It's interesting that the "hacker" himself was caught via hackery. When I worked on anti-cheating stuff for a game company, I was able to stop the seller of the cheat because their cheat had been stolen and resold so they had to put anti-cheating tech in their cheating tech and it opened a hole I was able to exploit to detect them.
Imagine you're selling a tool that lets players win every game.
Then imagine someone else starts selling another tool. Anyone who buys that other tool is now able to beat the players you promised a win to, AND they're not giving you any money for it. This damages your reputation, which in an underground market is probably your most valuable resource. So not only are they not paying you, but they're robbing you of future sales by damaging your rep.
Wouldn't you put in something to prevent users of your newest cheat from being cheated themselves?
I wonder how much of his personal information was gleaned from "respectable" American companies like Lexis-Nexis, Equifax, and Transperian? I'm sure they gave everything and medical history for the price of a few coins. I have no respect for companies that don't respect my privacy. And I make it a habit of giving them as much useless, inaccurate information as possible.
Easy, you just lie when people ask. Apply for store loyalty cards and similar with fake information to get that associated with your data broker profiles.
You could also open phone lines with fake information, ISP accounts and so on.
A good investigator with expensive access will still be able to track you down, but automatically exploiting your data will be much more difficult if it's a mess.
We're not talking about just any data brokers though, the parent comment mentioned credit bureaus specifically.
I'm not a lawyer, but if you're applying for a line of credit with false information, I'm pretty sure that's a crime.
If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.
>I'm not a lawyer, but if you're applying for a line of credit with false information, I'm pretty sure that's a crime.
I'm definitely not a lawyer, but unless your intent is to defraud I wouldn't be so sure about that. I also don't see how you'd ever end up getting prosecuted for this unless you really piss someone off, in which case I guess you could get prosecuted for just about anything.
In any case, whether or not this is legal seems utterly irrelevant.
>If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.
You would be wrong. That'd be an awful way to maintain up-to-date address data on people.
Besides, the first company named was "Lexis-Nexis".
I'm currently working on a batch of information requests about myself to different data brokers and alternative credit reporting firms. I send a copy of my driver's license and a recent utility bill and they send me my records for free. It's shocking what I found the last time I did this.
> Vovnenko first came onto my radar after his alter ego Fly published a blog entry that led with an image of my bloodied, severed head and included my credit report, copies of identification documents, pictures of our front door, information about family members, and so on.
Damn. It does seem that stupid mistakes took him down. Revealing too much about himself on his forum. I mean, if he'd been careful, compromise of that forum would have revealed nothing about him. And for Dog's sake, using the same password on low- and high-security accounts!
Of course, the real story could be hidden through parallel construction. But on its face, this does support the argument that it's stupid mistakes that take people down. Krebs' blog is full of them.
Edit: And just to be clear, I'm not even suggesting support for that Ukrainian dickhead. It's just that criminal takedowns are well reported, and so provide cautionary lessons for the rest of us.
>Damn. It does seem that stupid mistakes took him down.
One possibility on the "cautionary lessons for the rest of us" front is a classic bit of wisdom about asymmetric adversarial situations: the other party only needs to get lucky once. There is a fundamental challenge of scale and time for any entity or individual that tries to run something dealing with persistent antagonists over long time periods, it just plain becomes hard to keep track of it all without further infrastructure systems in place. And it's also hard for any single human to stay in the zone persistently, we're not really wired that way, hence the need for non-human support structures.
And that in turn is the same challenge for any business dealing with significant organic growth, criminal or not, it's the classic "that TOTALLY TEMPORARY one-off excel spreadsheet someone made 15 years ago now runs hundreds of millions of dollars" issue. It's hard to know ahead what will be important and sticky or not, even if experience helps. And it's hard to decide how to allocate limited resources too. Infrastructure you build helps you scale properly in the future, but it doesn't do anything for you right now, you might not even know you could need it. And overbuilding upfront might mean there is no tomorrow to worry about anyway.
It's a tough nut, though fortunately it's one area that is probably worse on the black side of things since there is less room for recovery from mistakes. Maybe it's one of the structural forces that can help encourage law abiding behavior, legit companies can mess up badly but still potentially recover if there is enough meat to them, whereas a total opsec break for criminals can mean the end of the enterprise.
Yes. And I was thinking more of activists in repressive places. Who, notwithstanding what we might think of them, are criminals in the eyes of their governments.
I work at one of the big 3 credit bureaus so thought I’d chime in -
It is entirely possible to report inaccurate information to the bureaus. Although more often than not it’s on accident, not malicious. Additionally bureaus collect a lot of information from other sources. Some public some private. It’s possible for these datasets to be error prone themselves.
There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)
Our son (10 yo) had a delinquent medical bill for reasons we don't understand. The creditor can't tell us who sent the bill because we aren't the named party and I'll be damned if I put him on the phone with them, because he is a minor. So, we're at an impasse and no one can tell us anything.
Someone managed to get his name and address and did not realize he was a minor. Brilliant system you have!
Hire a lawyer and write a letter. You're not at an impasse. You can have this cleared, if they don't have evidence and you write a letter, they have to shut it down.
