Hackers can use credit bureaus to dox nearly anyone in America

582 points by kmfrk, over 1 year ago

33 comments

hairofadog, over 1 year ago
It's definitely worth taking the time to set up a credit freeze with the three big agencies (Experian, TransUnion, Equifax). Initially setting it up is a pain in the butt and is rage-inducing, as you have to provide a bunch of personal data when the whole problem in the first place is that they're careless with your data.

However, once you've got it set up, it's very easy to freeze and unfreeze them. Just keep all the URLs, usernames, and passwords in a secure note somewhere, and any time you need to apply for credit, unfreeze them for a day or a week.

I used to have all sorts of identity theft problems (people taking out credit in my name) but freezing my credit has solved it.

Experian: https://www.experian.com/freeze/center.html

TransUnion: https://www.transunion.com/credit-freeze

Equifax: https://www.equifax.com/personal/credit-report-services/credit-freeze/

I truly hate these companies but holding my nose and going through the process was worthwhile and I'd recommend it to anyone.
NelsonMinar, over 1 year ago
Save you a click: the secret weapon is paying a criminal on a Telegram group $15 to dox someone. The article is mostly about where the doxxing services are getting their data, which changes. TransUnion's TLOxp is a popular service right now.
lr1970, over 1 year ago
Wrong approach. Person's identity and authentication should not be based on the immutable and public information like social security number, driver's license number, address history, etc. There are many ways such information can leak and when it does it stays there forever. We need a proper digital ID, certification and conflict resolution mechanisms. It would not be cheap but the alternatives are costlier in the long run.
michaelt, over 1 year ago
> “On the very rare occasion where we confirm misuse of TLOxp, we coordinate with law enforcement to help prosecute those responsible,” TransUnion added.

This is categorically false.

I've had TransUnion hand my entire credit report over to hackers who had nothing but public information, and TransUnion *absolutely do not give a shit.*
patrickrafferty, over 1 year ago
Here is another thing I despise about these Credit Bureaus.

I've walked into Commercial Real Estate brokerages where every single broker had a license to a credit bureau - with many of the junior brokers using it daily to look up real estate owners to call their mobile phones.

Obviously TLO *knows* there's no way a huge chunk of the CRE brokerage industry should be in their product on a daily basis if they were actually using a GLBA compliant use case... and they look the other way and find a way to monetize.

You really don't need to go digging in some dark corner of the internet to obtain this information... you can walk in through the front door.
mcdonje, over 1 year ago
"It's not a data breach if you collect money from the criminals for the data. Then it's a service offering."

- Credit bureaus
jedberg, over 1 year ago
Just a reminder to never give private info to someone who calls you, even if they seem to have a lot of your private data already to "prove they are legit".

Always call back on a number *you* look up, not one that they give you.
jhoelzel, over 1 year ago
IMHO this is only going to get worse from here. There are piles of data that simply have not been categorized because no one cared enough about it. Now a good LLM will do that for you.
hedora, over 1 year ago
That whole industry needs to be banned. Courts should record loan defaults, and make that information available to creditors. Nothing else should be in the report.

Lenders already require independent verification of income and (for mortgages) monthly expenses.

The rest of the information that’s in your report and that is used to compute your credit score seems to be there to force people to get credit cards and to perpetuate systemic racism.
throwawaaarrgh, over 1 year ago
This stuff was apparent 20 years ago when PIs gave talks at hacker cons telling them all the legal ways you could get any information you ever wanted. If you Google around there are 500 online services (public companies, not hackers) to dig up private info for a small fee. I guess somebody just finally made a bot to make it easier.

Articles like this read to a hacker like an article that door locks aren't secure.
bluetidepro, over 1 year ago
Has anyone ever used that DeleteMe [1] service the article mentions? It's not very cheap, and I'm wondering the value or if anyone has any first hand 2 cents on using it?

[1]: https://joindeleteme.com/
everdrive, over 1 year ago
Interestingly, you actually never get signed up for these credit services until you get a credit card. So all the things people tell you “build credit” (eg: pay your bills on time, pay your rent, etc.) don’t actually “do” anything. There’s no credit score to attach to them, so they just go off into the ether. I built credit a bit late in life and it was a struggle to get started. At this point, I kind of wish I’d just avoided building credit altogether. I wouldn’t be in any of these systems.
tptacek, over 1 year ago
Drivers license ID numbers in many states are almost public: they're deterministically generated from basic personal information. You therefore can't use a drivers license ID number as a secure identifier anyways.
nocsi, over 1 year ago
The more you use your own identity, the more possibilities there are for an attacker to compromise you. So ideally.. don’t use credit. But even criminals need credit too, so they craft synthetic identities and use these as proxies to operate in, without ever using their real identity. The entire system is broken, and at this point you’re better off joining the criminals in using synthetic identities too.
gruez, over 1 year ago
>A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their drivers’ license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.

