Nuke the entire Experian site from orbit
It's the only way to be sure.
Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims. The credit-monitoring agency lets people freeze their account using a PIN that has to be submitted in when applying for stuff like loans: it's a mechanism …
Because you live in the USA? The mere concept of credit rating is so alien and scary to me. When I need a credit, the bank asks me for my records, and I bring them personally. What Experian & friends do is so illegal here, it boggles the mind it can happen somewhere else.
because they have wiggled their way into the national and international-scale position of trust (lol), and you haven't. And now they're too big to fail while you, little man...
Sigh. You might think it's all "by design", rather than chance. Where's me tinfoil hat... :/
"Sigh. You might think it's all "by design", rather than chance. Where's me tinfoil hat... :/"
Yet, now that it exists--why would they give it up?
It occurred to me (during just this morning's commute) that, while this situation may have been subject to a certain amount of intentional design, this situation has certainly undergone a fair amount of evolution. And, then it occurred to me that this observation could well fall under Daniel Dennett's concept of the "free floating rationale", which essentially claims (though much debated) that things can have purpose as if they were designed despite not actually being designed. And yes, I know this is a topic that is debated at high academic levels, but I'm more interested in the implications for those who let a precarious economic system be at risk because of poor security practices.
So, what is the moral imperative for those who profit from a flawed system that is a threat to the well being of the market, most people, the nation, and possibly humanity as a whole? If they knowingly continue to profit from it, knowing it works against survival, then does the claim that it's natural because it evolved this way really count as a reasonable moral choice? Remember, there are species that went extinct simply because they failed to adapt to a change in environment. Yet, we supposedly evolved big brains to overcome such possibilities. Apparently, our big "uh-brains" aren't yet big enough.
I'll give you the "ability to get a place to live", because credit checks are done on both renters and people taking a mortgage.
However, EVERYTHING else you state is either a) optional in that process or b) you expecting people to give you free money to do so.
To get a mobile phone? Nope. I have one. No credit check. I bought it.
To get a phone connection? Nope. I have one. No credit check.
To get a credit card? Yes. To get a card that functions like a credit card? No.
What I'll add to your list is "bank account" but - again - you don't really need them unless you want them to give you free money - overdraft or loans.
If you want people to give you free money, yes, that person will use a service like this to check who you are.
If you don't want people to give you free money, you don't interact with them.
And the only time the average person NEEDS (not chooses to) someone to give them free money is... when applying for a mortgage or possibly a rental agreement.
I hate them with a vengeance, and credit ratings are the most backwards things I've ever seen in my life. But the way to stop them is to NOT borrow money, and then pay them the interest for having done so. Then they lose not only your applications to them, but also all the money they would have made from you.
That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury that they use barely 1/10th of its capabilities... that's just a sign of the times. There are perfectly viable alternatives called "save up" / "buy outright" / "live within your means".
That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury
Not just luxuries. Don't forget that gas, electricity and water bills usually involve a credit check unless you're on a pre-payment meter. If you're paying by instalment, then even dull stuff like home and car insurance is credit. Most but not all big telcos will credit check you for telephones, mobile or broadband, and some shitty MVNOs will even credit check you for SIM only deals.
Anywhere that a business is incurring costs before payment or runs a smoothed direct debit system, they are extending credit. If you were running one of those businesses, you'd want to check that new customers didn't have a dreadful history of credit defaults.
My credit score from one of these numpty companies is 100% (999/999) from another it's not even 60%. When I enquired with my financial adviser as to why this might be he said they have different factors that they use. It might be because I don't have a mobile phone contract, a landline, regular broadband etc. This despite the fact that I've never missed a payment on anything in my life. Companies make their own minds up as to whether to lend you money based on the info they can see on your report. Your score means bugger all to them apparently but can be useful in massaging your ego.
There's no such thing as a credit score.
