Experian Sold Social Security Numbers To ID Theft Service

realized writes "Experian — one of the three national U.S. credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to the operators of SuperGet.info who then offered all of the information online for a price. The website would advertise having '99% to 100% of all USA' in their database on websites frequented by carders. Hieu Minh Ngo, the website owner, was recently been indicted for 15-counts filed under seal in November 2012, charging him with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud, and substantive access device fraud."

Probably a downmod coming but..

WHAT THE FUCK!!!?!!!?

Since you mentioned Experian

These are the same people who offer to counsel you for $15, with a made-up number (even more made up than FICO) with fine print like this: "your Experian Credit Score indicates your relative credit risk level for educational purposes and is not the score used by lenders". Yep, super class act all the way. Even among credit rating scams, er "agencies", they are the worst.

Re:Since you mentioned Experian

You have no idea what you're talking about. Indeed, the FICO score is strictly a model from the Fair Isaac Corporation. However, that model is licensed out to the major credit bureaus, and they will indeed provide you a FICO score. However, any FICO score is only as good as the information it's based on. Since all three credit bureaus can happen to have different info on you, you can have a different FICO score with each of them. That's why all the ads you see talk about checking your three FICO scores - the algorithm is the same in all cases, it's just coming up with different results due to different inputs.

Now as to what the GP was saying, Experian has it's own, non-FICO score too, that they'll sell you (in addition to selling you a FICO score, should you pay for that), for a price. That's the "even more made up" number the GP is referring to, which has the name VantageScore. It's not your FICO score, and due to the less licensing and federal regulation surrounding it, costs less. However, the GP is wrong in sticking this with Experian - all three major bureaus jointly use VantageScore.

And lastly, folks pulling credit history that aren't making a direct loan (ex: insurers), usually don't pull a FICO score, since it's expensive, relatively speaking, but will pull yet another number made up by the three bureaus (what it is depends on what you're looking to insure - they have separate scores for auto and homeowner's insurance). All of this has made the FICO score itself much less important than it used to be. It's still the gold standard for big, big ticket items, where a mortgage company has no problem spending the $ to get the FICO score from all three bureaus to insure their hundreds of thousands of lending to you.

Re:Since you mentioned Experian

[ShanghaiBill]

They can't use FICO because it's owned by a third party (Fair Isaac)

Wrong. They can and do give out FICO numbers. They just don't give it out to you, as an individual, when you pay $7 for your "credit score", because they don't want to pay a fee to Fair Isaac. Instead they give you a number that is just meaningless garbage. 99% of the people paying the $7 think they are are going to get their actual FICO score. I fell for this scam myself.

And when will Experian be charged?

The US Credit system is a racket designed to screw people. I have been fighting a bogus charge on my credit report for years and I would love to see the power that these behemoths lowered.

Granted, I do not know of a superior way to track people, but the amount of destruction caused by identity theft or improper billing is insane.

Re:And when will Experian be charged?

[Solarhands]

Move to California. In California the burden of proof is on them if you dispute something.

Re:And when will Experian be charged?

[bradley13]

"Granted, I do not know of a superior way to track people"

How about this for an idea: don't track them.

Let's be real: These credit reporting agencies bring zero added value to the system. If you want a loan, go to the bank, show them certified copies of your pay statements, sign a legal document listing your other debts (or whatever other information the bank needs for a decision), and that ought to be it. There is zero need for anyone to know that you were three days late on a credit card payment in March of 2007.

These agencies are a blight. They are in the same category as Facebook: you are not the customer, your personal data is a product that they sell to anyone that will pay for it.

Re:And when will Experian be charged?

The first good reason I've heard to move to California. It's like saying "move to North Korea, Experian doesn't operate in North Korea."

Re:And when will Experian be charged?

