Interview with the Guy Who Tried to Frame Me for Heroin Possession(krebsonsecurity.com) |
Interview with the Guy Who Tried to Frame Me for Heroin Possession(krebsonsecurity.com) |
Then imagine someone else starts selling another tool. Anyone who buys that other tool is now able to beat the players you promised a win to, AND they're not giving you any money for it. This damages your reputation, which in an underground market is probably your most valuable resource. So not only are they not paying you, but they're robbing you of future sales by damaging your rep.
Wouldn't you put in something to prevent users of your newest cheat from being cheated themselves?
How do you do this? (Specifically, with the companies you mentioned.)
Also, Krebs is a hell of a guy.
Of course, the real story could be hidden through parallel construction. But on it's face, this does support the argument that it's stupid mistakes that take people down. Krebs' blog is full of them.
Edit: And just to be clear, I'm not even suggesting support for that Ukrainian dickhead. It's just that criminal takedowns are well reported, and so provide cautionary lessons for the rest of us.
One possibility on the "cautionary lessons for the rest of us" front is a classic bit of wisdom about asymmetric adversarial situations: the other party only needs to get lucky once. There is a fundamental challenge of scale and time for any entity or individual that tries to run something dealing with persistent antagonists over long time periods, it just plain becomes hard to keep track of it all without further infrastructure systems in place. And its also hard for any single human to stay in the zone persistently, we're not really wired that way, hence the need for non-human support structures.
And that in turn is the same challenge for any business dealing with significant organic growth, criminal or not, it's the classic "that TOTALLY TEMPORARY one-off excel spreadsheet someone made 15 years ago now runs hundreds of millions of dollars" issue. It's hard to know ahead what will be important and sticky or not, even if experience helps. And it's hard to decide how to allocate limited resources too. Infrastructure you build helps you scale properly in the future, but it doesn't do anything for you right now, you might not even know you could need it. And overbuilding upfront might mean there is no tomorrow to worry about anyway.
It's a tough nut, though fortunately it's one area that is probably worse on the black side of things since there is less room for recovery from mistakes. Maybe it's one of the structural forces that can help encourage law abiding behavior, legit companies can mess up badly but still potentially recover if there is enough meat to them, whereas a total opsec break for criminals can mean the end of the enterprise.
It is entirely possible to report inaccurate information to the bureaus. Although more often than not it’s on accident, not malicious. Additionally bureaus collect a lot of information from other sources. Some public some private. It’s possible for these datasets to be error prone themselves.
There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)
Someone managed to get his name and address and did not realize he was a minor. Brilliant system you have!
Anecdotally, I can't agree with this.
I'm six months in to trying to convince Equifax that I exist. Apparently they accidentally registered me as dead in their system, which has caused background checks on me, like when I registered my ABN, to fail. Turns out there are a number of government systems that have been outsourced to them.
They have twice manually intervened, and twice their automated processes have "corrected" their information and relisted me as deceased. And getting a manual intervention is a lot of complaints, and a lot of escalations.
I'd disagree with that. The three agencies have a couple of names I've never gone by (I go by my middle name, so I expect "Middle Last" and "First Last" but I never went by "First Mother's-Maiden-Name"), and a couple addresses I've never lived at on my records for 20 years. They refuse to remove them.
Here's the translated PDF. Either the original Russian was hacked up already, or this translation is very iffy.
You could also open phone lines with fake information, ISP accounts and so on.
A good investigator with expensive access will still be able to track you down, but automatically exploiting your data will be much more difficult if it's a mess.
I'm not a lawyer, but if you're applying for a line of credit with false information, I'm pretty sure that's a crime.
If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.
I'm definitely not a lawyer, but unless your intent is to defraud I wouldn't be so sure about that. I also don't see how you'd ever end up getting prosecuted for this unless you really piss someone off, in which case I guess you could get prosecuted for just about anything.
