#equifux

 

By now you probably heard about #Equifux. Err, I mean Equifax.

For those outside North America, that’s a consumer credit reporting agency. What’s that, you ask? It’s a private entity that collects, maintains and provides information about consumer credit to other entities (individuals, but also public and private institutions).

See, my European friends, here in the Great White North (and in the U. S. of A.) we have this retarded system where your ability to apply for a credit card or a loan does not depend on sensible things like how much you’ve been making over the last 12 months, how long your work contract is, what collateral you can provide in case of default, or what any of these elements are for your co-signer.

Naaah, that would make way too much sense.

So instead we have credit scores. Back in 2014 when I first arrived in Canada, I was introduced to the concept in the following manner (conversation abridged and paraphrased) while opening a bank account:

Bank: You’ll probably also want to have a credit card.

Me: No, thanks. I already have one.

Bank: Yes, but that is with a European bank. You’ll need one with a Canadian bank, otherwise you won’t have a credit score in Canada.

Me: What is that and why do I need it?

Bank: Well, you won’t be able to apply for loans without one.

Me: That’s ok. I never had a loan and I don’t intend to have one.

Bank: No, you don’t understand. You need a credit score, otherwise you won’t be able to have a mortgage or finance your car. You won’t be able to have any type of credit product, really, without building your credit score first.

At this point in the conversation, I am Jack’s puzzled neo-cortex. I thought to myself, “Wait, I need to borrow money to be able to borrow more money”?

A very sensible rationale, of course.

By now it should be evident that this rant is not, in fact, about Equifax. They’ve been beaten down enough already. They obviously have the ITSec capacity of a tadpole drowning in ethanol, which was made obvious when they made a separate site to handle the inquiries of people affected by the breach with a domain name straight from a Sakawa playbook, then proceeded to tweet out the URL for a spoof site that a security researcher set up to prove the point above. And there was that thing with the executives supposedly selling stock after the breach

Just sigh and facepalm, people. Sigh and facepalm. The only competent department in this company seems to be Public Relations. Hell of a job cleaning a mess of these proportions the way they did it.

No, this rant is about why these things are even allowed to exist to begin with.

As stated above, I’m originally from Europe. Portugal to be exact. We do not have credit scores there. Hell, we barely have credit cards accepted anywhere except the major stores. Most merchants will only take debit or cash.

Asking for a loan over there is something more involved and arcane than checking a magic number on a sheet of paper provided by a company staffed by tadpoles, but it does have it’s own set of merits:

  • ability to pay for the loan is checked against current – not past – information;
  • there is no centralized source of credit information (read, no private entity to hack).

“But Davide”, say the FICO luddites, “that is worse than a credit score because some people just won’t have access to credit!”

Of course not, because they can’t pay it back. I have a magic number for you, too: 2008. Remember that?

“Well, you’re also forgetting that without credit scores you have to share your information with any institution that you inquire for credit. That’s actually more possibilities to hack.”

Cute argument, but that is not the way it works. Unlike here in North America, where the Social Security Number is sacred and must be kept safe and away from prying eyes (yet all past employers and possibly your mobile phone provider will ask for it, fuck logic…), in Portugal at least our ID numbers are just that: a number. They aren’t used for security anywhere relevant. You actually have to provide your ID card (not any card with a photo, the actual, only ID card) when your identity is to be verified. And usually you have to be at the bank or store in person when applying for financing of any type.

So, while in theory more institutions with my salary info and full name, address, etc. is not exactly the best scenario ever, the fact is that even if those data points were to be compromised, the identity thief’s options are quite narrow. Identity theft is not something Europeans lose their sleep over, because North America is the lowest hanging fruit in this case.

Here’s a fun fact, though. I ended up getting a credit card in Canada and canceling all others (for practical reasons). And, since I was told that using the card consistently builds credit score, I thought “why not, it can’t hurt, and I’m getting cashbacks anyway”. Fast forward 3 years, and our credit monitoring friends cannot calculate my credit score. The reason is very simple: I never borrowed money (I pay everything on the card immediately, so the balance is always 0). According to the rules, if you pay all your invoices within 30 days, you’ll have a top credit score. But pay them before, and the system cannot say that you have good credit.

This system is broken beyond repair. None of it’s premises make any sense.

Given recent events and the fact that credit scores aren’t actually needed, what I’d really like to know is:

  • why are credit reporting companies allowed to collect this much information without VERY explicit consent?
  • why aren’t credit reporting bureaus a public institution, rather than private?

And for fuck’s sake, find a way to make the SSN a normal identifier, instead of a magic-confidential-but-not-really predictable series of digits.

At least the OPC is launching a probe into the Equifax hack. Maybe something good will come out of this mess after all.