Online Fraud: Loophole, Soft Freeze, Hard Freeze, or Just Business in 2017?

October 19, 2017

Consumer Alert: A credit freeze may not do what one expects.

After the Equifax data loss, I promptly put a credit freeze on my unwanted “credit rating” accounts.

As you know, a consumer (even one who writes books about online fraud and lectures to law enforcement and intelligence professionals) has zero choice with regard to dealing with Equifax, Transunion, and Experian. I thought the credit freeze meant that my personal financial information would not be released to third parties.

I learned from a cheerful person named Kelly Lurz, who presumed to write me a personal and confidential email, that there is a “hard” freeze of credit information and a “soft” freeze of credit information. I did not know that. In fact, after freezing the release of my credit details, none of the documentation I received from Equifax, Transunion, and Experian used this terminology. Quite an oversight in light of the security issues related to personal credit information.

Let me share the personal email with you, gentle reader. I received this email from an outfit doing business as Pearl Solutions, an automotive technology innovator. You can find out about this marketing company at this link. Kelly Lurz does not work at Pearl. She did know enough to tell me that she was not the sender of the “personal” email to my business email address. She was, in retrospect, quite a font of information with the hard and soft freeze data and the ability to shift the blame to an outfit named Pearl, the automotive technology innovator.

First, the email has as Volvo logo. My last interaction with the Volvo dealer in Louisville was an unpleasant one, a fact I communicated when I received a $900 invoice for an annual service check. The Volvo dealer just smiled and said, “That’s what it costs.” Now this outfit wants to buy or lease another Volvo? I don’t think so.

Second, the email is sending me a “personal” note and wants to make a “private” offer. In this era of online fraud, fake news, and general duplicity—I am going to get a personal note sent to me from noreply@pearlsolutions.com. What? Personal, private, pearl? This hit me like those Backpage.com ad for personal services we have analyzed in the course of our research for CyberOSINT and the Dark Web Notebook.

Third, the letter is signed by the aforementioned “Kelly Lurz.” I called Ms. Lurz, and she informed me that I was on a list, the letter really was not “personal,” was not “private”, and was nothing more than a pitch to dump my 18 month old automobile and move into a brand new Volvo. Well, a letter using the terms “personal” and “private” from a person named Kelly Lurz (a female, by the way, judging from her voice and LinkedIn page) struck me as stupid and perilously close to harassment of a 74 year old male who is quite happy with his automobile.

Fourth—and this is the big issue, even bigger than harassment-type terminology—is the logo of Experian, one of the credit agencies whose data I froze by providing proof of my identity and paying money for the aggregator to keep my information private. (I did not choose to give Experian my information; Experian collected the information and now charges me to keep it private. Nice business model because of the hard and soft freeze distinction.) Obviously the PIN number, the information about paying money to make my credit information available, and the new approach to security were confections, mere fabrications, digital illusions designed to create a new cash stream for the credit agencies.

Let me come back to Ms. Lurz’s explanation of the “hard freeze” and a “soft freeze.” Her company, a car dealer in Louisville, was using the “soft freeze” data and was, therefore, breaking no laws. Her LinkedIn profile suggests that she has a degree in elementary education, not law. She also has a degree in biology. That’s interesting, but not directly germane to understanding the bright white lines of financial regulations. I guess I am old fashioned but dissecting a frog falls short of the standard for interpretation of statutes.

With some forcefulness in her verbal statements to me, she told me that she knew I had a Mercedes and only “wanted to offer me an opportunity” to buy a new Volvo. Right, but she knew my business email, my financial status, the type of vehicle my wife drives, and where I lived. Right. A soft freeze.

But the email was Pearl’s not hers and not the Louisville Volvo dealership. As a direct result of here unwillingness to accept responsibility for using my personal information to sell me a car I do not want, I poked into Pearl, the automotive technology innovator. (I liked that catchphrase for a company engaged in the use of personal information to sell cars.)

I called the 800 number of Pearl, the automotive technology innovator, and went to a voice recording. I left a message with whoever the operator connected me to to the effect that I was going to write about this use of personal informati0n and include the email in my next lecture to law enforcement and intelligence professionals. The reason is that the confidential information about me is in the possession of: Volvo (see the letter), Kelly Lurz (sales person), Pearl, and Experian. So much for control.

At 640 pm Eastern on October 17, 2017, I received a phone call from an alleged Pearl employee. I pointed out that I was eating dinner. The Pearl professional sounded eager to speak with me, so I left the dinner group and spoke with the Pearl professional who represented the innovator in automotive technology. On a napkin, I noted these points conveyed by the Pearl professional:

What Pearl is doing with financial data is legal. Furthermore, the Pearl professional promised to mail me the pertinent regulations. (Yes, Pearl has access to my email, but the promised information has not arrived.)
The Pearl professional told me that I should really be talking to Experian because Pearl was not responsible for the information in the email.
The Pearl professional told me that Ms. Lurz did not have access to information about the type of vehicle I had nor how I was paying for that vehicle. Unfortunately for the Pearl professional, Ms. Lurz did have that information. The possible falsehood caught my attention.
The Pearl professional insisted that somewhere along the line I had provided permission for Pearl and Ms. Lurz to contact me.

Upon reflecting about this situation, I formulated several observations:

First, the “freeze” appears to mean nothing. Zilch. The credit entities release data of individuals who have taken the steps to “freeze” data and then ignore that request. I will include this information in my next law enforcement lecture when I address online identity theft.

Second, the email letter references two companies and one individual who is writing me a private and personal letter. I find this a quick way to increase online security vulnerabilities. Experian releases the data, Pearl converts it to direct mail spam, and Ms. Lurz has her name and contact information included in a personal and private communication. Good business practice or security nightmare? My view is that it is a security problem and an illustration of poor business judgment.

Third, the no replay email does little to create the impression that Pearl, the automotive technology innovator, is a legitimate operation. We have been examining the email addresses used by Dark Web vendors. The similarities of multiple identities, the obfuscation of the email, and the effort taken to mask the identity of who uses private information jumped out at us.

Fourth, Pearl and Ms. Lurz are not signing from the same hymnal. Doesn’t this suggest a certain looseness with the facts? The one thing the two humans had in common was an eagerness to blame someone else. Now that’s accepting responsibility for one’s action handled the millennial way!

What’s the fix?

I suggest that others take a closer look at the business practices of outfits like Volvo, Pearl, and the hapless Ms. Lurz. I don’t think she really wants to have a private and personal relationship with me even thought she wrote to me in that offensive manner.

What’s clear is that what these players are delivering are ersatz pearls. Sad. Sad. Sad. Too bad I take things “personal” and “private” to heart. Others don’t. Therefore, this sad, sad, sad business anecdote.

Stephen E Arnold, October 19, 2017

Written by Stephen E. Arnold · Filed Under Marketing, News, Security

Comments

One Response to “Online Fraud: Loophole, Soft Freeze, Hard Freeze, or Just Business in 2017?”

Albert Fang on December 31st, 2017 9:06 am

Great post! Just recently discovered your blog and just wanted to say, keep it up! Liking what I am seeing thus far.

Search the site
Subscribe to Beyond Search
Feature archive
News archive

Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.