I have no problem with the service they provide, I only have a problem with the mechanism they use to provide it. We need a law that radically limits the usage of people's SSN. It is a government identification number and, as such, needs to be restricted to purposes that involve the government. If a company needs to deal with the IRS, Medicare, or any other government entity, they can and should use SSN for that purpose only. A private credit transaction does not involve the government, so using an SSN as an identifier in that transaction should be illegal. If Experian, TransUnion and Equifax want a unique identifier, they can create one themselves. If banks want to trust these services to determine credit eligibility, they can require that ID number rather than a SSN. It should be up to those businesses to de-dupe identities (without using SSN) when people apply for a new identification number.

And that's the kicker...de-duping identification is a hard problem, but one that's necessary for the business model of the reporting agencies. So, rather than solve the hard problem, they've pushed the responsibility onto the government since it does it anyways. The government needs to tell these companies that it's not okay for them to do this and that they need to solve the hard problem themselves.

Once you limit the use of SSN, it becomes significantly less valuable. Sure, it can be used in schemes to defraud the government or seek employment illegally, so there will be some use for criminals, but it's utility for identity theft will be drastically reduced.

Re:And when will Experian be charged?

[Cro+Magnon]

That's actually a decent reason to move to NK.

Who watches the watchers?

[gstoddart]

So if the credit bureau is selling all of the information to the identify thieves you're pretty much fucked.

Sounds like this company is playing both ends against the middle and needs to be shutdown.

Pathetic.

Re:Who watches the watchers?

[Bob+the+Super+Hamste]

Wasn't there some law that stated that when data breaches like this happen the company has to pay for credit monitoring for those affected. Given that it sounds like they may have distributed all US citizens' info it might be enough to sink their company. Then again I may only be remembering some proposed law that died a quiet death in some committee.

Re:Who watches the watchers?

[Ronin+Developer]

How about we make Experian liable for clearing ANY AND ALL debt incurred whose credit info was divulged by them?

Once upon a time, the SSN was to be used for Social Security Purposes only - not for ID. Then, they started asked asking for it in college (as my ID) ... now, they ask for it at the local grocery store. Seems the law was changed. Why?

At one point, when someone wrote a letter (remember those?) in the 1980's to a service member, they gave the name, rank, SSN and Fleet or APO post office number. In retrospect...WTF where they thinking? Prior to that, a service number was issued and it was NOT your SSN.

And no one at experian will ever be charged.

Even though Experian was selling the info, only the people who bought it will get punished.

Re:And no one at experian will ever be charged.

[Jason+Levine]

Sadly, the people whose identity was stolen will also be punished by having to spend time, energy, and money restoring their credit files and getting the bogus accounts removed. In some cases they will have to prove that they really didn't open the lines of credit to Experian - the very company who is responsible for the mess they are in. They will also need to watch their credit closely for the rest of their lives wondering when the next line of credit will open up or deal with the hassle of freezing their credit and not being able to open new lines of credit when they want. (Though, as an ID theft victim who did the latter, it's really not that much of a pain. Just stinks that it is necessary.)

Experian, on the other hand, will face a vicious finger wagging by Congress. At the very worst. Maybe a token fine that they can make back in 2.3 seconds of doing their normal business.

Re:And no one at experian will ever be charged.

[PraiseBob]

an argument exists that Experian would not have had any way of realizing the nature of who they were selling it to

Excuse me? You are saying there is a valid argument that they have no way of knowing whom they are doing business with?

They have permanently compromised a system that hundreds of millions of people use every single day. They have made every single citizen subject to fraud, and have no ability to fix it, except conveniently through their business model. This breach will STILL be an issue ruining people's lives 20 years from now, and we will have to beg Experian to correct the problems they caused, and even pay them for the privilege. The economic damage could reach well into the trillions of dollars, there is virtually no cap, since it undermines the entire credit system of every citizen currently alive, for their entire lifetime. Every executive at the company should be put to a firing squad.

Start the bombing now!

[Theophile]

I'm an American, so I'll admit that I couldn't find Experia on a map if I tried, but this is an outrage and I say we start bombing the Experians back to the stone age right now!

Re:Start the bombing now!

