"Identity Theft" shouldn't even be a thing. Someone falsifies documents and takes out a loan or something that should not have been approved. That's bank fraud and should be an issue entirely between the fraudster and the lender/bank.
Somehow banks have re-named it from "bank fraud" to "identity theft," deftly shifting responsibility onto some unrelated third party, who now has to deal with it. "Your identity was stolen! That makes you the victim. Now go help fix it!"
Banks should not be able to shift the blame. They did a crappy job and lent money or opened an account for someone they shouldn't have. They are the ones who should bear the burden of mopping up their mistake.
Yes thank you. This is my "actually it's GNU + Linux" tic, please fellow Americans (and I would be interested in learning if this problem exists in other countries) do not accept the framing that a bank giving a loan to someone they thought was you is _your problem_! It's their problem! We should not be normalizing this phrase or practice.
There are four companies in Norway that do credit assessments. You have to individually register your desire to not allow credit assessments for your name with all four of these.
But then, what protects you against someone simply requesting that your credit is unlocked and then taking loans in your name after all? Well, from what I gather one would have to use BankID to confirm that credit is to be unlocked.
So even if someone steals my passport, they will not immediately be able to unlock my credit. They’d have to jump through a bunch of hoops to also steal my BankID.
You can do this in America. It’s called a credit freeze. A problem is credit freezes can also be fraudulently lifted, but serve as a decent barrier for most run of the mill mass frauds. They’re virtually unknown and require you to independent contact each individual credit bureaus to both freeze then unfreeze.
Having that credit freeze saved me from at least two attempted frauds since then - I was notified by two credit card issuers that credit card applications in my name that I had never made were rejected because my credit file was frozen.
Interesting. This should be adopted by the EU. (I know Norway is not a member state but this makes good sense and that's why I would love to see the EU to adopt it.)
I disagree with this system, banks can instead require the exact same Auth process they'd use to unblock your "no credit" request when they want to start a new credit for anyone. Why would there be more checks to "remove block" than to "start credit"? I can think of one reason that's good for the banks.
The "locked" state should be the default, whatever extra checks they need to do to a person that has it "frozen", that should just be the default to start any credit!
If anyone has some dire need for easy credit all the time they can do the opposite and go to some "light checks" state like TSA pre-check.
I imagine they already exist in EU states. I got one in Finland after my ID card was stolen and someone was trying to buy stuff on credit with my ID. Paid a small fee of like 10€ to get a two-year credit freeze. They also give you a certificate from it that you can use to verify that the black mark in your credit history is a voluntary block. Never actually had to use it, was a student back then and I didn't have any credit to apply to, mobile phone plans to buy, apartments to rent etc.
> the framing that a bank giving a loan to someone they thought was you is _your problem_
Brings to mind the tale that jaywalking laws were the creation of early-days automobile manufacturers and dealers who wanted to clear the streets for the vehicles they wanted to sell. [0]
You’re right, both morally and legally. My friend a government law professor told me that in the EU you could probably even construct a pretty solid case arguing this.
The argument would be that If there is not a single slip of evidence tying you physically to the money Except your PII Then the banks anti-money laundering should have catched it. That gets their attention right away since the fines in that cases are proper billions.
If they don’t settle, you go for the kill and settle that PII is not uniquely tied to legal intent (heck, it wasn’t you! The intent is missing and that’s what you point out as well.)
The problem is that that case will take you 7+ years, all the way to the various supreme courts (local, European). It’s why Max Schrems is a hero, except banks are worse adversaries than government regulators.
This whole digital world has had some impact on our two thousand years plus of contract law. It’s sad judges don’t go back to the basics in these cases. Show me the contract (into the abyss).
I’m not sure what the exact rules and regulations are, but at least in Germany you should be well protected. The German Wikipedia entry [0] is a bit confusing, as it both has damages (I checked the primary source, no further information) but also a section how it will not be your issue as the other party was defrauded, so I can only guess it’s people who simply paid (fraudulent online shop orders or fraudulent withdrawals) without fighting back.
> They are the ones who should bear the burden of mopping up their mistake.
This is true to a large extent but having worked in resolving "identity theft" I can say that it is complex.
