Scary fraud ensues when identity theft and usury collide – Krebs on Security
What’s worse than finding out that identity thieves have taken out a 546% interest payday loan in your name? How about a loan at 900% interest? Or how about not learning about the fraudulent loan until it’s turned over to debt collectors? A reader’s nightmarish experience sheds light on what can happen when identity thieves and hackers start targeting online payday lenders.
The reader who shared this story (and the abundant documentation that accompanies it) requested that his real name be omitted to avoid encouraging further attacks on his identity. So we’ll call him “Jim”. Last May, someone applied for a type of loan in Jim’s name. The request was likely sent to an online portal that takes the borrower’s loan request details and shares them with several potential lenders, as Jim said that over the next few days he received dozens of emails and calls from lenders wanting to approve him for a loan.
Many of these lenders were eager to give Jim money because they were charging exorbitant interest rates of 500-900% for their loans. But Jim has long had a security freeze on his credit file with all three major consumer credit bureaus, and none of the lenders seemed willing to proceed without at least taking a look at his credit history. credit.
Among the companies that checked to see if Jim still wanted that loan he never applied for last May was Mountain Summit Financial (MSF), a lending institution owned by a Native American tribe in California called Habematelol Pomo d’ Upper Lake.
Jim told MSF and others who called or emailed that identity thieves had requested the funds using his name and information; that he would never take out a payday loan; and would they like to remove his information from their database? Jim says MSF assured him that would be the case and the loan was never granted.
Jim spent months sorting out this mess with MSF and other potential lenders, but after a while the inquiries died down. Then, on November 27, Thanksgiving weekend, Jim received a series of quick emails from MSF stating that they had received his loan request, that they had approved it, and that the requested funds were now available on the specified bank account. in his MSF profile.
Curiously, the scammers had taken out a loan in Jim’s name from MSF using his real email address – the same email address the scammers had used to impersonate MSF in May 2021. Although he didn’t don’t technically have an account with MSF, their authentication system is based on email addresses, so Jim requested that a password reset link be sent to his email address. It worked, and once inside the account, Jim was able to find out more about the details of the loan:
Take a look at the 546.56% interest rate and finance charges shown on this $1,000 loan. If you pay off this loan in one year at the suggested bi-weekly payment amounts, you will have paid $3,903.57 for that $1,000.
Jim contacted MSF as soon as they opened the following week and discovered that the money had already been paid into a Bank of America account which Jim did not recognize. MSF asked Jim to complete an affidavit claiming the loan was the result of identity theft, which required filing a report with local police and a number of other steps. Jim said numerous calls to the Bank of America fraud team went nowhere because they refused to discuss an account that was not in his name.
Jim said MSF eventually agreed the loan was not legitimate, but they couldn’t or wouldn’t tell him how his information got to a loan – even though MSF was never able to pull it back. his credit report.
Then, in mid-January, Jim learned from MSF by post that they had discovered a data breach.
“We believe the stranger may have had the ability to gain access to certain customer accounts, including your account, in which case they could view that customer’s personal information and potentially obtain an unauthorized loan using the client’s credentials”, MSF mentioned.
MSF said personal information involved in this incident may include name, date of birth, government-issued identification numbers (e.g. SSN or DLN), bank account number and routing number. , home address, email address, phone number and other general loan information. information.
Never mind that his information was only in MSF’s system due to an earlier attempt by identity thieves: the intruders were able to update his existing file (never deleted) with new banking information, then push the application via MSF systems.
“MSF has been the target of a suspected attack by a third party,” the company said, noting that it was working with the FBI, the California Sheriff’s Office and the Tribal Commission in Lake County, California. “Ultimately, MSF confirmed that these trends were part of an attack that originated outside the company.
MSF did not respond to questions regarding the aforementioned third party(ies) that may be involved. But it’s possible that other tribal lenders were affected: Jim said that shortly after MSF’s bogus payday loan was granted, he received at least three inquiries in quick succession from other lenders. who were suddenly interested in offering him a loan.
