Experian Sold Social Security Numbers To ID Theft Service

realized writes "Experian — one of the three national U.S. credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to the operators of SuperGet.info who then offered all of the information online for a price. The website would advertise having '99% to 100% of all USA' in their database on websites frequented by carders. Hieu Minh Ngo, the website owner, was recently been indicted for 15-counts filed under seal in November 2012, charging him with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud, and substantive access device fraud."

Probably a downmod coming but..

WHAT THE FUCK!!!?!!!?

Since you mentioned Experian

These are the same people who offer to counsel you for $15, with a made-up number (even more made up than FICO) with fine print like this: "your Experian Credit Score indicates your relative credit risk level for educational purposes and is not the score used by lenders". Yep, super class act all the way. Even among credit rating scams, er "agencies", they are the worst.

And when will Experian be charged?

The US Credit system is a racket designed to screw people. I have been fighting a bogus charge on my credit report for years and I would love to see the power that these behemoths lowered.

Granted, I do not know of a superior way to track people, but the amount of destruction caused by identity theft or improper billing is insane.

Re:And when will Experian be charged?

[bradley13]

"Granted, I do not know of a superior way to track people"

How about this for an idea: don't track them.

Let's be real: These credit reporting agencies bring zero added value to the system. If you want a loan, go to the bank, show them certified copies of your pay statements, sign a legal document listing your other debts (or whatever other information the bank needs for a decision), and that ought to be it. There is zero need for anyone to know that you were three days late on a credit card payment in March of 2007.

These agencies are a blight. They are in the same category as Facebook: you are not the customer, your personal data is a product that they sell to anyone that will pay for it.

Re:And when will Experian be charged?

I have no problem with the service they provide, I only have a problem with the mechanism they use to provide it. We need a law that radically limits the usage of people's SSN. It is a government identification number and, as such, needs to be restricted to purposes that involve the government. If a company needs to deal with the IRS, Medicare, or any other government entity, they can and should use SSN for that purpose only. A private credit transaction does not involve the government, so using an SSN as an identifier in that transaction should be illegal. If Experian, TransUnion and Equifax want a unique identifier, they can create one themselves. If banks want to trust these services to determine credit eligibility, they can require that ID number rather than a SSN. It should be up to those businesses to de-dupe identities (without using SSN) when people apply for a new identification number.

And that's the kicker...de-duping identification is a hard problem, but one that's necessary for the business model of the reporting agencies. So, rather than solve the hard problem, they've pushed the responsibility onto the government since it does it anyways. The government needs to tell these companies that it's not okay for them to do this and that they need to solve the hard problem themselves.

Once you limit the use of SSN, it becomes significantly less valuable. Sure, it can be used in schemes to defraud the government or seek employment illegally, so there will be some use for criminals, but it's utility for identity theft will be drastically reduced.

Re:And when will Experian be charged?

[Cro+Magnon]

That's actually a decent reason to move to NK.

Who watches the watchers?

[gstoddart]

So if the credit bureau is selling all of the information to the identify thieves you're pretty much fucked.

Sounds like this company is playing both ends against the middle and needs to be shutdown.

Pathetic.

Re:Who watches the watchers?

[Bob+the+Super+Hamste]

Wasn't there some law that stated that when data breaches like this happen the company has to pay for credit monitoring for those affected. Given that it sounds like they may have distributed all US citizens' info it might be enough to sink their company. Then again I may only be remembering some proposed law that died a quiet death in some committee.

And no one at experian will ever be charged.

Even though Experian was selling the info, only the people who bought it will get punished.

Re:And no one at experian will ever be charged.

[PraiseBob]

an argument exists that Experian would not have had any way of realizing the nature of who they were selling it to

Excuse me? You are saying there is a valid argument that they have no way of knowing whom they are doing business with?

They have permanently compromised a system that hundreds of millions of people use every single day. They have made every single citizen subject to fraud, and have no ability to fix it, except conveniently through their business model. This breach will STILL be an issue ruining people's lives 20 years from now, and we will have to beg Experian to correct the problems they caused, and even pay them for the privilege. The economic damage could reach well into the trillions of dollars, there is virtually no cap, since it undermines the entire credit system of every citizen currently alive, for their entire lifetime. Every executive at the company should be put to a firing squad.

15 counts of wire fraud explained.

[nimbius]

If convicted in an american court those 15 counts amount to:
10 years in prison, appealed to 7
parole after 4

and experian leaving the room without ever having admitted any wrongdoing. Visa and Mastercard dont care, because the amount of credit as a balance reflected on a card is imaginary anyhow and doesnt correlate to any real value. They simply issue chargebacks against the vendors affected by fraudulent purchases.
the vendors in turn get a strike against them for accepting fraudulent transactions. cardholders get a new card, and the game resets. Consumer capitalism cannot be permitted to short-circuit at the expense of the consumer.