In a place like the UK the requirements for a bank loan are pretty stringent but here in Australia they are much much lower and people hate friction. Authentication is a hard problem. Knowing someone's creditworthiness is a hard problem. There are a also many of people out there who are willing to claim "identity theft" has occurred to mean that it is complicated.
Most of the time for people whose identities had been stolen it was fairly easy to remove based on the most cursory evidence (which often I only had access to because I had access to air gapped data that was kept for far longer than the 7 years it was meant to be kept).
The status quo exists because it inconveniences just few enough people and is an acceptable amount of risk to the powerful. One side of politics will denounce anything that looks after the interest of both these groups as too much "red tape" and the other will denounce it as "discriminatory".
For comparison I look to the family violence measures we introduced here in the last decade. It was a battle which took years of firmly but politely refuting the opposing ideas "family violence victims should never have to justify themselves to a credit provider" against "credit providers should never increase their risk without having charged more up front".
A compromise model was found where the credit providers effectively pay for the losses but in reality they just charge it back to their customers. Right now paying for identity theft is a lottery. In future it's going to be internalised up front. This will be good for the victims but for the rest of us its an increased cost.
The case is about whether Ms Luke was operating the PayPal account she created.
I don’t doubt her story, but if you can claim the account is yours when it suits you (“where’s my stuff?!”) is it fine to claim it’s not yours when it doesn’t (“these transactions were done by someone else!”)?
Is there a contradiction there? Perhaps not: I doubt you can use a PayPal database row to enforce a contract — you’d need an invoice or order confirmation — so neither should another party be able to use the PayPal db to convict you of fraud.
My brother in law had his identity stolen about 6 months ago. He went through the normal routine of cancelling everything, putting holds on everything, etc. He thought he was in the clear, until last week, he received a letter in the mail for a summons for several felonies, including fraud, in the state of Utah (he lives in PA).
It is insane to me that PayPal, Venmo, VISA, etc, all can allow someone who isn't him to open accounts, run transactions, etc, but not have to bear the legal liability of it, and instead it appears to be him that is legally liable.
IMO, the transacting companies here are the ones that need to be charged. I never consented into the American credit system, yet by virtue of being born here, all these companies can, and will, apparently let others open accounts in my name, with no liability.
He's lucky he found out about the summons, because it's very common to commit a traffic infraction, get pulled over and then find yourself facedown at gunpoint when the cop finds out you have several warrants for crimes you never committed. And depending on your ethnicity it could certainly lead to your untimely demise by police if you got belligerent about it.
I can’t find anything stating this is “very common”. I guess as a rough metric for “very common” let’s say on a similar level to heart attacks. Quite rare still but common enough that you could be justified in calling it very common.
Isn't that basically conspiracy theory logic? ie. "This thing is totally true! Evidence? That doesn't exist because The Powers That Be are suppressing it!"
There have been a series of US Supreme Court decisions that allow local law enforcement and prosecutors to a.) not have to reveal any statistics on crime and race b.) enormous discretion on powers to stop and arrest such that law enforcement can give conflicting reasons for each action, i.e. this person was suspicious because they were driving too fast, this person was driving too closely to speed limit and every variation of that. The only thing they are not permitted to do is say "we did this because of the color of their skin." McCleskey v. Kemp is one of the cases in a long line of cases that has led to a catch-22, racial discrimination by law enforcement and prosecution is against the law, but as long as they don't admit to it there is no evidence because one cannot get discovery on the past history of law enforcement and prosecution.
None of that tells us anything about whether something is "very common". In fact, as I mentioned in another comment, "very common" isn't even defined and is purely subjective. If there was some medical condition that affects 1000 people in the entire country, I doubt many would call it "very common". The same applies for most other things. A collectible where only 1000 exists in the entire country wouldn't exactly be called "very common". However, "police shootings being common" isn't exactly a rare sentiment despite also occurring approximately 1000 times per year[1]. Obviously this isn't to say that 1000 police shootings per year is fine because that's on the same magnitude as rare diseases, but the phrase "very common" is clearly in the eye of the beholder. In the context of police shootings or people being brutalized, when people say "very common" they're not actually saying it's "very common", they're actually saying "it's unacceptably high", which is an entirely different statement.
Or maybe I'm too sheltered living in my gated community or whatever, and this is actually "very common" in the usual colloquial definition. Feel free to prove me wrong.