I'll do no such thing. Someone else made a mistake and therefore I have to pay a lawyer to fix it? It's not a legitimate debt, but it goes to show how anyone can put anything in anyone's file and these information brokers will suck it up and pass it around without even the most basic sanity checks. The FCRA was a good start but an American GDPR would be better.
You shouldn't need a lawyer, but it may require a couple hours of time (but not all at once).
The next time they call, tell them that the person they are looking for is a minor and you are their guardian and because of that you are required to speak on their behalf.
Immediately inform them that all further communication must be done in writing and that you are requesting that they validate the debt in writing. They are required by law to communicate in writing if you request it and to also validate the debt.
If the next letter from them is not a debt validation, you should send them a simple cease and desist response stating they have not validated the debt and may no longer contact you. Send it certified, return receipt requested. Keep a copy for yourself.
If it doesn't stop at that point, you will need a lawyer, but it will most likely be at no cost to you:
If they send you another letter or call you again attempting to collect, get their information and if you are inclined, contact a debt collection attorney. You would be able to sue them for up to $1,000 per incursion plus the fees from your lawyer. Provided you collected their information and have your initial letter, it should require very little time from you to go through the legal process.
yardie says> So, we're at an impasse and no one can tell us anything.
This is not true. And the system works fine. But you'll have to do some work (write a few letters and maybe a bit more). Here's how:
0. Open a chronological paper file. Copies of all correspondence with dates clearly marked/stamped will go into this file. Put the file into a file cabinet: put a copy of every letter, note or form, including the creditors' initial complaint, into it in time order. Also put notes about any phone conversations into it. Put dates on everything.
1. Talk to your local police department and, with your son, file a report with them if possible. They'll view it as a waste of time but it helps by putting you on "the right side of the law." Do it just to have a police report on file locally.
2. Have your son write a letter to the creditor (not the credit bureau) explaining that your son is a minor, the debt is not his, he did not purchase the item and asking them to remove the invalid entry from his credit report. Add a page with your adult names and signatures explaining that he is your legal son. Send those two letters along with a copy of the chronological file to the creditor, all via registered mail if you're paranoid.
3. Wait. They _will_ respond. Usually they'll cave at this point. Sometimes they'll call and ask that a police report be filed in _their_ jurisdiction (usually by phone) or some such. Do what they ask within reason. Make sure they (creditor, police) send you copies of everything. Follow up if they don't.
4. Wait. _They_ (the creditors, NOT you) should, after brief investigation, notify the credit bureau to remove the item from your son's credit report. If they don't do so within a few months, send follow-up second and third letters if necessary, reminding them.
5. If you get no response from the creditor after two months, copy the chronological file and send it via registered mail to the credit bureau adding a cover letter explaining that you have exhausted the legal means of redress with the creditors and they have refused to respond appropriately. Ask the credit bureau to investigate the creditor's item on your son's credit report.
This sounds like a lot of trouble but it really isn't and it would be a great lesson for your son, since it shows how most of the world works.
Correction involves loosely-coupled organizations and persons. Nothing in this happens at Internet speed. Each contact must have the situation explained from the beginning. It teaches a person how to order events in time, how to narrate a story consistently and how to be patient.
It's obscene that this burden falls on these folks because someone else falsely used this kid's name. The police report should be filed against the collection agency and the credit bureau, for fraud.[0] We may not have debtor's prisons anymore, but we certainly have guilty-by-default for finance.
> it shows how most of the world works.
It certainly does, but not in the way you meant. :/
[0] I'm aware this is not legally possible; I mean "should" in a moral sense.
They didn't mention a collection agency, nor is one likely involved with this case yet. Collection agencies enter the picture usually long after an incident and much neglect by various parties.
Collection agencies are not evil. If you've ever been a landlord or had someone fail to pay a debt, a collection agency may be a godsend b/c they buy your debt (you get something at least; they get the paper debt, valid or not). Is that not a valid capitalistic risk-taking venture?
The credit bureau can't be charged with fraud: their data is from legitimate businesses (creditors); any fraud would apply to the creditor.
This system has and still works well. Most everyone reading this has made good use of our current credit system. We all understand how it works but are impatient with the slowness of the system. But it is a mistake to confuse slowness with malintent.
If the goal is to get it off the credit report then #2 needs to be addressed to the CRA, not the furnisher/creditor. Please see the safe harbor (for the CRA) language in the FCRA.
Debt will automatically fall off son's report after 7 years. They can ignore it without consequences. (assuming kid isn't getting a mortgage at 17 years old, haha)
> There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)
Anecdotally, I can't agree with this.
I'm six months in to trying to convince Equifax that I exist. Apparently they accidentally registered me as dead in their system, which has caused background checks on me, like when I registered my ABN, to fail. Turns out there are a number of government systems that have been outsourced to them.
They have twice manually intervened, and twice their automated processes have "corrected" their information and relisted me as deceased. And getting a manual intervention is a lot of complaints, and a lot of escalations.
> There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)
I'd disagree with that. The three agencies have a couple of names I've never gone by (I go by my middle name, so I expect "Middle Last" and "First Last" but I never went by "First Mother's-Maiden-Name"), and a couple addresses I've never lived at on my records for 20 years. They refuse to remove them.
The most important and missing information at the start of the article is _why_ the OP had their information posted on the forum, why they were getting sent this package.