[HN Gopher] Scary Fraud Ensues When ID Theft and Usury Collide ___________________________________________________________________ Scary Fraud Ensues When ID Theft and Usury Collide Author : picture Score : 77 points Date : 2022-01-25 19:50 UTC (3 hours ago) (HTM) web link (krebsonsecurity.com) (TXT) w3m dump (krebsonsecurity.com) | ipsin wrote: | Why isn't the Bank of America account in his name? I was under | the impression that know your customer laws would require them to | match up the individual taking the loan and the individual | holding the bank account. | | Is it really just a simple as an ACH transfer? | rectang wrote: | In a just world, companies such as this lender would not only | lose the money they loaned, but would be liable for the vast | amounts of time and grief they caused a completely unrelated | individual. | | Only then might we get a financial system which is robust against | ID theft. While the costs are externalized to countless | individuals, nothing will change. | walrus01 wrote: | I wonder at the likelihood of success if this person were to | sue the company in his local small claims court for a claim at | N hours multiplied by $80 per hour to fix the problem. At the | minimum it would require them to hire local counsel to show up | and answer a statement of claim. | hbrav wrote: | There really should be an investigatory process when credit is | fraudulently taken out in someone else's name. | | How did the company get duped into making the loan? If the | answer is something like "we treated an SSN as identification", | that company should lose the right to be a credit issuer. | InefficientRed wrote: | Serious question for any lawyers out there: why isn't there more | serious recourse for consumers when credit agencies commit libel? | | If Equifax issues a report saying that I owe X, and I contact | them with proof that this was a fraudulent loan, and they | continue issuing that report... how is this not criminal libel? | mindslight wrote: | Regulatory capture through the "Fair" Credit Reporting Act. Go | read it - they've legislatively exempted themselves from the | standard time-honored tort! Similarly to how medical providers | can nonsensically create post-facto arbitrary bills instead of | needing to create contracts like every other industry. | | Curiously, political pushes for reform never advocate for | getting rid of the corrupt laws, but rather creating a whole | new regulatory regime whose corporate giveaways will only | become apparent down the line. | InefficientRed wrote: | 15 U.S. Code SS 1681e(b) reads "Whenever a consumer reporting | agency prepares a consumer report it shall follow reasonable | procedures to assure maximum possible accuracy of the | information concerning the individual about whom the report | relates." | | I know that courts move slowly and judges are often | depressingly technological illiterate, but I have absolute | confidence that I could put together an incredibly convincing | panel of experts who would define "reasonable procedures" in | a way that would run wholly afoul of the SOP of the major | credit reporting agencies. | cperciva wrote: | _Similarly to how medical providers can nonsensically create | post-facto arbitrary bills instead of sticking to contracts | like every other industry._ | | While medical providers do seem to take this to ludicrous, my | understanding is that there's an underlaying common law | principle concerning actions taken on behalf of someone in an | emergency, and it's not just medical providers to whom this | applies. | mindslight wrote: | Yes, "unjust enrichment". But it doesn't entitle one to | create arbitrarily exaggerated prices and demand | reimbursement based on them. | jgeada wrote: | Being brutally honest: because Equifax and similar agencies | _always_ engage in politics. They lobby politicians, they have | people on staff on alert should any legislation related to this | topic come up, etc. Angering these companies carries political | costs. | | The typical individual is not engaged in the political process, | and if they pay attention to this subject, they do so for an | ephemeral amount of time. Individual voter's anger has no | consequence. | | Our system is optimized to privatize gains and socialize | losses. | hbrav wrote: | Serious answer (I am not a lawyer): partly because the | threshold for libel is really high in the US. | | Partly because there is also some procedure for challenging | credit reports. I'm going to try and find the blog post about | it... | ryandrake wrote: | It's way past time for banks to start taking responsibility for | issuing fraudulent loans. If someone else takes out a loan using | my information, it shouldn't even remotely be my problem to help | clean up, and it shouldn't involve me at all. This is between the | bank and the fraudster. | | Even the term "identity theft" is slimy: deftly deflecting blame | from the negligent bank, trying to draw an unrelated 3rd party | into the mix by nominating him as the "theft victim." | gruez wrote: | >It's way past time for banks to start taking responsibility | for issuing fraudulent loans. | | That sounds nice and all, but what would that actually look | like in terms of legislation? Legally speaking