Home Forums FineTunedMac Community Lounge Search engines and privacy

As previously mentioned, wouldn't locking your credit reports on the three main (only?) credit companies prevent a transaction such as you describe? Any purchase of some size (e.g., house, car) requires a credit check through one or more of the three credit companies and would be impossible if the account is locked by the individual; that same individual can unlock her or is credit account, but would then be aware that something is going on.

True, the information as you have laid it out is still available, but hopefully unusable, at least on a grand scale.

In recent cases, the information is used to pose as the SELLER not the buyer and therefore there is no credit check involved. The owner leaves their property for a short time, as short as a weekend, and returns to find the new, and completely innocent "buyer" has legally closed on the property and moved in or is demolishing the property in order to build a new home. Supposedly title insurance, and often there is either no title insurance or it too is phony as a three dollar bill, would cover this, but that may take months or even years and lots of legal fees and hotel bills to eventually straighten out. In the meantime the fraudulent seller has long since disappeared never to be seen again. So the buyer, real owner, mortgage company, and realter are victimized. The entire transaction takes place on the internet and the scammer, who may have never been seen or even talked to, walks away with the proceeds.

Thanks for the link, but the article contains no info that's new to me, nor does it answer my question, namely, what is advanced tracking and fingerprinting protection, and how does using it in Private Browsing differ from using it in all browsing?

For what it's worth, I found this at Privacy - Features - Apple:
"Fingerprinting defense

Safari works to prevent advertisers and websites from using the unique combination of characteristics of your device to create a “fingerprint” to track you. These characteristics include the device and browser configuration, and fonts and plug-ins you have installed. To combat fingerprinting, Safari presents a simplified version of the system configuration so more devices look identical to trackers, making it harder to single yours out. This protection is on by default, so there are no extra steps for you to take."

...which doesn't stop my browser's fingerprint from being unique! ¯\_(ツ)_/¯

Well, I don't own a home or even a car, so I'm safe from such exploits, but, for instance, if someone were to want to sell your home, from what source could they access, specifically, your SSN? The other data I can see, but your SSN? From what source would it be available?

I've mentioned before that the paranoia involved in using a different p/w for every site you access is wasted energy and a boon to third party developers. I use the same password for every site I visit that can't access a means to pay for whatever an intruder may try to buy, so the absolute worst that can happen is I'm vulnerable to being embarrassed, but not monetarily compromised, on eBay.

At any website that has access to money or contains critical info, I use a unique 17 digit password that would take trillions of years to brute force.

Two interesting situations regarding security:

1. Probably two years ago, I began getting notices after making purchases on eBay that my PayPal account had been linked to eBay so I wouldn't have to log in to complete future purchases, which was an astonishing and incredible security vulnerability. The notices advised that I could log in to PayPal and undo the pref, which was a giant PIA, but which I, of course, invariably did. I also complained bitterly.

The last time it happened, a week or so ago, the notice included a link to turn the pref off, so I guess they got the message.

2. This is even more astonishing!!! I recently wanted to change my Experian password, but, so I was told, because of some upcoming change to their website I was only able to do it via customer service, and in order to access them over the phone, the only way possible, I had to enter my full 9 digit SSN...over the phone...absolutely bizarre for an organization, an important part of whose business is security. (I'm a bit nervous about having entered my SSN, but I think I've got less to worry about with my phone being a land-line than I'd have were it a cell phone.)

I of course complained bitterly to the rep to whom I spoke, as well as in the follow-up satisfaction questionnaire.

Ironically, the rep to whom I spoke asked for only the last 4 digits of my SSN!

In fact I just tested Safari 17.2 in macOS 14.2 and got these results. But examined rationally that is an artifact of…

• the testing methodology
• Apple's smaller market share
• macOS 17.2 is a beta that has only been in release for a few hours
• the results are based on a relatively small, self-selected sample and therefore of questionable statistical validity

You have no insurance, have never visited a doctor, have no driver's license, passport, bank account, credit history, have never paid or recieved social security benefits, do not pay any taxes, all your financial transactions are cash only? The point is there are innumerable opportunities for your SSN to get into the records by legal requirements, institutional carelessness, etc. After the use of the SSN as an identifier it took nearly fifty years for social security to come up with their own ID number that was not the SSN with a couple of added characters. If you think it isn't out "there" you are kidding yourself.


I have not seen that, but there are sites that remember i have paid via PayPal in the past and will offer PayPal as the default. Taken together with PayPal's ability to recognize my browser's signature and automatically logging me on does make the transaction feel seamless. (That is a case where a highly distinctive and unique browser signature is highly desirable.


In the past week or so I have seen some of my accounts switching to a system where the logon procedure doesn't use a password, and instead sends you a single use key to a "known" valid email or phone number. In essence the second half of two factor authentication without the password. So there is no password. My opinion on that is still TBD.


WHAT!?! A New Yorker complain!? I never heard of such a thing.


I see that a lot along with the recent trend of requiring your billing zip code as part of your credit card verification process.