In any case, whether or not this is legal seems utterly irrelevant.
>If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.
You would be wrong. That'd be an awful way to maintain up-to-date address data on people.
Besides, the first company named was "Lexis-Nexis".
The next time they call, tell them that the person they are looking for is a minor and you are their guardian and because of that you are required to speak on their behalf.
Immediately inform them that all further communication must be done in writing and that you are requesting that they validate the debt in writing. They are required by law to communicate in writing if you request it and to also validate the debt.
If the next letter from them is not a debt validation, you should send them a simple cease and desist response stating they have not validated the debt and may no longer contact you. Send it certified, return receipt requested. Keep a copy for yourself.
If it doesn't stop at that point, you will need a lawyer, but it will most likely be at no cost to you:
If they send you another letter or call you again attempting to collect, get their information and if you are inclined, contact a debt collection attorney. You would be able to sue them for up to $1,000 per incursion plus the fees from your lawyer. Provided you collected their information and have your initial letter, it should require very little time from you to go through the legal process.
This is not true. And the system works fine. But you'll have to do some work (write a few letters and maybe a bit more). Here's how:
0. Open a chronological paper file. Copies of all correspondence with dates clearly marked/stamped will go into this file. Put the file into a file cabinet: put a copy of every letter, note or form, including the creditors' initial complaint, into it in time order. Also put notes about any phone conversations into it. Put dates on everything.
1. Talk to your local police department and, with your son, file a report with them if possible. They'll view it as a waste of time but it helps by putting you on "the right side of the law." Do it just to have a police report on file locally.
2. Have your son write a letter to the creditor (not the credit bureau) explaining that your son is a minor, the debt is not his, he did not purchase the item and asking them to remove the invalid entry from his credit report. Add a page with your adult names and signatures explaining that he is your legal son. Send those two letters along with a copy of the chronological file to the the creditor, all via registered mail if you're paranoid.
3. Wait. They _will_ respond. Usually they'll cave at this point. Sometimes they'll call and ask that a police report be filed in _their_ jurisdiction (usually by phone) or some such. Do what they ask within reason. Make sure they (creditor, police) send you copies of everything. Follow up if they don't.
4. Wait. _They_ (the creditors, NOT you) should, after brief investigation, notify the credit bureau to remove the item from your son's credit report. If they don't do so within a few months, send follow-up second and third letters if necessary, reminding them.
5. If you get no response from the creditor after two months, copy the chronological file and send it via registered mail to the credit bureau adding a cover letter explaining that you have exhausted the legal means of redress with the creditors and they have refused to respond appropriately. Ask the credit bureau to investigate the creditor's item on your son's credit report.
This sounds like a lot of trouble but it really isn't and it would be a great lesson for you son, since it shows how most of the world works.
Correction involves loosely-coupled organizations and persons. Nothing in this happens at Internet speed. Each contact must have the situation explained from the beginning. It teaches a person how to order events in time, how to narrate a story consistently and how to be patient.
> it shows how most of the world works.
It certainly does, but not in the way you meant. :/
[0]I'm aware this is not legally possible; I mean "should" in a moral sense.
Collection agencies are not evil. If you've ever been a landlord or had someone fail to pay a debt, a collection agency may be a godsend b/c they buy your debt (you get something at least; they get the paper debt, valid or not). Is that not a valid capitalistic risk-taking venture?
The credit bureau can't be charged with fraud: their data is from legitimate businesses (creditors); any fraud would apply to the creditor.
This system has and still works well. Most everyone reading this has made good use of our current credit system. We all understand how it works but are impatient with the slowness of the system. But it is a mistake to confuse slowness with malintent.
And resolving an unfair situation by working within the absurd system without screaming about it just means that people will continue to be hurt by it.
> You would be wrong. That'd be an awful way to maintain up-to-date address data on people.
Okay, could you cite this, please? I've been very clear that I'm just speculating, but if you're so sure maybe you have some insider information I don't?