You said it's a conspiracy because it can't be proven, the Supreme Court made it impossible to prove racial discrimination by law enforcement/prosecution but said it's not OK to do it, with a wink wink. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5614457/
African Americans make up roughly ten percent of the US population, but are incarcerated at a much higher rate for drug related offenses. Two simple possibilities occur to me - African Americans somehow commit drug crimes at an astronomical rate compared to others (which I really doubt based on the people I know who sold drugs in college), or police simply enforce the laws against drugs primarily against African Americans.
You didn’t list option C: African Americans commit crimes other than drug possession more frequently and then drug charges are either added on, or it happens during probation.
A quick look at my county jail roster shows that a lot of the drug cases - but not all - are of that sort.
Areas with more overall crime are going to have more police officers patrolling as well.
I think something that happens between 2 and 3 times per day is “very common” in a colloquial sense. I drive a car with less frequency and I’d call it a “very common” occurrence.
You could present all the evidence that cops have lots of effective oversight, but you cant.
Instead, it has been widely documented that they freqently flaunt programs intended to provide oversight, almost never are successfully prosecuted or punished, and commit homicides with regularity.
Does the alternative exist - being uninformed and eager to criticize power? How are we meant to differentiate the two?
I think one way is to note that this post was about being inaccurately charged with a felony - not about cops. The request for stats was not “cop stats” but identity fraud based felony and as a result arrest at routine traffic stop.
If a cop sees you have multiple felonies in another state, it’s quite literally their job to arrest you. Do you suggest they see someone charged with multiple felonies and just say have a good day?
No, the post was about being charged inaccurately due to identity theft. Perhaps you are overly eager to criticize police and became uninformed with reading the comment thread.
Jeez - I can't imagine the stress he's under in dealing with something that isn't, and should never have been, something he has to deal with. It's enough to make you want to scream into a pillow until your lungs give out.
It's just so frustrating and deflating to go through the process. It's a chore that shouldn't really be our problem - but it is and it feels terrible to be beholden to that process and ultimately come out losing in the end when you get a letter like that in the mail.
I had a identity theft come up a few years ago and I'm still dealing with it (all the way back from 2016!). But at the end of the day, I really shouldn't complain because things could always have been worse.
I just empathize with your final sentiment completely. We're just...beholden to it. Bleh.
The only way this gets fixed is if enough people get put through the wringer through no fault of their own and they finally start demanding politicians to do something about it.
You can bet politicians will never feel the pain of this fraud. They are VIPs so they have a staff of assistants who "handle" these things. That and the fact that the ones that should feel the pain (banks and lenders) are campaign donors means that things will not change.
A point that supports this. Friend of mine worked for a high wealth person. One day their company website went down. Because it turned out they forgot to renew it and it was now in the hands of a squatter. When the boss asked asked to approve paying $X to the squatter to get the site back he said no. Made a phone call and the site was back up 10 minutes later.
To give context to people who may have not heard; there has been a MASSIVE amount of high profile data breaches in the Australia in the past 12 months with zero consequences for the businesses involved.
In a 6 month period I had;
- My private health insurance data leaked (AHM/Medibank) - including claim history, medicare number, password, username, email, phone
- My old phone account (Optus) - including my phone number, my current passport number(!!!), current address, phone.
- My old credit card account (Latitude finance) - including my current passport, driver license, my income history and bank statements that was provided to get the credit card originally, address, phone, email
The ONLY thing that any of these businesses have done is pay for a replacement passport and a 12 month credit watch. Optus wasn't even a 'breech', they had an API exposed with the all the data!
How is someone meant to protect themselves from this? It is pure negligence. Until governments legislate that the punishment for exposing personal data is more expensive than the work and infrastructure required to keep it secure this will continue to happen.
> Until governments legislate that the punishment for exposing personal data is more expensive
The EU did. Everyone, for some inexplicable reason hates it; and not the casual hate one spews when it rains or traffic is bad but a deep visceral hatred normally reserved for war criminals or kiddie fiddlers.
This is absurd. This is just as much as indictment of ridiculous American courts as it is the corporations prosecuting such a case. What is happening in that clown country that a civil case against a person who wasn't even involved in the infraction can be judged liable when they are not even present to defend themselves? America is a bully nation.