It's literally a number made up by a single entity, and has no standardisation or correlation to any other number. You can't compare them, you can't predict them, you can't even choose a threshold (GDPR says that a human must now evaluate if the customer demands, not a computer score). They are literally a fabrication and any website that claims to tell you your credit score is no different from one telling you how many you rate out of ten on the sexiness scale.
As such, no credit decision is taken on the basis of "at least 900 on your credit score". It doesn't exist like that, and isn't processed like that, and when you do a minimal/statutory/DPA request from the credit agency, that number never appears.
Because the data they hold (what you pay for, when you pay it, how much you owe to whom) is the data that decisions are based on and every single credit-giving entity has their own criteria based on that data that has nothing to do with the credit reference agencies or any made-up "score".
The reason they won't lend to someone like you with 999/999 is precisely stated in your comment: You don't have any credit, and "You've never missed a payment". You're not profitable to them. And even no credit history at all is a red-flag so they won't lend to anyone who doesn't already have some form of credit history. It's a reputation score of "would he pay me back" - when someone who's never needed credit in their life suddenly asks for a loan, the risk is enormous - you have no idea if they're just gonna cut-and-run.
I made my "score" on one website drop from 700 to 100 by asking for a Vodafone SIM three times, and never receiving / activating any of them. Literally, I did nothing else, owe nobody any money, never even got to give payment details but "multiple credit requests" is considered a sign of desperation, so they hurt you for it so they don't put themselves at risk.
Credit scores are made-up nonsense. Credit references are basically subjective and there to profit companies giving credit. Actual credit for daily life shouldn't be required except for the major unaffordable items (housing is about the only thing). That someone asks for credit for home or car insurance - that's a red-flag. They can't afford to pay an annual lump sum, but they're keeping their car in good nick are they? Credit shouldn't be required for that. But we've taught our kids that that's okay (I blame Direct Debit a bit, but most essential DD's are actually zero-interest and cheaper than the annual payment). Telephones and mobile - I covered that. No. Buy.
But in all these other places you're ASKING for credit, when you could operate without credit. You're asking the gas company to lend you £200 for gas and you'll "pay them back next month". That's what you're doing. It's perfectly justified but also not strictly necessary. Nowadays pre-pay with a smart meter means you are on a monthly recurring pre-pay "contract" that you can cancel at any time and never get into debt for. That's no worse than a DD of credit on your account, in effect.
I'm not saying it's not the norm. I'm saying all those things - apart from housing - you do actually have a choice on, but instead choose to pay money to credit reference agencies and credit middle-men who are paying for your car / phone / etc. and then taking their percentage on top.
100 years ago, you literally didn't have a choice. You had the money or not, and lenders were not to be used for minor things. Nowadays, every 18-year-old fights for a credit card, phone contract, monthly car insurance deal, car finance, etc. the second they are of age to do so. Sorry... no sympathy.
(P.S. I have credit agreements. I'm no martyr here. But I do everything I can to ensure they're affordable, as well as ensure they are necessary and that I have a backup plan should something happen - lose my job, etc. And, no, that doesn't mean payment protection insurance! If you said to me tomorrow that you're cancelling all my credit agreements that I have in place... you'd take my car from me and have to give me back more than enough to buy several new cars, or I could dip into what I have and buy it from you - and even that is *literally* because I was forced to move out and live on my own, doubling my expenditure, and therefore spending the money I had put aside to pay off the rest of the car... halfway through the credit term).
I agree with most of your points, however, once I swapped my bank (savings only), and they spent ages giving back my personal details, so I went into complain, and they said they were sorry, but they were waiting for a credit check to complete.
When I asked them why that was needed as it was only a savings account, they said it was because they were also offering a non-savings account at the same time (which I didn't want, and didn't ask for), so there's no guarantee this won't happen when you open a normal account.
Are they TRYING to make things easier for hackers?
