[HN Gopher] Scary Fraud Ensues When ID Theft and Usury Collide
___________________________________________________________________
Scary Fraud Ensues When ID Theft and Usury Collide
Author : picture
Score : 77 points
Date : 2022-01-25 19:50 UTC (3 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| ipsin wrote:
| Why isn't the Bank of America account in his name? I was under
| the impression that know your customer laws would require them to
| match up the individual taking the loan and the individual
| holding the bank account.
|
| Is it really just as simple as an ACH transfer?
| rectang wrote:
| In a just world, companies such as this lender would not only
| lose the money they loaned, but would be liable for the vast
| amounts of time and grief they caused a completely unrelated
| individual.
|
| Only then might we get a financial system which is robust against
| ID theft. While the costs are externalized to countless
| individuals, nothing will change.
| walrus01 wrote:
| I wonder at the likelihood of success if this person were to
| sue the company in his local small claims court for a claim at
| N hours multiplied by $80 per hour to fix the problem. At the
| minimum it would require them to hire local counsel to show up
| and answer a statement of claim.
| hbrav wrote:
| There really should be an investigatory process when credit is
| fraudulently taken out in someone else's name.
|
| How did the company get duped into making the loan? If the
| answer is something like "we treated an SSN as identification",
| that company should lose the right to be a credit issuer.
| InefficientRed wrote:
| Serious question for any lawyers out there: why isn't there more
| serious recourse for consumers when credit agencies commit libel?
|
| If Equifax issues a report saying that I owe X, and I contact
| them with proof that this was a fraudulent loan, and they
| continue issuing that report... how is this not criminal libel?
| mindslight wrote:
| Regulatory capture through the "Fair" Credit Reporting Act. Go
| read it - they've legislatively exempted themselves from the
| standard time-honored tort! Similarly to how medical providers
| can nonsensically create post-facto arbitrary bills instead of
| needing to create contracts like every other industry.
|
| Curiously, political pushes for reform never advocate for
| getting rid of the corrupt laws, but rather creating a whole
| new regulatory regime whose corporate giveaways will only
| become apparent down the line.
| InefficientRed wrote:
| 15 U.S. Code § 1681e(b) reads "Whenever a consumer reporting
| agency prepares a consumer report it shall follow reasonable
| procedures to assure maximum possible accuracy of the
| information concerning the individual about whom the report
| relates."
|
| I know that courts move slowly and judges are often
| depressingly technologically illiterate, but I have absolute
| confidence that I could put together an incredibly convincing
| panel of experts who would define "reasonable procedures" in
| a way that would run wholly afoul of the SOP of the major
| credit reporting agencies.
| cperciva wrote:
| _Similarly to how medical providers can nonsensically create
| post-facto arbitrary bills instead of sticking to contracts
| like every other industry._
|
| While medical providers do seem to take this to ludicrous, my
| understanding is that there's an underlying common law
| principle concerning actions taken on behalf of someone in an
| emergency, and it's not just medical providers to whom this
| applies.
| mindslight wrote:
| Yes, "unjust enrichment". But it doesn't entitle one to
| create arbitrarily exaggerated prices and demand
| reimbursement based on them.
| jgeada wrote:
| Being brutally honest: because Equifax and similar agencies
| _always_ engage in politics. They lobby politicians, they have
| people on staff on alert should any legislation related to this
| topic come up, etc. Angering these companies carries political
| costs.
|
| The typical individual is not engaged in the political process,
| and if they pay attention to this subject, they do so for an
| ephemeral amount of time. Individual voters' anger has no
| consequence.
|
| Our system is optimized to privatize gains and socialize
| losses.
| hbrav wrote:
| Serious answer (I am not a lawyer): partly because the
| threshold for libel is really high in the US.
|
| Partly because there is also some procedure for challenging
| credit reports. I'm going to try and find the blog post about
| it...
| ryandrake wrote:
| It's way past time for banks to start taking responsibility for
| issuing fraudulent loans. If someone else takes out a loan using
| my information, it shouldn't even remotely be my problem to help
| clean up, and it shouldn't involve me at all. This is between the
| bank and the fraudster.
|
| Even the term "identity theft" is slimy: deftly deflecting blame
| from the negligent bank, trying to draw an unrelated 3rd party
| into the mix by nominating him as the "theft victim."
| gruez wrote:
| >It's way past time for banks to start taking responsibility
| for issuing fraudulent loans.
|
| That sounds nice and all, but what would that actually look
| like in terms of legislation? Legally speaking you're already
| not responsible for fraudulent loans, and the onus is on the
| creditor to prove that the debt was actually yours.
