Prospers.ORG Prosper Forum

Author Topic: Another Prosper annoyance  (Read 12824 times)

cubbiesnextyr

  • Hero Member
  • *****
  • Karma: +642/-758
  • Posts: 27316
  • Suspended since 12/13/07
Re: Another Prosper annoyance
« Reply #15 on: April 17, 2008, 10:41:01 am »

How does this attempt to protect you make them wrong?   If someone had your SSN and was setting up an account, it is likely they have other information on you and could attempt to wipe out your account. 

I think this sounds like they were trying to do the RIGHT thing.   


I don't know why I bother, but for those who can't read... the email was sent to the new account, NOT the old one.

Which means, if you had been paying attention, that someone with nefarious intent could register an account, and then get an email that the social security number was already in use. No notification of any kind was sent to my existing account that someone tried to use the same ss# to get a new account.

But your existing, lending account was put on hold.   Which is where your lending funds are.  SO (and I will refrain from snippy as you were) they kept that from being compromised.   When you tried to go on there, it tells you that there was an issue and you needed to contact them.  I still don't see the big whoop or the serious breach of security.

They sent an e-mail that was worded like it was intended to be sent to the OLD account to the WRONG e-mail address (the one on the NEW account) and it had the FULL NAME of the OLD account in it.

This means that I (or any nefarious person) could shut down the entire Prosper platform by locking out every single user's account, and get Prosper to e-mail me the SSN and FULL NAME of all of its users.  And all this by just writing a program that will try and create a borrower account for every possible SSN (000-00-0000 through 999-99-9999).

I don't think Prosper is wrong here.

If you wrote a program to do this, as long as the program kept track of what SSN was tied to whatever User Name/Email Address you used to attempt to create an account, even if Prosper just sent you an email back saying the account registration failed because of a duplicate SSN without the actual number, you would still know what SSNs were in their system.

As it is, they sent you back the SSN you entered with the second account.  Whoever attempted to create the account already has this number.

Granted they could send you a denial and give you no reason but I think you would complain about that as well. You still would know that the likely reason was a duplicate SSN if you were a criminal with a (your) stolen SSN.  Based upon the membership numbers on Prosper's home page, you have about a 0.07% chance of randomly picking a valid SSN in their system.  So it is highly likely that a duplicate SSN is someone trying to create a second account; not fraud.  If it is fraud, it is one unlucky criminal.

Are we all at risk because our SSNs are in multiple databases? Yes, but this is not a Prosper created issue. A big reason I use a credit monitoring service.

But they send the full name too.  So if someone was to do the program noted, they'd end up with a SSN and the name that belongs to it.  I think I'm going to create a bogus account with my SSN and see what happens.
Logged

Staneslav

  • Full Member
  • ***
  • Karma: +7/-1
  • Posts: 230
Re: Another Prosper annoyance
« Reply #16 on: April 17, 2008, 10:53:59 am »

a
« Last Edit: December 07, 2017, 11:31:57 am by Staneslav »
Logged
Look to my coming, at first light, on the day of the Cub's mathematical elimination. At dawn, look to the NL Central.
My apologies to Tolkien.

NewHorizon

  • Hero Member
  • *****
  • Karma: +0/-0
  • Posts: 3914
Re: Another Prosper annoyance
« Reply #17 on: April 17, 2008, 11:00:36 am »

Dear Staneslav,

Your account will be suspended for violating our revised policies to be released at a later date.

Regards,
Prosper Shira
Logged

traveler505

  • Hero Member
  • *****
  • Karma: +0/-0
  • Posts: 2238
Re: Another Prosper annoyance
« Reply #18 on: April 17, 2008, 11:22:56 am »

Quote
But they send the full name too. 

Ummmm.... did they send the full name that the OP used when he originally registered, or the full name that he used when he registered the second time?  Or did the OP use the same name both times, in which case this question is unanswerable.

ETA:  The correct procedure would be to notify both Cowdog1 and Cowdog2, using the full name supplied by each.  If Cowdog1 is a legitimate user, he needs to know that someone else is trying to register with his SSN. If Cowdog2 is a legitimate user, he needs to know that someone has already used his SSN to register. 

« Last Edit: April 17, 2008, 11:28:38 am by traveler505 »
Logged
"Trav, you can always take up another hobby..." -- BigGulp

Now blogging at http://blog.traveler505.com, home of the MNH Reports and other commentary on Prosper.com and P2P lending in general.

Need Help with Credit Repair & Rebuilding?  Try CreditBoards.com.

Beachey

  • Sr. Member
  • ****
  • Karma: +0/-0
  • Posts: 298
Re: Another Prosper annoyance
« Reply #19 on: April 17, 2008, 12:04:46 pm »

poof
« Last Edit: April 25, 2009, 10:20:40 pm by Beachey »
Logged

traveler505

  • Hero Member
  • *****
  • Karma: +0/-0
  • Posts: 2238
Re: Another Prosper annoyance
« Reply #20 on: April 17, 2008, 12:07:28 pm »


ETA:  The correct procedure would be to notify both Cowdog1 and Cowdog2, using the full name supplied by each.  If Cowdog1 is a legitimate user, he needs to know that someone else is trying to register with his SSN. If Cowdog2 is a legitimate user, he needs to know that someone has already used his SSN to register. 



But what if the first account (Cowdog1) was the non-legitimate user?  Now you are tipping him off that his fraud has been exposed.

I think it is reasonable to freeze both accounts which is what I think happened (if I follow this thread correctly).  A PITA to clear up if it is an honest mistake but a reasonable response on Prosper's part.

Prosper has no way of knowing (at least initially) which account is legitimate, and can't jump to a conclusion based solely on which one found Prosper first.  I'd say it's more important to alert the victim than to avoid alerting the perpetrator.
Logged

Beachey

  • Sr. Member
  • ****
  • Karma: +0/-0
  • Posts: 298
Re: Another Prosper annoyance
« Reply #21 on: April 17, 2008, 12:12:10 pm »

poof
« Last Edit: April 25, 2009, 10:18:39 pm by Beachey »
Logged

raalcala

  • Sr. Member
  • ****
  • Karma: +0/-0
  • Posts: 436
Re: Another Prosper annoyance
« Reply #22 on: April 17, 2008, 12:31:45 pm »


ETA:  The correct procedure would be to notify both Cowdog1 and Cowdog2, using the full name supplied by each.  If Cowdog1 is a legitimate user, he needs to know that someone else is trying to register with his SSN. If Cowdog2 is a legitimate user, he needs to know that someone has already used his SSN to register. 



But what if the first account (Cowdog1) was the non-legitimate user?  Now you are tipping him off that his fraud has been exposed.

I think it is reasonable to freeze both accounts which is what I think happened (if I follow this thread correctly).  A PITA to clear up if it is an honest mistake but a reasonable response on Prosper's part.

Prosper has no way of knowing (at least initially) which account is legitimate, and can't jump to a conclusion based solely on which one found Prosper first.  I'd say it's more important to alert the victim than to avoid alerting the perpetrator.

I don't disagree but I would think Prosper would email you if they put your account on hold so they are notifying both parties anyway.

I do think emails without freezing the accounts could do more harm than good.

If I read this correctly, Cowdog did not receive an e-mail for the original account.  So if the 1st account was the legitimate person, they would never know until they go to log in (which could be months).
Logged
Every day I get up and look through the Forbes list of the richest people in America. If I'm not there, I go to work. --Robert Orben

Mtnchick

  • Hero Member
  • *****
  • Karma: +1971/-1063
  • Posts: 34374
Re: Another Prosper annoyance
« Reply #23 on: April 17, 2008, 12:43:29 pm »

I have about 1000 affiliate accounts. Many of which are tied to my SS# for tax purposes. If someone tries to use my username, affiliate ID, SS#, email or anything that is tied to my original account the 2nd process DOES NOT GO THROUGH AT ALL and an alert is sent to my original account.

That's been happening for well over 12 years now. I'm just shocked that P------r would send an email with the SS# and the real name (and I'm assuming the username since they claim no email is from them without both real and user) to someone who might be trying to hack the system. My original accounts have never been locked either.
Logged
Classic comment from Urbi to a poster who said they were leaving:

"Once again, we note that your threats are hollow and you come across like a sad, lonely blowhard.

I doubt anyone here gives a shit about you.  We pretty much all know that you are a vile and unethical parasite of a human being with an abnormal craving for attention."
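
An added sketch, not code from the thread or from Prosper, of the handling traveler505 and Mtnchick describe above: the address on file is alerted under its own name, the new address sees only the name it supplied, and the existing account is not put on hold. `Registry`, `ssn_key`, the message wording and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

PEPPER = b"constructed-demo-secret"  # assumption: server-side key, kept apart from the data
GENERIC = "Thanks. Check your email for the next step."  # same on-screen reply for every outcome


def ssn_key(ssn: str) -> str:
    """Index accounts by a keyed digest so the raw SSN is not the lookup key."""
    digits = "".join(c for c in ssn if c.isdigit())
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    email: str
    full_name: str
    on_hold: bool = False  # a duplicate attempt by a stranger never sets this


@dataclass
class Registry:
    accounts: dict = field(default_factory=dict)  # ssn_key -> Account
    outbox: list = field(default_factory=list)    # (recipient, body) pairs

    def register(self, email: str, full_name: str, ssn: str) -> str:
        key = ssn_key(ssn)
        existing = self.accounts.get(key)
        if existing is None:
            self.accounts[key] = Account(email, full_name)
            self.outbox.append((email, f"Dear {full_name}, please confirm your address."))
            return GENERIC
        # Alert the holder at the address already on file, with the name on file.
        self.outbox.append((existing.email,
            f"Dear {existing.full_name}, a new registration attempt used your "
            "Social Security Number. Your account is unchanged."))
        # The new address gets only the name typed in this attempt. It still
        # learns the attempt failed, so throttle attempts per source as well.
        self.outbox.append((email,
            f"Dear {full_name}, we could not complete this registration. "
            "Please contact customer service."))
        return GENERIC


def mail_for(reg: Registry, recipient: str) -> list:
    """Bodies of every message queued for one recipient."""
    return [body for to, body in reg.outbox if to == recipient]
```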

112233

  • Hero Member
  • *****
  • Karma: +4397/-5248
  • Posts: 28251
Re: Another Prosper annoyance
« Reply #24 on: April 17, 2008, 12:57:37 pm »

I didn't see where prosper sends a SSN in the email, but it doesn't matter. The number is obviously known already by virtue of signing up with it.

But I suppose you could phish out Valid SSNs using prosper. Someone suggested that all the accounts could be locked with a script. Well, you would also know that each SSN that gets back one of those emails is a valid and live SSN.

Huge Huge security hole IMHO

Logged
If you're not outraged, you're not paying attention.

you're

Xenon481

  • Hero Member
  • *****
  • Karma: +866/-87
  • Posts: 12202
  • Feeling Gassy
Re: Another Prosper annoyance
« Reply #25 on: April 17, 2008, 06:24:30 pm »

I didn't see where prosper sends a SSN in the email, but it doesn't matter. The number is obviously known already by virtue of signing up with it.

But I suppose you could phish out Valid SSNs using prosper. Someone suggested that all the accounts could be locked with a script. Well, you would also know that each SSN that gets back one of those emails is a valid and live SSN.

Huge Huge security hole IMHO


Look at Cowdog's description of the e-mail he received.  (Emphasis mine)

Quote
Social Security Number Used Again
     
Dear xxx,

Our system has detected another registration attempt using your Social Security Number. Prosper policy restricts individuals to one account.

If you attempted to register another account, please refrain from doing this in the future. If you have forgotten your sign-in information or wish to change the email address associated with your account, please contact customer service.


Edit:  Never mind, I misinterpreted Cowdog's quote.  "Social Security Number Used Again" is the title of the e-mail.

Senator

  • Hero Member
  • *****
  • Karma: +0/-0
  • Posts: 1808
Re: Another Prosper annoyance
« Reply #26 on: April 19, 2008, 10:59:27 pm »

This means that I (or any nefarious person) could shut down the entire Prosper platform by locking out every single user's account, and get Prosper to e-mail me the SSN and FULL NAME of all of its users.  And all this by just writing a program that will try and create a borrower account for every possible SSN (000-00-0000 through 999-99-9999).
Perhaps this thread shouldn't be in the Lobby.
Logged
Stats as of 12/29/2010:
Total withdrawals: $3,488.87 minus (-) Total deposits: $3,600.00 = ($111.13)
Cash balance: $0
Principal value of active notes:  $0
Total active notes: 0 of 70.

Successful loans are made to persons who are on a clear path to financial stability. -Mjerryfirst May 18th, 2008.

I know that when I make my 10% those "unbelievers" will call it luck cause that will be the easiest way to excuse their mistakes. -Researchpro May 5th, 2009.

It's a great time to be poor and irresponsible in America. -PPT May 2009