then a lender compares that to your income.
The film ended that way. The novel had a different, more Palahniuk-ish ending. Spoil it for yourself if you must at https://en.wikipedia.org/wiki/Fight_Club_(novel)
Offtopic I know, but quantitative economics and bureaucracies were both born out of agriculture; before that value was subjective.
The Target breach was the thing that finally catalyzed the move from magstripe ccs to EMV ccs. I think we are currently on the precipice of the point when we need to move towards a second factor of authentication ("something you have" or "something you are" in addition to the lots of "something you know" that the current credit bureau system uses).
What would an accurate "what if" scenario like this look like?
Overall, many thousands of folks would have their home plans/vacation/card-flipping/whatever plans screwed up, some thousands would have a more severe financial problem, the banks would muddle through, "we'd" rebuild the financial-surveillance system over again, and it would probably be less stupid in some ways at the cost of being more uniformly intrusive.
With such a large percentage of our social security numbers being potentially outright public, financial institutions need to stop assuming that an account holder is legitimate because they provide an SSN. And it is in their best interests to do so, since they end up on the hook in most cases for fraudulent accounts (after putting you through an awful process to prove it isn't yours).
For example, rather than letting someone sign up for an account with the SSN as a verification of identity, new credit accounts could potentially be considered probationary (or just outright not created) until a one-time code is mailed to the credit holder's established home address (based on their existing credits and payment history) as confirmation that the real person with that SSN authorizes that transaction. While such a step would not be completely impossible to defeat, it would mitigate attackers on the other side of the globe opening fraudulent accounts.
In my mind, the Just thing to do would be for Equifax to offer ongoing fraud protection to all of their customers affected by this leak. (Gosh, that might be expensive!)