That was my first thought too. Perhaps companies can't easily differentiate between cases of stolen identity and cases where a bad actor claims their identity was stolen.
Maybe I misread but if they were Exparte, were they implying she wasn't there and it's possible all these verdicts were handed down without any of her input? In that case the companies may not / wouldn't know? Either way still a horrible situation.
No, ex parte means not requiring a party that would normally be required. It is _also_ used in emergencies because the process of pleadings, answers, and replies would be too slow, so you are asking the court to temporarily ignore the rule that the other party respond before the court issues some sort of order or response.
I expect they want a judgement for a specific damage, then when they can’t collect they have insurance to cover that specific amount. Without a judgement for an amount, their insurance would pay out a lesser amount.
I don’t see any evidence that the company thought they were harassing someone. It seems they were just routinely pursuing someone they thought harmed them.
Hopefully, the judgement will be dismissed since it’s based on identity fraud.
>Without a judgement for an amount, their insurance would pay out a lesser amount.
Who in their right mind would insure Adidas (or any other internationally famous brand) for trademark infringement? You're almost guaranteed to pay out millions in "damages" per year.
Corporations insure for all sorts of things and a company as big as Adidas must certainly have operational risk insurance [0] for things like this.
I remember many years ago, the startup I worked for was required to have insurance as part of our funding round and it covered stuff like officers freaking out in public and all sorts of odd things I didn’t think was insurable.
Corporate insurance is pretty interesting in this regard.
And no matter who is insuring, in the US it’s probably reinsured by Marsh McClellan [1], a huge reinsurance firm.
In the US property rights trump most other considerations, and courts are often biased in favor of property owners. Drivers frequently ignore cyclists and pedestrians, because they feel the road belongs to them, and to some extent the larger and fancier the vehicle the more carelessly they drive. Commercial drivers, who typically don't own the vehicle but can easily lose their commercial driving license, tend to be much more considerate of other road users.
(Of course I am being slightly hyperbolic here; deal with it.)
Drivers of nicer vehicles actually drive better around cyclists as they are incentivized to not acquire dents and scratches in their precious. It's the hoopty drivers who DGAF about damage and are likely most ignorant of their legal obligations who are the biggest threat.
Although I dont have a link to the studies, there have been some that both showed an inverse relationship and correlation between income and driver care. Not super definitive. Notably, "nicer" meaning newer is not a static state. Higher income drivers can more easily absorb the costs of minor damage, meaning theres some downward pressure on the reporting stats from both sides.
Despite the bigger risks/penalties involved with being unlicensed (driver and/or vehicle) and uninsured, it does seem that these at-risk drivers are less safe. Uninsured driver premiums are explicitly bundled. Accidents lead to worse physical outcomes for at-risk drivers (https://www.sciencedirect.com/science/article/pii/S259019822...)
Perhaps it depends where you live. Most of the people who ignore my existence and that of pedestrian crossings seem to be driving SUVs or huge pristine clean pickups.
I never said they were good or considerate drivers. They're just less bad for mostly selfish reasons. Ignorance of the law is still universal for US drivers.
Other countries' court systems are just as exploitable, but go unexploited, out of (presumably) a lack of interest / lack of social mores that predispose toward suing people.
Court cost structure also matters. If the civil courts cost upfront and loser might have to pay cost of winning side it pushes up the bar for legal action (which has positiv and negative implications).
Everywhere sucks, this site just has a lot of people (both American and non-American) who seem to revel in posting absurdly anti-American statements at every perceived opportunity.
If she was compromised by credential stuffing at PayPal, I have to say I'm disappointed. I actually wrote the anti-credential-stuffing code 20 years ago. It was one of the core component of PayPal security. We were one of the first sites to get those kinds of attacks so we got good at stopping them.
Sure, but also it would piss off unsophisticated users and also cause a huge increase in customer service issues with people getting locked out. That why it keeps flipping between required and optional.
Way back then we would send RSA tokens to the top users to stop them from getting hacked, but since they cost $10 each and required training and setup with an agent, only top users would get them.