| toomuchtodo wrote:
| Legally, yes. In practice, debt collectors (which originators
| of debt of all sorts will quickly dump unpaid debt onto, even
| medical providers who don't want to wait for patients to
| cough up the funds due) will take advantage of
| unsophisticated/financially illiterate citizens to coerce
| payment, _even if there is no obligation to pay_.
|
| The fix is straightforward: require evidence of the debt
| upfront, and if you're attempting to collect on debt you
| can't verify was agreed to by the person you're pursuing,
| damages are substantial (say, $1M per occurrence). Make
| reporting of violations via the CFPB frictionless.
|
| You will see debt originators rapidly standing up robust
| identity proofing systems (having customers come into a
| branch with their IDs), and asking Congress to legislate
| their implementation (Login.gov and similar for private
| enterprise, with the end game being a usable national ID
| system such as Estonia has [1]).
|
| Tangentially, current risk management in this space between
| identity and finance sucks. I worked with someone to get
| liens off their Lexis Nexis Risk Solutions report (which
| mortgage originators use for compliance purposes with
| conventional mortgage underwriting guidelines as it relates
| to foreclosures and real estate fraud) that were on their
| report for almost 8 years in error. It took a CFPB complaint
| for Lexis Nexis to remove them with citations from an
| attorney to state statute, and this data isn't classified as
| consumer reporting, so it's almost impossible to obtain
| financial recourse/damages for these occurrences.
|
| [1] https://privacyinternational.org/case-study/4737/id-
| systems-...
|
| [1] https://news.ycombinator.com/item?id=29980189 (HN thread
| of the above link)
| ryandrake wrote:
| > Make reporting of violations via the CFPB frictionless.
|
| Totally agree.. but sending a debt validation letter is
| already pretty simple. In most cases you can send the
| scumbag collector a barely-modified form letter and that's
| that. I've done this twice and it's pretty painless, but in
| a perfect world, I wouldn't be involved at all!
|
| Banks need to be forced to stop considering
| struct { name, address,
| birthday, ss_number,
| other_public_info }
|
| ...to be equivalent to a person, for the purpose of issuing
| loans. It's total madness, and honestly I'm shocked that
| this kind of fraud isn't even more common.
|
| That and struct { acct_no, routing_no }
|
| ...is enough to withdraw money from my bank account thru
| ACH! Also lunacy. How are banks allowed to be so crappy?
|
| Legislation, plz.
| toomuchtodo wrote:
| Walk out onto a public street. Ask the first 3 people you
| come across if they know how to send a debt validation
| letter. Report back. One should not need to have
| knowledge with consumer credit laws and regulation to
| navigate exceptions; it's citizen hostile and a developed
| economy anti pattern imho. Fail citizen safe.
|
| Agree about ACH. The Fed's FedNow instant payment system
| due out next year should deprecate all that is trash
| about the ACH rails (switching to a push from a pull
| model being one of said deficiencies).
| gruez wrote:
| > Walk out onto a public street. Ask the first 3 people
| you come across if they know how to send a debt
| validation letter. Report back. One should not need to
| have knowledge with consumer credit laws and regulation
| to navigate exceptions; it's citizen hostile and a
| developed economy anti pattern imho. Fail citizen safe.
|
| By that logic, other things that are antipatterns:
|
| * most laws (do you think "the first 3 people you come
| across" would know the difference between murder and
| manslaughter?)
|
| * programming APIs (ie. the trope of programmers having
| to search up usages for basic library functions)
|
| * most basic life tasks (this can be literally anything.
| even how to cook. if your parents didn't teach you, and
| you couldn't search on the internet, most people would be
| toast).
| sailfast wrote:
| The complaint system isn't too terrible to use - at least
| when I last tried it out for a credit reporting dispute.
| You'll likely get a reply from the institution in a week or
| so, and if they don't reply in a timely manner it's a red
| flag:
|
| https://www.consumerfinance.gov/complaint/getting-started/
| londons_explore wrote:
| There are a lot of people in the USA without proper
| identity documentation, or who live under the identity of
| someone else.
|
| I know brothers who share a passport and driving license,
| and do just one lot of taxes between them.
|
| Tightening up identity verification laws will further
| exclude these people, and may be a net loss for the nation.
| groby_b wrote:
| How is excluding tax frauds a "net loss for the nation"?
|
| If you want to say that ID documents should be something
| that's much less painful for individuals to acquire (and
| should be free!), completely agreed.
|
| But the idea that a modern society can function without a
| safe identification system is somewhat far fetched to me.
