Identity thieves bypassed Experian security to view credit reports (krebsonsecurity.com)
475 points by picture on Jan 9, 2023 | hide | past | favorite | 187 comments


> you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

Oh wow, that's one of the dumbest security holes I've seen so far. That means you're either authenticated in the first screen, or the second assumes that you are who you say you are if you land on it. There's a clear lack of ethics from whoever built that, who either didn't care, or didn't know enough to excuse themselves from building it and ask for assistance.

I mean, this is not your regular system. Everyone is in there, not that they have much of a choice, and it's their most sensitive data, that you decide you're up to the task to protect.

I'm all for learning from your mistakes and I'm the first one to screw up once in a while, and to admit that I am not a security expert. But the size of this combined with how freaking dumb this issue is... This is most likely gross negligence. In most other industries where people call themselves engineers, you would be putting your own professional reputation on the line when deciding you're up to the task. Then you would get in front of an ethics commission and likely get your license suspended or revoked.


I'm still struggling to think how this could have happened. I wonder if it has something to do with interaction with annualcreditreport.com?

Maybe originally the code had multiple levels of authenticating the user: 1) we know who you are, but you haven't proven it yet, and 2) you've proven it, now you can see everything.

But when they integrated with a 3rd party, which could have been a decade or more after the original code was written, some developer who didn't understand the code just lumped everyone who came over from annualcreditreport.com into basket #2, even though that user still had to go through the url flow to prove themselves. Just a guess.

I don't think most non-programmers realize how often preventing this kind of thing comes down to one developer making a stink repeatedly to indifferent higher-ups. If that one developer is incompetent or doesn't care, no one else does.


I don't know about this case, but a lot of the time this class of vulnerability comes down to lack of Authorisation rather than lack of Authentication.

So much effort is put into checking that people are who they say they are (is Person X really Person X), they forget to check that they're authorised (is Person X actually supposed to be accessing resource Y).

Given the URLs don't have the actual resource Identifier, it means the resource ID will have been gathered from somewhere else, typically one of three places:

1. Cookies / Localstorage - Easily manipulated and should never be treated as a secure place, it's easy to put simple values here and forget that they still need to be validated / checked server side, and that just because you have access to /foo/Y you might not also have access to /bar/Y.

2. Session - An ASP favourite, sticking something in a key like Session["FolderID"] you might assume you've validated and checked authorisation when you set the key, then later re-use (deliberately or accidentally) the same key elsewhere leaving it open for manipulation. And then you might assume you don't need to re-check authorisation when you read the key.


I wouldn't call the "session" concept an ASP favourite - it's the industry standard for any backend web framework to use a user session where the session key is stored as a random cookie value and the actual key-value pairs are stored on the backend somewhere.


That's fair, I associate it as an ASP favourite to mess it up and cause all sorts of security holes with it!

Probably just a lot more inexperienced developers treating it like a magic authenticated bag without enough warnings about improper use in the documentation.

Also a very easy "go to" store via global variable in ASP made it especially easy to use it as a go-to solution for anything that you couldn't be bothered to properly store.


The only way to write something super sensitive like this imo is to have the back-end API that retrieves full credit report be essentially hard-wired to a user access level of "FULLY_VALIDATED".

That way no developer can come along five years later and accidentally grant the wrong access level or show the report to a not fully validated user. Put the security check on or as close to the thing being accessed as possible.
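The two shapes the comments above describe, as an added example (not Experian's code; only the route names /acr/oow and /acr/report come from the thread, and the Level enum, Session object, sample report and verification answers are constructed): a handler that confuses "identified" with "authorized" next to a data-access function that is hard-wired to FULLY_VALIDATED, so a handler written years later has nothing to forget.

```python
"""Where to put the authorization check in a two-step identity flow.

Added example, not Experian's code: the route names /acr/oow and /acr/report
come from the thread; the Level enum, Session object, sample report and
verification answers are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Level(Enum):
    ANONYMOUS = auto()
    IDENTIFIED = auto()       # told us who they are, nothing proven yet
    FULLY_VALIDATED = auto()  # passed the out-of-wallet (oow) questions


@dataclass
class Session:
    user_id: Optional[str] = None
    level: Level = Level.ANONYMOUS


class Denied(Exception):
    pass


# Constructed sample data, keyed by user id: the resource id never appears in a
# URL, it is read from the session, which is exactly the pattern discussed above.
REPORTS = {"user-1": "REPORT user-1: accounts, balances, inquiries"}
OOW_ANSWERS = {"user-1": {"street": "elm street", "car": "sedan"}}


def identify(session: Session, user_id: str) -> None:
    """Step 1: the visitor says who they are. This proves nothing."""
    session.user_id = user_id
    session.level = Level.IDENTIFIED


def verify_oow(session: Session, answers: dict) -> bool:
    """Step 2: the oow questions. Only a correct set promotes the session."""
    expected = OOW_ANSWERS.get(session.user_id)
    if session.level is Level.IDENTIFIED and expected is not None and answers == expected:
        session.level = Level.FULLY_VALIDATED
        return True
    return False


# Vulnerable shape: "we know who you are" is treated as "you may see the report".
# Because the resource id lives in the session, this one condition is all that
# stands between a merely identified visitor and the full report.
def report_handler_vulnerable(session: Session) -> str:
    if session.user_id is None:
        raise Denied("not identified")
    return REPORTS[session.user_id]


# Hardened shape: the only function that can read a report refuses anything
# below FULLY_VALIDATED. A handler that forgets to check cannot leak, because
# the check sits on the thing being accessed rather than on the route.
def load_report(session: Session) -> str:
    if session.user_id is None or session.level is not Level.FULLY_VALIDATED:
        raise Denied("credit report requires a FULLY_VALIDATED session")
    return REPORTS[session.user_id]


def report_handler_hardened(session: Session) -> str:
    return load_report(session)  # nothing here to get wrong


def route(session: Session, path: str, body: Optional[dict] = None, hardened: bool = True):
    """Tiny dispatcher standing in for the web framework; returns (status, text)."""
    try:
        if path == "/acr/oow":
            ok = verify_oow(session, body or {})
            return (200, "verified") if ok else (401, "wrong answers")
        if path == "/acr/report":
            handler = report_handler_hardened if hardened else report_handler_vulnerable
            return 200, handler(session)
        return 404, "no such route"
    except Denied as exc:
        return 403, str(exc)


if __name__ == "__main__":
    s = Session()
    identify(s, "user-1")
    print(route(s, "/acr/report", hardened=False))  # 200: the leak, no questions answered
    print(route(s, "/acr/report"))                   # 403: blocked at the data layer
    print(route(s, "/acr/oow", {"street": "elm street", "car": "sedan"}))
    print(route(s, "/acr/report"))                   # 200: only after verification
```

The point of `load_report` is that it is the single path to the data, so the access-level requirement travels with the resource rather than with whichever URL happens to reach it; the same idea applies to a URL-carried id (`/foo/Y` versus `/bar/Y` above), where the loader would additionally compare the requested id against the session's user.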


This class of vulnerability is called BOLA [0] (also sometimes called IDOR) and prevalence is on the rise.

BOLA: Broken Object Level Authorization

IDOR: Insecure Direct Object References

[0] https://www.wallarm.com/what/broken-object-level-authorizati...


This is pure speculation on my end, but I can see it happen in a way that is not gross negligence.

Backend does not understand what the frontend looks like, does, or is even supposed to do. The data team just wants to make sure stuff is mapped and goes where it is supposed to go without breaking anything. Nowhere is there a person responsible for saying 'the fuck yo'.


It's just a classic IDOR, it's very easy to fall into with some frameworks.

If you look, you see it everywhere. When stack-exchange rolled out their CV feature they had a similar thing which leaked everyone's email address regardless of the public profile visibility or whether they had even used the CV feature.


I seem to recall github having this security hole in spades about a decade ago.


It's nineties-level internet security. Stuff like that was the bread and butter of security researchers of that era.


Closely related period fail: /receipt/<sequential-receipt-number-here>.pdf = all customers' full booking history and personal data for all time.


I mean, sure, but nothing has changed since: "Broken Access Control" is still #1 on the OWASP Top Ten for 2021.


This is where per-user level encryption of data should be used. If your credit report on that site is encrypted and the keys are only successfully derived by answering your security questions, you've added another layer of security [1]. It also prevents the situation where a hacker gets access to the box doing the security check, and they can read everyone's data versus just those users who are concurrently asking for their reports.

Even simpler, this would be prevented if /acr/oow set a decryption key as a cookie after validating the verification data that was then used by /acr/report to decrypt your credit report.

[1] Yes, it's possible to enumerate over all users' security answers, so it's not perfect, but it ensures a simple mistake with an if condition doesn't release everyone's data.
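The scheme in this comment, as an added example that is not the commenter's code or Experian's: the stored record holds only a per-user salt and a sealed blob, the key is derived from the normalized verification answers with scrypt and discarded after use, and wrong answers produce a key that fails the integrity check rather than garbage that might be served. The answer list, the report text and the vault dict are constructed; the HMAC-based stream cipher with an encrypt-then-MAC tag is used only so the block runs on the standard library alone, and a deployment would substitute a vetted AEAD such as AES-GCM.

```python
"""Per-user encryption of a stored report, keyed by the verification answers.

Added example illustrating the comment above; none of it is Experian's code.
Assumptions: answers are a short list of strings; the server keeps only a
per-user salt and the sealed blob, never the plaintext or the key. The
HMAC-based stream cipher plus tag is stdlib-only so the example runs anywhere;
a deployment would use a vetted AEAD such as AES-GCM instead."""
import hashlib
import hmac
import os
import unicodedata

NONCE_LEN, TAG_LEN = 16, 32


def normalize_answers(answers):
    """Canonical form so that 'Elm Street ' and 'elm street' derive the same key."""
    return "\x1f".join(unicodedata.normalize("NFKC", a).strip().casefold() for a in answers)


def derive_key(answers, salt):
    # scrypt's cost makes guessing low-entropy answers slow (the footnote's caveat);
    # the per-user salt keeps one user's guesses from being reused against another.
    return hashlib.scrypt(normalize_answers(answers).encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag (first 32 key bytes encrypt, last 32 authenticate)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(vault, user_id, answers, report):
    """Store the report so that only the answers can unlock it; the key is not kept."""
    salt = os.urandom(16)
    vault[user_id] = {"salt": salt, "blob": seal(derive_key(answers, salt), report)}


def fetch_report(vault, user_id, answers):
    """What /acr/report would call: wrong answers yield None, never a report."""
    rec = vault.get(user_id)
    if rec is None:
        return None
    return open_sealed(derive_key(answers, rec["salt"]), rec["blob"])


if __name__ == "__main__":
    vault = {}  # constructed stand-in for the database
    enroll(vault, "user-1", ["Elm Street", "Rex"], b"sample credit report for user-1")
    print(fetch_report(vault, "user-1", ["elm street", "rex"]))  # the report
    print(fetch_report(vault, "user-1", ["oak street", "rex"]))  # None
    print(b"credit report" in vault["user-1"]["blob"])           # False: nothing readable at rest
```

Because `fetch_report` cannot return anything without the answers, a later bug in the route that forgets to check whether verification happened yields `None` rather than the report, and someone with read access to the box sees only salts and sealed blobs. The footnote's caveat still applies: answers are low-entropy, so the scrypt parameters and an attempt limit on the verification endpoint carry the real weight.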


It seems like they owe us all compensatory damages. Big damages.

I never really understood how they could take my information, which presumably belongs to me, and then could use it to make millions. How about my cut?


Your information has never been presumed to belong to you, and you have never presumed that information you had about other people did not belong to you. Have you ever kept track of information about other people and felt compelled to notify them and potentially send them money? Like when you were in first grade and wrote down a list of "people i hate" or "who to invite to my birthday party"? Or when you got older and were getting petitions signed? Or maintaining lists of who to deliver to and collect money from on your paper route? It's actually an important freedom to be allowed to learn things about other people and to write them down, and share your thoughts with other people.

I'm not saying that I'm happy about the current state of affairs where we are spied on and sold and resold, but I just wanted to clarify that it's not so simple as you make it out to be that each person owns all information about themselves.


<< Your information has never been presumed to belong to you, and you have never presumed that information you had about other people did not belong to you. Have you ever kept track of information about other people and felt compelled to notify them and potentially send them money?

It is an accurate take. The problem starts when the gathering becomes an industrial-level process and people start charging money for it.

I am almost at a point, where I pray for a Target level breach that somehow involves the 3 bureaus. Maybe then other entities start suing one another over fallout. Until then it is just 'swy'.


These folks never did a basic pen test? Unauthenticated access to a different URL seems like a common thing to test for.


That's … optimistic in my experience. I've had reports include breathless disclosures that our application was leaking private information because robots.txt could be accessed without authentication, or that we were disclosing source code (front-end JavaScript).

Places which treat security as an audit checkbox are going to try to outsource that work to save money and they're going to get people who have enough skill to run a few basic tools but not to reason about the results or do anything creative. Experian seems highly likely to be on that side since they've been able to avoid any significant penalties for past negligence.


> There's a clear lack of ethics from whoever built that, who either didn't care, or didn't know enough to excuse themselves from building it and ask for assistance.

I highly doubt that Experian attracts the best and brightest. And when you have a company that doesn’t provide any features to the consumers whose data they collect, control, and sell except when sued, you get stuff like this.


True. If a structural engineer designed a bridge with supports made out of balsa wood and held together with duct tape, they would get in big trouble when the bridge inevitably collapsed, and the engineering company they worked for would be liable. I don't have high hopes that this level of negligence will have anything firmer than a slap on the wrist for Experian.


They're already not even commenting on the breach, and it's not as visible to the GP as the equifax leak a few years ago by the "state-sponsored chinese hackers". So I agree, very likely to result in nothing.


Credit Bureaus exist to share your credit file with any paying credit provider who asks for it.

They won't regard accessing credit files in this way as a security / privacy issue, but merely a billing issue.


Credit agencies have no reason to care about their security wrt your data. You aren't their customer, and they don't owe you anything


The credit bureaus are moving in to work/payroll verification by hoovering payroll data that US companies voluntarily give to them. They sell access to data to people verifying income for loan application, and law offices, and child support services.

I got a job offer and told the recruiter to put in writing that my payroll data will not be released without a court subpoena. I'm waiting on a response from the recruiter. My outlook is that HR does not care about employees if they purposefully leak this info.

Those concerned may want to ask their HR about payroll data sharing.

https://www.experian.com/consumer-information/employment-inc...

https://theworknumber.com


This can be more complicated in certain industries where a relationship with a credit agency is otherwise required. I worked at a fintech b2b lending company a while back that worked closely with all the big agencies and I distinctly recall that the company got favorable rates for opting in to payroll sharing when negotiating rates for other services from Experian.

It was sadly before my tenure at the company and I only became aware of it much later, but I would not be surprised if agencies are leveraging their other products to incentivize more companies to share this salary data.

In the meantime I'm going to continue exercising CCPA wherever I can and hope we see some legislation or court cases at the federal level to address some of these issues.


I mean, from what you’re saying, it’s complicated in the sense that the credit bureaus are exploiting their customers’ greed, because if the customer really cared about their own employees, they would say no to the discounted rates, and that would be the end of that. No?


You're correct, but I believe this line of thinking is a simplification. If you operate a public company and your shareholders demand a return, odds are you'll have a board that's going to force you to have specific policies. Some of those policies are along the lines of "take any discounts you can get on things that cause operational expenses."

The only real way around this is having shareholders that care about employee privacy, and I think _that_ will only happen if these privacy issues impact the bottom line in some way (difficulty hiring, increased costs, etc).

It's frustrating in that this behavior is cultural and endemic to how businesses operate in the US. Change is possible, but it requires support from more than just the line of business employees and management.


> but I believe this line of thinking is a simplification

Yea, sure. I wasn't meaning to take a hard moralist or anti-system stance, when I say "the company is greedy" I understand the company and its people are a cog in a larger machine.

There is a simpler way out than waiting for a cultural change to stop that practice, though: regulation.

I'm not entirely sure, but I doubt that here in Europe it's so easy for companies to sell payroll data - if at all legal. At any rate it sounds like an abhorrent practice.


> If you operate a public company and your shareholders demand a return, odds are you'll have a board that's going to force you to have specific policies. Some of those policies are along the lines of "take any discounts you can get on things that cause operational expenses."

There's a lot of mythology around that, however: managers are given a large amount of discretion about business decisions because it's extremely rare that there are no trade-offs for any decision. For example, you could save a lot of operational hosting expense by switching from AWS to Bob's Bait Shack and Server Farm. In this case, you could argue that the risk to employees is significant and would potentially spill over to the company if leaked information was used to compromise them.


You can freeze the worknumber so people running background checks can't get information. When I changed jobs the company ran a background check and they kinda freaked out cause they couldn't get anything out of this database. I loved it.


Gartner has predicted by 2038, the average American will spend 17 hours per day opting out of things they never opted into.


Do they predict what percentage of trackers this continuous coke-filled click-fest will actually disable?


They did not, because the number wasn't estimated by adding up predicted time per tracker or service, but by determining this is about the maximum the market can bear - i.e. a steady state of the system.

Curiously, Stratfor also predicted 60% chance of the US going to war with the EU before 2036, due to EU privacy regulation threatening to shut down the increasingly adtech-based US economy.


This serious analysis is stupider than the entire plot of Idiocracy.


I can’t tell if that’s a real report or something from The Onion.


“How to freeze your work number”

https://news.ycombinator.com/item?id=33212195


I would do the verification over email as that means they didn't typo whatever email you gave them (easier to typo an email address rather than a phone number).


You still need to email them two forms of identification (personal ID and mailing address) then it takes three days.


I wonder if security of the payroll data lookup is even worse than the credit report website. A 'freeze' may be worthless if the data leaks are large. And a person making $18/hour to do child support case management may be interested in making extra cash by looking up other people for a fee.


> I got a job offer and told the recruiter to put in writing that my payroll data will not be released without a court subpoena.

Doesn't this kind of demand usually just result in you not getting the job?


Yeah, probably more often than not. But if you've got in-demand skills and can afford to be choosy, then go for it if it's important to you.


It would be a bullet dodged if so


Not all companies give out payroll data. Better to learn now if finance/HR doesn't protect their employees and to decline the offer. Lack of qualified applicants ... or people have had enough. I do not consent.


They should also ask their mortgage and auto loan provider. I was running a consultancy when Paysa came online. We were surprised to see it knew a lot about compensation and titles of most of my employees. But not all of them. We found that the common thread was employees who had recently applied for loans/mortgages. They had submitted paystubs as part of the application process which were then sold.


I happened to chat with HR when I did the opt-out. They claimed, which I didn't believe, that most employees actually benefit from it because they get streamlined approval for personal loans and mortgages. I think it's just a way for them to cut down on support requests from employees (like "Hey HR I urgently need you to provide my last three pay stubs or employment verification letters").


Lol HR have an arsenal of excuses/bs on hand, always. “Most employees actually benefit” Christ



Unfortunately you won't stop the tide with simple data practices. If they can't slurp up the data automatically, they have an army of people making phone calls to gather employment data from other sources to add to their database.

We use them as a provider (unfortunately), and when they don't have the data on hand we have to handle cases where it can take a few days for them to call the business and confirm employment directly with someone who works there. At that point, I don't think where you work has a reasonable expectation of privacy since you walk there, probably put it on your LinkedIn, talk about it with friends/family, etc.


> put it on your LinkedIn

I stopped doing that when LinkedIn added their loginwall.

Clearly LinkedIn wants to harvest data while at the same time making it difficult for others to do so, which would go against my interest of making it public.

So I posted it on my own website. Goodbye to another centralized point of failure/control.


People are lazy. If they can't get the information, a very large portion of them will rubber stamp it or just ask you if it's true, possibly to provide some evidence which they will be too lazy to verify as authentic.

>it can take a few days for them to call the business and confirm employment directly with someone who works there

If you hire out this kind of work, half the min wage slaves getting screamed at with hot breath down their neck for "low productivity" are gonna call once at most and likely not at all and then check it off. Speaking as someone who has worked at a call center along with the populace which was basically people on work release/probation.


> If they can't get the information a very large portion of them will rubber stamp it

They'll just toss your application out without a human ever seeing it. You're clearly a noncompliant troublemaker and not worth hiring.


Most places don't do much vetting of your background until you're hired. At which point it can be a lot of work to offer it to someone else, especially if it's been more than a few days.


Keep in mind that the large employers pay Equifax and give them your pay data.

Equifax/TWN has a brilliant business model that should be illegal. Get paid to collect data, then resell it.


Is this something that HR can typically & easily control with the systems they use?


That depends on the systems they use. I appreciate the OP for making at least one office give a moment's thought to it.


I’m not surprised in the least bit. I keep my credit locked constantly since I’ve had my SSN leaked multiple times (by US government agencies). Every time I go to unfreeze it when I apply for credit at least one of the big 3 credit reporting agencies lets me unfreeze it without specifying the PIN I had to create when freezing.

If there was any justice these companies would get the corporate death penalty.


I froze mine years ago when the first leak of my SS# happened thanks to one of the stupid credit agencies.

I was happy and secure in the knowledge that it was locked until I had to unlock it the first time. The password I set didn't work, as they had apparently changed the log-in system with no alert (also, now the stupid log-in sends us spam e-mail that we can't opt out of).

I called them. I had my account unlocked, and the phone representative even gave me my own SS# within three minutes of being on the phone, and by answering questions that were publicly available information.

It's an absolute fucking train wreck and I wish the system as a whole and the credit companies in particular were destroyed.


> … and by answering questions that were publicly available information.

The 3 questions fraud check system everyone uses to performatively pretend to ensure you are who you are, can only draw the questions it asks from — guess what — publicly available information.

It's illogical on its face.

// After identity theft, it gets worse, as thieves' fraudulent or real data will enter public records under your identity key, and now you can't pass your own check.


PINs for freezes seems to be a thing of the past. I recently unfroze all of my credit reports momentarily so they could be accessed, and none of the big three asked for the PIN. They each have their own login and as soon as you authenticate to that, you're good.


> these companies would get the corporate death penalty

Would suggest replacing this in your vocabulary with “fines,” “license revocation” or “criminal penalties.” Corporate death penalties, i.e. judicial dissolution or charter revocations, while a good slogan, don’t make a lot of legal sense. As a result, I’ve found it in practice used to segregate activism and turnout operations (who like it) from rule and lawmaking influence (where it’s not a serious concept).

Massive fines, equal to market cap, or absolute liability, e.g. a $10k + legal expenses minimum owed to each person whose data leaked irrespective of actual damages, for example, are more specific and actually actionable.


I understand "corporate death penalty" as a dissolution of the corporation, likely with some cool down time for the execs found guilty when they cannot work as execs.

No violence should be involved. Large layoffs resulting from that won't be pleasant one bit though.


I'm pretty confident it wouldn't come to layoffs. If Meta faced such a risk they would simply follow the rule. Remember how many times they threatened to leave EU?


> dissolution of the corporation

Corporations are a legal fiction. What does dissolving the corporation mean? Revoking its charter? Then what happens to its assets? If you return them to shareholders, you’ve given a boon to its wealthiest, who can now re-organise it free of prior liabilities. If you liquidate them, you’ve delivered a junior fine, since with real fines the fine gets paid before creditors. If you take it, you’ve expropriated (also, fines with extra steps).

In every case, what you want from a “corporate death penalty” is better effected with actual penalties. A market-cap sized fine is more specific and more actionable than a “corporate death penalty,” which is why I suspect the latter is in circulation.


A corporation is an organisation. It has internal processes, both documented/formal, and undocumented/informal - 'the way we do things here'. There are teams and departments, and relationships between them. There are contracts and commitments to and from other organisations. Handshake deals. Unspoken agreements. Expectations around whose turn it is to get promoted. Culture. History. Group identity.

And sometimes these are bad and need to be dissolved.


How do you dissolve people's history and identity? Imprison them until they're reeducated?




If I start a company with the express purpose of having it commit crimes, it will be shut down and everyone employed will be fired. That's not on the government, that's on me, the employer. So then where is the line that we draw that says how badly a company needs to behave or how many crimes it needs to commit to justify it being dissolved? We should not tolerate crime for the sake of the livelihoods of the henchmen. "The death star is bad, but think of how many people would be unemployed if we stopped them" is exactly the argument they want you to make.


The theory is that, _once it becomes policy and happens a couple of times_, employees will pay attention to what their company is doing, and get out if they think they're in danger. It aligns individual morality with self interest, and will crater a company that starts sliding towards dissolution.

Thus actual enforcement becomes almost a non-issue.

I'm not sure I buy that the janitorial staff is supposed to keep up on the dark patterns in the sign up page, but that's the theory.


To be consistent you'd have to be opposed to venture capital shutting down and selling off companies as well.

To be fully consistent you'd have to be opposed to firings and layoffs in general (except as the result of a commission of a crime by the person so fired).

I'd be happy with a corporate death penalty that resulted in the stockholders being wiped out, the executives (and possibly board) being fired and barred from the industry, and executive control of the company being taken over by someone like John J. Ray III. This would allow either a restructuring of the company or gradually winding it down in such a way that the non-executive employees and bondholders aren't screwed over.


I would suppose whoever is being forced to terminate their employees is doing so under the threat of state violence (men with guns), but the employees being fired are not being threatened with any force, they're just losing their job.


Violence is the only language the state knows.


I am not unsympathetic to your ultimate meaning. However...

Take everyone's favorite whipping boy, Facebook/Meta, as the example corporation. At every turn, they have shown that they have prioritized greed vs community good. Any good they provide is only to further their pursuit of wanting more. Because they are so large, any upstart competitor with a total opposite ethos that might come about gets annihilated by the behemoth.

If legal action were to give Meta the corporate death sentence preventing the company from operating and its execs from pivoting to somewhere else, then and only then could the competitors actually have a chance. So just because there's a death sentence for a corp doesn't mean the "people" lose as well.


> legal action were to give Meta the corporate death sentence preventing the company from operating and its execs from pivoting to somewhere else

Just do the second bit. The problem with judicial dissolution is corporations are a legal fiction. What you do with the people and assets is far, far more important. Ignoring the legal fiction to focus on those is my point. Take their stuff (fines). Force them to restructure (break-up). Limit their scope (corporate criminal penalties). Restrict their executives. “Corporate death penalty” is exactly non-specific enough to avoid specifying those prescriptions.


yes, but in conversation, are you going to list out those things every single time like that or are you going to do it once and then follow up with, "you know, the corporate death penalty?"

i don't think it's nearly as non-specific as you think. if you ask people what a corp death penalty would be, my assumption would be that people would think of it as the corporation no longer existing. if you're saying that corps would just spin off assets as a new name, new corp charter, same people, same processes, then yes, that would be a valid concern. but we can at least state that once, and all agree upon it rather than continuing to repeat it like we're unable to understand the concept.


> ask people what a corp death penalty would be, my assumption would be that people would think of it as the corporation no longer existing

I mean, look at this thread. I’m not saying the impulse is wrong. But “corporate death penalty” seems to be a good way to take a discussion which could lead to an outcome into one that won’t. That’s fine! People vent! But we shouldn’t confuse venting with deliberating.


I just can't wrap my head around what your issue is here. Only lawyers talk like this. Are you a lawyer? People feel a corporation has committed such wrongdoing that it should no longer exist. When that happens to an individual, it is known as the death penalty. Applying that same phrasing to a corporation comes with the same understanding. Your pedantry in this case is quite trite.


Not the person you're replying to, but I think the issue is that the individual vs. corporation analogy doesn't work. If you kill a person who has done bad things, you will indeed prevent that person from doing bad things in the future. If you kill a corporation (via legally dissolving its charter, the "corporate death penalty"), then you will not keep the individuals and investors associated with that corporation from doing bad things, as they will likely reorganize into a new entity and continue to do those bad things.

I agree that there's an element of pedantry there, so if (as the GP suggested), someone is just venting and doesn't care about a specific outcome, saying "give them the corporate death penalty" is fine. But the downside is that if someone reads that, and looks up legal corporate dissolution, they might get the wrong idea that this sort of remedy will actually fix the problem. Or they might not even do any research, and just decide to start throwing around this term themselves, without really understanding what it means or what it does (and doesn't) accomplish.

But I also agree that listing out other specific remedies (market-cap-sized fine, jailing executives, whatever) is long-winded and annoying, and maybe not really useful or relevant unless the discussion is actually about what specific remedies might be effective.


A corporate death penalty would be:

(1) Dissolution as a viable entity in the US

(2) All assets sold and paid out to wronged parties before debt servicing or shareholders

(3) All officers barred from holding political, non-profit, or corporate office at any level in the US states or territories, as well as removing the veil of corporate liability from officers. All technology and security employees have liens put in place to pay affected parties as well.

When we mean death sentence, we mean it.


I'd agree except for fines.

If the fines are < the advantage to scoff the law, such a fine just puts a price tag that can be used in a cost-benefit calc for the company.


The fines should be to the shareholders. Ownership should be determined recursively to all actual humans. No trusts, no corporate owners, no funds.

A strawman: Maybe proportion of ownership times current assets and all future income. Whatever fraction of their financial being is proportional to their share of the corporation is "dead".

If you have X% ownership share, you are fined X% of all your current assets and X% of all future income.

A message needs to be sent that it's not okay to invest in a company that is doing harm and then walk away from it. You're ethically and morally liable, the law should reflect that.


It's interesting seeing the American credit model malfunction so badly so often (massive data leaks, crappy gaming of the system - even today I read on HN not to pay off your mortgage if you don't have any other loans or it might tank your credit score).

As with a couple of other things, it's basically the only developed country with this model (useless for-profit middlemen for no good reason), it really sucks for the average consumer, yet there is no actual change coming. Why? Is it American exceptionalism refusing to acknowledge that there are better ways used elsewhere? Is it free market "absolutism" hoping the market will fix itself?


I disagree with the better ways used elsewhere, as a French citizen who has worked abroad all his life, I can barely get anything. When I came back to France for a year due to my father's health issue, it was difficult getting an apartment because I had proof of income for more than 3 years in France (the current income I was declaring of 150k usd a year working remotely from France didn't count). People in France who have a CDI (permanent contract) can easily get mortgages and everything but entrepreneurs, people on fixed term contracts, etc... have a very hard time getting anything.

With a US social security number that I got as a student and good management of my credit card accounts that I kept since, I have a good US credit score and can easily get a mortgage in the US. Of course, it's possible to game it, but you can also get a very decent score by just managing your finances well.

So from my perspective, I think the US system works much better. Does it have issues? Yes, there's data leaks, there is some gaming of the system (by the way, paying off the mortgage won't tank the credit score, it'll lower it yes by a few points, but that's mostly inconsequential)


> I disagree with the better ways used elsewhere, as a French citizen who has worked abroad all his life, I can barely get anything. When I came back to France for a year due to my father's health issue, it was difficult getting an apartment because I had proof of income for more than 3 years in France (the current income I was declaring of 150k usd a year working remotely from France didn't count).

Do bank savings count for anything?


I had 50k euros in a bank account, didn't help because I didn't fit into the criteria for the so-called unpaid rent insurance ("garantie loyer impayé").


“Working remotely from” means long term you’ll be paying taxes there. Which should be proof, and if not should be fixed. Having to wait a year or three is probably fine for a mortgage, no?


French bureaucracy is infamous for a reason and it's not just the state itself. A CDI is a certain type of employment contract, and a CDI is a CDI and everything else isn't, and a CDI is required for almost any significant loan. Workarounds are possible for smaller loans IF you have a personal relationship with the bank officer servicing that area. But if you didn't grow up there, or don't normally bank there, or they're suspicious of your race or tattoos, or were your bully in high school or or or. This sort of thing is more or less exactly what the credit reporting setup was meant to eliminate.

It doesn't matter what it "should be" proof of or what a reasonable person could infer from this income or documentation of it. If you don't have a CDI, which even many full-time employed people don't, you're in a hard spot.


Again, I don't see anything here that requires a third-party as intermediate. If you have a system broken in another way, go right ahead and fix that. But it is not sufficient justification for incredibly bad actors such as Experian et al to exist.


That's the thing, based on my experience living in different countries like France as described above or in Japan for a few years (where I was systematically rejected for credit cards when my ex who was a student with significantly less income than me was approved), I find that having third parties as intermediaries set up a credit reporting system with clear rules like the US is so much better.

The US system has issues but it's less broken than every other country I've lived in.


But what about the other 99% of us that aren't living internationally in multiple countries we have no history in?

The idea that everyone is forced to create a public profile so you have the option of getting a mortgage sucks. You have no right to a mortgage at other's expense. If you want folks to trust you, get a co-signer, put down roots and stay a while.


Ok, granted, living in different countries is not something that most people do, so let's talk about the other big advantage that a system with a credit score has. It protects against racism. If you don't have that, it's very easy for a bank officer to reject a mortgage because you're the wrong colour. You'll tell me there are laws against discrimination but what often happens is people discriminate and then find other excuses to justify the rejection. Are you going to tell me that this isn't a problem?

Without a credit score that follows simple algorithmic rules, how do you want to prevent this from happening? A credit score that has rules that people know in advance may be gameable but it also creates fairness by making it easy for everyone to know what to do to get a decent score.

Now, the fact is that the credit score could be managed by government agencies (although honestly, I'm not sure any government is much better in terms of data security), there could be stricter fines in case of data breach (that sounds like a good idea), but those are implementation details.


Lofty goals but too many degrees of separation I'd say. Not my responsibility to fix the problems of society. I'd go farther and say ubiquitous credit is not a human right, to the extent to force its drawbacks on the rest of us.

That said, I'd agree that both of our plans could be implemented a lot better.


Yeah but having to wait a year or three (three actually because as someone working remotely, you're self-employed and the self-employed are always required to show 3 years of salary for anything) during which 80% of apartments reject you because you don't fit the criteria of the "garantie loyer impayé" is more than frustrating. It's downright hostile. Getting a mortgage is a pipe dream...

Being a French national and not being able to get a mortgage to buy an apartment for my mum is also more than a little frustrating. And that's despite having quite a bit of money saved.


You getting a mortgage is not a problem I'm willing to pay for with my privacy. (Not that I was given a choice.) Buying property here is a pipe dream, period.

I've rented apartments without credit by showing paycheck stubs and bank balance.


Also, I'm kind of confused, why do you think you'd have more privacy in other countries or with other systems? Even without credit scores, you still have credit cards, debit cards etc and all this can be tracked? There were massive data breaches at places like Target, wouldn't you be impacted without credit scores and those 3 companies?

Outside of living off the grid, paying everything in cash, how do you want to have privacy about how you spend your money in this day and age?


Well, I'd say having a soon-to-be expired credit card transaction revealed here and there is a lot less worrisome than a single entity hoarding everything over my lifetime, combined with an utter disregard for security. They also sell it without knowledge and usually consent. At least CC processors have PCI standards right?

Bulk surveillance is a problem as well, but a big topic for another day.


Having done PCI compliance audits and talked to QSAs who told me about a pretty serious breach at a well known payment processor owned by Visa, I wouldn't put too much faith in the PCI compliance process when it comes to protecting my data.

I guess where we differ is that between banks having lousy security, social media and search giants selling all our data, the cat is already out of the bag when it comes to privacy and won't be put back until the law is updated to have teeth, so I see that as a separate problem (which does bother me) that's orthogonal to the 3-company credit scoring system.

That doesn't mean that it shouldn't be solved, I believe Equifax, Experian and TransUnion should be heavily fined for any breach of data, especially considering how important the data they have is.


It's not really malfunctioning, in my opinion. It's more or less designed to violate individual privacy and offer as many people access as efficiently as possible.

Neither free market absolutism nor exceptionalism are the reason that it's designed this way. At least, not in the way that I think you mean it. Rather, it's because the current economy of the USA is an inflationary credit economy. It's a very un-free market; a great example is education. The government subsidizes loans which drive up the price, and put people in debt so that they are more desperate to take jobs.


I mean, a credit report is only useful if it actually tells me about _your_ credit worthiness.

Sure, some Elon Musk guy might have enough credit worthiness to make a $44 billion purchase. But are _you_ Elon Musk or just some guy impersonating Elon Musk? Fraud may not be rampant enough currently but if Experian/etc continue to help fraudsters it will just keep getting worse.


I find it kinda similar to:

-USA tax system where TurboTax created a niche for itself and fights hard to keep the system as convoluted as it can be to the detriment of everyone

-USA healthcare insurance system where insurance companies do the same

Seems like best way to profit is to become a parasite that does not fix the problem but just defends the current situation.


> Why? Is it American exceptionalism

Because our government is completely corrupt and doesn't represent the interests of the People, at all. It serves and is beholden to large corporate interests, chief among them banks and financial institutions. In a just system that represented our interests Equifax would be forbidden from compiling consumer data after what they did.


Exactly, and the best part is it is all out in the open but the majority of people either don't understand or don't care. The corporations openly write legislation via their lobbyists, huge bills that congress themselves don't even fully read let alone write. I've just about given up hope that this will ever change.


The 2014 Princeton study https://doi.org/10.1017/S1537592714001595 highlighted https://i.imgur.com/eH6YcWn.png what a corrupt sham our "democracy" has become.


We should remember the reason why it was created - to replace decisions for approvals on loans, mortgages, apartment rentals etc being made by low-level individuals for a variety of arbitrary reasons. Many places made such decisions based on personal connections, class, race, and other such things. AFAIK most other places still use such systems. Replacing that with a system where everybody's worthiness and terms for such things is determined algorithmically based on numeric data is a great move towards equality.


There's a bunch of people making money from it and that usually takes precedence over whether it is fit for purpose in other ways.


Yep, think of credit score as a rating of how likely a debtor will be profitable to creditors over the long term.


>even today i read on HN not to pay off your mortgage if you don't have any other loans or it might tank your credit score

Only when it drops off your report, which is 10 years after you pay it off.

If you were so concerned about having a line of credit on your record then open up a credit card and don't use it, no reason to pay thousands of dollars in interest to avoid an abstract fear of "tanking your credit score."

>it really sucks for the average consumer, yet there is no actual change coming

I am an average consumer. The credit system is great for me! I'm able to demonstrate my responsibility and as a result I'm able to obtain a large amount of credit products at very low cost as well as pay less for insurance. I guess you can argue that the government should be providing this service rather than private companies or there should be more regulations around security, but the system only "really sucks" for people who take out loans and don't repay them.


Funny story:

Rocket Mortgage fraudulently tanked our credit score and refused to fix it. The other bank's underwriting department looked at it, shrugged, and honored the mortgage office's request for an override to give us the best available rate.

IMO, Credit ratings are theater.


I had $60k in the bank and was paying $12k down on a used car that cost $28k and would be worth $30k the second I had the keys (the dealership seemed to low ball it a little, probably because they were a new Volvo dealership with one GTI on the lot they had for like a couple months that they needed to get rid of), but no, they still needed to check my credit, which at the time did not exist, and still required me to sign up to $2k interest payments over a 5 year loan that would have been more profitable if I never paid a cent and they could repossess the collateral.

I know there are contrived ways I could have killed the value of the vehicle before the loan was done and they couldn't recoup it, but like, come on. My credit report was BLANK. It was never needed in the first place.


> Only when it drops off your report, which is 10 years after you pay it off.

I haven't seen what happens at 10 years, but there's definitely an effect after about a year; mine dropped 50 points, which isn't really tanking, but could switch you into a different risk category depending on where you started. Finishing up my car payments didn't help either.


Credit Karma isn't a real score.


Who said anything about them? This is on scores reported in my online banking.


Then your online banking is using the same fake score as Credit Karma (usually called VantageScore or something like that)

If you actually want to get the score that lenders use, experian.com will give you your FICO 8 score. This score considers all accounts open the same until they have been closed for 10 years.


One of my banks says:

> The FICO® Score pulled on [date] is the FICO® Score 8 based on Experian data, and is the same score that [name of institution] uses, along with other information, to manage your account.

Another says:

> The score provided here is FICO® Score 8, which is based on TransUnion® data and may differ from other FICO® Scores. Variations may also occur when your score is based on data from another consumer reporting agency or calculated at a different time. [name of institution] and other lenders may use different scores and other information in credit decisions.

I'm not going to intentionally interact with Experian directly, unless I have to, so not going to compare there. From what I recall, when I last opened a loan and they disclosed the scores, they were within spitting distance of what I was seeing from my banks at the time.

Now maybe FICO 8 score means something different than FICO Score 8; these guys like to be deceiving, and maybe some banks give the VantageScore, but mine seem to give a FICO Score 8.


Paying off your mortgage won't "tank" your score.

I paid off my mortgage almost 15 years ago. I have zero debt, no car loans or anything, and pay off my credit cards in full every month. My credit lines are barely utilized (single digit percentage.) My score seems to vary from 790 to 810.


Using credit cards and paying them off is keeping your score up.

If you have no debt and pay cash as you go for your expenses, you will eventually drop because the credit bureaus will have no recent data to compute a score.


I posted on my sibling that 22% of Americans have no credit and of the ones that do have credit, 18% have a subpar credit score. That sums up to over a third of Americans that the credit system is either working poorly or not working at all.

Maybe you are indeed an “average consumer” (whatever that means) but if you are, then the credit system is heavily skewed in your favor, with many “non-average consumers” falling by the wayside.


Why do you consider yourself an average consumer?


I would love to see some data about this but it wouldn’t surprise me if many USA residents don’t have a credit score at all, or if they do, it is very minimal. Given how many are underbanked, I wouldn’t be surprised if the average credit score is heavily skewed by the people gaming it.

Anecdotally, neither me nor my partner have a credit score. I know several people where I’m living that are permanent renters/get owner financed loans, buy used cars with cash (or are simply given old cars, or don’t have a car at all).

I did a superficial search and found some census data (https://www.census.gov/data/datasets/time-series/demo/cps/cp...) but I have no idea how to read it.

Edit: Looks like my suspicions have some merit:

> 22% of Americans do not have a credit score. Half of this percentage has a stale credit score that makes it impossible to generate a valid FICO score while the other half do not have any credit file with any of the three credit bureaus—Equifax, Experian, and TransUnion.

> 18% of Americans have credit scores that fall in the 580-669 range of “fair.” those in the fair range are considered sub-prime and have lower chances of qualifying for a loan or getting better interest rates.

https://comparecamp.com/credit-score-statistics/


Does anyone have good resources on what other non us countries do? Asking as an American curious/wanting to learn more.


I don't have any resources to share but in my country the bank looks at my income - expenses then checks if I've defaulted on any debts. My limited understanding of the US system is that everyone has (often several) credit cards to build the necessary credit score. Here owning a credit card is for people drowning in debt who struggle to pay bills on time or in rare cases new money flexing their Amex Black, which is also frowned upon.

I've always thought the US system was super weird and backwards forcing debt on people. We don't have credit cards from every big chain and don't get harassed into signing up for cards in the mall, it's just not a thing.

We have the same safeguards you have, but we prove it with sensible spending instead of getting debt just to prove that we can pay it in time.


"looks at my income - expenses then checks if I've defaulted on any debts" - This is basically what we do in the US as well. But HOW do they do this in your country?

In the US, the loan originators look at year-end tax forms or recent pay stubs to verify income. They look at credit reports from e.g. Experian to verify defaults and other debt information.


The paychecks are verified at the bank, probably tax as well. For the debts we have a government authority which is usually the last resort for creditors. This authority also takes care of getting your cash, selling belongings etc to pay off creditors.

This is all open data and can be verified with just a phone call to the tax office and debt authority. Some private aggregators exist for convenience but they're regulated in what they're allowed to share and for how long.

The private companies are also required to notify me anytime someone checks my score, the government agencies aren't.


Australian here. When I applied for rentals I just went to my online banking and took screenshots of the deposits.

It's been years since I had my mortgage approved but I vaguely recall the process being very similar.


Google is your friend...


Are you able to offer a better system that is/was working in another developed country?


I can tell you about the system here in France - when you apply for a loan, the bank asks for some information (your salary, marriage status, kids, etc.) from you to see what you're capable of to spend monthly, and checks with the national bank what loans you have/had, and if you've defaulted on any of them. That's it, they don't need to know more, and the national bank doesn't keep track of everything, only very basic loan information (and of course they have no for profit motive), and nobody outside of a bank where you're applying for a loan uses this information to define your worthiness as a tenant or employee.


But why not?

Failure of paying back a loan prior - why would I want them as a tenant?

If you had a friend that failed to pay back loans, would you want to make a future loan to them?


Well, French laws are heavily in favour of tenants so actually contrarily to the OP, it's not that easy to rent an apartment. I'm guessing the OP has a CDI (permanent contract), has a French family name and doesn't look Arab or Black. In those cases, yeah you can get a mortgage relatively easily, you can easily rent too.

But, 24.8% of people who are employed have those permanent contracts. People who do not have that have it much tougher. To get back to the example of renting, landlords in France are scared of renting to tenants who don't pay because it's hard to evict tenants, so they often use something called a "Garantie Loyer Impayé" which is an insurance backed by the government that will pay back any unpaid rent to the landlord. But if you don't have a permanent contract, it's hard to qualify for this. When I was searching for an apartment 7 years ago, 80% of apartments rejected me because I was working as a contractor (and what's worse my income was from another country since I was working remotely). They used that insurance and that means that I couldn't qualify.

So, yes, if you have a permanent contract in France, things are relatively easy but, even then, I have a friend who is black and worked as an electronic engineer with a permanent contract but still had a hard time securing a mortgage because, for some unknown strange reason, he got rejected a lot more than his white friends.

Credit systems with clear rules like the US may be gameable but they have the advantage of actually protecting against racism, of enabling people with non-standard profiles access to credit and of actually being relatively easy to follow.


Hmm, the US credit system might not be as effective at preventing racism as one might imagine. Hard to say without comprehensive numbers however.


Depends on the terms. People change, situations change. It's a big reason why finance firms in the US are attempting to move away from the three CRAs to cashflow underwriting; it turns out credit scores aren't a great forward looking proxy for repayment ability.


The whole concept of “identity theft” is a concoction meant to pass blame on to consumers rather than creditors. If a bank gives away money to a person pretending to be you, that shouldn’t be your problem. The bank screwed up. Your “identity” wasn’t stolen, the bank didn’t do basic due diligence and now they’re looking to pass the blame on to you.

https://youtu.be/CS9ptA3Ya9E


I’d be ok with it if my identity was a secret that I needed to guard myself. But it isn’t. My name, DOB, and address are made publicly available by my municipality. My drivers licence can’t be kept secret because the law requires me to carry it on my person, where it’s easily lost or stolen (and also needs to be shared in case of an accident). My passport also can’t be kept secret because every airline and hotel takes a scan of it. There are hundreds if not thousands of copies of my passport, most of which I assume are stored without any security whatsoever.

These are physical documents that should only have power when produced physically. It simply shouldn’t be possible to do anything with just the details or a copy, especially not taking out credit in my name or taking over my bank accounts.


Without going into too much detail, I once encountered an Experian identity verification question on behalf of someone else. This person was an Uber driver making ~$20,000 per year.

The question was: "According to our records, you purchased or leased one of the following vehicles in the previous year. Which vehicle do you currently own?"

A. Maserati Granturismo

B. Ferrari 458 Italia

C. Aston Martin Lagonda

D. Honda Accord

So... 2 Italian supercars, another supercar with only 200 ever produced, or a mass market sedan.

Bonus - of the 4 questions, you only needed to answer 1 correctly to pass the check.


Every single report like this serves to make me feel sick and angry. These organizations are responsible for so much data that can literally ruin lives and they can't be bothered to think through their solutions. It's not but should be criminal.


Specifically, personal penalties for the exec teams. Do this once, and they'll take 10x the level of care going forward.


> personal penalties for the exec teams.

Yes, but the penalties have to be such that the exec does not simply view it as "cost of doing business" and mark it down as a business expense.


good point - also can't be covered by an insurance policy or reimbursement or pay increase or special bonus.

I guess we're arguing for non-financial penalties...


5% of their investment of the company per offense.


If security doesn't impact their bottom line, it's just another beautiful salary for the C suite to parachute off of.


Why isn't there more regulation on these? It seems something that 99.9% of voters would want to get behind. These credit report agencies horde data and then misuse it so frequently. It feels like there needs to be some accountability for misuse of data like this and breaches, especially when there's essentially no way to opt out and still function in society.


In a representative democracy, it doesn't matter whether 99% of the voters are behind the issue. What matters is where that issue is in the overall stack ranking of "important" issues, where "important" is defined as "effective for the purposes of winning elections".

Basically, when it comes to voting, is this going to be the reason why you vote one way or the other? Or is it going to be the usual cocktail of taxes, abortion, immigration etc? If you have an opinion - no matter how strong - but they already have your vote, why should they care about it?


like the online tax return companies, their lobbyists push for minimal regulation


Ugh. "Identity Theft" is a term invented by the finance industry to victim-blame when their weak authentication mechanisms are compromised. We should instead talk about "Banks being defrauded by criminals due to lax procedures".


> "Identity Theft" is a term invented by the finance industry to victim-blame

“Identity Theft” blames the exploiter, instead of the (possibly negligently) exploitable system; it is shifting blame, but not principally to the victim.

> We should instead talk about "Banks being defrauded by criminals due to lax procedures".

If we want to focus responsibility on the banks, we should instead talk about “Banks failing to safeguard customer funds”, or “Banks enabling criminals to steal customer funds.”


Just so it’s clear, if person A borrows money from bank B under person C’s name, person C will have to fix the problem. And make no mistake, it’s a huge problem. It will affect person C’s credit score and potentially cause loss of property as bank B will hound person C for their money back. This is in spite of the fact that there may be no relationship between B and C or A and C. And then credit reporting agencies D will happily report the lie from B, that C owes money to B.

It’s completely upside down. And good luck getting the local police to fix the issue.

https://youtu.be/otU-1Il7GfM


Yeah. It's burden shifting. It should really be called "weak fraud controls." When one withdraws cash the bank is liable for unauthorized withdrawals so they use 2FA (debit card + PIN) and for larger amounts they check two forms of ID.


Why everything is tied to our SSN, I don't understand. Why we allow private companies to manage our US social credit score, I don't know either. There are a lot of things we've done here that make no sense.


The main reason is "the mark of the devil", every time the US Federal Gov. wanted to issue ID cards, that came up. Just look at the "Real ID" issues, but that is still not a useful ID for everyone.

Also if you look at your Social Security Card, it states "Not to be used for identification". But companies, universities and everyone ignored that because they wanted a unique number. Not many people realize the SSN is recycled as people die off.

I wish the US Gov would sue all Companies and Orgs that used the SSN for ID purposes for trillions and return that amount to people with Social Security Numbers.


No, the issue isn’t religious irrationality — it’s understanding the inherent dangers of a mandatory government identification system and not wanting one.

Unfortunately, we have several anyway, but that’s no reason to accept a universal inescapable federal ID that we would never be able to roll back.

> I wish the US Gov would sue all Companies and Orgs that used the SSN for ID purposes for trillions and return that amount to people with Social Security Numbers.

At least on that we agree. The SSN bas become a poor, backdoor replacement for federal identification documents — which is exactly what people were worried would happen, and why they received the sop of “not for identification”. That didn’t last long:

https://www.nytimes.com/1998/07/26/weekinreview/the-nation-n...


What's the downside of a universal federal ID?


If nearly all choices and utterances are linked to the same database and can be used against you in ways that don't even exist today people will feel a strong chilling effect. We have bankruptcy and privacy laws specifically so the owners of these private ledgers and databases do not entirely control our lives.

The issuer of a universal ID gains gatekeeping power. Besides the danger of people getting excluded, children and marginalized demographics won't have one.

Ironically widespread deployment of an ID can sometimes lead to more fraud. Bureaucracies tend to confuse identification, authentication, and authorization. Possessing a scan of a passport is often accepted as possessing the passport which is accepted as authority to transact with that name. Through the transitive property possessing a hacked .jpg can allow a fraudster to transact as you. When businesses and bureaucracies are not liable for fraud or their errors, they focus on the ID tokens as a way to improve throughput instead of assessing the legitimacy of the transaction in a holistic manner.


... because back in the 70s it was decided that disclosure (a/k/a "transparency") was all we'd ask of private companies (with exceptions, as in, some companies aren't even expected to disclose). Who do you think _actually owns_ the U.S. Congress anyway?


Meanwhile, UK Gov project One Login will use cloud services architected by Experian:

https://www.publictechnology.net/articles/news/government-pl...


This isn't the first time that a major Credit Bureau has had a data leak, is it? Wasn't there a huge one a few years back?


Experian and Equifax have security leaks all the time yeah


"Identity thieves have been exploiting a glaring security weakness in the website of Experian"

Shouldn't Experian have been thoroughly audited by the gov't after the last major data breach? The above sounds pretty out in the open, no?


> Shouldn't Experian have been thoroughly audited by the gov't after the last major data breach?

That sounds pretty unconstitutional. Why would the USG audit a private company for security?


It seems like it'd be a national security issue at the very least. Those databases also contain an up-to-date financial picture of government employees holding security clearances. Even if clearance holders are nominally supposed to remain above-board and unsusceptible, I'm willing to bet that enough data mining would allow decent targeting. The DoD is already monitoring those employees' credit reports, so clearly there must be something actionable in them and it's quite likely they miss something.


Which part of the Constitution is violated by the government scanning a website's publicly-available, advertised resources on the clearnet?


Unconstitutional just means it's not in the constitution. My claim is that nowhere in the constitution does it require the USG to audit a private company for security (especially in conjunction with an after-major-data-breach clause).


Yeah, I guess that ensuring foreign actors can't publicly dump massive amounts of data on an arbitrary number of American citizens to be used in economic warfare definitely doesn't fall under any mandates that the US government has...


Yeah, if it did you would've quoted it.


What's absolutely infuriating about this is that Brian Krebs has sounded the alarm about Experian's horrible security for a very long time, and Experian has done jack shit about their problems.

This company needs to be shut down. It's incapable of safeguarding PII in a reasonable way.


Until our government creates a law that makes the credit bureaus have to pay every time their security fails, nothing will happen. They don't have to care and probably laugh at all of us. But politicians are cheap to buy off and nothing changes. I am sure all 3 of them have huge legal teams anxious to slap you silly if you try to sue them.




"you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report."

Unreal.
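The bug quoted above is a step-skipping authorization flaw: the report page assumed anyone who reached it had already passed the out-of-wallet (OOW) questions. The following is an added example, not code from the article or from Experian, modelling that flow in plain Python with constructed consumer data and constructed question/answer sets; it shows the vulnerable handler beside a hardened one that decides authorization from server-side session state rather than from which URL the client asked for.

```python
from dataclasses import dataclass
from enum import Enum


class Step(Enum):
    IDENTIFIED = 1  # consumer named themselves; nothing proven yet
    VERIFIED = 2    # OOW questions answered correctly


@dataclass
class Session:
    consumer_id: str
    step: Step = Step.IDENTIFIED


# Constructed sample data; real systems would look these up in a datastore.
REPORTS = {"c-100": "FULL CREDIT REPORT for c-100 (constructed)"}
OOW_ANSWERS = {"c-100": {"q1": "acme bank", "q2": "2017"}}


def handle_oow(session, answers):
    """Promote the session to VERIFIED only if every OOW answer matches."""
    expected = OOW_ANSWERS[session.consumer_id]
    if all(answers.get(q) == a for q, a in expected.items()):
        session.step = Step.VERIFIED
        return 200, "verified"
    return 403, "verification failed"


def report_vulnerable(session):
    """Buggy handler: trusts that reaching this URL implies verification."""
    return 200, REPORTS[session.consumer_id]


def report_fixed(session):
    """Hardened handler: the gate is server-side state, not the URL path."""
    if session.step is not Step.VERIFIED:
        return 403, "complete identity verification first"
    return 200, REPORTS[session.consumer_id]


def route(path, session, body=None, hardened=True):
    """Tiny dispatcher standing in for the web framework; the client picks the path."""
    if path == "/acr/oow/":
        return handle_oow(session, body or {})
    if path == "/acr/report":
        return (report_fixed if hardened else report_vulnerable)(session)
    return 404, "not found"
```

With `hardened=False` a fresh session that jumps straight to `/acr/report` gets the report; with the fix it gets 403 until `/acr/oow/` has succeeded in that same session.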


Ugh, annoyingly Experian was the hardest one to do a credit freeze on. A few weeks ago, I was able to easily do a credit freeze on other bureaus but Experian wanted me to call them during business hours so I put it off. It might not help much but I’ll plan on doing the credit freeze with them today.


The whole free-annual-credit-report-via-the-web-thing worked great in the beginning. I used it for years. Then, it went to shit. First, it was the barrage of ads for free credit monitoring or whatever. Then, it just stopped working altogether. It's now obvious they're just trying to make it as difficult as possible to get your free annual credit report, which, I think, is supposed to be guaranteed by law.

I actually wrote to one of the credit agencies a few years ago (forget which one), attempting to get my free report. Three months later, the agency sent me an insane form to fill out to get the report. They also started mailing me ads, telling me how easy it was to obtain my credit report...if I paid them. Nice.


Naive question: what harm can come from someone having your credit record?

Companies all the time do hard inquiries to access your credit record.

EDIT: don't get me wrong, it's not good this was able to be done. But what's the actual impact though?


Came here to ask this. The article doesn't say why this is a bad thing.

At best it implies poor security by the credit agencies might increase the risk that "identity thieves will ruin your financial future" but it doesn't say how access to a credit report will do this.

Guessing: something in the report (what exactly?) might make taking out bogus loans easier by selecting the most vulnerable victims (why?)


Identity verification questions are generally based on public records along with the credit report information. Some questions might not be detailed in the report (like how much a specific loan’s monthly payments are) but others would definitely be included, like the name of a creditor on file.


If the credit record has your SSN, a criminal can pretend to be you and borrow money in your name. Then the bank will come after you for repayment and the credit reporting company will 1) report that you have outstanding debt 2) report on any “missed payments” on this debt 3) lower your credit score because of 1 and 4) share this false info with other credit reporting agencies.


Fun one is they buy a motorcycle and insurance and keep charging it to you and you have to fight with the insurance companies to clear the debt.


Huh. So basically these guys got access to stuff that thousands of companies and governments who subscribe to Experian already have, but didn't pay for it. Color me outraged.


I strongly suspect this was more widely exploited than what's being let on. I have received hundreds of Medicare robocalls where the caller was suspiciously able to suss out a fake dossier - even though street addresses and names would be plausible, but the birthday and SSN were fake.

I would definitely investigate this further to see if this knowledge was in the hands of criminals/scammers who were selling access for $$ over the past few years.


It still boggles my mind how much you can do with another person's SSN in the US. It's like a password for your life in plain text. Crazy.


How much value do the credit agencies add beyond what could be obtained by knowing income, location, number of dependents, and current debt/liabilities?

Verifying identity is another matter, but I’d expect what you put on the credit application to be the data that explains the defensible reasons to not give a loan, without needing a magic credit score.


"How much value do the credit agencies add beyond what could be obtained by knowing income, location, number of dependents, and current debt/liabilities?"

Theoretically they verify these numbers. Otherwise people would lie. Presumably, in the credit score calculation, they also have actuarial tables that allow calculating the odds of delay or default for each person.


A reminder that if you haven't frozen your credit with the three credit agencies - it's a great time to do so!


This is a really poorly written article. It goes on and on about poor security and how much the credit agencies should not be trusted, but it never says why this disclosure is harmful or why anyone should care.

To say "identify thieves do this" implies "this is harmful" is a post-hoc fallacy.


I mean, I might be generalizing here but I think the target audience for Krebs is usually security minded individuals who probably don't need an explanation as to why having your credit information leaked is bad.


At the beginning of the article he mentions that Telegram channels where attackers discuss methods have been sharing the method, as part of their plans to steal money from people. If the red team wants it, it's probably worth their while.


Can Experian please just go away. This is just the latest example of where they’ve demonstrated themselves wholly unqualified to be handling the sort of data they handle. This is like elementary level security 101 stuff that they messed up here.


I'm not surprised Experian's security is shit. Equifax proved that there are basically no consequences. Here's some basic free credit monitoring that you probably already had for free.


I shouldn’t need credit monitoring in the first place. No, banks need to do their own credit monitoring i.e. monitor who they’re giving credit to. And not just that the name is credit worthy, but also that the person asking for the credit actually matches the name.

And if they don’t, banks and credit reporters don’t get to slander me until the end of time about patently false debts.


I was a victim of the Experian data breach in 2015 and I now have a lifetime of credit monitoring services to pay for, meanwhile Experian had to pay a fine that amounted to a slap on the wrist.


Always thought Experian was a disgustingly juicy target and it was just a matter of time before something like this happened.



