It's Still Easy for Anyone to Become You at Experian | Krebs on Security
In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn't verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn't recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year's story, "Experian, You Have Some Explaining to Do." So once again, I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I'd soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian's website would not balk. Regardless, users can simply skip this step by selecting the option to "Continue another way."

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we've previously lived at, information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you're prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you're directed to the Experian dashboard, which allows you to view your full credit file and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn't a request seeking verification: it's just a notification from Experian that the account's user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don't have an Experian account, it's a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus, Equifax or TransUnion, they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

"To ensure the protection of consumers' identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving," Experian spokesperson Scott Anderson said in an emailed statement. "This includes knowledge-based questions and answers, and device possession and ownership verification processes."

Anderson said all consumers have the option to activate a multi-factor authentication method that's requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user Jackerbee is a reader from Michigan who works in the biotechnology industry. Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to "manually enter my information."

"I put my second phone number and the new email address," he explained. "I received a single email in my original account inbox that said they've updated my information after I signed up. No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number."

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

"The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming 'Welcome back, Pete!' and granting full access," PeteMayo wrote. "I feel silly saving my password for Experian; may as well just make a new account every time."

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer's full credit report, armed with nothing more than a person's name, address, date of birth and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian's PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer's account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service
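The re-registration flaw described above, beside the re-binding check that the Equifax/TransUnion comparison describes (a code sent to the contact already on file before any change is made), as an added Python model. This is not Experian's code: the class names, the placeholder SSN/DOB, the example addresses and the return values are all constructed for the illustration.

```python
"""Added model of the account-binding flaw described above (not Experian's
code; every name and value is constructed). WeakRegistry lets a fresh
registration with a matching SSN/DOB overwrite the contact details and only
notifies the old address afterwards. VerifiedRegistry refuses to re-bind
until a one-time code sent to the contact already on file is confirmed."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    phone: str
    pin: str


@dataclass
class PendingRebind:
    new: Account      # contact details the requester wants installed
    code: str         # one-time code sent to the OLD contact, never the new one
    expires_at: float
    attempts: int = 0


class WeakRegistry:
    """Passing KBA is enough to replace email, phone and PIN outright."""

    def __init__(self):
        self.accounts = {}       # (ssn, dob) -> Account
        self.notifications = []  # (old email, message), sent after the fact

    def register(self, ssn, dob, new, passed_kba):
        if not passed_kba:
            return "kba_failed"
        old = self.accounts.get((ssn, dob))
        self.accounts[(ssn, dob)] = new  # silently overwrites the binding
        if old is not None:
            self.notifications.append((old.email, "your profile has changed"))
        return "registered"


class VerifiedRegistry:
    """KBA still creates a brand-new account, but an existing binding changes
    only after the holder of the old email proves control of it."""
    CODE_TTL = 600    # seconds a code stays valid
    MAX_ATTEMPTS = 3  # guesses before the pending change is discarded

    def __init__(self, now=time.time):
        self.accounts = {}
        self.pending = {}
        self.outbox = []  # (destination, code): stands in for the mail gateway
        self.now = now    # injectable clock so expiry can be tested

    def register(self, ssn, dob, new, passed_kba):
        if not passed_kba:
            return "kba_failed"
        key = (ssn, dob)
        if key not in self.accounts:
            self.accounts[key] = new
            return "registered"
        old = self.accounts[key]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = PendingRebind(new, code, self.now() + self.CODE_TTL)
        self.outbox.append((old.email, code))  # goes to the OLD email only
        return "verification_required"

    def confirm(self, ssn, dob, submitted):
        key = (ssn, dob)
        p = self.pending.get(key)
        if p is None:
            return "no_pending_change"
        if self.now() > p.expires_at:
            del self.pending[key]
            return "expired"
        p.attempts += 1
        if not secrets.compare_digest(p.code, submitted):
            if p.attempts >= self.MAX_ATTEMPTS:
                del self.pending[key]
                return "locked"
            return "bad_code"
        self.accounts[key] = p.new
        del self.pending[key]
        return "rebound"


def takeover_attempt(registry):
    """Owner registers; a second party with the same SSN/DOB and a passed KBA
    then submits their own contact details. Returns the registry's verdict
    and the email that ends up bound to the identity."""
    ssn, dob = "000-00-0000", "1970-01-01"  # constructed placeholder identity
    registry.register(ssn, dob, Account("owner@example.com", "+15550000001", "1234"), True)
    verdict = registry.register(ssn, dob, Account("other@example.net", "+15550000002", "9999"), True)
    return verdict, registry.accounts[(ssn, dob)].email
```

Run `takeover_attempt(WeakRegistry())` and `takeover_attempt(VerifiedRegistry())` side by side: the weak registry hands the identity to the second party and only then emails the owner, while the verified one keeps the owner's binding until a code delivered to the old address is confirmed.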
This entry was posted on Saturday, 11th of November 2023, 12:59 PM.
I wish someone would sue them into oblivion.

If they can't be bothered to lift a finger to secure their system, they certainly should not exist.

As do I.

I am a strong believer in using answers to security questions that have nothing to do with the question itself. Of course, if you use that, you probably need to keep track of them.

For example:

What was your first pet? Answer: Werewolves of London
Where were you born? Answer: Hollow Chocolate Bunnies of the Apocalypse
Who was your first teacher? Answer: Fried chicken and mashed potatoes
What was your mother's maiden name? Answer: Montreal, Canada

Don't make it easy for someone wanting to take over your account.

But what if Experian doesn't bother restricting the response to those and simply uses whatever matches?

While it's a good thought, KBA questions are based on truth (ex. where you live, mortgage company, etc.), so the fake answers to questions would not work in this circumstance.

For the identity authentication part that's true, but this will work for the security questions they ask you to register when you sign up.

That would stop someone from trying to sign in to your account, but as the article stated, they don't need to do that and can just create a whole new account and steal yours by doing so.

I use random character strings that I save in a file. I often get some amused comments or chuckles when I call customer service and read them the answer.

Of course, in this case you're not offered that option. Experian determines the questions it asks to confirm your identity, because they're setting up a new account each time.

In this case the questions they ask are not ones you created yourself but ones they've generated based on the information they have on file about you. Things like previous employers/addresses, etc. Almost always multiple choice too, lol.

That sounds kind of like the password scheme used for a short time at a company prior to when I began working there in 1980. Instead of actual passwords, they used information from your payroll files to log you in and would ask a different question each time. Sometimes the answer was something easy, like your address. Sometimes it was not so easy, like how much was withheld for your employee insurance in 1978. You pretty much had to have a copy of your payroll records in front of you to log in. From what I was told back then, it didn't take them long to switch back to passwords.

I have been doing this for years. I also do not use password wallets; those are also vulnerable to hacking. I have my own system that has protected me for years. And I never, ever reuse emails or portions thereof.

I am not using my personal or corporate email, only my gmail.

What is your system, Diana? Would you prefer not to share it?

The problem is you don't get to pick the KB questions or answers. They are based on your information, e.g. addresses you have lived at for the past 5 years.

This is true.

I agree. I always use nonsense answers to security questions and write them down.

I agree, Billy Jack. I do that also: create nonsensical answers to security questions and write them down.

I have done that for years now.

Good taste in books.

I agree. Never answer the questions with real information. Not only security questions, but 99% of all websites that require information. I never put in valid birthdates and addresses, unless of course they are mailing something to me.

I can only think that Experian is trying to run two businesses. First, the so-called credit rating scam, where they create a score for your benefit and then charge you money to lower it. Is that not extortion? "Hey buddy, I'll protect you if you pay me $10/month." The second is working to sell your data to the criminal elements.

I am a Privacy, Cybersecurity and Data attorney who has worked since 2008 with medium and very large corporations to help them set up their privacy guidelines, policies and compliance systems. In those days it was only about security in the US, but the focus started changing in 2016. It is so frustrating we are forced to use government entities we have no control over, but apparently the government of both political parties also does not care about trying to control entities that harm consumers. They should have shut down Experian after the 2015 fiasco.

I am NOT providing my personal email for security concerns, only my gmail address. Sad world we live in.

I'm a US citizen living in the EU and will probably have dual citizenship in the next couple of years. Could an EU citizen leverage GDPR to get Experian fined so that they start paying attention to these problems?

This is terrifying, because I and many others have numerous Experian accounts courtesy of major corporations who were hacked. If you are gifted Experian credit monitoring, you cannot add that service to an existing account but have to create a new one, and thus they multiply.

I just sent Brian's article to my senator. Maybe we all should do that. I understand it might be in vain considering our Congress is essentially non-functional.

Why not both? I will do the same.

I had two Experian accounts set up specifically to add a Freeze when that became free back in 2018. Tried to log into both today; neither worked. The "Forgot password" process indicated no match for my phone numbers on either account.
Never fear: using Brian's ongoing discovery, I was able to quickly create new accounts for both (answer via KBA questions; only 1 of the 10 total applied to us at all) and I'm all set again. AND both accounts show my freezes are still in place, as Brian saw.

What a clusterf.

What is especially troublesome is recent letters received from our credit union about the MOVEit Breach and the compromise of our account information. As a result of this disclosure, we were offered a complimentary one-year membership in Experian IdentityWorks Credit 3B. If anyone can assume my identity at Experian due to this grievous security hole, what value is that protection?

If you know enough about someone, it's pretty easy to gain access to their credit report, including opening up a line of trade line credit. There is just not enough security protection on credit report access, in my opinion.

My fiancé has been going through the same issue for the past 6 months. His identity was stolen, and he's been having other issues as well, i.e. emails, bank and social media accounts being taken.

I appreciate that many responders to this article understand that random answers to questions are a better option than providing the actual answer when setting up the authentication of an account.

But I am dismayed that they do not understand Experian does not use that style of authentication; instead they use KBA, which stands for Knowledge Based Authentication. Their variation uses information from their files. Which means you do not choose the answers, they do. So you must provide the correct answers according to their files.

Another issue is their file sometimes (maybe many times) contains erroneous information; their file on me did. If too many of the questions presented for authentication are based upon erroneous information, you may not be able to authenticate (this happened to me). To further complicate matters, Experian has/had been a provider of KBA as a service, so the reach of the problem extends beyond Experian (this also happened to me).

I agree that something has to be done. Data brokers, and Experian specifically, run wild and loose with information about all of us. They have all sorts of problems (for us, not them) with securing this information. Sending this article to your representatives in congress is a good idea. Also inform your friends, family and others so they can also express outrage in the situation. Advise them to direct the outrage toward their representatives in hopes it will effect a good change.

So what's going to happen?
People will just pollute Experian's DB with lots of junk. Change lots of email addresses as a denial of service variation.
When that's done, credit reports are useless.

Current status (11/11/23) of trying to get an Experian credit report via annualcreditreport.com:
We're sorry.
A condition exists that prevents Experian from being able to accept your request at this time.
To obtain your Experian annual credit report, please mail your request to the address below using the Annual Credit Report Request form.
Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281

I went through it as well, where a girl in California used her own email and home address but changed my logon info with Experian. So now I added the 2-step verification and will be changing my password again. Also had an issue with Capital1 and recently JP Morgan. What gets me is how they try to approve credit with no proof of identity.

Based on this article, I assume Experian only offers SMS-based MFA. So backwards.

We as customers, when banks such as Citibank never comment even though one has substantive proof they HAVE been hacked (like in May this year), have no chance. Not knowing whether one's pension will be safe ever again, or even delivered.

Brian,

I have just tried to post a relevant comment which has not been included in your Comments Section.

Rob

Sounds like the trouble I've had with Gmail's webmail lack-of-service. First it pestered me with wanting me to go to two-factor authentication using a phone number. Which I declined, because I've changed phone number at irregular intervals in my life and I don't see the need to get stuck to any one phone number if the landlord or the phone company decide they want to make my life difficult.

Then it flat out refused to acknowledge my long and non-regular password and demanded I do something else (question or alternative email or whatever). I've given up using the webmail until they learn some manners.

Sites like Experian are the reason that, where possible, it's best to leave a fake date of birth for an online service. I like to choose something distinctive such as the first of January 1901 or January 1st 1970 (Unix zero time).

I assume from this article they only have SMS-based 2FA. How backward.

Has anyone filed a complaint at the CFPB?
https://www.consumerfinance.gov/complaint

You're complaining that it's possible for people to become you by learning your personal information when performing identity theft, but to steal your house all you need is to take a fake ID to a notary to transfer ownership of the house to someone else.

Really the only way around this is requiring a real person to provide biometric information to another real person in a way that can't be faked (such as checking for contact lenses when you sign up for Worldcoin), but given that the average person is not interested in sacrificing their privacy for security, that seems like a pipedream.

What government agency regulates these businesses?

Is there law currently in effect that's not being administered correctly?

Isn't there a government agency that can force Experian to implement better security?

If not, then someone in Congress should kick off a law to give this power to an existing agency.

Isn't this a national security exposure? Couldn't a terrorist or foreign national use this hole to assume another identity, allowing them entry into the country?

These systems are really frustrating to deal with. Add the fact that all three credit bureaus offer a paid subscription to lock your file, which they market heavily saying it is better than just a freeze, yet they have vulnerabilities like these. Smh.

Update in Kivimaki case, please write about it.