| InefficientRed wrote:
| _> How is excluding tax frauds a "net loss for the
| nation"?_
|
| Calling this tax fraud is... I guess true, but kind of
| odd and silly.
|
| Two people making $X/2 will in almost all cases pay
| _more_ taxes while receiving _fewer_ benefits than one
| person making $X. If you wanted to pay fewer taxes, you
| wouldn't use this scheme except in a few strange edge
| cases. I don't think the brothers are sharing a passport,
| a driver's license, and tax filings in order to reduce
| their tax bill...
|
| (Reading between the lines, since you didn't seem to pick
| up on it: one of the brothers is an undocumented
| immigrant. The goal is not tax minimization... the two
| brothers are paying more taxes while receiving fewer
| benefits in order to avoid deportation of the
| undocumented brother.)
| londons_explore wrote:
| Actually I think one of the brothers never got a birth
| certificate because their mother didn't want to do the
| paperwork.
| Dma54rhs wrote:
| What is the realistic solution then? It's time for
| Americans to do the European and developed world thing and
| use IDs with proper identification methods.
|
| And why would you live under someone else's identity?
| Isn't it identity theft?
| londons_explore wrote:
| Maybe because you were never given an identity at birth?
| Or you are in the country illegally? Or you are trying to
| escape debt or the law or someone wanting you dead? Maybe
| you lost all your id documents in a fire and don't have
| anything left for the government to reissue you an ID.
| Maybe you've just forgotten who you are due to illness.
|
| Plenty of reasons, some more legit than others, but there
| are a large number of people in this position.
| Dma54rhs wrote:
| Somehow the rest of the world can deal with these issues.
| You can skip any contract the society creates with the
| same reasons from paying taxes to getting a vaccine.
| sailfast wrote:
| Legislation to broaden access for the unbanked and legal
| docs for non-citizens is the way to solve that use case,
| not enabling illegal credential sharing to obtain money
| as a use case (in my opinion)
| lr4444lr wrote:
| Very simple: any contract between a financial institution and
| a third party is rescinded and null in whole if the third
| party was represented by someone else, without power of
| attorney. Full stop. Burden of proof on the bank to ensure
| this. They already have a huge apparatus in place to verify
| creditworthiness and identity. Any attempt to collect once
| such a complaint is filed should be illegal before it is
| resolved.
| PeterisP wrote:
| As far as I understand, the major effect of identity theft on
| the person is the problems with their credit score and thus
| all kinds of other credit-related activities while the issue
| is being resolved. I think that at least in parts of Europe
| the legal solution is a requirement that lenders must get
| these fraudulent loans off the credit reports within a fairly
| strict time limit when they're contested in a simple,
| standardized way, so even if some investigation takes a long
| time, that does not affect your creditworthiness during that
| time.
| _jal wrote:
| One easy, but indirect, fix would be to remove the legal
| special casing that exempts credit reporting companies from
| libel laws.
|
| That would force a number of other changes, and I think they
| would mostly be positive. Those whose businesses depend on
| high-volume easy credit may disagree.
| gruez wrote:
| > One easy, but indirect, fix would be to remove the legal
| special casing that exempts credit reporting companies from
| libel laws.
|
| I wonder if this can be bypassed by a warrant canary (or
| repayment canary)? Basically instead of having creditors
| report that you defaulted on your debts, creditors will
| just report whether you opened/closed a line of credit, and
| whether you're current on it. If you aren't current, then
| the algorithm assumes you're delinquent. Since you can't
| compel speech (first amendment), you'll have a very hard
| time forcing companies to do something.
| vageli wrote:
| Has the legality of a warrant canary ever been tested?
| Commenters on this site often mention that the law is not
| executed by machine, and so it seems a court would see
| through this charade.
| toss1 wrote:
| Yup.
|
| And also on-point, when are management and coders going to
| realize that much data should be treated as toxic waste and
| destroyed, rather than kept forever, just in case we might want
| it?
|
| This guy had an ID theft, prevented it from going forward, but
| the payday lender had his info in their DB, and so the second
| time around somehow actually authorized the bogus loan. If they
| hadn't stored the info from this person who would NEVER
| deliberately be a customer, the bogus loan would not have
| happened.
|
| And all that trouble caused so some thief could net a measly
| $1000.
| gr1zzlybe4r wrote:
| Completely agree, and I've worked at fintech companies that
| issue credit products.
| kelseyfrog wrote:
| This sentiment is summed up perfectly in a Mitchell & Webb
| Sound titled Identity Theft[1].
|
| 1 - https://www.youtube.com/watch?v=CS9ptA3Ya9E
___________________________________________________________________
(page generated 2022-01-25 23:00 UTC)