If you're talking about RSA tokens as in the tokens sold by RSA Security the company, my company uses them and my team is in charge of their issuance. We've estimated the total including man-hours cost of issuing a single token at about 250€. Sure in the grand scheme of things it isn't much but I can't imagine it'd be better for PayPal, and that gets expensive fast if you send them to clients and not just employees.
Part of this is of course genuine security verifications but a lot of it is due to RSA Security's obtuse design decisions. We tend to avoid them entirely and instead rely on modern SAML providers with app-based 2FA whenever we can now.
>She was then served electronically with papers from the US District Court of Florida outlining Adidas' case against her.
I don't get it, based on this[1] it looks like electronic service is only possible if the party consented. That seems fairly reasonable. How would this have happened? Is there more to this?
My understanding is there are international agreements (eg Hague Convention) when serving civil court documents to someone in another sovereign nation like Australia. US courts have no jurisdiction here and nobody cares about their rules. I think electronic service has similar limitations in Australia.
Situations like these keep bringing me back to the idea that important actions should require an actual, in person, human notary seal.
Contract signings, online court service, title changes, etc should not be valid without an offline record examiner who affirms under threat of perjury that the parties involved are who they claim (or are claimed to be).
Some countries/jurisdictions do exactly that, and trust me, it's a massive pain in the ass. Would you really want to visit a notary just to set up an eBay account? Because that's what you're proposing.
The existing system isn't foolproof but, by and large, it works perfectly well. If the transactions in TFA truly were fraudulent, no court is going to hold her liable. The bigger problem here is a US court being happy to issue ex parte judgments for someone who should have been trivially contactable.
I just tried to set up an eBay account to buy an exhaust part. I created the account, sent the seller a message and twenty minutes later, I got a notification from eBay that I (and anyone from my household) was permanently banned because I was a "threat to the eBay community".
I haven't been on eBay for ages, and as far as I know, was certainly never threatening to anyone on or off eBay. Nobody at eBay would tell me what had gone wrong -- in fact, as soon as I asked what the problem was, they said that they had to "end the call now".
Maybe if I had signed up in person, they could let me know what crimes I'm supposed to have committed or at least save me a hour by not allowing the signup in the first place.
I’m moving away and selling some of our stuff that we can’t take with us. I have a spare 5G/LTE router that I thought I’d throw up on eBay as well as Facebook Marketplace.
I followed their onboarding process to the letter to create a listing, verify my email and mobile phone, add a bank account, etc.
About an hour later I got an email saying I’ve been “permanently suspended because of activity that we believe was putting the eBay community at risk”.
Apparently doing nothing but following their onboarding process is putting the community at risk. They also tell you that “this decision (that was made 100% by an automated system) was not made lightly”.
Did they also ban every member of your family as well? That _really_ wierded me out. I'm not sure a public utility (what eBay, Amazon, et al basically are now thanks to the death of brick and mortar) should be allowed such a totalitarian response.
Somehow this hasn't stopped the people selling empty PS5 boxes and knockoff handbags at all.
The only people with working social media accounts, paypal accounts, ebay accounts are people that had them for 10 years or more. Everyone else is kicked out within a few weeks due to AI surfacing evil people.
Actually, I /wanted/ a replacement flex pipe, but the only way to get it is to buy a rear catalytic converter assembly. The one I was looking at was supposed to be new -- not "RFE" (i.e. stolen)...
> Would you really want to visit a notary just to set up an eBay account? Because that's what you're proposing.
I do, if the service involves hard identity/finance. Maybe where I'm from is odd, but you can't go into a neighborhood without tripping over a notary, there are mobile notaries, notaries in every white collar office etc. Not too inconvenient for a one time (per major action) event.
There could be other options. Perhaps the notary could choose how she authenticates a person. And perhaps that could be using a clever federated scheme that arises because of this need.
It’s entirely possible to do this digitally and have it working seamlessly.
In Denmark we have a thing called “MitID” (MyID) which is basically a government login and which you can use to sign and also login to all kinds of things that need to confirm your identity (e.g. Phone subscription, taxes, 3DS verification for Credit Card transactions, etc).
It’s essentially 2FA, works by the site sending a confirmation to an app on your phone that is behind PIN code. The analog version is a paper slip with 100 lookup codes.
The bar to stealing it is way different now though.
You would have to steal a username + phone + PIN code for phone + PIN code for MitID app.