In a statement sent to KrebsOnSecurity, MSF said it had been “victim of a malicious attack from outside the company, by unknown perpetrators”.
“As soon as the problem was discovered, the company initiated cybersecurity incident response measures to protect and secure its information; and informed law enforcement and regulators,” MSF wrote. “In addition, the company has notified individuals whose personally identifiable information may have been affected by this crime and is actively working with law enforcement in its investigation. As this is an ongoing criminal investigation, we cannot make any further comments at this time.
According to Native American Financial Services Association (NAFSA), a trade group in Washington, D.C. representing tribal lenders, the short-term installment loan products offered by NAFSA members are not payday loans but rather “installment loans” – which are amortized, have a set loan term, and require payments that not only serve interest, but also repay the principal of the loan.
NAFSA did not respond to multiple requests for comment.
Almost all US states have usury laws that limit the amount of interest a business can charge on a loan, but these limits generally do not apply to tribal lenders.
Leslie Bailey is an attorney at Public Justice, a nonprofit legal defense organization in Oakland, California. .
“The reason is clear: genuine tribal businesses are entitled to ‘tribal immunity,’ which means they cannot be sued,” Bailey wrote in a blog post. “If a payday lender can shield itself from tribal immunity, it can continue to make loans with illegally high interest rates without being held liable for violating state usury laws.”
Bailey said that in a common type of arrangement, the lender provides the capital, expertise, staff, technology and corporate structure needed to run the lending business and retains most of the profits. In return for a small percentage of revenue (usually 1–2%), the tribe agrees to help draft documents naming the tribe as the owner and operator of the lending business.
“Then, if the lender is sued by a state agency or group of deceived borrowers, the lender relies on those documents to claim that he is entitled to immunity as if he were himself. even a tribe,” Bailey wrote. “This type of arrangement – sometimes called ‘leasing a tribe’ – has worked well for lenders for a time, as many courts have taken company documents at face value rather than looking behind them. the curtain on who really gets the money and how the business is actually run. But if recent events are any indication, the legal landscape is moving towards greater accountability and transparency.
In 2017, the Consumer Financial Protection Bureau sued four tribal online lenders in federal court — including Mountain Summit Financial — for allegedly misleading consumers and collecting debts that weren’t legally owed in multiple states. All four companies are owned by Habematolel Pomo of Upper Lake.
The CFPB later dropped this investigation. But a class action lawsuit (PDF) against those same four lenders is pending in Virginia, where a group of plaintiffs have alleged that the defendants violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and the Virginia usury by charging interest rates between 544 and 920. percent.
According to Buckley LLP, a Washington, D.C.-based financial services law firm, a district court denied RICO’s claims but denied the defense’s motion to compel arbitration and dismiss the case, holding that the arbitration clause was unenforceable as a potential waiver by the borrowers. ‘ federal rights and that the defendants could not claim tribal sovereign immunity. The district court also “held the loan agreements’ tribal choice of law to be unenforceable as a violation of Virginia’s firm public policy against unregulated loansharking loans.”
Buckley notes that on November 16, 2021, the United States Court of Appeals for the Fourth Circuit upheld the district court’s decision, finding that arbitration clauses in loan agreements “impermissibly require borrowers to waive their substantial federal rights under federal consumer protection laws, and contained an unenforceable tribal provision on choice of law, as Virginia law caps general interest rates at 12%.
Jim said he only heard about the Thanksgiving weekend MSF loan because the hackers apparently thought it was easier to get loans using existing MSF client account information than to change anything. it is in records other than the bank account to receive the funds.
But if the hackers had changed the email address, Jim might have first discovered the loan when the collection agencies came calling. And by then, his exorbitant loan would be in default and racking up heavy charges in arrears.
Jim says he’s still mad at MSF, and these days he’s just waiting for the other shoe to drop.
“They issued this loan in my name without verification and without even checking my credit, even though they were already warned that they should not have dealt with me since the incident in May,” Jim said. “I always feel like I’m going to get that call at some point from a collection agency asking me why I didn’t make payments on an installment loan that I never asked for.”