The flaw that allows you to access other peoples credit files

cjv

I suggested to my girlfriend that it would be a good idea for her to sign up to the free credit report services, to keep an eye on things and see how she could improve her credit history.

During the signup, it occurred to me that I knew all the answers to her security questions. At this point I stopped her and for "science" asked her if I could try and sign up on her behalf to see if I could. She agreed and I started the signup process again, from scratch.

Sure enough, after using a throw away email address, her name, d.o.b., address history and some questions about when accounts were opened etc (I guessed these from the choices available and partial information I already knew)... I was granted full access to her credit history!

This scenario was fine, no harm done as it was all consensual, but how many people out there know small financial details, clues even, to gain access to others credit reports? I was even given "another attempt" at selecting certain financial accounts/dates after failing the first time.

Just something I thought I would share with the forum, to start a discussion.

What are your thoughts and opinions on this, is this a worrying thing that needs to be fixed or something that can be brushed under the carpet?

(note MSE credit club was one of the reports I gained access to)

spadoosh

You are committing identity fraud. Yes, its perfectly possible to do, however it is illegal. Its like murder, you can physically do it, well because people murder others every day, just if youre caught youre going to get in big trouble for it.

boo_star

cjv wrote: »

I suggested to my girlfriend that it would be a good idea for her to sign up to the free credit report services, to keep an eye on things and see how she could improve her credit history.

During the signup, it occurred to me that I knew all the answers to her security questions. At this point I stopped her and for "science" asked her if I could try and sign up on her behalf to see if I could. She agreed and I started the signup process again, from scratch.

Sure enough, after using a throw away email address, her name, d.o.b., address history and some questions about when accounts were opened etc (I guessed these from the choices available and partial information I already knew)... I was granted full access to her credit history!

This scenario was fine, no harm done as it was all consensual, but how many people out there know small financial details, clues even, to gain access to others credit reports? I was even given "another attempt" at selecting certain financial accounts/dates after failing the first time.

Just something I thought I would share with the forum, to start a discussion.

What are your thoughts and opinions on this, is this a worrying thing that needs to be fixed or something that can be brushed under the carpet?

(note MSE credit club was one of the reports I gained access to)

If I have your personal information I can get access to your credit file. If I have access to your key I can open your front door, etc etc.

Outside of giving a DNA sample every time I want access to something what do you suggest these companies do?

cjv

Agreed!

I just think there should be some other verification steps, it will never prevent it completely but inputting a credit/debit card details, a mobile sms verification etc. as the minimum?

If I wanted to I could access my siblings, parents accounts right now without any problem. (obviously I have no intention of doing this)

[Deleted User]

cjv wrote: »

Agreed!

I just think there should be some other verification steps, it will never prevent it completely but inputting a credit/debit card details, a mobile sms verification etc. as the minimum?

If I wanted to I could access my siblings, parents accounts right now without any problem. (obviously I have no intention of doing this)

Not always.

Sometimes the verification questions are "you recently opened a current account with" or "you recently took a phone contract with"...

So unless you 100% knew that information from a sibling, parent, significant other etc. then you wouldn't be able to access their reports

boo_star

cjv wrote: »

Agreed!

I just think there should be some other verification steps, it will never prevent it completely but inputting a credit/debit card details, a mobile sms verification etc. as the minimum?

If I wanted to I could access my siblings, parents accounts right now without any problem. (obviously I have no intention of doing this)

Any steps that you introduce will just be copied within months, at best.

It's like the CVV number on the back of your credit/debit cards. It helped for a few months and then companies that were being hacked were storing that number anyway and you're back to square one.

cjv

!!! wrote: »

Not always.

Sometimes the verification questions are "you recently opened a current account with" or "you recently took a phone contract with"...

So unless you 100% knew that information from a sibling, parent, significant other etc. then you wouldn't be able to access their reports

I thought the same too Gary, I was shocked that it gave me another attempt after getting the answer wrong! On a question exactly the same as your example.

I answered correctly the second time and it granted me access. (I made an educated guess)

spadoosh

Its very easy to commit fraud, the only thing that guarantees prevention of fraud are the morals of the individual.

I can walk in to a number of houses on my street that will not be locked. I will not do that because it would be really rude, and probably get me in bother.

Ive got access to card printers where i can print myself a driving licence that would get past most high street retailers levels of security when taking credit applications. Ive got access to every person who works for the company i do: address details, bank details including bank name, marital status, previous addresses in some instances. I could in the next ten minutes go out and spend thousands of pounds in other peoples names. I dont because i think that would be wrong not because there is a law or anything else in place preventing me from doing so because im certain i can work a way around any block put in place.

cjv

spadoosh wrote: »

Its very easy to commit fraud, the only thing that guarantees prevention of fraud are the morals of the individual.

I can walk in to a number of houses on my street that will not be locked. I will not do that because it would be really rude, and probably get me in bother.

Ive got access to card printers where i can print myself a driving licence that would get past most high street retailers levels of security when taking credit applications. Ive got access to every person who works for the company i do: address details, bank details including bank name, marital status, previous addresses in some instances. I could in the next ten minutes go out and spend thousands of pounds in other peoples names. I dont because i think that would be wrong not because there is a law or anything else in place preventing me from doing so because im certain i can work a way around any block put in place.

I do agree with what you are saying. If someone is that way inclined with the intention of fraud, but surely the simple step of asking for a cc/dc verification would be a step above what is needed currently to access these reports, would be better.

I assume you don't hold full card details of people? without being governed by data protection etc.

Willing2Learn

It is not actually a flaw. It is just a weakness in their identity verification process. It is equally as weak as the identity verification process used when you apply for a new credit card.

spadoosh

cjv wrote: »

I do agree with what you are saying. If someone is that way inclined with the intention of fraud, but surely the simple step of asking for a cc/dc verification would be a step above what is needed currently to access these reports, would be better.

I assume you don't hold full card details of people? without being governed by data protection etc.

No but i know where they are a lot of the time and would assume they carry their wallets/purse with them.

Would holding cc and dc details not contravene data protection from the credit reference point of view? (i dont know if they keep details of bank cards?). Then youve got the fact that your putting every single persons card details in the country on a database, that will definitely be able to get hacked or accessed illegally.

And then for people like me who lose/misplace their bank cards on a regularly basis its not offering much in the way of protection or accessibility should i need it. I mean order a new bank card and you cant access your credit file for a few months whilst it all gets updated.

Most of our society is set up on the basis of playing the game. The notes in your pocket mean nothing apart from 'i promise to pay the bearer on demand the sum of £xx'. The laws you adhere to are reactive, ie they can and do get broken every single day, they never stop someone from actually carrying them out.

Even the laws we have have little intrinsic value unless theyre being enforced. Im sure you wouldnt have to walk too far before coming across someone with illicit drugs on them.

Its similar with taxation. Youre expected to be open and honest with them. You dont have to be. However they make the consequences of not being particularly bad so as to encourage honesty. It doesnt always work though.

Essentially all youve done as well is access the information of someone close to you of which you knew most/all of the information to access it. I can imagine theres many parents, wives, husbands, ex's, children who can do that with or without bank card authentication.