If that happens, then it would also be trivial to unlink the app from that phone.
At no point in time would you be unaware of the theft here.
Contrast this to what happens in the US often: your personal info is leaked from the plethora of places it’s kept. Someone can now in perpetuity exploit your identity, or at the very least for a long time until you find out randomly.
Which system sounds better to you? I sure know that I’d prefer the first one.
I’d welcome any actual arguments against it, but you’ve not really presented any at all so far.
"You would have to steal a username + phone + PIN code for phone + PIN code for MitID app."
And when your phone is hacked then all three are up for grabs?
"Contrast this to what happens in the US often: your personal info is leaked from the plethora of places it’s kept."
And yes, totally never is your govt info leaked from the plethora of places it is kept. /s
The problem is not having govt information, the problem is having it kept on phones or entered on devices at all.
"I’d welcome any actual arguments against it,"
See the above. I dislike the automated exfiltration of my identifying information, and then being saddled with the "responsibility" for it. The solution is not to make it even more automated, but to generally never to accept any credential except as a revokable guarantee - doing business as a large corp you should accept the risk of fraud, and presume your clientelle are not who they say they are.
I got locked out of mine and that's a freaking nightmare to deal with.
Several trips to a government office, had to get a new set of ID, and wait weeks, all while there was important communications waiting for me on one of the dozens of subordinate government sites which were time sensitive but no one could provide me by an alternative method....
I am just waiting to hear the first story of someone going to prison because they couldn't get the message the tax man sent due to the tax man not letting them read the message....
That's the thing I don't understand about people who live in the USA and their absolute hatred towards a National ID system. It would be a political nightmare for them to even suggest anything like that. Even their "new" FedNow service is being as governmental overreach for "reasons".
Most non-it people I know who are opposed to FedNow are the kinds of folks who get a lot of 'gifts' that they conveniently get around reporting, alongside a CPA they always owe favors to.
I am against government overreach yet these people really seem to want to change my mind.
We have e-notaries in Nevada. It requires a webcam/ability to make a video call, and to show your ID in a solid resolution. It's actually probably not the worst thing.
I'm sure it happens, and I know the bar for becoming a notary public (official able to notarize documents) isn't that high, but I haven't heard about a ton of fraud where things were falsely notarized. I suppose accessible notarization is a positive thing, at least as long as fraud doesn't become a problem with the system.
Eh, I was forced to have a notary do something and it ended up being an apparently 20 year old dude at a UPS store looking at some papers for a few seconds. Not exactly the high trust exercise it’s made out to be.
I suspect this could be improved by, say, installing the same biometric recognition machines they have use for border control at every post office/bank/etc. These machines could attest that you are present and signing something. They would still require some oversight, but one person could oversee many machines.
I'm sure this is an unpopular idea on HN, but at least it's a way that our governments could use facial recognition/fingerprints/retina to reduce fraud.
Looking at the court documents, it seems shady organizations registered a bunch of domain names that are used in the trade of brand-name athletic gear. The victim's identity was used to register one of those domain names, but just looking at the other registrations it's pretty clear the organizations are based out of China. In this context, the case brought by the brand owners is a little more reasonable -- if they did not try to defend their brands against this level of counterfeiting, then, they can be found to have lacked diligence in defending their trademarks.
However, in the case of the victim, her owing $1.2mm in penalties hinges on her identity being used as the owner of some domain names that contain these brands' names.
I suppose if the victim had "infinite resources" the next step as the victim would be to file a lawsuit against the domain name registrars for claiming she owned the sites. If the registrar would remove her stolen identity from the site then the suit would have no basis to link her to the domain names and she would be cleared.
But then again, what incentive would a domain name registrar have to remove your stolen ID as the owner? If they simply agreed to do it when asked, then anyone could send a fake letter to the registrar claiming you don't own your DNS records and remove you as the owner of them.
Genuine question to HN readers -- if you woke up tomorrow and found a whois entry that had your name and details listed as owner for a site that traded in illicit goods and/or morally objectionable content, how would one go about correcting that?
globalsupport@icann.org and contacting the registrar to start. File a police report (this will help if anyone comes to visit your address) regarding identity theft. Contact the IRS regarding identity theft and possible foreign dba. Contact the post office if you dont have a locked mailbox..also, if you get any domain related mail, it can elevate the federal response. Talk to your bank about invalidating all checks and putting a limit on daily withdrawls/spending.