Other than SSN, I don't find most of the information listed very concerning. Addresses, phone numbers, emails are semi-public anyways, considering that you hand them out anytime you make a purchase online. I'm not sure what bad stuff you can do with a drivers license id. Date of birth/relatives seems like something that can be sourced from public records (eg. voter roll). I'd prefer it if there weren't a telegram bot that dispenses all this for $15, but it's not exactly super privileged either.
politician, over 1 year ago
"...the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement."

...

"“Of all the entities that are the root cause of this data, “the credit bureaus are number one,” Shavell added. “They are the ones that should be subject to the strictest compliance and ultimately be held to a higher privacy standard by the federal government and by state governments than they are being,” he said."

TLDR: People are using social engineering attacks to gain access to data brokers' tools that tap credit bureaus' profiles of everyone. There are no incentives for the companies in this supply chain to perform adequate due diligence before granting access to the data.
crossroadsguy, over 1 year ago
I am from India and the credit bureau world here is Kafkaesque.

Even to get the attention of a credit bureau you’ve to be their paid customer. A new loan in your name which didn’t even turn up in your dream? They helpfully tell you to contact the org that issued the loan. A card that’s not yours? Nope, not your problem. You can’t even tell them to delete your data altogether even if you’re fine working zero credit history.

Even to get your own data that they got without your informed consent you’ve to pay!

There seems to be no venue! And suddenly one day I realise there’s yet another credit bureau and they have all my data! Amazing!

Their infra even feels so sketchy that you kinda know it can be hacked the moment someone tries.

As for freezing as some suggest, unfreezing is even worse. Besides it just doesn’t protect in case of data breach in any shape or form.

This is one field where I hope government regulates deep and hard into their collective bottom.
mindslight, over 1 year ago
> Senator Ron Wyden told 404 Media in a statement that “These companies have demonstrated that they can't control who has access to their data products. The government needs to stop these companies from packaging and selling our personal information, and the senior executives that put profit over national security and Americans' safety should be punished accordingly.”

I'm amazed that the *quote from a politician* is the most even handed substantive part of this article. The rest of the article is essentially scaremongering a misguided narrative around "criminals" gaining access to surveillance databases, when the real problem is the uncontrollable and unaccountable surveillance databases existing in the first place. The US desperately needs a port of the GDPR to give us data subjects the rights to control and prevent dossiers being kept on us.
darth_avocado, over 1 year ago
Credit bureaus should be illegal. You can’t opt out of them and they take no responsibility in protecting you. How is it that every tech company has to abide by all kinds of rules re: PII, but they get to do whatever they like?
yessen, over 1 year ago
There is a website (blockshopper.com) that scrapes and indexes real estate transaction data from counties that publish it. It’s easy and free to find someone’s address and doxx them. Their policy says that they only remove your data if you are a target of harassment, under court order or law enforcement officer.
nuancebydefault, over 1 year ago
When I read all this, I can't help but think that Europe is doing better in this respect. Policies like GDPR help to prevent such large scale personal data collection and hence abuse.

Also, things like scores and rankings to get a loan/mortgage are not what I ever experienced. The procedure basically is, you take your last 3 salary slips and shop a few banks. You take the one with the lowest rent. Done. After all, you sign a document that states that the bank might sell your property if you do not pay off (for quite some months).

Or do I see it wrong?
t0mk, over 1 year ago
In Finland, you can get credit data of a person from official source (or service resellers) for ~9 EUR. You need to know their social security number though. It's used by landlords (private and corporate) to vet potential tenants.

Not sure if there's a telegram bot for that yet :D
__MatrixMan__, over 1 year ago
Somewhere in the neighborhood of zero knowledge proofs and homomorphic encryption is a way to evaluate creditworthiness predicates on data that's encrypted and in the open without revealing the underlying details.

Let's use math to obsolete FICO and shut down these parasites.
hospitalJail, over 1 year ago
Home address and phone number?!?! The horror! (Did people forget yellow pages existed?)

I suppose email and SSN are yikes inducing but after a decade of having my email sold to the political parties, I don't treasure it. SSN? Haven't we moved beyond SSN for security purposes?
standardUser, over 1 year ago
The cat has been out of the bag for a while. We need legal changes to how personal information is used *after* it has been acquired. It doesn't make sense any longer for it to be so easy to open lines of credit or otherwise apply stolen info.
rig666, over 1 year ago
>$15 per search

What chumps, just use https://freepeoplesearch.com

Ya it has ads but out of all the hundreds of "free" sites it has actually the most amount of free information.
derelicta, over 1 year ago
I've had friends who got swatted very recently, and I wouldn't be surprised if the ones responsible for it went through that sort of services.
happytiger, over 1 year ago
It’s time for a Privacy Bill of Rights, and to eliminate credit systems that operate without explicit permission of the individual.
brm, over 1 year ago
I can use a couple free searches to dox nearly anyone in America...
tennisflyi, over 1 year ago
What information do they need to supply in the Telegram group?

Edit: Name and state.
charcircuit, over 1 year ago
Running background checks to dox people is a tale as old as time.
m3kw9, over 1 year ago
Make doxxing punishable by huge fines
hsuduebc2, over 1 year ago
What a dystopia. I guess I never appreciated GDPR as it deserves.