The cards are commonly used to purchase web hosting or secure free trials to distribute malware as a means of garnering more legitimate cards and absolving their dependence on lucky ducks like the Experian guy. The wheel is still turning.

Re:15 counts of wire fraud explained.

[I'm+New+Around+Here]

And my understanding is that once the card is opened, it's now on the consumer to dispute everything about the card,

I never understood that line of thought. If someone, e.g. a bank, says I owe them money because I agreed to repay them money they loaned to someone who claimed to be me, my first question would be "Where is the paper I signed?". If the contract was made at a branch of the bank, such as for a loan, my next question would be "Where is the video footage of me at that bank?".

Because if they don't have those two items, and they indisputably prove it is me, they have absolutely no case to try to extort money from me. They can go after the actual person they gave money or credit to. Why should it not be that way for all cases of so-called "identity theft"? It used to be called "bank fraud", which firmly shows the bank is the victim of fraud, and should have been more diligent in its actions. Instead they now imply the party who should have been more pro-active is the person whose name was used without their knowledge.

Stop calling it ID theft, call it bank fraud, and tell the banks they can get their money from whomever they decided to give it to.

Re:And, who has the Obamacare ID validation contra

Oh god, is Slashdot now The Blaze, where everyone has Obama Derangement Syndrome and every single comment has to tie to Obama, no matter how loosely related they are?

Why do SSNs persist?

[necro81]

I have a general question: why does the Social Security Number endure as the primary key of, well, every kind of financial account or transaction in the United States. The SSN - how it's assigned, how it's revoked, the regulations regarding who can use it and for what, what necessary safeguards are in place to prevent theft or misuse, its anonymity or lack thereof - was never intended for the tasks that it is now burdened with. It's broken in so many ways that it would be hilarious - if the consequences were not so dire.

Is it just that this is the system that we in the US are stuck with, and that's that? How do other countries handle this? What are the potential alternatives? What are the true requirements for a "master identifier key", and how can they be realized in a way accessible to all people? How can we convince the business and banking community to stop using the SSN - not because they're forced to, but because it's such an awful liability?

Which politicians' identities need to be stolen in order to put such a system in place?

Re:Why do SSNs persist?

[Cro+Magnon]

The problem, IMHO, isn't SSN as an identifier. It's that SSN is used as a password! I wouldn't care if everyone knew that xxx-xx-xxxx belonged to Cro Magnon, but when someone can buy a car in my name with just that number, that's a serious problem.

What about Experian?

[gr8_phk]

Hieu Minh Ngo, the website owner, was recently been indicted for 15-counts filed under seal in November 2012, charging him with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud, and substantive access device fraud.

Why does someone at one level of the crime get charged but not the one at the top. Remember:

Experian — one of the three national U.S. credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to the operators of SuperGet.info

Why are they not being charged? Using SSNs for certain things is illegal, and selling them probably is too - otherwise what did the other guy do wrong?

Re:Why is SSN secret?

And how do you keep your mothers maiden name a secret?
Do you kill her and her parents and wipe out all traces of them?
Why do they use stupid shit like this to identify someone.

US credit reporting violates privacy of millions

[bradley13]

Credit reporting ought to have everyone up in arms anyway. Every company an American does business with sends personal, financial details to these agencies. No permission required. The agencies themselves have a shared monopoly, but the size of their market is static. So they are always looking for quasi-legal ways to make even more money by selling your personal data. Sometimes quasi-illegal.

The whole system stinks. Americans need to get themselves some privacy rights...

Re:And, who has the Obamacare ID validation contra

[mcgrew]

For fuck's sake, it has nothing to do with obamacare. Stay on topic and stop trolling.

OK, so they put the ID theft guy in prison, how about having Experian's CEO in an adjoining cell? Why is it legal for Experian to sell my SS#??? I never gave them permission for that.

Re:Experian one of the worst

[sconeu]

I've *NEVER* had to enter a credit card to get my free credit report. Where the hell are you going to get it?

Re:Can I form a subsidiary too?

Always go check for an apposite Will Rogers quotation:

"A holding company is a thing where you hand an accomplice the goods while the policeman searches you." - Will Rogers

Re:And, who has the Obamacare ID validation contra

[EMG+at+MU]

Brining Obama into it frames the discussion on partisan politics. The discussion becomes "Obama and the democrats are corrupt, look at this no bid contract" instead of "The entire goverment, regardless of political party, is corrupt; no bid contracts have been part of the goverment bidding process for years and we need to reform it now".