This is just off the top of my head. It is a huge headache that will trouble you for a few years.
So in other words, the state that results from wrongfully typing someone's name in a textbox that is never verified when buying the domain is a multi-year endeavour for that person? Surely there has to be a better way.
I had a paypal account. They demanded copies of my govt. ID. I refused and said close the account. I only ever used it to make payment to web shops using my credit card.
Paypal refused repeatedly to simply close the account given their change in terms of service to which I do NOT agree.
Will someone hack into paypal? Absolutely they will and it will have happened multiple times since this debacle. Will someone hacking paypal then use this account which should not exist to do something that causes a problem for me?
Paypal are responsible for this. This is 100% paypal's problem. Paypal should be on the wrong end of the most expensive litigation seen in this are from which they do not survive.
Paypal's actions in this area are quite deliberate and they know and understand the consequences to people.
You wouldn't think there is a very good judicial process in place if it could charge someone of a crime without first establishing the identity of the perpetrator beforehand. What's to stop fictitious entities from being charged with fictitious crimes against fictitious victims? Surely the standard of proof should be higher...
This was a civil case, not a criminal case[1]. In civil cases after the plaintiff has made a prima facie case the burden shifts to the defendant to dismiss the claims against them, if they can, usually at their cost. Lots of people end up with default judgments against them every day because the court systems are terribly difficult to navigate with no legal knowledge. Civil in rem forfeiture is even worse as most jurisdictions allow for the state to take your property with no court involvement at all if you fail to file the right paperwork at the right place at the right time.
[1] I have been in court three different times and seen the wrong defendant brought from the jail to be released since they aren't the person being sought by the indictment, but a case of misidentification by law enforcement. Quite how these people managed to alert the jail authorities to the problem I do not know; having spent significant time in jail I have no idea how you would get any personnel to take seriously the idea that you "aren't supposed to be there."
This is really stupid. Follow the money. If she had been responsible for the theft, the money collected should somehow be traceable back to her. Obviously it would not be, and given the data breach she would have plausible deniability.
Furthermore, no sane lawyer would hope to recover such large numbers from a single mother of four children. There is no value in prodding a legal system to render a pointless judgement against a plaintiff who is very likely not responsible for the crime.
How was the ex parte trial even allowed here? Did she not respond to the summons? Is this just something they do if the person is outside US jurisdiction?
The court docs say that the brands made the case that because the illegal business had been happening over the internet, reaching out to her via email was a satisfactory way of serving her. What a farce.
> In court documents seen by the ABC, default judgements were handed down by the US courts and damages were awarded against Ms Luke of $US200,000 ($293,000) in the NBA case and $US1million ($1.5 million) in the Adidas matter.
Strange co-incident, just woke up from a dream about something similar where a deep state mole remained annonymous using these kind of transactions.....Yikes, not a good start to the day, going to bed again...
The tl;dr is that the victim was Australian and the court proceedings were heard in the US. Unless they're put before a court in Australia she's under no obligation to pay. Knowing a bit about Australian society it would not go down well if they tried.
I would've used the money she spent on a US IP lawyer to sue Medibank for negligently allowing her personal information to be hacked and sold on the dark web. At the very least I hope she's part of the class action.
She’s under no obligation to pay but I do wonder if she ever decides to take a trip to the US if she will be escorted away from the airport under police escort on landing. That’s a big worry if I was in her shoes.
The next big data breach in Australia will be from the wave or realestate rental “startups”, it’s only a matter of time.
The sites are badly designed which doesn’t give much faith in security. Also the largest being a Murdoch subsidiary which I guess the data conveniently has huge money value for ad targeting…
The online rental application companies collect (require) more data than any paper rental application form, credit card/bank/mortgage application, or visa application. It’s also unregulated! They’ve positioned themselves so a large number of rental applications have to go through them to apply. The amount of detailed sensitive pii data they hold has to be huge. It’s a treasure trove for any hacker and an easier target than a bank or insurance company.