you're already | not responsible for fraudulent loans, and the onus is on the | creditor to prove that the debt was actually yours. | toomuchtodo wrote: | Legally, yes. In practice, debt collectors (which originators | of debt of all sorts will quickly dump unpaid debt onto, even | medical providers who don't want to wait for patients to | cough up the funds due) will take advantage of | unsophisticated/financially illiterate citizens to coerce | payment, _even if there is no obligation to pay_. | | The fix is straightforward: require evidence of the debt | upfront, and if you're attempting to collect on debt you | can't verify was agreed to by the person you're pursuing, | damages are substantial (say, $1M per occurance). Make | reporting of violations via the CFPB frictionless. | | You will see debt originators rapidly standing up robust | identity proofing systems (having customers come into a | branch with their IDs), and asking Congress to legislate | their implementation (Login.gov and similar for private | enterprise, with the end game being a usable national ID | system such that Estonia has [1]). | | Tangentially, current risk management in this space between | identity and finance sucks. I worked with someone to get | liens off their Lexis Nexis Risk Solutions report (which | mortgage originators use for compliance purposes with | conventional mortgage underwriting guidelines as it relates | to foreclosures and real estate fraud) that were on their | report for almost 8 years in error. It took a CFPB complaint | for Lexis Nexis to remove them with citations from an | attorney to state statute, and this data isn't classified as | consumer reporting, so it's almost impossible to obtain | financial recourse/damages for these occurrences. | | [1] https://privacyinternational.org/case-study/4737/id- | systems-... | | [1] https://news.ycombinator.com/item?id=29980189 (HN thread | of the above link) | ryandrake wrote: | > Make reporting of violations via the CFPB frictionless. | | Totally agree.. but sending a debt validation letter is | already pretty simple. In most cases you can send the | scumbag collector a barely-modified form letter and that's | that. I've done this twice and it's pretty painless, but in | a perfect world, I wouldn't be involved at all! | | Banks need to be forced to stop considering | struct { name, address, | birthday, ss_number, | other_public_info } | | ...to be equivalent to a person, for the purpose of issuing | loans. It's total madness, and honestly I'm shocked that | this kind of fraud isn't even more common. | | That and struct { acct_no, routing_no } | | ...is enough to withdraw money from my bank account thru | ACH! Also lunacy. How are banks allowed to be so crappy? | | Legislation, plz. | toomuchtodo wrote: | Walk out onto a public street. Ask the first 3 people you | come across if they know how to send a debt validation | letter. Report back. One should not need to have | knowledge with consumer credit laws and regulation to | navigate exceptions; it's citizen hostile and a developed | economy anti pattern imho. Fail citizen safe. | | Agree about ACH. The Fed's FedNow instant payment system | due out next year should deprecate all that is trash | about the ACH rails (switching to a push from a pull | model being one of said deficiencies). | gruez wrote: | > Walk out onto a public street. Ask the first 3 people | you come across if they know how to send a debt | validation letter. Report back. One should not need to | have knowledge with consumer credit laws and regulation | to navigate exceptions; it's citizen hostile and a | developed economy anti pattern imho. Fail citizen safe. | | By that logic, other things that are antipatterns: | | * most laws (do you think "the first 3 people you come | across" would know the difference between murder and | manslaughter?) | | * programming APIs (ie. the trope of programmers having | to search up usages for basic library functions) | | * most basic life tasks (this can be literally anything. | even how to cook. if your parents didn't teach you, and | you couldn't search on the internet, most people would be | toast). | sailfast wrote: | The complaint system isn't too terrible to use - at least | when I last tried it out for a credit reporting dispute. | You'll likely get a reply from the institution in a week or | so, and if they don't reply in a timely manner it's a red | flag: | | https://www.consumerfinance.gov/complaint/getting-started/ | londons_explore wrote: | There are a lot of people in the USA without proper | identity documentation, or who live under the identity of | someone else. | | I know brothers who share a passport and driving license, | and do just one lot of taxes between them. | | Tightening up identify verification laws will further | exclude these people, and may be a net loss for the nation. | groby_b wrote: | How is excluding tax frauds a "net loss for the nation"? | | If you want to say that ID documents should be something | that's much less painful for individuals to acquire (and | should be free!), completely agreed. | | But the idea that a modern society can function without a | safe identification system is somewhat far fetched to me. | InefficientRed wrote: | _> How is excluding tax frauds a "net loss for the | nation"?