[LONG] How flaws in the US Credit Reporting System are allowing criminals to Dox any US Citizen

[rcmaehl]

Summary

Poor identity verification, and third party data reselling, of financial tools such as Transunion's TLOxp allow criminals to easily obtain Current (and Previous) names, addresses, associated phone numbers, along with birthdate, last 4 of SSN with as little as a Name or Phone number.

 

Media

 

 

Quotes

Quote

A secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. That data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement. Criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officer’s identities, and are selling unfettered access to their criminal cohorts online. The tool 404 Media tested has also been used to gather information on high profile targets such as Elon Musk, Joe Rogan, and even President Joe Biden, seemingly without restriction. The communities where this tool is advertised include chat rooms focused on swatting,... SIM swapping,... and physical violence. “These companies have demonstrated that they can't control who has access to their data products. The government needs to stop these companies from packaging and selling our personal information, and the senior executives that put profit over national security and Americans' safety should be punished accordingly.” Eighty-two percent of American adults had a credit card in 2022. In other words, the majority of the adult population... will have their personal information collected and stored. The bureaus made some of the data provided by consumers—known as credit header information—available to other companies. The portion of a consumer’s credit report that typically contains the person’s name, birth date, current and prior addresses, Social Security number, and telephone number. While credit reports themselves are limited... under the Fair Credit Reporting Act (FCRA), credit bureaus and data brokers generally believe credit header falls under a different piece of legislation: the Gramm-Leach-Bliley Act (GLBA). This law gives the credit bureaus room to sell credit header information to third parties under a set of use cases that are much broader than the full credit report. Beyond TLO, criminals have... multiple different companies... they... use: Data-Trac, SearchBug, and USinfoSearch among them. Data-Trac told 404 Media that someone gained access to its tool by stealing the identity of a former law enforcement officer and private investigator in Florida. The criminal then opened an account with those credentials, which included a drivers’ license. Data-Trac... said at the time of the criminal gaining access, the company only performed “remote confirmation,” where the applicant is asked to provide various pieces of identity and security verification virtually rather than in-person. CEO of SearchBug, confirmed his tool had been used to look up around half a dozen names 404 Media identified as being targets of criminals. In response to 404 Media’s findings, Wieder said SearchBug will now perform those blocks itself. The same day Wieder said SearchBug would introduce those limits, one bot seller said on Telegram their bot would now face restrictions. USinfoSearch, told 404 Media in an email that “the security and protection of our licensed databases and information is at the very top of our priorities and our systems are monitored continuously.” “It should absolutely not be allowed,” Rob Shavell, CEO of DeleteMe said of credit bureaus feeding credit header data to wider industries. Of all the entities that are the root cause of this data, “the credit bureaus are number one.” In March, the CFPB put out a request for information about data brokers, where organizations can write-in with their concerns about the trade of data. Last week, the CFPB announced it was proposing new rules that would change the regulation of credit header data.

 

My thoughts

It appears this isn't the first time this tool and others have been criticized, abused, or partially dumped of their contents. Just last year even, TLOxp was partially scraped by a real estate firm and left open to the public internet. Other cases before that include Spying on a now member of the British Royal Family, $4 Million COVID benefits fraud by a rap crew, and many more. It is a constant shame to see how far behind the US data privacy sector is compared to the EU and other countries. Hopefully, the CFPB inquiry and proposed new rules will help curtail this issue.

 

Sources

Transunion TLO

1997 FTC Inquiry

404 Media Investigation (404 Media is a spin off of, now bankrupt, Vice)

Consumer Finance Protection Bureau Inquiry and Request for Comment

[Alex Atkin UK]

Not surprised, out of curiosity I have tried to find details on people in the US by simple Google searches and its amazing how much you can find without any special tools by simply knowing their current first, last name and approximate location.  They seem to have very lax data protection laws.

[Fasterthannothing]

Not even surprising I mean look at Equifax it's disgusting how little they actually are required to secure.

[SpaceGhostC2C]

2 hours ago, Alex Atkin UK said:

Not surprised, out of curiosity I have tried to find details on people in the US by simple Google searches and its amazing how much you can find without any special tools by simply knowing their current first, last name and approximate location.  They seem to have very lax data protection laws.

... and very poor enforcement.

 

Quote

This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards.

 

Well, if Equifax has it, this may as well be public data by now...

 

[StDragon]

They're honeypots of information. Not really news.

[Kisai]

14 hours ago, Alex Atkin UK said:

Not surprised, out of curiosity I have tried to find details on people in the US by simple Google searches and its amazing how much you can find without any special tools by simply knowing their current first, last name and approximate location.  They seem to have very lax data protection laws.

Oh, it's the tip of the iceberg. Anyone with access to Lexisnexis (Paypal does) knows every address, phone number, and email you've ever had.

 

Credit Reporting Bureaus get all their information from banks and credit-related utilities, and they are linked by the taxpayer identification.

 

Real Estate (Property and Vehicles) have access to this information, usually unfettered.

[ouroesa]

On 9/12/2023 at 11:19 PM, rcmaehl said:

That data trickles down from the credit bureaus to other companies who offer it to debt collectors

There is your problem. Hold those asshats accountable. 

[Mark Kaine]

To the surprise of *no one*.

 

On 9/12/2023 at 8:38 PM, StDragon said:

They're honeypots of information. Not really news.

i also doubt this is news, likely known for decades ~

 

[TetraSky]

Just another reason why selling personal identifiable information should be illegal.

[williamcll]

Does this impact debit card holders too?