My credit reports don't have my up-to-date address, so whatever they are doing is an awful way to maintain an up-to-date address.
I don't know of public sources to cite, but I've seen the data. If there exists good public material about how these companies source their data, I haven't seen it.
These companies will accept data from essentially anywhere they can get it, not all of that will affect your credit score but it'll certainly affect your person profile. Name(s!),addresses,ssn(s!),dob(s!) and whatnot associated with an individual "person" id.
FWIW, the credit bureaus are not just credit bureaus:
https://www.tlo.com/law-enforcement
https://www.experian.com/consumer-information/right-party-co...
So, it sounds like you're speculating.
> These companies will accept data from essentially anywhere they can get it, not all of that will affect your credit score but it'll certainly affect your person profile. Name(s!),addresses,ssn(s!),dob(s!) and whatnot associated with an individual "person" id.
Look, I'm sure you're right, they do collect all the data they can. However, there are two caveats:
1. Implicitly or explicitly, they're also assigning confidence values to the accuracy of that data. They know that data you're legally obligated to be truthful about is more accurate than data you aren't. So if you're lying to them on store loyalty cards where no credit is being issued, that data gets prioritized somewhere between "useful for printing out and using as toilet paper" and "actual toilet paper". Data from your actual lines of credit is worth more and they know it.
2. While the credit bureaus have incentives to take whatever info they can get, loyalty card issuers don't necessarily have incentives to give them that info. I have a discount card for a local grocery chain. They could give my data to a credit bureau, but then the other two local grocery chains would be able to buy that data. That's their competitive advantage, gone. Why would they do that? I guess there's some value in protecting your data from a local grocery chain, but it's unlikely that fake data gets back to the credit bureaus anyway.
What I'm saying is that I don't think the steps you are taking are an effective means of protecting your data.
But I really don’t know, because I’m also not a lawyer and therefore do not give people legal advice on the internet.
I can't see anyone getting in trouble for this unless they're creating fake credit profiles or not paying their debts, the credit bureau dbs are chock-full of garbage data from garbage sources.
How would you even get caught in the first place?
I just can’t see a scenario where some info is fake and other info is real (necessary bc you’re using and paying the loan) that’s both kosher with the bank and gives you the obscurity you’re looking for. Is this something you can actually speak to from experience, or are we both spitballing? Because I’m happy to be wrong, but if we’re both making this up as we go then the conversation is pretty pointless.
In this case it's very unlikely they would need to hire a lawyer anyway.
A perfect or at least more ideal solution would be a response asking for age verification and not ignoring the parents because it's not their name.
The solution here is to do what one of the posters above me said to do. Dispute the claim, inform the collector that they are going after a minor, demand all further communications be made via mail.
So, it sounds like you’re calling me a liar.
But how? Realistically the worst case scenario here is that you get denied the loan because the computer says no, after the initial application nobody cares unless you owe an outrageous amount and stop paying.
>Is this something you can actually speak to from experience, or are we both spitballing?
Yeah, when companies or governments ask me for my "home address" I definitely don't tell them where I live. I also go out of my way to corrupt my name whenever possible. Phone numbers? Usually just random numbers unless I know for sure I'm going to get a call I need to answer.
And yes, I have credit cards.
>Identity fraud is the use by one person of another person's personal information, without authorization, to commit a crime or to deceive or defraud that other person or a third person
That does not even sound similar to what is being discussed here.
It'd be useful if you could name at least some of the numerous laws that the discussed behaviour might violate.
Please rate my work on a scale 1-5
This is a huge document that doesn't really seem to contain anything relevant to what we're discussing here.
The euro laws I was able to check seem to have clear caveats like the british fraud act "intends, by making the representation— (i)to make a gain for himself or another, or (ii)to cause loss to another or to expose another to a risk of loss."
I really don't see the usual definitions of fraud applying here so I'm very curious as to which legislation actually might.