[freeze128]

Well....? Don't keep us all on the edge of our seats! Where in Europe is it?

15 counts of wire fraud explained.

[nimbius]

If convicted in an american court those 15 counts amount to:
10 years in prison, appealed to 7
parole after 4

and experian leaving the room without ever having admitted any wrongdoing. Visa and Mastercard dont care, because the amount of credit as a balance reflected on a card is imaginary anyhow and doesnt correlate to any real value. They simply issue chargebacks against the vendors affected by fraudulent purchases.
the vendors in turn get a strike against them for accepting fraudulent transactions. cardholders get a new card, and the game resets. Consumer capitalism cannot be permitted to short-circuit at the expense of the consumer.

The cards are commonly used to purchase web hosting or secure free trials to distribute malware as a means of garnering more legitimate cards and absolving their dependence on lucky ducks like the Experian guy. The wheel is still turning.

Re:15 counts of wire fraud explained.

[I'm+New+Around+Here]

And my understanding is that once the card is opened, it's now on the consumer to dispute everything about the card,

I never understood that line of thought. If someone, e.g. a bank, says I owe them money because I agreed to repay them money they loaned to someone who claimed to be me, my first question would be "Where is the paper I signed?". If the contract was made at a branch of the bank, such as for a loan, my next question would be "Where is the video footage of me at that bank?".

Because if they don't have those two items, and they indisputably prove it is me, they have absolutely no case to try to extort money from me. They can go after the actual person they gave money or credit to. Why should it not be that way for all cases of so-called "identity theft"? It used to be called "bank fraud", which firmly shows the bank is the victim of fraud, and should have been more diligent in its actions. Instead they now imply the party who should have been more pro-active is the person whose name was used without their knowledge.

Stop calling it ID theft, call it bank fraud, and tell the banks they can get their money from whomever they decided to give it to.

Re:15 counts of wire fraud explained.

[Bob+the+Super+Hamste]

That actually happened to my wife. She got a call from American Express stating that we were in default on a card she had taken out and bills were being sent to an address in Las Vegas. They demanded that we pay in the most aggressive legal way they could. I told them that it isn't my fault that they didn't do their due diligence in giving out credit and that since it was a credit card we were only liable for up to $50 of it and I wasn't going to even pay that since neither of us had ever been in Nevada let alone Las Vegas. I then mentioned that if I ever heard from them again I would be filing charges against them for attempting to defraud me and would also be filing a complaint with my state's attorney general. Never heard back from them. I do the same thing with the idiots who keep buying someone's bad college loan debt that was accrued 14 years before I was born who happens to share my name. Some new company seems to buy it every 2-3 years and then they start calling or sending mail so I don't know if it is a scam or not but I treat it as if it were one.

Re:And, who has the Obamacare ID validation contra

Oh god, is Slashdot now The Blaze, where everyone has Obama Derangement Syndrome and every single comment has to tie to Obama, no matter how loosely related they are?

Why is SSN secret?

[bigwheel]

I never understood why social security numbers have become secret. It was my student ID both in undergrad and grad school. Available to everyone. Once upon a time, you were even supposed to keep your social security card in your wallet. Now it needs to be kept secret, along with my mother's maiden name.

It is just a has code -- not a password.

Re:Why is SSN secret?

[ComfortablyAmbiguous]

Besides that, it's a horrible, horrible secret. Until just a few years ago the first five digits could be easily determined from your birthday and location of birth, leaving only 4 digits of somewhat randomness, and even that went in sequential order, giving you a pretty good guess at a much small range. To add insult to injury, whenever a company thinks they are helping you keep it secret they will ask you for the last four digits of the number, the only four digits that actually matter.

Re:Why is SSN secret?

[thaylin]

because with your SSN now you have access to EVERY other piece of information. Forget your password with any company that has your SSN and they will use your SSN as the ultimate password.

Re:Why is SSN secret?

And how do you keep your mothers maiden name a secret?
Do you kill her and her parents and wipe out all traces of them?
Why do they use stupid shit like this to identify someone.