COMMENT:

I know a lot of smart people including Apple, Google, and Microsoft, are working on a universal password system but I wish they would hurry.

Innovis - <https://www.innovis.com> - to which Google pointed me, is, in their own words, "considered the fourth largest consumer credit reporting agency in the United States." (I suppose, then, that there are other small ones.)

I suppose it would be beneficial for a buyer to run a credit check on the seller, but I think that's asking for an awful lot of sophistication.

"...it took nearly fifty years for social security to come up with their own ID number...."

You meant to say Medicare.

Of course my SSN is out there, but unlike every other identifying characteristic you've ever mentioned, it's not accessible in the ordinary course of business. I can't think of any source from which my SSN is accessible other than via a data breach (and while I've got a two or three organizations cruising the dark web looking for my number, there's nothing I can do about it other than cringe if they find it).

Your life appears to be far more complicated than mine is, so perhaps you're more vulnerable than I am.

As appealing as a seamless transaction may be, why on Earth do you consider it highly desirable for someone who gains access to your computer to have access to your money, i.e., PayPal, without entering a password? It's 100% diametrically contrary to your going to the extreme of protecting every website you visit with a unique password.

Is that a reasonable assumption?

I'm not a fan of that at all, because it leaves you vulnerable to someone who gains physical control of your device. In effect, your bank/whatever is gifting them your password.

I've seen ZIP code entry as a requirement too, but my point was that Experian's phone ID check asked me to enter my full 9 digit SSN with my phone keypad, while the rep asked for only the last 4 digits. The former is clearly a major security lapse, whereas the latter is long accepted security.

That information is available, at a price, from any one of thousands of data brokers. Congress has ignored that for decades and has only recently begun the process of attempting legislation to regulate the data brokerage industry. Given there are billions of dollars in profit involved, i am not holding my breath waiting for effective legislation.


My point exactly. And remember this, the information held by data brokers is LEGAL and therefore not reported by the various insurance/security agencies.


to paraphrase Albert Einstein, it is all relative to your viewpoint in space and time.


Convenience and security are inevitably in conflict and the only certainties are death and taxes.


Yes, IF YOU INITIATE THE CALL..


Given the number of data breaches that are occuring, this seems safer than having your account password stored in the merchant's database. It would require the scammer to have physical access to a device whose verified MAC address or phone number is associated with your account.

I've seen ZIP code entry as a requirement too, but my point was that Experian's phone ID check asked me to enter my full 9 digit SSN with my phone keypad, while the rep asked for only the last 4 digits. The former is clearly a major security lapse, whereas the latter is long accepted security. [/quote]

Asking for the full SSN is a de facto violation of federal statutes, and an argument can be made that so is asking for the last four digits of the SSN. But, in my experience the last four digits of the SSN has always been asked as part of a series of identifying factors such as date of birth, address, phone number, zip code [i]etc.]/i] and therefore a reasonably precise identification procedure widely used in the health care industry. However, in the case of health care, it is common that to be in compliance with one federal statute places you, by definition, in violation of another statute.

I don't follow your last point about "LEGAL."

But we're back to my point that data has got to be scraped from somewhere, and SSNs are, almost universally, available only as a result of data breaches, so are you saying that data brokers are scraping illegally obtained info from the dark web? In that case, though, wouldn't it be totally illegal for them to sell it? How do data brokers legally obtain data that can be obtained only illegally?

I feel like I've swallowed my own tail!

Inescapably, but I'm shocked that you, of all people, have come out on the side of convenience rather than security.

That's reassuring. I did initiate the call. I don't know how common they are, but I've never gotten a phishing call.

In combination, we've just established the desirability of, if not necessity for, two-factor authentication.

I wasn't aware of that, but I did make my feelings know in no uncertain terms, both to the rep, who included them in his notes on the call, and in the post-call satisfaction questionnaire as well. It's really bizarre that Experian, whose business is so tied to security, is that clueless.

In Canada, it's not illegal but the government "discourages it". Hmmmm. You can be sure that whenever anyone asks for mine, they are definitely "discouraged" by me, and not likely to ask again..

1. The data brokers quite legally purchase data from a variety of legal sources such as stores, financial institutions, government agencies, medical practices, Google, search engines, etc. along with permission to use/resell that data to third parties. That data may contain social security numbers and so long as the SSN is not used as an identifying link no law has been broken. (The law prohibiting the use of the SSN as an unique identifier was written in the punch card era and lawmakers could not comprehend the analytical capability computers would have.)
2. Once another entity has your information it could be argued that data is theirs to do with as they please and while i am not an attorney that could make an interesting case for the Supreme Court
3. Many jurisdictions have passed laws requiring their public records to be available online and those records contain SSNs.
4. No dark web data is needed.

Apparently so do a lot of Congressional Representatives and Senators.


I did not intend to indicate approval. I just acknowledged a human fact.


We quit answering our landline phone because ~95% of the calls we received were spam of one sort or another, but most phishing attempts per. se. are via email, and some of those have become frighteningly sophisticated.


Yes but it is still a PITA and I believe there is a better way using one way encryption, lock key hashing, and switching the identification responsibility to the user rather than the site.