> She’s under no obligation to pay but I do wonder if she ever decides to take a trip to the US if she will be escorted away from the airport under police escort on landing. That’s a big worry if I was in her shoes.
Do connecting flights in the US count? It's possible also that airlines can reroute flights to connect through the US.
It's crazy that a lot of this crap is just associates hiring paper throwers that just keep this shit going. Responding to the cases just raises a blip somewhere and it's passed onto another yet higher-level paper shuffler. But in the end, the courts just keep awarding because Shifferd-Melnap-Hamilton (fake name), a well trusted legal firm, always wins therefore should continue winning.
So if there was a crime, and it was committed by the person whose identity was "stolen", is the implication that there is no reason for law enforcement to investigate the person who "stole" it?
She’s an Australian and the US and Australia do not have reciprocal agreements to enforce civil cases. She’s probably best off contesting that the US court has no jurisdiction over Australian citizens.
Right because if some idiots in a country where you've never been get their paperwork wrong it should bankrupt you... Note that you're effectively arguing for your own book here, this shouldn't require a lawyer and it should have never gotten this far.
I mean... mistakes get made. It shouldn't be hard to get this one reversed if that's all there is to it, but hiring a lawyer is absolutely the right way to make that happen. By all means, try to recover attorney's fees after the fact.
But sticking your head in the sand and complaining about it isn't going to get you very far.
This goes well beyond mistakes, it is utterly absurd that the judge would not look at this more closely absent a defendant in a country on the other side of the planet, especially when this kind of money is involved. It's not a $50 parking ticket.
Imagine yourself in their situation, having to defend a legal case in court in a place where you've never been to that has no bearing on anything you've done in your life. That makes the world's population open to being sued for profit in these courts because the courts simply don't do their job. A mistake is when you pass the pepper instead of the salt. This is ruining someone's life.
From TFA:
"Ms Luke has engaged an intellectual property lawyer in the United States, with an initial engagement fee of $US10,000 ($14,800), in a bid to have the rulings overturned and the damages retracted. "
"The single mother of four said the situation was taking its toll.
"The anxiety that this causes, not knowing if they are going to come and take our house, can they freeze my assets, can they get access to my bank accounts?
"We just don't know and it really is a case of guilty until I can prove otherwise.""
That engagement fee is on the low side and yet I think that 99% of the people that might get caught up in stuff like this have absolutely no way of paying that kind of money to correct something they have part in. Besides, the suggestion that you can recoup your legal fees is not really fair: in practice you won't be able to recoup all your fees and you certainly won't be able to recover your time or the stress.
Questions of jurisdiction, evidence and costs all suggest otherwise.
This person has been dragged into an expensive American civil case .
She was clearly contactable as the corps had found her yet she was contacted with what any person who has any cybersecurity training would dismiss as a spam email.
The jurisdiction is a place she has never been.
This should case should have been thrown out, instead she got a summary judgement.
In Australia she could automatically be awarded costs at trial. Here she's going to have to counter sue.
And last but perhaps most significantly, it's clearly not her. Sure, we don't hear about any of the ones they knock back, but this shit would not even get close to getting up in a good legal system.
"In both cases, Adidas and the NBA were given leave by the courts to run the cases ex parte — without a requirement for all parties in the case to be present. "
Wait, what? I thought habeas corpus was a thing in the US?
Habeas corpus only applies to criminal cases, and it's about the state having to justify its detention of an arrested person. You can be tried and convicted in absentia although this is quite unusual. But you see a few murder cases prosecuted against fugitives every year if the evidence is strong enough.
Well that's terrifying. People can sue you in civil court and you don't even have to be present or notified that the trial is happening and then be on the hook for millions of dollars? Am I the only one who thinks there's something wrong with that?
I'm just explaining why habeas corpus isn't the issue here. My understanding is you do have to be notified for civil suits, but the article is so poorly written it's hard to understand exactly what the legal issues were and I don't feel like spending an hour researching the case.
Somehow banks have re-named it from "bank fraud" to "identity theft," deftly shifting responsibility onto some unrelated third party, who now has to deal with it. "Your identity was stolen! That makes you the victim. Now go help fix it!"
Banks should not be able to shift the blame. They did a crappy job and lent money or opened an account for someone they shouldn't have. They are the ones who should bear the burden of mopping up their mistake.