Re:Why is SSN secret?

[Jason+Levine]

Not that mother's maiden name is any protection. When someone opened a credit card in my name, they had my name, address, social security number, and date of birth. They got the mother's maiden name wrong, though. It wasn't even close. Didn't stop Capital One from approving the card application, though, and almost giving the people a line of credit in my name. (The only thing that stopped them was a fluke where they paid for rush delivery of the card and immediately changed the address from mine to theirs. The two processes crossed paths and the card arrived on my doorstep. Had it worked as intended, they would have gotten the card and run up a huge bill under my name.)

Re:Why is SSN secret?

Here's a dirty little secret about SSN's. They were never intended to be used as unique identifiers. In fact, it says on the card For social security only, not to be used for identification. Even more, they are not secure in the least, up until recently you could get the first 3-5 numbers just by knowing a little bit about the person, see ID by state of issue, and it's pretty simple to identify the group number as well. Last 4? those were sequential. Basically, they were never designed to be secure, and now we have to treat them as such. Better keep your birthplace/birthday secret too.

Why do SSNs persist?

[necro81]

I have a general question: why does the Social Security Number endure as the primary key of, well, every kind of financial account or transaction in the United States. The SSN - how it's assigned, how it's revoked, the regulations regarding who can use it and for what, what necessary safeguards are in place to prevent theft or misuse, its anonymity or lack thereof - was never intended for the tasks that it is now burdened with. It's broken in so many ways that it would be hilarious - if the consequences were not so dire.

Is it just that this is the system that we in the US are stuck with, and that's that? How do other countries handle this? What are the potential alternatives? What are the true requirements for a "master identifier key", and how can they be realized in a way accessible to all people? How can we convince the business and banking community to stop using the SSN - not because they're forced to, but because it's such an awful liability?

Which politicians' identities need to be stolen in order to put such a system in place?

Re:Why do SSNs persist?

[Cro+Magnon]

The problem, IMHO, isn't SSN as an identifier. It's that SSN is used as a password! I wouldn't care if everyone knew that xxx-xx-xxxx belonged to Cro Magnon, but when someone can buy a car in my name with just that number, that's a serious problem.

Re:Probably a downmod coming but..

A very articulate and insightful comment. No sarcasm intended

What about Experian?

[gr8_phk]

Hieu Minh Ngo, the website owner, was recently been indicted for 15-counts filed under seal in November 2012, charging him with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud, and substantive access device fraud.

Why does someone at one level of the crime get charged but not the one at the top. Remember:

Experian — one of the three national U.S. credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to the operators of SuperGet.info

Why are they not being charged? Using SSNs for certain things is illegal, and selling them probably is too - otherwise what did the other guy do wrong?

Re:Probably a downmod coming but..

[binarylarry]

Agreed. I'd vote for hanging some of the Experian exec responsible for this.

Re:FREE AS IN BEER MARKET !!

4. Get one rifle shot shot at long range from a citizen who got screwed in the bargain. Make it a .50 caliber.

I've been saying since Enron we should add more FEAR to the "greed and fear run Wall St." aphorism...

captcha: brooms (which sweep clean)

Re:Probably a downmod coming but..

[lymond01]

WHAT THE FUCK!!!?!!!?

According to TFA, basically the company that Experian purchased had already been selling information to the notorious 24-year old cyber criminal. Once the company was purchased, Experian didn't review its own transactions closely enough and inadvertently sold our SSNs to the guy too. Monthly. The Secret Service found out, captured the 24-year old, and it's unknown if Experian, credit watchdog, will suffer for sleeping on the job.

I'm not sure who appointed Experian watchdog (though I'm certain someone on Slashdot will point out how ignorant I am for not knowing), but for a company with so much power over your own life in terms of credit, it would be nice if, with the power came some sort of responsibility -- and accountability. I suppose we'll need to off Experian's Uncle Ben to get our point across...