_ | | Calling this tax fraud is... I guess true, but kind of | odd and silly. | | Two people making $X/2 will in almost all cases pay | _more_ taxes while receiving _fewer_ benefits than one | person making $X. If you wanted to pay fewer taxes, you | wouldn 't use this scheme except in a few strange edge | cases. I don't think the brothers are sharing a passport, | a driver's license, and tax filings in order to reduce | their tax bill... | | (Reading between the lines, since you didn't seem to pick | up on it: one of the brothers is an undocumented | immigrant. The goal is not tax minimization... the two | brothers are paying more taxes while receiving fewer | benefits in order to avoid deportation of the | undocumented brother.) | londons_explore wrote: | Actually I think one of the brothers never got a birth | certificate because their mother didn't want to do the | paperwork. | Dma54rhs wrote: | What is the realistic solution then? Its time for | Americans do the European and developed world thing and | use IDs with proper identification methods. | | And why would you live under someone else's identity? | Isn't it identity theft? | londons_explore wrote: | Maybe because you were never given an identity at birth? | Or you are in the country illegally? Or you are trying to | escape debt or the law or someone wanting you dead? Maybe | you lost all your id documents in a fire and don't have | anything left for the government to reissue you an ID. | Maybe you've just forgotten who you are due to illness. | | Plenty of reasons, some more legit than others, but there | are a large number of people in this position. | Dma54rhs wrote: | Somehow the rest of the world can deal with these issues. | You can skip any contract the society creates with the | same reasons from paying taxes to getting a vaccine. | sailfast wrote: | Legislation to broaden access for the unbanked and legal | docs for non-citizens is the way to solve that use case, | not enabling illegal credential sharing to obtain money | as a use case (in my opinion) | lr4444lr wrote: | Very simple: any contract between a financial institution and | a third party is rescinded and null in whole if the third | party was represented by someone else, without power of | attorney. Full stop. Burden of proof on the bank to ensure | this. They already have a huge apparatus in place to verify | creditworthiness and identity. Any attempt to collect once | such a complaint is filed should be illegal before it is | resolved. | PeterisP wrote: | As far as I understand, the major effect of identity theft on | the person is the problems with their credit score and thus | all kinds of other credit-related activities while the issue | is being resolved. I think that at least in parts of Europe | the legal solution is a requirement that lenders must get | these fraudulent loans off the credit reports within a fairly | strict time limit when they're contested in a simple, | standardized way, so even if some investigation takes a long | time, that does not affect your creditworthiness during that | time. | _jal wrote: | One easy, but indirect, fix would be to remove the legal | special casing that exempts credit reporting companies from | libel laws. | | That would force a number of other changes, and I think they | would mostly be positive. Those whose businesses depend on | high-volume easy credit may disagree. | gruez wrote: | > One easy, but indirect, fix would be to remove the legal | special casing that exempts credit reporting companies from | libel laws. | | I wonder if this can be bypassed by a warrant canary (or | repayment canary)? Basically instead of having creditors | report that you defaulted on your debts, creditors will | just report whether you opened/closed a line of credit, and | whether you're current on it. If you aren't current, then | the algorithm assumes you're delinquent. Since you can't | compel speech (first amendment), you'll have a very hard | time forcing companies to do something. | vageli wrote: | Has the legality of a warrant canary ever been tested? | Commenters on this site often mention that the law is not | executed by machine, and so it seems a court would see | through this charade. | toss1 wrote: | Yup. | | And also on-point, when are management and coders going to | realize that much data should be treated as toxic waste and | destroyed, rather than kept forever, just in case we might want | it? | | This guy had an ID theft, prevented it from going forward, but | the payday lender had his info in their DB, and so the second | time around somehow actually authorized the bogus loan. If they | hadn't stored the info from this person who would NEVER | deliberately be a customer, the bogus loan would not have | happened. | | And all that trouble caused so some thief could net a measly | $1000. | gr1zzlybe4r wrote: | Completely agree, and I've worked at fintech companies that | issue credit products. | kelseyfrog wrote: | This sentiment is summed up perfectly in a Mitchell & Webb | Sound titled Identity Theft[1]. | | 1 - https://www.youtube.com/watch?v=CS9ptA3Ya9E ___________________________________________________________________ (page generated 2022-01-25 23:00 UTC)