For much of what Experian does, the full SSN is essential and its use is permitted. That said even the full SSN is not enough for complete information, but taken together with other somewhat unique identifiers such as d.o.b., zip code, street address, and the last four digits of the SSN you can arrive at an acceptable degree of certainty.

Thanks for that. OK, I think I'm now as clear about how SSNs are obtained as I'll ever be, and from where I stand, I think I'm as safe as I could possibly be.

I think that people who aren't in constant need of credit checks would do themselves a favor by locking their credit reports. Equifax, TransUnion, and Innovis allow it for free, while Experian, in a blatant display of corporate greed, charges for the privilege, which I've got only because I got three free years of Experian credit monitoring as a result of the 2017 Equifax data breach. Hmmm... I wonder if I'll renew it for a fee when it expires

Sorry for misunderstanding. Your having posted "That is a case where a highly distinctive and unique browser signature is highly desirable" without qualification seemed to indicate personal approval.

I'm not knowledgeable enough to understand your proposed solution, but I'll buy into it if it ever comes to pass, as two-factor authentication is, indeed a PITA.

Indeed, but that certainly doesn't extend to telephonic account verification, particularly when a live person is going to reverify with only the last 4 digits when you get through to one.

You can run, but you can't hide!

Credit monitoring and locking your credit report is no protection against today's illegal property sales scams. They are carefully orchestrated so that YOUR credit records are not involved so there is nothing to trigger an alarm. I suspect that also means the "$2,000,000 credit insurance" is also invalid in those cases as well.

No offense taken, I only wanted to clarify my position.

It is just an idea and I only understand enough to know that while it may be relatively simple in concept it will be enormously complex in implementation.

If ONLY the last four digits were used, i would agree. Personally I have never encountered them being used along with three or more other quasi-unique identifying factors.

i understand that, but while your point is well directed at property owners, I'm not the least bit at risk.

My faith in your judgement is restored!

That is what my wife's grandmother said before one of her grandsons started stealing her social security checks and cashing them.

Why on Earth was she still getting checks in this day and age? It's open invitation to a thief.

Be that as it may, though, I suppose that if someone really wanted to target me, my brokerage/bank accounts may be at risk, but with their 16 character, highly complex p/ws and locked credit files, I'm not sure how.

1. Because she did not trust banks
2. There was no bank within walking distance of her house
3. That was the way her mother had always done it
4. The thieving grandson was her financial advisor
5. She trusted everyone
6. God was watching over her safety

So the front door has a decent lock but there are lots of clever thieves working full time on opening that lock. But who says thieves have to use the front door — or any door for that matter.

Now, there's a laundry list of lousy logic for you!

In the end, though, it still comes down to someone specifically targeting a person, which, at least in my case, is highly unlikely.

I just came across This Malwarebytes article describing the various types of exploits, several I was aware of but maybe not the latest variants, some of which I have encountered, some I was completely unaware of, and some I didn't know were in a class their own. I thought it was interesting and apropos to this thread.

Thanks for the link.

I don't know if I'll ever actually read the entire article, but the headers have induced me to buy a Standard One Device subscription. (I wonder why they don't offer the VPN as an option?)

Your recommendation of a product is always a good reason to give it some serious thought, even if no more...even for us stubborn people.

They do! I just found it on a different page.

Just did some searching and found Bitdefender. Have you got any input to offer on it?

Thanks.

I have no experience with it. Much of what they offer duplicates services that are already built into macOS and iOS and I started using Malwares to eliminate adware when it first came out, and I have never felt a need for more protection. After starting with ARC, I added Privacy Badger as it offers unique anti-tracking protections but Safari's APIs do not allow it to work there — yet.

I actually have access to four VPNs, Malware Bytes, Plume Router, DuckDuckGo, and CyberGhost but I was a very early subscriber to CyberGhost so I have a lifetime subscription and they have the most relays in the market so that is the only one I use — when I use VPN at all. Apple's Private Relay, Hide my Email, provide 80% of the features of a VPN with no detectable performance hit, so I save CyberGhost to use for additional security on the road, especially when I am out of the U.S. Did I mention that my Plume Router not only provides mesh routing WI-FI but it also provides its own firewall with site filtering. I also subscribe to an use OpenDNS.

You inadvertently solved my conundrum by mentioning Apple Private Relay. Since I use only Safari, its $0.99/month cost, which is cheaper than Malwarebytes's $1.25/month VPN option, is my most beneficial option, because - even though I may never use them - it gives me an assortment of other useful benefits.

So Standard Malwarebytes plus iCloud+ looks like the direction in which I'll go.

I'm aware of Privacy Badger, but I'm not about to switch browsers to get it, so I'll just wait. I believe I've read that they're working on a Safari compatible version...whatever that entails.

Case in point: I recently applied for a Land's End card, and the bank asked me to unlock Experian, Equifax, Innovis, and... SageStream / LexisNexis Risk Solutions.

(That seems to be digging awfully deep for a store card that will undoubtedly have a very low credit line attached to it.)