US credit reporting violates privacy of millions

[bradley13]

Credit reporting ought to have everyone up in arms anyway. Every company an American does business with sends personal, financial details to these agencies. No permission required. The agencies themselves have a shared monopoly, but the size of their market is static. So they are always looking for quasi-legal ways to make even more money by selling your personal data. Sometimes quasi-illegal.

The whole system stinks. Americans need to get themselves some privacy rights...

Experian one of the worst

[Lysol]

My family and I were looking to move recently. Of course, we have to print out our credit reports. It used to be nice years ago when Yahoo had a service where you could easily get all 3 in just a few mins. But I'm sure since that was actually useful in real life, someone had to end it. So now, you have to log into the big 3 separately and request your 'free' report.

Of course, it's not 'free' since there's quite a bit of time involved in just getting it. You have a right by law to get this information once a year, but in order to do so, you have to put in your credit card. Red flag right there. This 'entitles' you to a free month of credit 'protection'.

After your done with your 'free' month, you have to call and cancel or else they'll charge you. Yup, you're right, no easy way to do that, no cancel account link or button to click - you gotta get on a phone and do an old school call. To keep the good times rolling, once you're actually off hold and connected to someone, it's some call center in another country. Mine happened to be India. What ensued next was back and forth on just getting the fucking thing canceled. There were many "just a moment" pauses and even a few upsells. I had to tell the guy 3 times I want to cancel. Just click the cancel button in your crappy web app.

30 mins later, I was off the phone. This company and the people that work for it are trash, plain and simple. They are a scourge on society and a drain on humanity. And along with banking (and warring I guess), credit 'scoring' and manipulation has to be one of the worst human endeavors ever. I don't understand how these people sleep at night and I'm not surprised they're selling people's info to whomever will pay.

Re:Experian one of the worst

Stop spreading FUD. No credit card info is required to get your free annual credit report.
You don't have to agree to upsell features like FAKO credit score and credit monitoring.

Re:Experian one of the worst

[HeavyD14]

Next time, go to http://annualcreditreport.com/ for your free report. No credit card or trial required. Takes care of all three agencies at once.

Re:Experian one of the worst

[Solandri]

That's the official (and only) government site for getting your free credit reports. All the sites asking for your credit card are scam sites (usually run by the credit bureaus themselves) which automatically sign you up for a credit monitoring service and charge your card if you forget to cancel.

All of this confusion and scamming could be eliminated if the government would just move the real site to the .gov domain. Then it'd be easy. .gov = real, .com = fake.

Re:And, who has the Obamacare ID validation contra

[mcgrew]

For fuck's sake, it has nothing to do with obamacare. Stay on topic and stop trolling.

OK, so they put the ID theft guy in prison, how about having Experian's CEO in an adjoining cell? Why is it legal for Experian to sell my SS#??? I never gave them permission for that.

I'm Dead

[Princeofcups]

These are the same fuckers who insisted that I was dead because someone had mistyped a social security number. Therefore they rejected all credit requests (I was trying to get financing on a car) until I could prove that I was still alive. That's right. If they make a mistake, the victim, errr, customer, has to correct it.

Re:And, who has the Obamacare ID validation contra

[EMG+at+MU]

Brining Obama into it frames the discussion on partisan politics. The discussion becomes "Obama and the democrats are corrupt, look at this no bid contract" instead of "The entire goverment, regardless of political party, is corrupt; no bid contracts have been part of the goverment bidding process for years and we need to reform it now".

We get nowhere when we fight about one party over another. But thats how all the debates are framed, and partisan drones are programmed to jump all over the opportunity to blame opposing party while ignoring the same transgressions when it is their party being bad.

Re:Probably a downmod coming but..

[Scutter]

At the very least, Experian's board should be held accountable by its shareholders for gross negligence in failing to do its due diligence during the purchase.

Solution: Make SSNs Public Record

The solution to this issue is for the Social Security Administration to publish EVERY SSN along with name in a big set of phone type books, and online. The SSN was never intended to be a secret number.