Nobody thought this through at all. Nobody wondered what could happen if "none of the above" was selected across the board, and obviously nobody tested the final result beyond making sure it didn't crash on first try.
There certainly are a few more niggles I could have, but the big one is allowing another email address. For frak's sake, nobody does that. There is no reason to, you already have the subscribers' address.
Welcome to software development in the 2010s. It's not even "compile it, ship it" any more, it's "if some PHP or Java-based monstrosity doesn't spaff too much crap to the logs then deploy it to production".
Also, Experian don't necessarily have your e-mail address, they just collect details about you while you go about your life hence the difficulty of proving that you're you to them. Perhaps if everyone got a "welcome to Experian, these are your account details" letter on their 18th birthday it might concentrate a few minds as to what's happening.
"Perhaps if everyone got a "welcome to Experian, these are your account details" letter on their 18th birthday it might concentrate a few minds as to what's happening."
Actually, it would need to be issued upon birth, since people open bank accounts, etc. for their minor children, and have been known to open utilities accounts, etc., in their child's name because they blotted their own copybook. I agree with the poster above, nuke them from orbit, and salt the ground with the salt of the tears of their executives and investors.
Also, Experian don't necessarily have your e-mail address, they just collect details about you while you go about your life hence the difficulty of proving that you're you to them.
Considering this is about unlocking accounts that people have frozen with a pin, I would think it is reasonable to expect Experian in this situation to have email address and other information relating to that account for the people to be able to manage their account.
"its customers were never in any danger of having their personal information stolen via the PIN hack"
But they were in danger of having loans fraudulently taken out in their name, which is the main reason people are worried about having their personal information.
Or do they mean that 15 million people don't have to worry about their personal information being stolen from experian because it already happened in 2015?
UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.
Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.
In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].
In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.
Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said.
Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.
A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.
In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.
"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.
Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.
Safety Detectives’ report states it found a StoreHub server that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.
StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.
Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.
The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.
The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.
The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.
Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.
According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.
India's Computer Emergency Response Team (CERT-In) has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.
The national infosec agency stated the short deadline is needed as it has identified "certain gaps causing hindrance in incident analysis."
Organizations can use email, phone, or fax to send incident reports. Just how the analog mediums will improve analysis gaps is uncertain.
Coca-Cola confirmed it's probing a possible network intrusion after the Stormous cybercrime gang claimed it stole 161GB of data from the beverage giant.
"We are aware of this matter and are investigating to determine the validity of the claim," Coca-Cola communications global vice president Scott Leith told The Register on Tuesday. "We are coordinating with law enforcement."
The ransomware gang, which has declared its support for the Russian government's illegal invasion of Ukraine, this week bragged it "hacked some of the company's servers and passed a large amount of data inside them without their knowledge." It's now trying to sell the stolen data for about $64,000, or nearest offer "depending on the amount of data you want," Stormous wrote on its website where it leaks pilfered information.
Intuit is being sued in the US after a security failure at its Mailchimp email marketing business allegedly led to the theft of cryptocurrency from one or more digital wallets.
In a proposed class-action lawsuit [PDF] filed in federal court in northern California on Friday, the plaintiff – Alan Levinson of Illinois – claimed he and potentially others fell victim to a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and funds siphoned.
Someone earlier stole from Mailchimp details of Trezor's mailing-list subscribers, and used this information to reach out to those users with an email engineered to trick them into installing malware designed to hijack their digital wallets. Levinson said he believes millions of dollars in crypto-coins were stolen in this attack, including $87,000 from his own wallet.
Analysis GitHub says it has identified and alerted developers who have had their private repositories accessed and downloaded via stolen authentication tokens.
In this multifaceted fiasco, Microsoft-owned GitHub insisted its security was not breached. Instead, we're told, "compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."
Salesforce-owned Heroku confirmed someone compromised an OAuth token – presumably an internal staffer's token – to get into Heroku's GitHub account and rifle through, and potentially update, users' GitHub repositories "using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub."