Hacker News
Hackers can use credit bureaus to dox nearly anyone in America (404media.co)
582 points by kmfrk on Aug 22, 2023 | 387 comments



It's definitely worth taking the time to set up a credit freeze with the three big agencies (Experian, TransUnion, Equifax). Initially setting it up is a pain in the butt and is rage-inducing, as you have to provide a bunch of personal data when the whole problem in the first place is that they're careless with your data.

However, once you've got it set up, it's very easy to freeze and unfreeze them. Just keep all the URLs, usernames, and passwords in a secure note somewhere, and any time you need to apply for credit, unfreeze them for a day or a week.

I used to have all sorts of identity theft problems (people taking out credit in my name) but freezing my credit has solved it.

Experian: https://www.experian.com/freeze/center.html

TransUnion: https://www.transunion.com/credit-freeze

Equifax: https://www.equifax.com/personal/credit-report-services/cred...

I truly hate these companies but holding my nose and going through the process was worthwhile and I'd recommend it to anyone.


As a long time freeze user, it seems literally every time I go to unfreeze the process has changed at one of them and it can't be unlocked with the username + password I set up. The last time was because I didn't log in for 3 years, which meant that the account was locked without a bunch of additional validation. Sometimes the validation is just knowing the usual historical address/etc info they ask when you initially set it up (which seems insecure itself), or it's more involved.

So, give it time, when you least expect it, they will take 60 days to validate something about your account before allowing you to unfreeze it.


This is my experience as well. Saving a username and password almost feels like it's worthless with these cretins. And then the dark patterns to upsell you on garbage hiding the actual unfreeze/thaw button.


TransUnion is broken for me, has been for years. I have to reset my password every single time.


Complain to the FTC (or the appropriate regulator). They are now very cognizant of dark patterns.


It is pretty wild that people can take out credit in your name without the issuer of the credit doing their dd, and then it causes you trouble afterwards. They should be fined massively for every time that this happens.


This is the magic of reconceptualizing fraud as "identity theft" in the first place.


There's a pretty funny sketch about that: https://youtube.com/watch?v=CS9ptA3Ya9E


It was never more than marketing for "identity theft protection". When you put it like that, it starts to sound an awful lot like paying a protection racket doesn't it?


That's ancillary; the biggest thing is offloading liability that would sensibly lie with the institution that lent money to a fictitious version of you.


Before I actually had kids was the first .com bust... I was unemployed as were many in bay area and I filed for unemployment or medical (I can't recall now) but I was told that I was ineligible for benefits because I had a bunch of unpaid child support and other debts in Los Angeles... (never lived there, no kids at time, avoid LA all my life)

It took me months to prove that I was a childless, 20-something dork in bay area...

nightmare - but any "credit" agency is scum


Not to be that guy, but I have one better.

My nephew is now 20. When he was 5 we gifted him some cash in a savings account (to teach him about money stuff). We were immediately served notice that he was overdue on two mortgages. It took three years to get that straightened out (and find out that his ss# was already compromised).

What a mess. What kind of an agency would see the ss# for a literal child and just think, yep, this is fine.


LexisNexis Risk reported two inaccurate judgements in my risk report, preventing me from getting a mortgage in my name for almost a decade. It was finally settled in a class action, and I received a check for $625. I wish a terrible time to the individuals who were directly involved at LexisNexis, because someone, somewhere decided to just not care about their data hygiene because there was no incentive to.

https://www.lienandjudgmentdisputes.com/lang/en/


I mean that's really what it comes down to, isn't it? The incentives. Why should any of them care? They make thousands of errors with regularity that cause millions of consumers endless hours of agony trying to get jobs, trying to buy homes, trying to buy cars, but like, we can't not use them. In my entire long life I have never once done business with Equifax, Experian, and TransUnion. Yet each of them have an entire drawer's worth of data on me, all of which is stored incredibly insecurely, is rife with errors, and the only time I really hear from them is when they've once again screwed something up and have dropped it in my lap like a cat showing up with a dead bird: "Heads up, you gotta handle this."

Like, name one thing they actually do right. Literally anything. I challenge anyone who reads this to name a single bad thing that would happen if all these leech companies got Thanos-snapped out of the universe tomorrow.


Banks would have to find an alternative. And that's a vacuum which could be filled with worse actors. I keep close tabs with all 3 bureaus because that's the reality we live in.


> Banks would have to find an alternative.

We might have worse actors or arbitrary decisions or more expensive loans. Or, why not, all three!


That's awful. I assume you didn't remove yourself from the class action, because you didn't have or want to invest the time and resources into suing them yourself? $625 is a laughable amount of money for the amount of bullshit they put you through.


Your assumption is correct. Time is non renewable and I instead focus on higher leverage efforts, such as donating my time to Congressional representatives and federal regulators who craft legislation or attempt enforcement actions (respectively). Do things that scale and all that jazz.


Sounds kinda similar to a former coworker ~2 decades ago. Tried to get a mortgage, rejected, he obtained his credit file...and ~80% of the stuff in "his" credit report was for similar-named people (mostly living in the same part of the U.S.). Report said that he had purchased a house at age 5, based on the well-paid job he got at Ford Motor Co. at age 4, etc., etc.


It's pretty much impossible to get your free annual credit report these days. It used to be relatively painless, but now you get slammed with ads for credit monitoring or whatever useless products. Or, the website just doesn't work, redirects to a page telling you to send a letter to some rando PO box.

I used to get my free credit report every year, but I stopped, which I'm sure is exactly what these scumbags want.


Which website (AnnualCreditReport.com? or the three bureaux' own sites? or some other third-party website (which?)) and what do you mean "the website" just doesn't work? Be aware there are tons of unaffiliated copycat websites claiming to be the official one and just want to serve you ads; don't use them.

IME AnnualCreditReport.com was easy-to-use and never sends ads. It sounds like you were tricked into using something else. If you genuinely had an issue with AnnualCreditReport.com (unlikely), please do tell the FTC: https://consumer.ftc.gov/articles/free-credit-reports


Have you tried this site? https://www.annualcreditreport.com


> My nephew is now 20. When he was 5...

So that was 15 years ago when these mortgages were taken out in his name? Placing it between 2007 and 2008.

That's basically right at the inflection point when the housing market had gotten out of control and started crashing down. This was caused because anyone could get a mortgage, regardless of whether they could afford it or who they were. The banks were accused of doing zero due diligence. In some cases no income verification, no identity verification, no job verification, etc. You could take a mortgage out in your dog's name, and also apparently a 5 year old's name too.

I like to think that the system is better now, but that's probably a fantasy.


To make this worse, they won't even let you apply a credit freeze online until you're eighteen years old.


I had this come up when I was buying a house.

I have a very common name and some guy 20-30 years older than me had past due child support. I also have no kids. This was my first house purchase so I was completely ignorant of the process. What blew my mind is that before verifying whether or not that was me, they informed the sellers of it. I forget the process I went through to prove it wasn't me, I probably just showed them the guy's age vs mine or something. That was wild though, like, the sellers could've just cancelled the sale right there if they didn't want to sell to a supposedly deadbeat dad. I couldn't believe they informed the sellers.

Buying a house is awful. Telling someone all of my finances and everything else when I already have an approved mortgage. Ugh. I did have a worse experience SELLING that house though, if you can imagine.


What a miserable process. Worst thing is that these functions will increasingly be black boxes. You'll just get a negative result from the seller or buyer or landlord or bank and have no recourse. And that's especially unfair when we're talking about something as vital as shelter for decent citizens.


Let me rephrase it so the meaning of what you just said impregnates my mind: you were denied money because their records showed you badly needed it. Sounds to me the credit agencies aren't the only evil.


Agreed. It is astounding to me that a private company can accuse me of a crime with no proof that I did it, and then the government will enforce that without question. You would think they would need fingerprints or something to prove that a particular person did something.


They're not accusing you of a crime, though. They're pinning debt on you. It's not just a pedantic difference either, because it means it falls under an entirely different body of law for assumption of liability.


How close does such an accusation come to defamation?


One lawsuit away.


In the West they give you money in someone else's name without an ID? Must be a paradise.


It's amazing what you can do without an ID in the States.


Is it actually a problem or are people just worrying about it? I don't see how a bank or court can enforce anything if you didn't do it.


It's a major concern. When someone steals your identity, they can incur debts, commit crimes, and manipulate data under your name. Victims often spend extensive time and energy clearing up the aftermath. While it seems counterintuitive, banks and institutions usually hold you liable until you can definitively prove the activity wasn't yours. Essentially, in the realm of identity theft, it's often 'guilty until proven innocent' rather than the other way around.


Sure I can guess that too. I haven't ever seen anyone with problems though. Does it really happen? Given that nearly every SSN and address has leaked you'd think it would be everywhere.


I had this experience after the Equifax hack a while ago when something like 100M+ people's info was stolen. Until I froze my credit I was getting phone calls every few days asking if I had _really_ tried to open some line of credit I had never heard of. The people calling me explained that ever since the Equifax hack they had to do a bunch more due diligence because all they were getting was fraud. No lines of credit were successfully opened in my name, and the issue stopped completely once I froze all my credit.

I think the lesson is when bad stuff happens you really don't want to be in the small minority of people who it is happening to. Once it's happening to everyone then the problem actually gets solved.


An example from last month. "Byron Bay breach victim told to pay Adidas, National Basketball Association $US1.2m by US courts" https://www.abc.net.au/news/2023-07-25/byron-bay-data-breach...


In Australia.


In the Southern District of Florida, United States of America:

    But then she was charged in the United States with offences including trademark infringement, and was told to pay damages of $US1.2 million ($1.8 million).

Her 'bogo-debt' can still be sold for cents on the dollar to local (Australian) collectors who might harass her, future vacations to US States and Territories are now ill advised, etc.


It's more like "you spent it until you can prove you didn't", which might be worse.


That's odd, I'm in Pennsylvania and have had multiple fraudulent purchases with my accounts over the years. Every single time, the bank put the money back in my account within days and I never heard anything more about it.


Fraudulent purchases are not identity theft.


Obligatory rant against the "Identity Theft" deception promoted by banks.

The victims of fraud in these cases are the banks, not you.

You still have your identity. The banks/creditors gave their money (not yours) to a criminal through their own neglect.

It's an unconscionable fantasy that you as an individual are the victim in these situations when you had no involvement whatsoever.

Laws need to be updated to reflect this reality. Banks will continue to act haphazardly so long as they are allowed to pass the bill for their own carelessness onto innocent people.

Awareness should be spread by disavowing the entire "identity theft" deceit any time it comes up in a public forum.

Highly relevant Mitchell and Webb radio skit:

https://www.youtube.com/watch?v=CS9ptA3Ya9E


>Banks will continue to act haphazardly so long as they are allowed to pass the bill for their own carelessness onto innocent people.

I kind of feel like banks are fans of one mister Dewey Crowe, "The anus is upon you" to protect your data. (https://www.imdb.com/title/tt1489428/characters/nm0380632?re...)


If you want to sell this idea you at least need to have a name for it.


Fraud. It's called fraud. Someone is defrauding the bank. The bank is the victim. However, the person whose identity was referenced by the criminal has nothing to do with the interaction. The criminal did not steal an identity. They stole money from a bank through fraud.


Let's take this one step farther, call it identity fraud and not just fraud; otherwise, identity theft will probably be with us.


That term was already coined as a synonym. I wonder which form of fraud does not involve some kind of misrepresentation though. What makes it notable that a person who actually exists is being used as the conman's fictitious identity if we aren't interested in somehow offloading the risk to that person? Presumably this happened before the 1960s when it began to be called "identity theft" (and if you look at an ngram the term really only comes to be widely used in the mid-to-late 90s).


You build up a reputation for being a reliable borrower of debts or a good/clean societal record and someone steals that identity to abuse it and leave you with the baggage. You report "Identity Theft" to regain that identity and reputation, not on behalf of the money banks lost to fraudsters, hence the name.

There are plenty of things wrong with the current credit identity system, the name of identity theft is either not one of them at all or near the bottom of the list.


> someone steals that identity

This is exactly the fantasy that we need to dispel, not rationalize.

Nobody steals your identity. You always have your identity, and nobody else ever does. Your identity is not the few pieces of trivia a criminal can easily discover about you.

The criminal never takes or has your identity. The bank is simply neglecting to correctly identify someone.

> steals that identity to abuse it

Criminals are not abusing your identity, they are abusing the banks' careless failure to correctly identify people.

> to abuse it and leave you with the baggage

The criminal is not leaving you with the baggage, the bank is. They use willfully inept processes, because they have tricked you into believing you should bear the responsibility for the consequences of their own hubris.


I mostly agree with you that banks are hiding their victim status but I think your framing is too intense. The magical idea of identity as an intangible self isn’t helpful.

It is bank fraud and imitation with the intent to abuse the reputation of the person imitated. It should be illegal to imitate you when it negatively hurts you. It’s illegal to imitate police and doctors etc because it uses their reputations for fraudulent means. This is the same thing.

Banks are the financially defrauded victims in this situation, but the victims are also individuals because banks passed the reputational risk of fraud to the customers. If your credit score is hurt and you need to hire lawyers to fix it or you get denied for a mortgage (or just a good rate), you’ve experienced tangible harm.

Banks know they experience harm here. They plan for it. It’s baked into the prices and financial statements. Read the essays by Patrick McKenzie, he’ll argue that fraud is intentionally tolerated. They know that the consumer won’t be expected to pay once the fraud is discovered. That’s not their goal, and they’re not being deceitful here.

You can argue if this system is overall good or bad, but it almost certainly has led to cheaper credit for everyone. Outsourcing credit worthiness to a magic national number (or 3) is cheaper than every credit union assessing risk themselves, with less knowledge.


> the victims are also individuals because banks passed the reputational risk of fraud to the customers

In that case I am not a victim of the fraudster, I am a victim of the bank.

The banks do not have sufficient incentive to improve their identification methods, so long as we tolerate the concept that we bear any responsibility for a transaction that involves only themselves and a fraudster who knows the answers to a few trivia questions about me.


It’s like defamation. If someone goes and spreads a bunch of terrible lies about you by pretending to be you… then you are their victim.

You’re not the victim of people who merely believe the lies and start to avoid you.


That's not a good analogy. If those people believe the fraudster and give them something... I'm not liable for whatever they gave that person. You're leaving out the most important part. Avoiding != Requiring something.


I think I was focusing on the fact that identity fraud ruins your credit score, so you can’t get loans and the such for yourself.

To me that was akin to being ostracized because your reputation was ruined by an impersonation.


But most victims of identity theft don't have to repay the loans. They just have ruined credit scores. So I think it's an excellent analogy


> The banks do not have sufficient incentive to improve their identification methods

On the contrary, they stand to risk 100% of the loaned money. What more could be at risk? Also the Fair Credit Reporting Act has pretty strict requirements for what a bank or credit agency should do when you’ve told them the debt is fraudulent, returning you to whole eventually.

What would be required to fix false identity frauds? Is that more or less tolerable for society than X% of people dealing with a stolen identity? What about people who have some problematic history (ran away from home, prior homeless, etc)? How would strict requirements impact them?

Really, I guess my question is: Oxygen_crisis, why do you believe identity theft is actually a problem that needs solving?


> It is bank fraud and imitation with the intent to abuse the reputation of the person imitated. It should be illegal to imitate you when it negatively hurts you.

I think the argument is that the hurt is generated by the bank. Why isn't it the bank's responsibility to have their shit together and not do that?


You are not wrong at all. There is a certain level of fraud tolerated by banks so that they can more easily make loans to people. It's the classic security vs. convenience trade-off.

Two big problems are:

1. If you happen to be one of the victims of the fraud, it hurts! Sometimes a lot! A lot more than it hurts the bank.

2. If you don't like the level of (in)security that the banks have chosen, what other options do you have? Right now I don't know, I think maybe Bitcoin is your best bet?


Even if I pretend for a minute to seriously believe Bitcoin is less susceptible to fraud, using a different financial product doesn't help since the entire fraud takes place without your participation in many cases. They can just as well open credit lines with banks you don't use as ones you do.


I don't see how bitcoin changes much, other than you have to convince CoinBase that it wasn't your identity. Bitcoin specifically tries to avoid being tied to identity.


> Bitcoin is your best bet?

Because nobody can take out a fraudulent loan in bitcoin? Well.. that’s probably accurate.

I’m just not sure how is bitcoin even the tiniest bit relevant in this case?


It might generate even cheaper credit if the banks were allowed to randomly seize your assets whenever they felt like it with no justification whatever, so long as you weren't one of the unlucky targets.


There seem to be stories in these comments that leave consumers as victims without there being any intentional imitation. e.g., the five year old child getting mortgage payment demands. Or the person struggling to get a mortgage because of someone else with the same name but different age.


Having your identity stolen and having your identity permanently removed are not identical actions. If I use a keylogger to grab your passwords and impersonate you in emails, forums, and so on then your identity is stolen, it's in use by someone else instead of you without consent for a period of time. This does not mean your identity has been removed from you permanently. This also does not mean your identity was always in your control just because the sites should have done more verification to see if it was you. It was still stolen but the fraud wasn't caught, and the lost money due to fraud falls between the criminal and 3rd party regardless independent of your identity being fraudulently used. Keep in mind that's how it is today, if your identity is stolen it is already the bank that eats the loss due to fraudulent lending.

If you still disagree please try to make an argument without mentioning banks. Identity theft covers a lot more than banking fraud so the explanation shouldn't explain how you want the term to be changed to something which focuses solely on banks.

The processes in place do suck. That has nothing to do with the name of the crime though.


> If you still disagree please try to make an argument without mentioning banks.

I don't think it's possible to avoid mentioning the banks. They are the ones committing the harm against you.

They are a stand-in for numerous other institutions who abuse you. You can take the name "bank" to mean any organization who is defrauded, and then abuses you to obtain repayment for that fraud.

I think it's important to recognize that this is a two-step process. The middle-man in this procedure is crucial, because they are the ones with a lot of power to use the legal system against you. If they were somebody other than a bank or other significant corporation, you'd be able to say, "No, I'm not the John Smith you gave money to. Go away and find that person." The imbalance makes it necessary to define the argument in terms of banks and similar institutions.


Criminal identity theft is one class of examples. An example scenario from this class is someone passes your identifiers off as theirs while committing a crime. Nobody was defrauded, no money exchanged, but you'll still want to report identity theft.

Claiming identity theft is precisely the process to notify the bank (or others) they cannot legally abuse you to get repayment for that fraud or you are not responsible for those crimes or whatever occurred on your behalf. Under identity theft laws they are responsible for the loss due to fraud, not you. The same as credit card companies. The legal system is used but as much by you saying "I didn't buy that house, clear my records and eat the losses" as by the bank initially saying "this person didn't pay their loan". To not involve the legal system by both parties just opens up an even worse can of worms of fraud.

One thing I do agree on is that anything that can reasonably be done to make the process easier on the victim of identity theft should be as the process is too hard on them right now. Probably more fines to most middlemen to increase the cost further beyond their losses. I just don't think changing the name of the crime has anything to do with that kind of improvement.


> If I use a keylogger to grab your passwords and impersonate you in emails, forums, and so on then your identity is stolen

This is actually a great example.

If you impersonate me in an e-mail and talk someone into sending a thousand dollars they owed me into some strange account, a reasonable victim isn't going to come to me and say "we're square now, because I paid that fraudster's account what I owed you."

Instead they should admit they made a mistake in assuming it was me based on suspiciously inadequate information and pursue the fraudster if they want their money back.


Identity can’t be stolen. You can be impersonated. I think the point they’re making is that it’s not the victim’s fault if someone is impersonating them. I would agree. It makes zero sense for the victim of impersonation to be held accountable in any way for the actions of the criminal.


There is just more than a singular definition of identity in English and one of them can't be stolen while several others can. Impersonation is one way of stealing one of those definitions identity theft refers to. This doesn't mean the definition of identity is simultaneously violated.

The victim of impersonation isn't held accountable for the action of the criminal, particularly with banks. That's precisely what identity theft laws protect. I'm in favor of making that process even easier for the victim wherever possible but changing the name is not that.


> identity, noun, The condition of being a certain person or thing.

Someone who steals my passwords can impersonate me, they can not become me. Someone who tricks people into thinking they are me is still not me. An account is not an identity.

My online accounts are not me, and I am not my online accounts.


There are many dictionary definitions of identity. Take Merriam-Webster:

"1a: the distinguishing character or personality of an individual

2: the condition of being the same with something described or asserted

3a: sameness of essential or generic character in different instances"

Or the Cambridge dictionary:

"a person's name and other facts about who they are:"

Of course, you're always welcome to intentionally pick the incorrect context (going back to Merriam-Webster):

"4: an equation that is satisfied for all values of the symbols"

And just as easily rant the name of the crime has nothing to do with math so it needs to be renamed.


If it's open to interpretation, you're choosing the worst interpretation.

How this is interpreted is the primary problem that needs to be solved in order to legislate the issue, and from the interpretations you're supporting, it seems you're firmly on the side of the parties failing to identify fraudsters correctly, versus the innocent individuals.


"Worst interpretation" isn't about matter of preference on which interpretation is moral rather intentionally choosing the least supportive definition as proof the phrase is a misnomer. Ignoring the Cambridge one, which seems to be post phrase, definitions like "sameness of essential or generic character in different instances" are very stealable things, even if another definition is not.

As I've stated I'm in favor of the individuals. When doing so, I like to stick to factual and logical reasons why instead of insist the root of the problem is the chosen definition of "identity" does not match my preferred one. The root of the problem is the current process for dealing with identity theft is more burdensome than it needs to be on individuals. If you change the name it's still too burdensome because, outside of you, everyone already interprets "identity" to mean what it should in this case. That the process is bad is not proof the interpretation of the phrase is bad and needs to be fixed, it's proof the process is bad and needs to be fixed.

Just because someone disagrees with one component of your stance does not mean they automatically agree with all opposing positions that followed from it.


What is stolen is information relied on for authentication, but using “identity” with that meaning is common, even in technology.

That is, after all, what an “identity provider” actually provides.


"Identity provider" in technology is something that should be disavowed heavily, too. Identity is hard to define, but it's definitely not something that should be provided, unless we're talking about assuming others' identities.

Giving up ownership of our own identities led to very harmful results.


You're confusing two concepts that share a word: Your identity in the sense of self worth and personal ideals, and other people's view of you, your identity to them - Their interpretation of the former, to some extent, but also their judgements on your trustworthiness.

It's the latter that's being stolen. It's a crime against both you and your friends and creditors.


Often, bankers themselves are the fraudsters.


Many people don’t know this but you also need to set up a freeze at https://nctue.com/consumers/

I had to deal with fraudsters getting cell phones and also electricity to their apartment.

Setting a freeze up here solved it.


> Q. Can I opt out of pre-approved offers based on NCTUE data?

> A. Yes. NCTUE provides information to companies that provide consumers with pre-approved offers of credit. If you would like to Opt-Out and exclude NCTUE information about you from being used in lists provided to companies that make pre-approved offers of credit (as provided in the Fair Credit Reporting Act), you may call us toll free at 1-888-327-4376.

> You may also submit your request via mail to NCTUE at the address below. Please include your name, address, Social Security number and date of birth in your request.

... well that is infuriating.


I wonder which is worse: not setting up a freeze and risk being the victim of identity theft, or setting up a freeze by submitting your info and risk having it stolen from NCTUE?


Thank you for this, I had no idea this was a thing. Out of curiosity how did you find out about this?


Maybe from here: https://www.equifax.com/business/data-network/nctue/

Seems to be an Equifax product.


I really don’t remember. But I kept getting people creating different accounts that I wouldn’t know about until it went to collections and dinged my credit. Took me a couple years to finally get it locked down. After 5ish police reports and FTC identity theft reports that all these energy/cell phone companies require for you to dispute.

It’s maddening that these companies give out service with wrong variations of my name and no ID but then want me to jump through hours of hoops to get it removed from collections.

Luckily I got it all resolved prior to rates shooting up so I was able to refi at all time low rates or this would have cost me a lot of money.


I've never taken on any debt in my life, would I still need to do this or am I fine since I've never initialized anything in the first place?


Yes, still worthwhile. The bureaus collect all sorts of information and attach it to you regardless of whether the information is even correctly attributed. A freeze might prevent some of that nonsense.

I had a difficult time getting loans to go to college many years ago. Come to find out my credit was through the floor due to all 3 agencies misattributing dozens of pages of bad loans to me starting when I was only a toddler. The middle initials & socials were 1 character off each, but it all still went to my name.

Unfortunately I didn't have the knowledge to freeze my credit when I was 3 years old - my fault, I should have known I would later suffer the consequences of my inaction.


You have to be the dumbest toddler I have ever met!

-

We need a financial revolution (which is what OWS was all about -- and you know how they responded to that - especially in SFO.... "people are mad at the FED!, so must remove all planter boxes in front of the SF FED and install giant granite bollards and update our lifting stop gate at the entrance - and we have to get our fed workers to stop bragging about their $30,000 a month bonuses loudly on BART (yes this is an actual thing)


Full stop, yes you should freeze.

Issue isn’t if you have debt or not. Credit rating agencies start tracking very early, and what they’ll track for you is basically “no data/low credit score.”

That doesn’t mean you’re not in the system, or more importantly - doesn’t mean an attacker can’t take out debt in your name.

A freeze is the only thing that stops this for you and your kids. I hate that it works this way but such is life.


That's a really good question that I don't know the answer to. I would guess that they have a file on you somehow – Utility bills? Landlords checking your credit? But I'm not confident enough to know what would be the best thing to do in that scenario.


In the US utilities are normally yet another credit reporting agency: https://www.consumerfinance.gov/consumer-tools/credit-report...


Somebody using your social security number and other information would be able to apply for credit. As soon as they do that, the bureau(s) called by the lender would have a file on "you".

The federal government requires that all three major bureaus (Experian, Equifax, TransUnion) provide you one credit report each per year, for free. You can request it here, the official source for these mandated free reports:

https://www.annualcreditreport.com/index.action


Thank you for the information, I'll look into this.


First, you should take this quiz by telling "us" your mother's maiden name, the name of the street you grew up on, your elementary school's name, the name of your first grade teacher, the name of your first pet, the make/model of your first car, and to help make sure we know it's you, please enter your SSN# which also helps keep all of this info from being confused with someone else. After all of that, please, continue to avoid taking on any debt. We will relieve you of that burden


Have you paid a utility bill? Signed up for a utility account? Had a credit check run for an apartment or made payments on a lease? You are probably in the system. Learn to play it before it plays you.


It doesn't matter that you don't take on debt. The point is to protect yourself from unscrupulous individuals who want you to take on debt on their behalf.


> I've never taken on any debt in my life

Why not? Do you ever anticipate getting a mortgage? If yes, then you probably should be.


Sadly, if they are under 35, they may never have the chance. Home ownership seems to be going the way of the Dodo.

But credit scores are used for apartment rentals, and even employment.


> if they are under 35, they may never have the chance. Home ownership seems to be going the way of the Dodo.

This is false.

Millennials are trailing previous generations a little, but > 50% of them now own homes:

https://rentalhousingjournal.com/more-than-50-percent-of-mil...


Hmm, given the average age of a millennial is ~33 the statistic and the claim (exaggerated as it is) don't necessarily need to be totally out of alignment.


The primary problem with this claim as it is usually presented is that it tends to ignore that earlier generations did not go from kindergarten to home ownership in a year: you grow up with your parents' generation's condition as "normal" when it actually represents 30-50 years of "accumulation".

So yeah, 10 years ago, very, very few millennials owned a home. But that was true for 23 year old boomers too.


You can look at that data too.

https://www.forbes.com/sites/katherinehamilton/2023/04/21/ge...

Millennials own less homes than boomers did at their age. Though based upon the data Gen Z is possibly turning things around.


Anecdotal though it is, most millennials I know that have houses only have them because they were inherited rather than purchased outright.


Out of my international circle of friends between twenty five and forty, only one outright owns their own house. And they have a high paying internal software development job for a big European company. The rest of us either split rent or live with family. Those of us in said circle living in the U.S. will likely never own houses because of what ChrismarshallNY below stated: The few places that aren't McMansions and aren't in HOA developments and thus are actually affordable are being bought by massive investment firms and flipped into being duplexes for rental.

Even the trailer parks aren't safe, as the companies buy them from the owners, evict all the tenants living in their own houses, and then develop the land into more unaffordable HOA clone mega houses, luxury apartments, or McMansions. Near where I live six of the eight trailer parks have disappeared in the last four years and have been turned into two separate campgrounds, a car wash, a dirt parking lot waiting to be redeveloped, a warehouse, and a new luxury senior apartment complex, with intent to redevelop the others into retail or housing shortly. There's been a spike in homelessness because the people living in these trailer homes couldn't afford to move their houses and didn't have anywhere left to go even if they could.


I see a few options with this sort of anecdote.

1. just ignore it, on the basis that the statistical data collected by many private organizations and the federal government say that it is incorrect.

2. as much as I hate quoting Bezos, he does have a good line about how, if anecdotes and data don't align, there's probably something wrong with the way the data is being measured and/or collected.

3. Accept that the data is correct, and that this sort of anecdotal reporting is also correct, but represents conditions that were also the case for previous generations yet somehow never became part of the zeitgeist.

I don't know which to choose. Maybe there are others.


See also:

"Most US millennials finally own homes – and it’s not thanks to their parents"

https://www.theguardian.com/us-news/2023/aug/17/millennial-h...


Also anecdotal, none of the millennial homeowners I know inherited them, but all are software developers.


Depends. These massive investment corporations are buying up houses like crazy.

I have a friend that works for one, and he's making a lot of money.

They come in, overbid, pay cash, and frequently spiff the agents (in a legal way).

Then they gut the place, and turn it into a pretty decent rental.


How does that relate to records of individual home ownership, by age?


Huh?

If you don't think these rental investment corporations are a problem, then I won't gainsay that. I just have some local IRL experience in the matter, and have seen it discussed.

I'm not in a debate. I made an offhand comment, which was not unique to me (it has been bandied about in popular culture for quite some time), you called it "false," in a fairly harsh manner, and I didn't attack back, because I like to behave myself, here.

If my offhand comment offended you, then I am sincerely sorry, and you have my apology, but it won't change the way I think or interact, and I'll likely offend again. I'm a decent person, and don't mean to offend, but I also have the approach I have, and some people find it offensive. I'm not sure why, because no one ever takes the time to explain. They just attack. I've learned not to attack back, and make my best guess at what their problem was. Given that data (my guess), I may (or may not) choose to modify my approach in future interactions.

In the aggregate, I yam what I yam, and some folks like it, and some folks don’t. Seems most folks find me easy to get along with.

No worries. It's all good. Have a great day!


I'm not offended, and I'm not attacking you.

You made a remark about millennial home ownership that, according to data collected by the relevant agencies, doesn't appear to be correct.

I just pointed out that millennial home ownership is only a little behind the age-adjusted levels for the last 4 "generations".

I think this is important - if the data is correct, then it's essentially a myth that millennials have no access to home ownership, and there's a certain kind of psycho-social danger to this idea being believed (particularly among millennials).

It is of course possible that the data is incorrect, or misleading, and I'm interested in that possibility, because the "story" about millennials and home ownership is widespread, and perhaps we should be alert to the idea that the data is not representing reality correctly.

Then you mentioned corporate residential real estate investment, which I certainly agree is a problem, but that seems orthogonal to the basic question of whether or not millennials do or do not own housing at roughly the same level as prior generations. I wondered if you saw some specific reason to mention it. If it were true that they do not, then certainly corporate RE investment could be a part of the reason. But it appears that in broad terms, they do, and so although it would be nice to end corporate RE investment somehow, it doesn't seem to be a particularly large problem.


It's worse for renters. Any arbitrary thing could cause them to be denied for a rental. Good luck fishing out what that is at each rental company/landlord.


I don't plan on ever getting a mortgage. I am extremely debt averse, I'd rather live frugally than essentially being a slave to the bank/creditor for years.


This will also impede your ability to get rentals.

I only take on debt I can immediately pay off (ie. credit card debt), but it still is important to demonstrate to creditors.


Do you have a credit card? That is technically debt.

If someone has your information, they can open a credit card under your name and max it out. Or even more common, they’ll get a car loan under your name. Since loans are furnished at the end of the day, they’ll often get 2 or 3 car loans in the same day.


I don't have a credit card, I only ever pay using cash or debit card directly from my bank account.


Like FB, LinkedIn etc the credit bureaux maintain a file on everyone they come across. So they likely have a file on you regardless.

In addition, in the US these files are used for other purposes than taking out a loan, for example renting an apartment, for some jobs, etc.

I recommend building up a credit history even if you don't need it now. You might later. There are plenty of articles on the web about how to start, basically getting a credit card (perhaps secured) and slowly building up your credit.

I am lucky enough to be a cash buyer. I tried to rent a house for a year a few months ago but my credit rating was not good enough. I have a couple of credit cards which I pay off every month (so good, my credit utilization is low) but by the rating companies' POV there wasn't enough to go on: not enough accounts, and no accounts apart from the CCs: no mortgage, no car payments etc. The fact that I'm a homeowner doesn't appear in the report.


Note that Experian runs their own protection racket called “Credit Lock” that is different from a freeze. It costs money. The freeze doesn’t cost money only because congress mandated that it be free. That’s right, these fuckwits are so irresponsible and greedy that congress actually got off their sorry asses and made a tiny piece of legislation that actually protects consumers.


But would freezing your credit in any way help with the problem identified in the article? (sale of your credit header data)

Specifically:

1. Would it prevent any future occurrences?

2. Would it do anything to help with the leaks that have already occurred?


Would a credit freeze prevent data brokers also accessing the credit header?


15 character max password at TransUnion... How outdated is their system?

And none of the 3 allow MFA via something else than text/email.


This should be taught to every high school senior before we let them off into the world.


Why is it not the default?


Save you a click: the secret weapon is paying a criminal on a Telegram group $15 to dox someone. The article is mostly about where the doxxing services are getting their data, which changes. TransUnion's TLOxp is a popular service right now.


Wait, you mean the data that any random company can access when I apply for a credit card or job is also available to other people with money but don't care if I agree to it first?


The article says that people pretend to be private investigators and the data companies don't confirm except 'remotely'.


Why should private investigators be allowed this information at all? As the name implies they are private individuals.


From the article... TU (and the other credit bureaus) decided your PII can be sold without much regulation. Despite laws that require credit reports to have tighter controls. They just say "it's not a credit report; it's just PII" and poof they're magically in the clear.



Because PIs are nominally regulated. It's a popular career with ex-cops who have investigative skills but are over the physical danger aspect of dealing with crime.


Anyone can become a PI in Colorado with just some business cards.


How else are credit bureaus going to make money other than selling this data?


Please tell me this is sarcasm


No, it is a real question. There is a consistent thread of bureaus selling to criminals. It's part of their revenue stream at this point. Doing anything that involved cutting back on this would threaten their profits.


I'm pretty confident that the parent is using sarcasm and fake surprise to illustrate how the point should be rather obvious that just any old person can get a credit report on another person because in reality the credit companies wouldn't have the capacity to validate the credentials of someone requesting the data without creating other significant disturbances such as making it nearly impossible to start a company. But this feels like a lot more words and doesn't actually convey as much as what you get when you have to internalize the rhetoric.

Honest question, is sarcasm dead?


In text sarcasm generally works best when it is either appropriate for the setting or it is blatantly obvious. If one employs it otherwise then being treated seriously should be expected. When in doubt many will opt to treat it as genuine since reacting to a serious comment as if it were sarcasm comes across as condescending.


> or it is blatantly obvious

It falls under this case.

First, we notice the comment isn't an actual question, as there is nothing to actually be answered. This is a clear indication that its usage is therefore that of rhetoric. This is likely why they didn't respond, as there was nothing informative you could say unless you are significantly updating the premise which is being mocked.

Second, the diction and pattern of the sentence matches a commonly used sarcastic pattern of "wait, you're saying x but y?!" and the only thing missing is a surprised pikachu gif. It even does this at an abstracted level as it emphasizes the arbitrariness of the entity requesting the information. The pattern is up there with "I have a modest proposal" and I am having difficulties in even coming up with a more prominent pattern. There are several prominent memes built off of this.

Third, it involves additional flair to indicate a mocking of the obviousness of the claim made by the article which is summed by the parent. The comment is quite pejorative, with a clear disdain for the lack of accountability of the credit agencies.

As far as sarcastic comments go, this is about as blatant as one can get. Even my sarcastic addendum ("Is sarcasm dead?") is less obvious than the comment. Similarly the sarcasm you are employing is far less obvious. But none necessitate vocal inflections. I think your detector is defunct and you may wish to take it in for repairs or an upgrade.

I also disagree with your interpretation of when sarcasm works and I would suggest a different strategy. Your strategy will have a high false positive rate and teach you to misidentify sarcasm rather than learn to identify it. If a comment appears reactionary and condescending without an abundantly clear question to answer, either assume sarcasm or bad faith. In the latter case, one should not engage as you're only encouraging hostility. Simply downvote and move on. If you are wrong, you have just downvoted a sarcastic comment (which may not be adding too much to the conversation, as is the case here), which also sends a signal to the user that they need to work on their sarcasm or save it for other forums. You can take a middle case and hedge by saying "I think this is sarcasm, but if not..." This also goes with a different strategy of not responding if you don't have much to contribute. If you don't have a clear question to answer then the only reasonable responses are to ignore or ask for clarification, lest you just create more noise. Internet conversations are well known to degrade easily and quickly.

We also should mention satire, as it is often employed. Satire's foundation is that of an alternative interpretation. The simple metric here is "would a reasonable person state this?" If there is any doubt to this, I suggest reading this document which describes the definition of satire while also making heavy use of it[0].

I mention that my addendum employs sarcasm, through exaggeration, but there is some real question to it, as lately I have seen severe identification even with the use of "modest proposals." Language itself is compression and if one is to take a literal interpretation of everything then you will be unable to accurately communicate and are likely to frequently enrage and annoy others. Due to the compressive nature, you will always be required to "read between the lines" otherwise even this sentence would be uninterpretable.

[0] https://www.supremecourt.gov/DocketPDF/22/22-293/242292/2022...


Translation: "I think I'm better than you for being better able to detect sarcasm, and, as the better being, I think you should adapt to me rather than I to you. I believe that I will always be a perfect sarcasm detector, and immune to any awkwardness or embarrassment from miscommunication. If lesser people are confused, I don't care."

>The simple metric here is "would a reasonable person state this?"

You're saying there's universal agreement over the set of statements that are considered reasonable? Check out /r/PoesLaw.

Oops, I mean: Yes, because there's universal agreement over the set of statements that are considered reasonable.

Oh, and in a parallel thread, an error I'm sure you would never make /s:

https://news.ycombinator.com/item?id=37226965


> Translation

Certainly not

That is quite divorced from what I wrote given that the model I presented is dependent upon accounting for modes of failure.

> Oh, and in a parallel thread, a error I'm sure you would never make /s

Quite the irony given littlestymaar is following a similar model as I am.


> First, we notice the comment isn't an actual question, as there is nothing to actually be answered.

You noticed. My answer got 11 upvotes so far, so I think it was far from obvious without a careful reading, which I did not give it.

> This is a clear indication that its usage is therefore that of rhetoric.

Rhetoric is the art of writing or speaking effectively. It does not mean 'a question which does not require an answer', which is a type of rhetorical device, but certainly not 'rhetoric'. I wouldn't bother mentioning this except you started the lecturing so I am proceeding in kind.

> This is likely why they didn't respond, as there was nothing informative you could say unless you are significantly updating the premise which is being mocked.

I don't try to ascertain the motives of people's non-responses. Guessing one option out of infinity seems like a losing game if you do it consistently.

> Second, the diction and pattern of the sentence matches a commonly used sarcastic pattern of "wait, you're saying x but y?!"

Sorry that I am not as up to date on meme phrasing as you are. Or maybe you are retrofitting a pattern after you already established it?

> As far as sarcastic comments go, this is about as blatant as one can get.

After re-reading it carefully, you may be correct.

> Even my sarcastic addendum ("Is sarcasm dead?") is less obvious than the comment.

You wrote 'honest question'. That is not sarcasm, not even a little bit. If you intended it to be, then I will absolutely call you a liar for using that terminology because some things should be taken literally and 'an honest question' is one of them. Like the 'biohazard' sign, it should never be used improperly, and if you are trying to press it into use as a non-literal phrasing, then I call you out and ask you to cease and desist.

> Similarly the sarcasm you are employing is far less obvious.

I have employed zero sarcasm in any of this correspondence. Perhaps your meter is faulty?

> I also disagree with your interpretation of when sarcasm works and I would suggest a different strategy.

Cool. I don't care.

> Language itself is compression and if one is to take a literal interpretation of everything then you will be unable to accurately communicate and are likely to frequently enrage and annoy others. Due to the compressive nature, you will always be required to "read between the lines" otherwise even this sentence would be uninterpretable.

And we must also account for non-perfect readings. The compressive nature of language means you are not reading every letter and every word all the time, you are fitting patterns and using previous experience to match them to correlations. This is an imperfect process. If your writing style cannot account for misreadings then I argue that you are doing it wrong.

Your pandering lecture has been noted and discarded.


As a European citizen, I love GDPR.


https://www.tlo.com/about-us

TLOxp is the latest version of the game-changing technology that ushered in the science of data fusion

  Who Uses TLOxp
  Collections
  TLOxp for Legal Professionals
  General Counsel
  TLOxp for Licensed Investigators
  Financial Services
  TLOxp for Insurance
  Corporate Risk
  Investigative Reporters
  TLOxp for Law Enforcement
  State, Local, and Federal Government
  Asset Recovery and Repossession


Some of the "people finder" type websites have most of the data they mentioned for free. I assume they source it from the credit bureaus because it had the same mistakes that I sometimes get asked to confirm when a financial institution is trying to verify my identity.

It's good to google yourself a couple times/year and file a request for those sites to remove you. Most of them do it fairly quickly.


If you want to be more aggressive, you can pay a service like Kanary that Googles you, submits removal requests, and then does a deeper search across data brokers and people search sites and submits removal requests as well.

It's unfortunate, but useful if keeping your info off these sites is important for safety/security. We're advocating for the CFPB to tighten regulation so this isn't such a challenge for people (and companies).

If interested in the technical challenges of scaling this, we're also hiring.


Cool service and I hope you do well. Feedback: it's a little expensive for me. I'd pay about $50/year for a scan every 3 months. I know you want the ARR but I'd also pay $15/scan. Then you could have an opt-in reminder option to remind me again in 1/2/3/4/5/6/etc months.


good feedback ty - we'd like to test a lower cost tier. This is very helpful and common feedback from folks who don't need as intense support as our earliest adopters.


+1 for Kanary.

The amount of time/effort/rage that goes into dealing with a stolen identity makes paying for this a no-brainer.


Why thank you!


I feel like this is a dismissive response to the article, as if there were some sort of “gotcha” clickbait going on. I perceive it to have delivered exactly what the headline promised: Doxxing (and worse) for sale using lightly regulated lookup tools provided by credit bureaus.

Was there something that diminishes these claims?


My post was a dismissive response to the clickbait headline, and thus the Hacker News topic name. I liked the article.


Wrong approach. Person's identity and authentication should not be based on the immutable and public information like social security number, driver's license number, address history, etc. There are many ways such information can leak and when it does it stays there forever. We need a proper digital ID, certification and conflict resolution mechanisms. It would not be cheap but the alternatives are costlier in the long run.


I don’t disagree, but if we build a digital ID the free internet will finally be permanently dead.


Not sure. Here in Denmark we have a digital id called "MitId" (my id). It is used for all kinds of official stuff, from looking at your prescriptions to signing real estate deals. But not for posting comments on random websites etc.


We have something similar in the US, actually. It's a Federal standard that states have been asked (told) to adhere to called REAL ID [0]. Hysterically, it was conceived by and pushed by the Ministry of Peace.

[0] https://www.dhs.gov/real-id


There's just about zero similarity between MitID and REAL ID. It's more similar to login.gov, but still not super close.


Don't zero knowledge maths give us a mechanism in theory to theoretically guarantee privacy and verity?

In practice, I agree with your conclusion as the likely course of action.


100% possible technically, and some countries may have/may already have had success in this area. Sadly, at least according to our popular narrative, America was founded on the principle of extreme distrust of the government. Combine that with mass ignorance and a technological solution to these issues becomes impossible politically.

We only even have SSL because no governments needed to be convinced to approve of it, and the list of operating system and browser vendors is so short that it became possible to essentially self-organize a set of generally-trusted root certificates.


Agree re struggling with implementation.. Zero knowledge stuff seems impossible on the surface so explaining it to political folks is extremely difficult as I have first hand experience with. "Guaranteeing I've paid my taxes without revealing anything else about my finances" tends to get them to listen up long enough for me to explain it to them most of the time though.

Re govt distrust, not uniformly. As my older leftist friends remind me they grew up in a time where they thought anything was possible for their government to do, with enough protest they could get the civil rights act, the voting act, the infrastructure spending , etc with all their dreams on the horizon. Then a few people got a little too loud about ending poverty and other more ""radical"" progressive stuff and got killed for it. But it is possible, we've just been beat down for 50 years by neoliberal austerity politics.

Very interesting stuff re SSL. Any book recommendations you might have on the history of stuff like that? How security standards manifested and became adopted? from https to aes to pgp I vaguely know about all these things but would love to read more. I thoroughly enjoyed chip wars and master switch and stuff in that vein.


I appreciate the perspective you've shared about the longer-term history. That's good to keep in mind when I start feeling too cynical/hopeless.

As for books, I wish I did have a recommendation but haven't read anything matching that description.


As I have taught my children: there are so many cameras around you are always being watched, or can be traced through cameras. As for the "free internet", I told my kids it's already fucking dead.


The free internet died the second that Google bought doubleclick.


In practice for recent bank and brokerage account opening they seem to have moved to take a pic of your passport and then take a selfie or vid of you holding said passport. Bit of a pain but quite hard to hack. Of course it doesn't work if you don't have a passport or comparable ID.


Identity thieves would love a system that let them completely take over someone’s identity in event of a compromise.

Can you imagine trying to get a loan and discovering that your identity has been cancelled and someone else has taken it over now?


> “On the very rare occasion where we confirm misuse of TLOxp, we coordinate with law enforcement to help prosecute those responsible,” TransUnion added.

This is categorically false.

I've had transunion hand my entire credit report over to hackers who had nothing but public information, and transunion absolutely do not give a shit.


I hope you can coordinate with law enforcement to help prosecute those at TransUnion responsible...


law enforcement largely do not care either


Largely? They give absolutely zero shits.


Put some of their names into these services. Cops, feds. Lookup some high-profile court cases, see if you can get names of witnesses.

Now let's see if they care.


If they start to care they'll shoot the messenger which in this case is you. Don't poke the bear.


This is why someone who has a large stage should do it, like a journalist or a performer or a politician. They can't come after them without Streisand effecting it.


They really enjoy laughing at you.


So in a sense they do care :)


"Well, they forced my hand, I'm going to call the police..."

https://youtu.be/lehmQ5mUveg?t=20s


I bet if there were meaningful consequences for sloppy custody of data (i.e. fines large enough to hurt, as opposed to the "LOL whoopsie doopsie have some free credit monitoring" nonsense), credit bureaus would clean up their act. I do not anticipate this happening anytime soon.


Free credit monitoring for a year, then auto-renews at $89.99/yr after that. Oh, and to sign up for credit monitoring you have to share even more personal data with them, but they pinky promise not to lose it this time.


Exactly, what reason do they have for being more careful if there's nothing to lose and everything to gain for them?


If you have the means, perhaps a civil suit against TransUnion for their tortious actions is appropriate. Of course, it's a gigantic hassle.



>transunion absolutely do not give a shit.

I'm sure they would respond to a subpoena if you were willing to work with an attorney


The GP would need to see if they have ever used any Transunion service. There is probably a click-wrap agreement that you can't sue for basically any reason. Maybe it will go to arbitration, where they won't do squat for regular people.


I mean, you can literally sue anyone for any reason. There is no agreement you can sign that could possibly stop you.


They even say so themselves; "on the very rare occasion where we confirm misuse."

They're not saying anything about how much they care about or follow up on confirmation.


It can be true if they intentionally never confirm any or even investigate potential misuse


Your grievance is misguided.

Transunion can't do shit about some Belarusian teenager stealing your identity any more than anybody can indict them for deploying ransomware on government networks. The framework for prosecution of international cybercrime does not exist.

Domestically, Transunion absolutely will shut down access to data furnishers who do not vet employees, in cases where an employee is bored and looking up their exes and random celebrities. It is a violation of the FCRA and subjects the bureau and the furnisher to fines. The bored employee scenario usually just results in termination but if there are other factors at play like identity theft/fraud, law enforcement absolutely gets involved.

This rogue employee scenario is the mechanic I'm guessing is being exploited here, only it seems crowdsourced to obfuscate attribution (so one person isn't making hundreds of fraudulent requests that gets them noticed).

This stuff happens at Equifax all the time too. People are always trying to look up Donald Trump, athletes and rappers in misguided attempts to see how much money they have or where they live. (Celebs have taken to getting around this by buying properties in relatives' names.)


> Your grievance is misguided.

I'm not sure what makes you think that, given you don't know any of the details involved.

In my case, TransUnion received credit checks for me with dates of birth 1 Jan, 2 Jan, 3 Jan, 4 Jan and so on until they hit upon my date of birth, then a credit account was opened that same day, then later in the day a third party credit monitoring agency accessed my credit report and they were allowed to pass 'knowledge based authentication' using their knowledge of that credit account.

I am completely sure TransUnion could have detected and foiled this incredibly obvious attack. I'm also completely sure they could have identified other victims of the same attackers and informed them, but they chose not to.
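An added example, not part of the comment above and not any bureau's actual system: detection logic for the pattern the commenter describes, where inquiries against one consumer file cycle through dates of birth until one matches. The record fields, thresholds and sample inquiries are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Inquiry:
    # Hypothetical inquiry-log record; field names are assumptions.
    ts: datetime
    subject_id: str      # the consumer file the inquiry resolved against
    requester: str       # subscriber / account that sent the inquiry
    dob_supplied: date   # date of birth supplied with the request
    matched: bool        # True if the supplied DOB matched the file


def longest_consecutive_run(dobs):
    """Length of the longest run of calendar-consecutive dates in dobs."""
    days = sorted({d.toordinal() for d in dobs})
    best = run = 1 if days else 0
    for prev, cur in zip(days, days[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best


def detect_dob_enumeration(inquiries, window=timedelta(hours=24), max_wrong=3):
    """Flag consumer files that received several distinct wrong DOBs in a window.

    Inquiries are grouped by the file being queried, not by requester, so
    guesses spread across several requesters still add up on one file.
    """
    by_subject = defaultdict(list)
    for q in sorted(inquiries, key=lambda q: q.ts):
        by_subject[q.subject_id].append(q)

    alerts = []
    for subject, qs in by_subject.items():
        for i, first in enumerate(qs):
            win = [q for q in qs[i:] if q.ts - first.ts <= window]
            wrong = {q.dob_supplied for q in win if not q.matched}
            if len(wrong) < max_wrong:
                continue
            last_wrong = max(q.ts for q in win if not q.matched)
            alerts.append({
                "subject_id": subject,
                "distinct_wrong_dobs": len(wrong),
                "consecutive_run": longest_consecutive_run(wrong),
                "requesters": sorted({q.requester for q in win}),
                # A match right after a string of misses means the guessing
                # worked: the file should be locked and the consumer notified.
                "guess_succeeded": any(
                    q.matched and q.ts > last_wrong for q in win
                ),
            })
            break  # one alert per consumer file
    return alerts


def build_sample():
    """Constructed sample data: file-A is enumerated, file-B is a single typo."""
    t0 = datetime(2023, 1, 10, 9, 0)
    rows = [
        Inquiry(t0 + timedelta(minutes=10 * n), "file-A", f"req-{1 + n % 2}",
                date(1980, 1, 1 + n), matched=(n == 4))
        for n in range(5)
    ]
    rows.append(Inquiry(t0, "file-B", "req-3", date(1975, 6, 13), False))
    rows.append(Inquiry(t0 + timedelta(minutes=2), "file-B", "req-3",
                        date(1975, 6, 30), True))
    return rows


SAMPLE_INQUIRIES = build_sample()

if __name__ == "__main__":
    for alert in detect_dob_enumeration(SAMPLE_INQUIRIES):
        print(alert)
```
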


TransUnion also has full control over what authentication mechanism they use. On the extreme end, they could require a Yubikey to be used. However, they deem the hassle to implement better auth not to be worth it while it's users who carry the cost of TransUnion's inability to properly authenticate people.


They also see zero reason to spend even a dime on better security of processes when they saw that the entire company could be pwned and distributed on the dark web and you end up losing zero revenue, maybe a million bucks in a class action suit.


Are they vulnerable to SSPR Abuse? I'm having great fun reporting to Very Large Services and being rebuffed because they don't understand or care.


> I am completely sure TransUnion could have detected and foiled this incredibly obvious attack. I'm also completely sure they could have identified other victims of the same attackers and informed them, but they chose not to.

It's entirely possible that nobody at TransUnion knows how to achieve this given the state of their databases and/or staff. For example, maybe their system was set up before constraints were a thing and they stopped development once it started printing money, so the only person "working" on it does light maintenance as a portion of their other duties.


KBA must die.


> Transunion can't do shit

They can but they don't. There being no framework for prosecution doesn't mean it's impossible to not hand out data to anybody that asks with minimal info provided.


That kind of unbounded massive privacy violation would result in million € fines (if not dozens or hundreds of millions) under GDPR law. And it was already not possible at scale in major European countries before GDPR. What permits it to happen in the USA at scale is that the baseline of protections is so low compared to Europe. Depending on the state it is getting better, but there is still this culture about making massive files on everybody about everything and then selling them to anybody who asks and pays. Such databases are often forbidden in Europe to begin with because we think of what could happen if they are misused.

The notion that the fault would completely be on a "Belarusian teenager stealing your identity" and no responsibility whatsoever on people organising a system of massive private data collection in the first place, and then not even able to keep such data secure, is ludicrous. And even when you know that privacy invasion is attempted all the time you don't reach the conclusion that at the very least better securing the data would be needed, that task I'm not sure can be done by any "Belarusian teenager" - and that task has de facto not been done by whoever is collecting and maintaining the private data that has leaked and is still leaking.


> That kind of unbounded massive privacy violation would result in million € fines (if not dozens or hundreds of millions) under GDPR law

No they wouldn't. GDPR enforcement is severely lacking and the regulators tasked with enforcing it are either incompetent or corrupt.


If they aren't responsible enough to handle the data, then they shouldn't have it in the first place. The end. Fine them out of existence if they hand over PII to random 3rd parties.


lolwut?

The criminal made a false request for credit report. TU released the credit history without confirming ID. The bank relied on that credit report to extend credit.

The problem is, as a whole, ruining the credit of a few thousand people/year (and making them jump through hoops to regain their ID) is less costly than clamping down. TU absolutely contributes to the problem; they just have no incentive to fix it.


Here is another thing I despise about these Credit Bureaus.

I've walked into Commercial Real Estate brokerages where every single broker had a license to a credit bureau - with many of the junior brokers using it daily to look up real estate owners to call their mobile phones.

Obviously TLO knows there's no way a huge chunk of the CRE brokerage industry should be in their product on a daily basis if they were actually using a GLBA compliant use case... and they look the other way and find a way to monetize.

You really don't need to go digging in some dark corner of the internet to obtain this information... you can walk in through the front door.


"It's not a data breach if you collect money from the criminals for the data. Then it's a service offering."

- Credit bureaus


Just a reminder to never give private info to someone who calls you, even if they seem to have a lot of your private data already to "prove they are legit".

Always call back on a number you look up, not one that they give you.


Also, don't call from the same phone you received the call on, if on a landline. One time (I can't find the reference) scammers called from the bank, suggested the person called back to the number on their credit card. The person hung up, picked up, and the scammers had held the line, played a fake dial tone, and had someone else "pick up".


In USA telephones, unless you timetravel to "party lines" (when sets of local numbers had the same line, so picking up while a call was in use allowed people to listen or join in), hanging up any one end of a line disconnects the departing user from the call.

If the described scam happened, it should have required a simultaneous fault in the phone system. Or more likely, the scammer played a recorded sound of a disconnect+dialtone, which could trick the target into dialing.


This is incorrect at least on Bell Atlantic's (and then Verizon's) network in the late 90s. Since there is no double-billing on landlines in the US, the person initiating the call is the only one that can immediately terminate a call to a landline. There's a timeout for the reverse direction, but it at least used to be fairly long.

Someone pulled a trick where they took advantage of this. Had a friend call and keep the line open. Then claim that you have the entire phone book memorized. To prove it, ask someone to name a random name, punch in 7 digits and hand it off to the person who named it. They ask for the name and your friend says "yes that's me" (or "they're not home now" if the gender mismatches).


> There's a timeout for the reverse direction, but it at least used to be fairly long.

This brings up one of those cultural things: ever noticed how in movies and TV shows from the 80s and 90s, if the caller hung up, the person called immediately got a dial tone?

It's a trope that prop wranglers, set designers, and writers picked up because the telephone company around Los Angeles (Pacific Bell) had switches that would reset the line state for the destination back to "ready for call", which meant dial tone, when the origin side disconnected. If the destination side disconnected, the origin would only be disconnected after approximately 20 seconds.

Almost all other exchanges would put the destination--after the origin disconnects--into an off-hook-but-not-ready and then, after 10 or so seconds, play the "if you'd like to make a call, please hang up and try again" recording, then Special Information Tones, then a rapid busy.

Yet because the service in and around LA is what a lot of people in the TV and movie business experienced, it is what got baked into those productions.


> rapid busy

I was a rather violent sleeper when I was young and would occasionally knock the phone off the hook while sleeping. Then I woke up to the fairly loud rapid busy sound. Hadn't thought about that a while.


Interesting. I always assumed that the immediate dial tone after origin disconnected in movies & TV was for dramatic effect to let watchers know that the person hung up the phone.


Now that you mention it, I did vaguely use to wonder why some phones took longer to hang up than others. Some, I would hear the receiver go onto its rest, and 'immediately' hear a dial tone. Some, it took a few seconds.

Related to what some other commenters pointed out…

- The delay did seem to get longer when call-waiting became available in an area.

- Sometimes, right after pressing your own hook and then releasing it, I could not dial; I had to wait a couple seconds.

- I never used a system where you could hang up and have time to run to another extension, but I may have known a couple people who claimed they could? If so, I probably dismissed it as "weird".

- My direct experiences were with various regions of just three Bells, so another commenter's remarks about LA/PacBell were interesting.

Thanks, everybody, for jogging my memory a bit.


The time required for a good hangup might vary a little bit from exchange to exchange. I recall occasionally being able to transfer to different handsets hanging up one before picking up the other. But not to the extent reported in some anecdotes where one end can hold the call open indefinitely.


This is definitely true. I remember being able to quickly press and release the hangup button on a single phone and if I was quick enough the other person would remain on the line. I don't recall exactly where the threshold was, but I believe it was around a half a second or so.


I remember being able to hang up the phone in one room, run to the next room, and pick up the phone and continue the conversation. My friends and I did this on several occasions. This was in the Atlanta area, in the late 1980s.


Rapidly pressing and releasing the hang up button simulates pulse (as opposed to tone) dialing used by rotary phones.


IIRC, the originating party's on-hook will immediately disconnect the call, while if the receiving party goes on-hook, there is a short but significant delay before disconnect is finalized.

This may have something to do with service offerings such as call-waiting and 3-way, which depend on detecting a "flash" signal.


I believe that potential exploit only work(s|ed) in the UK telephone network, and maybe those of countries developed in parallel using similar technology. Either way, it is a zero-cost precaution so you might as well do it just in case.


What? Where do phones work like that? Isn't it enough for one party to hang up for the call to be over?


They used to operate this way in the UK - the line would stay occupied until the call initiator hung up. We used to play with this when I was a kid, but I've not had a landline since early 2000s, so I've no idea if this survived the transition to digital exchanges. TBH I doubt it, and I know lots of people complained about it, because it was really annoying if someone who'd called you hadn't hung up properly as then you couldn't make any further calls yourself.


Who answers phone calls, let alone from unknown numbers, these days?


I do. My mom is terminally ill with cancer and most all of the caregivers, physical therapy, palliative care, pharmacy, oncologist, etc still use good old telephone calls to communicate. Sometimes it comes from a predictable number I can put in my contacts list, but not always. So I turned off the call blocking on my phone so I don't miss important calls.


I have a lot of medical appointments these days and it's a nightmare how many offices insist on communicating over the phone, calling from a different number than the original one I found. All phone calls must be considered personal attacks until proven otherwise.


My new insurance company cajoled me into "opting in" to their SMS spam for a $100 gift card, but evidently I didn't even need to consent to voice spam.

Thankfully, their CID is "Unknown/Unknown" and my spamblock sends it direct to voicemail.


I do. I have to. I get lots of important calls from numbers that I don't know. I have a call screener but the scammers play along with that.

I'd say anyone who is involved in anything outside of work probably has to answer phone calls.


I'm "involved" in plenty outside of work, with an active social life, including regularly meeting new people, volunteering, and more.

I can't remember the last time I got a legitimate phone call except from work. It's been several years at the very least.


It's not very practical for a lot of people to decide that they just won't be available by phone.


I keep my phone on silent 24/7 except for the very rare occasions when I'm expecting a call I don't want to miss.

Sometimes I notice the screen when someone calls, otherwise I call back when I next notice the phone, usually within an hour. If they're busy then, I just send a message instead.


I used a paid app to block the whole entire area code my number is from because 99.999% of the spam calls I got were from there. The phone app is in the "Notification Jail" folder 3 pages deep on my phone.

Getting a call and being like "I don't use my phone for that." and ignoring it is a realistic description. Now it hardly ever rings, but it's still spam 85% of the time.


This has nothing to do with that

Everyone is vulnerable to what this article is about


The reason it is relevant is because after the scammer gets your details, they call you and say they are they bank and need to verify some information, and then you trust them because they seem to have details that only the bank should have.

Then you confirm the scammer got good info.


IMHO this is only going to get worse from here. There are piles of data that simply have not been categorized because no one cared enough about it. Now a good LLM will do that for you.


That whole industry needs to be banned. Courts should record loan defaults, and make that information available to creditors. Nothing else should be in the report.

Lenders already require independent verification of income and (for mortgages) monthly expenses.

The rest of the information that’s in your report and that is used to compute your credit score seems to be there to force people to get credit cards and to perpetuate systemic racism.


This stuff was apparent 20 years ago when PIs gave talks at hacker cons telling them all the legal ways you could get any information you ever wanted. If you Google around there are 500 online services (public companies, not hackers) to dig up private info for a small fee. I guess somebody just finally made a bot to make it easier.

Articles like this read to a hacker like an article that door locks aren't secure.


On a tangential note, slightly less than 20 years ago I got a phone call from an ex of a girl I was seeing at the time telling me to back off. All he had to go on was my name and what college I went to. I asked him how he got my number, he said he used a service like you're describing. This has never been particularly hard for someone who was determined.


I mean even whitepages.com surfaces and aggregates quite a bit of public data if you buy their $20 background check, and all you need is the person's phone number.


A lot of the deep web stuff has gone behind $20 or so paywalls so I haven't looked in a while. But, yeah, even 20 years ago it was obvious that by knowing very little about a person, especially if their name wasn't very common, you could find a huge amount of information about them.


Has anyone ever used that DeleteMe [1] service the article mentions? It's not very cheap, and I'm wondering the value or if anyone has any first hand 2 cents on using it?

[1]: https://joindeleteme.com/


I have not used DeleteMe, but I’ve used Optery [0], which does seem to at least reduce my information footprint.

Consumer Reports also provides a free service called Permission Slip [1] that auto-submits opt-out requests for a variety of retailers/services as well as data brokers.

It is difficult to tell how effective these services are, but if nothing else, I’d prefer to minimize my footprint as much as possible. I don’t think this does much to help with the credit bureaus, though.

We desperately need real privacy laws with teeth.

- [0] https://www.optery.com/

- [1] https://www.permissionslipcr.com/


is permission slip available as a service, vs an app?

forcing users to install apps, which can harvest much more personal data, seems sketchy to me, especially for a service that's supposed to understand that the user doesn't want that


I’ve only interacted through the app so I’m not sure if there’s a web interface. That said, the fact that this is a service by Consumer Reports carries some weight, and the privacy label in the App Store shows minimal information collected.

I haven’t combed through the privacy policy on their website, but the way I see it, I’m not worse off by sharing a few bits of data with CR, and as far as I can tell, they’re not doing obviously nefarious things.


I've been using it for a few years and am a happy customer. However - what deleteme does is remove you from "Spokeo"-type websites, it will do nothing to protect you against the issue in this article, which is people buying your data from the credit bureaus.


I think the concept of "Remove yourself from all major data broker websites for 1 year." is what worries me, like do they just resubmit your info once you stop paying? Do I just have to pay for this until forever? haha Or do you think you could get away with paying for a year, then again in like 5-10 years after you cancel the first year?


They don’t resubmit your data, but they’ll stop actively removing it from websites where it gets published.


I wonder how often or how fast it would get back on there once it stops being removed? Maybe with the typical life events that trigger it? Buying a house, new drivers license, etc. etc.


Yes exactly. I don't know much about deleteme but I know a decent amount about the aggregation and reselling of data. Any time an event happens with some entity they will sell/contribute your information to a data aggregator which puts it everywhere. So if you buy a house or get a credit card or a loan, your info is back.

If you want to be horrified, use a different email address for each service. I have a domain that I configured to forward to me, so for example if I got a loan through Hacker News Home Loans, I'd give them email "hackernewshomeloans@example.com" . Doesn't work for everything, but it is a good eye opener.


My credit monitoring services will search for an email address, but not for wildcards...


That's quite unfortunate, it would probably be easy for them to add support for matching all domains, but I doubt anyone asks for that.

IIWM I think the benefits outweigh the cons of dropping the monitoring, but others may have different situations/priorities.


> Submit personal information for removal from search engines.

This sounds very much like trusting a fox to guard the henhouse. What do they then do with the submitted personal information? Why should we trust that they will behave ethically with it? What happens if, and when, they have a data breach?


> This sounds very much like trusting a fox to guard the henhouse. What do they then do with the submitted personal information? Why should we trust that they will behave ethically with it? What happens if, and when, they have a data breach?

They have no incentive to behave incorrectly as all their business is based on trust.

https://help.joindeleteme.com/hc/en-us/articles/817118498523...


Trust seems cheap when individuals often just close shop and move on.


Does not factor out data breaches. And "our business is based on trust" also has the caveat of "for now". What if they're bought out?


> Does not factor out data breaches. And "our business is based on trust" also has the caveat of "for now". What if they're bought out?

Then nobody knows. "What if?" works for literally anything anywhere and nobody can respond to all of them, so I’m not sure what you’re expecting here.


I'm not expecting anything, I'm just pointing out that handing over personal data to have your personal data deleted may not be the most sound idea.


Has anyone collected a list of data brokers to opt out yourself?


We've written about the need for policy reform in the US. https://www.kanary.com/blog/privacy-protection-through-regul...

And offer a deleteme-like service with broad coverage and an affordable rate for removals and monitoring. We received a grant from YC for our work in 2019.

https://www.kanary.com/


I had DeleteMe for a year. It was pretty good but for whatever reason "whitepages . com" would continue to publish all of my PII and even DeleteMe couldn't take care of it.


Not this one but there is a YC W22 company called Optery [1] that does something similar and it works really well.

[1]: https://www.optery.com


I’d never heard of it but it certainly comes up often in the article. Feels like something DoNotPay will offer soon, if it doesn’t already.


Interestingly, you actually never get signed up for these credit services until you get a credit card. So all the things people tell you “build credit” (eg: pay your bills on time, pay your rent, etc.) don’t actually “do” anything. There’s no credit score to attach to them, so they just go off into the ether. I built credit a bit late in life and it was a struggle to get started. At this point, I kind of wish I’d just avoided building credit altogether. I wouldn’t be in any of these systems.


This isn't the case. You get signed up for these credit services when anyone makes reports about you to them. This can be, for example, your landlord. Paying rent does not indeed affect a credit score, but credit scores are separate products from credit reports. You have a right to your credit report annually, but you have no right to know your FICO (or other such) credit score; they're proprietary products.

Basically, these companies will build profiles on anyone whose information gets reported to them, even if those profiles do not include a credit score.


Not having credit means you’ll never get a mortgage, auto loan, etc.


Some lenders still do "manual underwriting" for mortgages.

So instead of blindly trusting your credit score as the measure of your ability to repay a loan, a human looks at your situation - income, other debts, etc, and makes a judgement call. It's more paperwork and slower, but it definitely exists.


You can get a mortgage without a credit score. It is called manual underwriting.


So if you don't anticipate needing a mortgage or car loan, could you get rid of credit cards and perhaps cut down your online footprint? The question is how you would pay for stuff — are debit cards just as bad? Cash is being phased out at some stores so that's not always an option. I guess you could load up my Apple Pay straight from your bank and use that instead of a credit card?


Debit cards are (typically) connected to a checking account, and most banks and credit unions use the credit reporting agency ChexSystems to check for a history of checking account infractions and report infractions there as well. However, accounts in good standing aren't typically reported. So once your account opening falls off the report, assuming you don't kite checks or overdraft, your report will be empty. I think overdrafts likely need to be frequent or left unresolved for a long enough time to get on your report too, but I'm not 100% sure.

Some banks will run a credit report from other agencies while opening too, but if you don't ask for or refuse any credit cards offered, you should have an empty report from them, once everything falls off.


Interesting! So what you're giving up is the 2% cash back, and purchase protection that credit cards offer, in exchange for having privacy?


Yeah, debit cards interchange is much lower as I understand it, so there's no room to give big rewards. I think purchase protection is, in theory, equivalent or close, but debit cards presume the transaction is good and hold your money, whereas credit cards are more of a review your bill and decide if you're going to pay.

But if you don't want to have a credit profile, then you can't use credit.


At least one debit card kicks back 1%. Look around.


Drivers license ID numbers in many states are almost public: they're deterministically generated from basic personal information. You therefore can't use a drivers license ID number as a secure identifier anyways.


> they're deterministically generated from basic personal information

This used to be true, including in my state (Washington), but as of the last few years, I believe all states upon renewal of licenses now give you a non-deterministic license number.


It's been a minute (I think I renew this year) but my driver license ID is still soundex-encoded.


My last name is soundex-encoded as the first 4 of my Illinois license, issued 18 months ago, but I don't recognize anything deterministic about the last 8


They also provide social security numbers.

What really sucks is you can't practice good hygiene and preemptively update your SSN periodically. You have to wait until your identity is stolen first.


The more you use your own identity, the more possibilities there are for an attacker to compromise you. So ideally.. don’t use credit. But even criminals need credit too, so they craft synthetic identities and use these as proxies to operate in, without ever using their real identity. The entire system is broken, and at this point you’re better off joining the criminals in using synthetic identities too.


>A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their drivers’ license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.

Other than SSN, I don't find most of the information listed very concerning. Addresses, phone numbers, emails are semi-public anyways, considering that you hand them out anytime you make a purchase online. I'm not sure what bad stuff you can do with a drivers license id. Date of birth/relatives seems like something that can be sourced from public records (eg. voter roll). I'd prefer it if there weren't a telegram bot that dispenses all this for $15, but it's not exactly super privileged either.


"...the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement."

...

"“Of all the entities that are the root cause of this data, “the credit bureaus are number one,” Shavell added. “They are the ones that should be subject to the strictest compliance and ultimately be held to a higher privacy standard by the federal government and by state governments than they are being,” he said."

TLDR: People are using social engineering attacks to gain access to data brokers' tools that tap credit bureaus' profiles of everyone. There are no incentives for the companies in this supply chain to perform adequate due diligence before granting access to the data.


It isn't even social engineering because the credit bureaus are for-profit entities and want to sell any data they have to the highest bidder. Right now, the cost of a (subset of a) single user's data on the competitive market between the three terrible companies is roughly as low as $15.

This isn't a "bug", it's a "feature" to these companies' profit models. It's maybe a bug in the American system that so much of this data is in the hands of for-profit companies running a race-to-the-bottom auction on it.


It's even lower than that. It's $15 for a third party to purchase that information, and sell it to you at a profit to that middleman.


I am from India and the credit bureau world here is Kafkaesque.

Even to get the attention of a credit bureau you’ve to be their paid customer. A new loan in your name which didn’t even turn up in your dream? They helpfully tell you to contact the org that issued the loan. A card that’s not yours? Nope, not your problem. You can’t even tell them to delete your data altogether even if you’re fine working zero credit history.

Even to get your own data that they got without your informed consent you’ve to pay!

There seems to be no venue! And suddenly one day I realise there’s yet another credit bureau and they have all my data! Amazing!

Their infra even feels so sketchy that you kinda know it can be hacked the moment someone tries.

As for freezing as some suggest, unfreezing is even worse. Besides it just doesn’t protect in case of data breach in any shape or form.

This is one field where I hope government regulates deep and hard into their collective bottom.


> Senator Ron Wyden told 404 Media in a statement that “These companies have demonstrated that they can't control who has access to their data products. The government needs to stop these companies from packaging and selling our personal information, and the senior executives that put profit over national security and Americans' safety should be punished accordingly.”

I'm amazed that the quote from a politician is the most even handed substantive part of this article. The rest of the article is essentially scaremongering a misguided narrative around "criminals" gaining access to surveillance databases, when the real problem is the uncontrollable and unaccountable surveillance databases existing in the first place. The US desperately needs a port of the GDPR to give us data subjects the rights to control and prevent dossiers being kept on us.


Credit bureaus should be illegal. You can’t opt out of them and they take no responsibility in protecting you. How is it that every tech company has to abide by all kinds of rules re: PII, but they get to do whatever they like?


It is a public subsidy to lenders so they can profit from lower costs of not having to do proper due diligence.

If a lender claims you borrowed money, and they cannot conclusively prove it was you, it should be their problem and their problem alone.

The fact that you have to prove you did not borrow money because a lender says your social security number was inputted into a form is a travesty.


“Identity theft” is the biggest PR win since “jaywalking”. Nothing has been stolen from me, I am still me. Someone claiming to have my credit history took money from a lender and they believed them.


Identity theft is private companies not doing their jobs. Pretty much no other country has this problem because in order to get credit, you need to prove who you are by providing supporting documentation which is not easy to forge and it is the responsibility of the lender to verify the documentation. And if they don’t, it’s their problem, not yours.


Also, in most other countries the government provides identity verification.

In the form of government issued IDs and lately some governments even provide something digital.

The US government doesn't provide that.


I'm sorry? Every single state in the US has government-provided identification.


None of it is mandatory - there are plenty of people in the US without any government provided identification and it costs money to acquire such an ID.

The only one you can't really dodge is a birth certificate.


Why doesn't anyone check it then?


Even with RealID, state-issued IDs aren't intended to be general proof of ID. It's pretty weird - they're ok for domestic travel and entering federal facilities, so you'd think they were a good general purpose ID, but they explicitly aren't that.


> they're ok for domestic travel

No ID is required for domestic travel, even at big airports. Just be pleasant and explain that you misplaced it. I have misplaced ID several times, and only once I signed a piece of paper which roughly said that I am I because I say so.


For now. Though that can has been kicked down the road, the latest drop dead date is May 7, 2025:

> On May 7, 2025, U.S. travelers must be REAL ID compliant to board domestic flights and access certain federal facilities.

Source: https://www.dhs.gov/real-id


I was utterly shocked 5 or 6 years ago when I somehow managed to lose my driver's license between my curbside dropoff and the airport door. To this day no idea what happened.

Normally, I'd have had my backup travel ID/credit card/cash kit but, hey, this was a last minute couple night trip so I went light.

Figured that was that. But as it turned out really wasn't a major issue much to my surprise.

What was an issue was getting checked into the hotel I had been able to find for the event near the airport (Travelodge). I even had a photo company security badge, credit cards, etc. Eventually they let me, with great reluctance, pay cash, which fortunately the fleabag was cheap enough that my withdrawal limit covered. Thought I was going to have to call SV friends and find somewhere to sleep--or at least pay some ridiculous amount for the last room at some hotel where I belonged to their loyalty program. But TSA was actually not a real issue.


Thanks for that link to a bureaucrat website. Where is the law? Unconstitutional laws and regulations are on the books until someone is harmed and challenges it in court.



It's not a law, it's a DHS policy.

Said DHS policy is not infringing on your right to travel. You can still hire a private jet or fly yourself. The airline companies will just simply refuse to fly you, which they have the right to do.


> It's not a law, it's a DHS policy.

What?

It's the REAL ID Act of 2005. 8 USC 1101. It's absolutely a law. (Also 49 USC 30301).


Apparently not being enforced because I can fly without ID. Until it is enforced, there is no harm so it can't be challenged. A friend flies with no ID and a court ankle bracelet.


Enforcement has been pushed back, several times, most recently until May 2025.


Heh heh heh, I take it that you've never been through a Border Patrol checkpoint which wasn't at the border.

They checkpoint all the thoroughfares near Mexico and I reminded my Spanish fiancée to carry her passport as we traveled domestically, and I was completely correct.


What were you correct about? Non-Americans are in the country by permission, not by right. Americans who consent are on their knees.


Do you really think CBP is in the business of waving through Hispanic-looking-and-sounding people with no ID for whatever reason? I'm not saying they'd get deported, but I wouldn't be surprised at detention/questioning for a while.

Law enforcement usually has ways of checking ID by radio/computer, so it may be a short stop, but still.


So from the outside, it basically looks like this identity theft problem is self inflicted.


I think they are still better than my birth date, my mother's middle name and whatever this SSN is. Which is basically something that I am barely the only person to know.


Not to mention the federal US government provides passports.


And a birth certificate, a passport, a marriage certificate etc. to name a few others.


Marriage license is voluntary. Read your State law about powers of clerk of court (or whoever issues that license in your State). And consider what benefit you get by paying for that license, or if you can stand on your own feet without asking for a permission slip license. Everything you listed is voluntary, at least in USA.


> Everything you listed is voluntary, at least in USA.

That isn't true:

> What Happens If You Don’t Register a Birth?

> By law, newborns must be registered within 10 days of their birth.

> In terms of legality, not registering the birth of a child is a violation of the law and a punishable crime. Depending on the state, the parents may be fined, charged with imprisonment, or have to face other legal consequences.


Yea, but that's specifically the only one that isn't optional. Almost all other forms of ID are voluntary as long as you understand that voluntary means you accept not participating in some privileged activities (like driving a car on a road for a drivers license).

The US is actually insane about how little identification they require from residents and also not great about how expensive it can be to acquire certain forms of ID.


Right. But elsewhere in comments, the parent is talking about how you just "obtain a passport, it doesn't need an SSN or home address".

I'm curious how one obtains a US passport without a birth certificate or SSN.

(But yes, issuance of a passport is "optional").


See Letter Of No Record at https://travel.state.gov/content/travel/en/passports/how-app...

Really helpful to have birth listed in a couple church public registers.

For baby passport, basically the parents attest to the child being born as American along with "hey look at this public record". And a SSN is apparently never required and State Dept should probably not be relying on a tax agency number. I mistakenly transposed and messed up the digits for the SSN box ten years ago and the passport arrived. So they didn't even do a lookup on it.


Which law in which State? How would they know for home birth, and would they arrest the baby?

There are administrative rules all over the 50 States. Most don't apply to typical Americans but nobody knows that or they don't care because 'merica#1.


> Which law in which State?

Leading with Washington, where I reside and work as a healthcare provider...

RCW 70.58A.100 (https://app.leg.wa.gov/rcw/default.aspx?cite=70.58A&full=tru...)

Specifically subsection 5:

> For an unattended live birth not reported under subsection (4) of this section, a report of live birth and an affidavit stating the facts of the birth must be filed with the department within ten calendar days of the live birth.

(whereby unattended means 'with no healthcare provider, midwife, or facility representative present or applicable'.)

(For bonus, RCW 70.58A.120 captures "delayed reporting of a live birth" and the "establishing of facts" around the birth.)

> How would they know for home birth

I was going to offer the comparison to driving, where "they" don't know you're driving without a license until there is some form of or need for government interaction. But I fear this will lead to some comment about traveling versus driving.

> and would they arrest the baby?

This is fatuous. "Depending on the state, the parents may be fined, charged with imprisonment, or have to face other legal consequences." (emphasis mine).


So parents reporting unattended live birth would get a "certificate of live birth" with first name 'baby' or whatever? That paper could actually be useful for purpose of passport.


> There are administrative rules all over the 50 States. Most don't apply to typical Americans [..]

Oof, this absolutely reeks of sovereign citizen bullshit.


Reading his other comments on such, I agree. SSN is voluntary. Birth registration is voluntary (it's not). "Just get yourself a passport, that will work for ID".

How to obtain a US passport with neither a SSN nor a birth certificate is apparently left as an exercise for the reader...


Now a marriage license and a marriage certificate are two different things, and some jurisdictions do make them optional because those jurisdictions recognize different types of marriage, such as by common law and cohabitation. But it is unimaginable to me to just shack up with a spouse without benefit of law or ceremony, and hope for the best. Because we are eventually going to get into a world of hurt, whether it is at the hospital when the HIPAA enforcers get to us, or in a criminal prosecution/incarceration for matters of spousal privilege and visiting rights, or ultimately in the event of incapacitation or death, when the next of kin swoops in, how you gonna prove that?

If I had a wife, I would ensure that she had all the rights and privileges of being my wife, and not have to jump through some ridiculous hoops made of red tape because some Sovereign Citizen told us it was optional to go see the JoP.


I had an attorney create for me: medical directive, power of attorney, trust document. The medical directive was notarized plus two non-family witnesses. Now I clone and tweak the trust document for each new asset like car or bank trust account. Other than optional husband+wife ceremony at a church, I am curious what else is needed or useful.


Right. The fact that they've somehow managed to make me the victim when I wasn't even involved is maddening.

The bank/lender/etc is the victim here. But somehow I have to take the fall. Well, next time they should ask me before lending money to "me".


> The fact that they've somehow managed to make me the victim when I wasn't even involved is maddening.

> The bank/lender/etc is the victim here.

Actually you are the victim: you are a victim of the bank/lender/etc and they should be liable to compensate you with punitive damages for any negative consequences to you.

If the bank or lender considers this unfair, let them try to recoup the cost of compensating you by suing the alleged fraudster who they claim "stole your identity" — but not before they compensate you first.


And then the lender sent a statement to the credit agencies stating that you'd taken money from them (libel), and those agencies believed the libel and re-published it (more libel), causing financial damage to you (inability to borrow money).

You are the victim of libel by the banks & credit agencies. They're the victims of fraud by the person(s) they lent the money to. There's no need (other than to protect the banks & credit agencies) to bundle both crimes together, call them "identity theft", and blame it on the individual victim!


And somehow it's your problem.


Identity theft is a crime meant to reframe lack of due diligence as a problem of an unrelated third party.

https://youtu.be/CS9ptA3Ya9E?si=2bpxWKWXDM4vn0iz


The credit bureaus replaced a much simpler system of "denying most Black families credit at all".


Yes, there is nothing wrong with keeping a record of how well people pay their debts, as long as they are also doing proper due diligence to ensure their record keeping is accurate instead of laying the responsibility at the feet of the public.


Yes, business interests are adept at using any sort of progress as an opportunity for instituting authoritarian frameworks to increase their centralized power. We could have had a world where racial discrimination was prohibited and financial surveillance bureaus were illegal. Instead they're just slowly remaking a stratified society in formal terms of information processing rather than ad hoc by skin color.


You said "yes" and then a series of words that were more reasonably related to what Neil Peart says in Rush lyrics than anything I said.


Well I can't play the drums. And even if I could, HN doesn't support MIDI.


I always thought they were pseudo-government entities, or at the very least a heavily regulated, government-anointed big three.

But after a quick Google right now, it looks like they're just random private companies that get to do whatever they want because they have such strong established relationships with our major financial institutions.


Oh there's way more than just the big three too. For instance, many online payday lending companies run a credit check through alternative credit bureaus. There's quite a few of these types of niche credit tracking companies that most people never run across.



We need to strengthen consumer data protection. GDPR has some good ideas; no collecting PII without permission, consumers have the right to revoke/delete, and the key piece for this thread is the requirement for the Controller to have a contract with any Subprocessors to enforce the right to deletion transitively (and inform data subjects of the list of Subprocessors with which their data is being shared).

CCPA was in the right direction, but AFAICT it explicitly carved out exemptions for credit bureaus.

We need to tighten the screws on these businesses; the only way we’ll see improvement here is if we hold them liable for damages and breaches. Right now they have very little incentive to care for this data, and all the incentive to try and monetize it as much as possible.


I know it's popular to hate on credit bureaus. And I totally agree they've been horrible stewards of personal data, and they have some messed up incentives (e.g. pushing all their "credit monitoring" products - it's like making money off the problem you created), and I think there is a fair debate whether they should be public entities.

Still, people rarely consider the very valuable service they provide: without them, credit would be much more expensive in this country, or not offered at all. Want to see what a world without credit bureaus looks like? Go to a 3rd world country where everything is paid for in cash. This is not a good thing - it doesn't mean that everyone in these 3rd world countries are great savers while those in the first world live beyond their means. It means these 3rd world countries don't have institutions that can help to ensure trust between lenders and borrowers. As distasteful as it may feel sometimes, credit bureaus help ensure that trust by giving histories of the likelihood of someone's ability to repay a loan.

Again, to emphasize, this is not to say there are myriad problems with the way credit bureaus are currently run. It is saying that the primary service they provide (credit histories for individuals) is a good thing for society.


You would be surprised how many 1st world countries operate just fine while having no such thing as individual credit ratings by credit bureaus.


I mean, not really. Here is an overview of how things work in some different countries: https://finmasters.com/what-countries-have-credit-scores/

Absolutely, there are significant differences, and some are quite similar to us (Canada and the UK) others differ more significantly (France and Spain). But they all essentially have ways to record any black marks from your payment history and use that to determine your credit worthiness for new loan applications.

This is exactly what I meant in my first paragraph - yes, it's absolutely the case that the US implementation has tons of problems, and I think it's fine to say these should be public or quasi-public entities (e.g. only the country's central bank has this info, like in France), but in general, all of these countries use some sort of analogous system to credit bureaus to determine your relative risk profile.


You still have a credit rating, it just isn't being shown to you.


If you count "there is no record of this person making a late payment or defaulting on a debt" as a credit rating then sure, I do have one.

Other than that, the only other information a lender will use to decide whether to grant me a loan and under which conditions will be information that they will ask me to provide, such as age, proof of employment situation, and my last 3 payslips.


There is a website (blockshopper.com) that scrapes and indexes real estate transaction data from counties that publish it. It’s easy and free to find someone’s address and doxx them. Their policy says that they only remove your data if you are a target of harassment, under court order or law enforcement officer.


In general, property tax and ownership data is public. You can somewhat increase your privacy by purchasing property under a business name, but business formation documents are also public for the most part.

For example, I can go to the website of my county’s registrar and pull up the formation and renewal documentation of my LLC with just a last name.

I don’t think you can effectively hide ownership of property without a shell corporation. The Corporate Transparency Act passed in 2021 requires you to provide ownership records to the treasury but I believe that ownership of the corporation can stay anonymous to the general public.


It's doable, but the general consensus seems to be it's not worth doing - anyone who wants to dox you for the purposes of legal matters will get it anyway, and that's the biggest reason it's usually discussed.

If you're just trying to keep yourself off the Internet, just change your name to John Smith or Michael Jackson.


At least in the US, it's very common for major assets (especially real estate) to be owned by a trust.

Although a trust is different from a corporation in many ways, they're similar in that they are both legal entities distinct from the people involved (and can both have their own tax ID numbers, also distinct from those people). They're primarily created for estate planning purposes, but public records will typically show only the name of the trust, not the people who live there.


This doesn't seem very comprehensive. As far as I'm aware, every county publishes this information. If I go to my own tax authority's website and search for myself, all of my property tax records come up. But if I enter in my name here, only one state shows up and whoever this is is not me. My name is pretty common, too, so this guy is definitely not the only US homeowner other than me who has this name.


When I go to a free people search website (I usually use fastpeoplesearch.com) and search for myself, the only accurate information there is from real estate data (and USPS address changes). But reading the article, I have reason to believe that if we were to pay a people finder website, it could be having better data sources such as credit file header information.


Hmmm, so I should be doing USPS change of address every year or so to random apartments in various locales.


I tried it, it has no data from my zip.


When I read all this, I can't help but think that Europe is doing better in this respect. Policies like GDPR help to prevent such large scale personal data collection and hence abuse.

Also, things like scores and rankings to get a loan/mortgage are not what I ever experienced. The procedure basically is, you take your last 3 salary slips and shop a few banks. You take the one with the lowest rent. Done. After all, you sign a document that states that the bank might sell your property if you do not pay off (for quite some months)

Or do I see it wrong?


In Finland, you can get credit data of a person from official source (or service resellers) for ~9 EUR. You need to know their social security number though. It's used by landlords (private and corporate) to vet potential tenants.

Not sure if there's a telegram bot for that yet :D


Somewhere in the neighborhood of zero knowledge proofs and homomorphic encryption is a way to evaluate creditworthiness predicates on data that's encrypted and in the open without revealing the underlying details.

Let's use math to obsolete FICO and shut down these parasites.


Home address and phone number?!?! The horror! (Did people forget yellow pages existed?)

I suppose email and SSN are yikes inducing but after a decade of having my email sold to the political parties, I don't treasure it. SSN? Haven't we moved beyond SSN for security purposes?


There are other services which rely on this header’s information for authentication (which of these addresses did you live at in 2021?) so for approximately $15, you can dramatically increase the effectiveness of an attack on those services.

Unlisted numbers have been a white pages paid feature for a very long time. Very similar incentives in both directions compared to these headers, I’m sure. (Yellow pages were pay for inclusion, iirc.)


The criticism here should be that the starting point is 'name & state' (wouldn't 'doxing' normally be determining name/identity or more from believed-anonymous online interactions?) but otherwise yes whatever you think of how important it is that is doxing?

But it's more than you cherry-picked anyway:

> The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their drivers’ license, including its unique identification number.

Plus 'sometimes' Social Security Number as you said.


Are you willing to provide your address and phone number in this thread, then? My guess is "no", but why not? Might other people not want their home address and phone number made public?


When this discussion comes up, I think some people forget the context is online fraud. The attacker likely has other information on you, so a lookup service that helps them stitch it together with your real name and number is not good. The yellow pages is not a lookup service like that, it can't connect you from other information to a name and phone number, so having a book of names unlinked to the data you have gets you nowhere.


People also forget (or may not know, since they post-date the use of print telephone directories) that you could opt out of being in the Yellow Pages. You can't do that with credit headers, or even, practically speaking, with credit cards.


> or even, practically speaking, with credit cards.

Yes you can opt out even with credit cards, and you can also do it for minor children in 5 easy steps: 1 clone your trust document 2 IRS.com and get TIN for trust 3 open trust savings account at bank 4 put funds in account 5 get the bank's 'secured credit card' offer in which they lock the funds

If you quibble that a secured credit card is not a real credit card, then just get the debit card.


They also forget that it was the White Pages for personal listings, and the Yellow Pages for business listings.


Fair point!


I think that given all of this information, they could run a very convincing scam either against you, or a service you interact with.

From what I can tell, SSN is still somehow considered a form of identification in the US.

Edit: Commented too early.


As much as WFH is a thing forever, whenever I do high stakes things, they require me to come in + show my drivers license.

Seems like there are basically no exceptions when it comes to banking.


> basically no exceptions when it comes to banking.

That depends on your megabank. KYC and what staff will do over the phone is about relationships. I get things done over the phone at local credit unions and even mid-size regional banks. Banking and identity regulations allow a lot to happen, and your personal relationships make a difference.

The back offices of mega-banks generally prevent personal service. Choose a different banker.


How might someone acquire a drivers license with your name on it? Having your SSN helps a lot!


> SSN? Haven't we moved beyond SSN for security purposes?

No, the banks haven't, which means you haven't, bucko.


Honestly, the shortest solution to these problems would be to reshape the law so that banks are 100% responsible for fraud. As in, if they open an account tied to somebody and it turns out to be tied to somebody else? 100% on them, the person who they were deceived into believing they were doing business with is fully protected by the law from any ramifications.

Of course, this would completely change the risk model banks operate under and fundamentally reshape commerce as we know it. Banks would become hypersensitive, all business would be conducted in person, banks would reserve the right to tie up your money for years if you couldn't prove who you were (think getting your Google account unlocked when Google suspects fraud, except now it's your money in the bank down the street...).


You haven't moved on because of your parents.

SSN is voluntary. If parents would stop opting-in their babies into this data scheme, Americans could grow up without these numbers.

After ominous threats about 'must choose name for baby' my wife and I left the hospital with our baby. Health insurer sent new member card with name 'baby girl' which worked great for all the follow-ups. And nobody from big government forced me to apply for SSN. We did get a passport (SSN on that application is optional) and travelled internationally before the first birthday.

Most of this nonsense data collection is voluntary. More and more in life I say "No thank you" and move on. Many Americans get a warm blanket feeling by putting their children into voluntary data schemes.


The only thing you are achieving is to add extra paperwork and hassle to your daughter's future when she later has a job or opens a bank account.


You are going to get a lot of people telling you that you're a libertarian nutjob. Even here, which touts itself as a bastion of internet privacy champions and "experts".

But you, you're walking the walk. Asking the hard questions and accepting the consequences. There is only one way to make things change.

Don't let any little pedants tell you "how your daughter is going to grow up", either. Or that they somehow know how she'll feel about you.

FWIW: my kids have SSN's and that is just as dangerous as what you've chosen.


Yes, the big brain types sometimes get really pissed off when they find out they were tricked into voluntarily consenting into a bunch of stuff.

When you get/renew passports, leave the SSN box blank. It will become second nature to ignore these data requests.


> You are going to get a lot of people telling you that you're a libertarian nutjob.

No, just making life more difficult for his child, who has no say in the matter.

Some people are bad at seeing children as humans, as opposed to appendages of the parent.


Do you see the irony in your first statement?

Or have you already resolved to believe that person is your "some people"?


> SSN is voluntary.

"Voluntary" but required to live like a normal human being isn't very "voluntary" in reality.

Get a job without an SSN.


Employer is required to verify citizen or immigration status. For an American with a passport, the passport works okay.

Passport works great for ID all around, because it does not require SSN and does not have home address.

Many things, like TSA (Soviet era) checkpoints don't actually require ID. People seemingly prefer to act like cattle and show IDs everywhere and voluntarily consent to full body scans. Then people complain that their bits of privacy got leaked. Of course it leaked, and you voluntarily consented.


Elsewhere in this thread you're talking about birth certificates being voluntary (they're not). How are you proving citizenship for your passport without one?


Every address you've lived at... frequently this plus a SSN is all you need to completely take over someone's identity.


> Home address and phone number?!?! The horror! (Did people forget yellow pages existed?)

Are you absolutely sure that people who had real concerns about their privacy and safety allowed their phone number and address to be published in the book? Also, it was the White Pages, btw.


The cat has been out of the bag for a while. We need legal changes to how personal information is used after it has been acquired. It doesn't make sense any longer for it to be so easy to open lines of credit or otherwise apply stolen info.


Other countries have national ID cards that must be presented to get credit. If there is no universal and secure way to prove you are you then identity can always be stolen. No amount of duct taping the credit system can fix that.


Printing a physical ID for everyone seems like an outdated solution. I'd sooner support biometric hardware on every connected device.


> I'd sooner support biometric hardware on every connected device.

Ah yes, biometrics, the password that you can't change and you leave behind everywhere you go and on everything you touch.

Cloning a fingerprint is trivial. They're not secure.


Face and iris are additional options. I'd be shocked if there weren't more than those in production at this point.

You know what's really trivial? Buying a fake ID.


>$15 per search

What chumps, just use https://freepeoplesearch.com

Ya it has ads but out of all the hundreds of "free" sites it has actually the most amount of free information.


Egads what an awful user experience. Slow, lots of ads, dumb questions. Just use http://truepeoplesearch.com if you want to stalk someone. More information, no built-in delays to make you think they're doing something hard, etc.


Speaking of awful user experience...

> Sorry, you have been blocked

> You are unable to access truepeoplesearch.com

> Why have I been blocked?

> This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.


Credit data is quite a bit more detailed than that.


I've had friends who got swatted very recently, and I wouldn't be surprised if the ones responsible for it went through that sort of service.


It’s time for a Privacy Bill of Rights, and to eliminate credit systems that operate without explicit permission of the individual.


I can use a couple free searches to dox nearly anyone in America...


What information do they need to supply in the Telegram group?

Edit: Name and state.


Running background checks to dox people is a tale as old as time.


Make doxxing punishable by huge fines


“Punishable by fine means legal for a price”


Time in jail or prison puts more fear in people than a fine, even a big fine.


Not if you have read your Machiavelli well.


What a dystopia. I guess I never appreciated GDPR as it deserves.