Banks and credit organisations who use the SSN as some sort of secret code can find some other real authentication method. Publishing them all at once would 'shock' the system into the fix that is needed.

Re:Solution: Make SSNs Public Record

[careysb]

+1 I've had to argue with more than one health insurance company to get them to not use my SSN as an ID number. Tell you what, along with publishing numbers lets also guarantee duplicate SSNs. That'll fix 'em.

Re:And, who has the Obamacare ID validation contra

[GodfatherofSoul]

healthcare.gov uses Experian to validate registrants. Experian sells account information to whoever will pay for it. You're saying there's no relationship???

NOT ENUF!

[TiggertheMad]

Hanging's too good for him. Burning's too good for him! He should be torn into little bitsy pieces and buried alive!

Re:And, who has the Obamacare ID validation contra

[Bite+The+Pillow]

What did you read?

"The work on Healthcare.gov grew out of a contract for open-ended technology services first issued in 2007 with a place-holder value of $1,000. There were 31 bidders. An extension, awarded in September 2011 specifically to build Healthcare.gov, drew four bidders, the documents show, including CGI Federal."

Search for part or all for source. Now, last you read it was a bid contract, invalidating your point.

Re:Probably a downmod coming but..

[Solandri]

I'm not sure who appointed Experian watchdog (though I'm certain someone on Slashdot will point out how ignorant I am for not knowing), but for a company with so much power over your own life in terms of credit, it would be nice if, with the power came some sort of responsibility -- and accountability.

Nobody "appointed" Experian watchdog over this information. Many companies (banks, lenders, credit card companies, etc) needed reliable information on a customer's past creditworthiness. Experian (and TransUnion and Equifax) collected and provide this information in sufficient quality for these companies' needs, and so they've become the watchdogs.

The problem is a subtle one I've noticed in several fields (mainly HR and hiring). The credit agencies protect against a false positive - one where an individual who is a high credit risk is incorrectly determined to be a low credit risk, and thus the bank gives them a loan. This protects the companies who seek this information before lending out money or equipment.

They do very little to protect against false negatives - one where an individual with low credit risk is incorrectly flagged as a high credit risk. The companies who use the credit bureaus don't really care about this case because it's a "safe" error for them. If they refuse a loan to someone who would've paid it back, they just lose out on the interest. So there's less incentive to verify the accuracy of negatives on someone's credit report. (Incidentally, low interest rates exacerbate this situation. If interest rates are higher, the interest on a loan can exceed the principal, and thus a false negative could become a greater financial loss than a false positive.)

(In the HR case, a HR department which carelessly culls out job applicants based on keywords and unrealistic years of experience is lowering their risk of false positives. But they're also increasing their risk of false negatives and weeding out a lot of qualified people. From management's standpoint, they can see the direct negative consequences of a bad hire. The negative consequences of failing to hire someone who was a good fit for the job are not so obvious. To correct for this, companies should regularly test their HR departments by submitting applicants who are "perfect" for a job and seeing how many of them get asked for interviews.)

Re:Probably a downmod coming but..

[HiThere]

Not much. Harsh punishments are less effective at deterring crime than are moderate punishments that are more likely to happen...unless, of course, you are likely to be punished even if innocent. To be effective the punishment only needs to be sufficient that the net benefit of an act is negative...but they need to be expected to happen if you are guilty. And sooner is much more effective than later.

Yeah, I know these requirements are in conflict. If it were simple, someone would have had a decent government by now.

Re:And, who has the Obamacare ID validation contra

[lgw]

Usually I laugh at claims that the CEO should be in jail when a company does something bad, but in this case there are laws with teeth about credit report info. Unless this was some case where he could not reasonably have known that this was going on, there must be some crime here, times 300 million counts.

Re:Probably a downmod coming but..

[synapse7]

So are all SSNs compromised?

Re:Probably a downmod coming but..

[gsgriffin]

They're up 24 points, 2% right now. Don't think investor care so long as they make money. $1,224/share is pretty staggering.