We get nowhere when we fight about one party over another. But thats how all the debates are framed, and partisan drones are programmed to jump all over the opportunity to blame opposing party while ignoring the same transgressions when it is their party being bad.

Re:Probably a downmod coming but..

[Scutter]

At the very least, Experian's board should be held accountable by its shareholders for gross negligence in failing to do its due diligence during the purchase.

Re:And, who has the Obamacare ID validation contra

[cayenne8]

Brining Obama into it frames the discussion on partisan politics. The discussion becomes "Obama and the democrats are corrupt, look at this no bid contract" instead of "The entire goverment, regardless of political party, is corrupt; no bid contracts have been part of the goverment bidding process for years and we need to reform it now".

We get nowhere when we fight about one party over another. But thats how all the debates are framed, and partisan drones are programmed to jump all over the opportunity to blame opposing party while ignoring the same transgressions when it is their party being bad.

I think it frames it in terms of arguments of a federal website and program that is going to be gathering unprecedented personal and medical information on US citizens, and that is showing incredible ineptness of design and implementation through its first website portal is a fair argument to be brought up by anyone remotely concerned about their information, the safety of the information...and well frankly, what the govt does with that info.

It is now called Obamacare...because he owned the name itself awhile back....so, the ACA is synonymous with Obamacare.

No matter what you call it....there is justifiable cause for concern. Remember the other day about the code viewable in the source of the ACA website about "no expectation of privacy"?

Re:And, who has the Obamacare ID validation contra

[EMG+at+MU]

I think it frames it in terms of arguments of a federal website and program that is going to be gathering unprecedented personal and medical information on US citizens, and that is showing incredible ineptness of design and implementation through its first website portal is a fair argument to be brought up by anyone remotely concerned about their information, the safety of the information...and well frankly, what the govt does with that info.

Nothing is unprecedented. The government has been collecting all of your data for years, regardless of if the President has a (R) or a (D) next to his name. Bringing Obama into the discussion distracts from the fact that it doesn't matter who the president is, the government will continue being the government and continue doing whatever it wants.

No matter what you call it....there is justifiable cause for concern. Remember the other day about the code viewable in the source of the ACA website about "no expectation of privacy"?

Yes I do, and in that discussion everyone whined about Obama and missed the opportunity to discuss the fact that the government and corporations have always acted as if you "have no expectation of privacy". Hence the fucking story we should be talking about here.

Re:And, who has the Obamacare ID validation contra

[GodfatherofSoul]

healthcare.gov uses Experian to validate registrants. Experian sells account information to whoever will pay for it. You're saying there's no relationship???

Re:Probably a downmod coming but..

[Solandri]

I'm not sure who appointed Experian watchdog (though I'm certain someone on Slashdot will point out how ignorant I am for not knowing), but for a company with so much power over your own life in terms of credit, it would be nice if, with the power came some sort of responsibility -- and accountability.

Nobody "appointed" Experian watchdog over this information. Many companies (banks, lenders, credit card companies, etc) needed reliable information on a customer's past creditworthiness. Experian (and TransUnion and Equifax) collected and provide this information in sufficient quality for these companies' needs, and so they've become the watchdogs.

The problem is a subtle one I've noticed in several fields (mainly HR and hiring). The credit agencies protect against a false positive - one where an individual who is a high credit risk is incorrectly determined to be a low credit risk, and thus the bank gives them a loan. This protects the companies who seek this information before lending out money or equipment.

They do very little to protect against false negatives - one where an individual with low credit risk is incorrectly flagged as a high credit risk. The companies who use the credit bureaus don't really care about this case because it's a "safe" error for them. If they refuse a loan to someone who would've paid it back, they just lose out on the interest. So there's less incentive to verify the accuracy of negatives on someone's credit report. (Incidentally, low interest rates exacerbate this situation. If interest rates are higher, the interest on a loan can exceed the principal, and thus a false negative could become a greater financial loss than a false positive.)

(In the HR case, a HR department which carelessly culls out job applicants based on keywords and unrealistic years of experience is lowering their risk of false positives. But they're also increasing their risk of false negatives and weeding out a lot of qualified people. From management's standpoint, they can see the direct negative consequences of a bad hire. The negative consequences of failing to hire someone who was a good fit for the job are not so obvious. To correct for this, companies should regularly test their HR departments by submitting applicants who are "perfect" for a job and seeing how many of them get asked for interviews.)

Re:And, who has the Obamacare ID validation contra

[lgw]

Usually I laugh at claims that the CEO should be in jail when a company does something bad, but in this case there are laws with teeth about credit report info. Unless this was some case where he could not reasonably have known that this was going on, there must be some crime here, times 300 million counts.

Here's a thought

[g0bshiTe]

How about penalizing Experian for selling the information in the first place.