In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.
I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn't verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn't recognize my username and/or password.
A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and didn't recognize (the full address was redacted by Experian).
I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year's story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.
The homepage said I needed to provide a Social Security number and mobile phone number, and that I'd soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian's website would not balk. Regardless, users can simply skip this step by selecting the option to "Continue another way."
Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three and five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we've previously lived at — information that's just a Google search away.
Assuming you sail through the multiple-choice questions, you're prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you're directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.
At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn't a request seeking verification: it's just a notification from Experian that the account's user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.
And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed as well. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!
In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
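As an added illustration (not Experian's code, nor code from the original post), the Python model below contrasts the behaviour described above, where a second sign-up that matches the identity data simply replaces the contact details on file, with the pattern attributed to Equifax and TransUnion, where a code must first reach the contact already on file before anything is rebound. The registry layout, function names and the SSN/DOB lookup key are assumptions.

```python
"""Added illustration (not Experian's code) of the two account designs above.
Registry layout, function names and the SSN/DOB identity key are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    phone: str
    pending_code: str = None       # one-time code sent to the contact on file
    pending_contact: tuple = None  # (email, phone) waiting for proof of ownership

def identity_key(ssn, dob):
    """Assumed lookup key derived from identity attributes (illustrative only)."""
    return hashlib.sha256(f"{ssn}|{dob}".encode()).hexdigest()

class WeakRegistry:
    """Matching identity data silently replaces the contact details: the flaw."""
    def __init__(self):
        self.accounts = {}
    def register(self, ssn, dob, email, phone):
        self.accounts[identity_key(ssn, dob)] = Account(email, phone)  # overwrites owner
        return "created"

class HardenedRegistry:
    """A second sign-up for a known identity becomes a recovery request: a code goes
    to the contact already on file, and the new contact is bound only after proof."""
    def __init__(self):
        self.accounts = {}
        self.outbox = []  # (recipient, code) pairs; stands in for email/SMS delivery
    def register(self, ssn, dob, email, phone):
        key = identity_key(ssn, dob)
        acct = self.accounts.get(key)
        if acct is None:
            self.accounts[key] = Account(email, phone)
            return "created"
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        acct.pending_contact = (email, phone)
        self.outbox.append((acct.email, acct.pending_code))  # goes to the OLD address
        return "verification_sent"
    def confirm(self, ssn, dob, code):
        acct = self.accounts.get(identity_key(ssn, dob))
        if acct is None or acct.pending_code is None:
            return False
        if not secrets.compare_digest(code, acct.pending_code):
            return False  # wrong code: nothing changes, the owner keeps the account
        acct.email, acct.phone = acct.pending_contact
        acct.pending_code = acct.pending_contact = None
        return True
```

In the hardened version the notification that Experian already sends becomes the verification step itself: the message to the old address carries the code, so a newcomer who never controlled that mailbox cannot finish the rebind.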
Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.
"To ensure the protection of consumers' identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving," Experian spokesperson Scott Anderson said in an emailed statement. "This includes knowledge-based questions and answers, and device possession and ownership verification processes."
Anderson said all consumers have the option to enable a multi-factor authentication method that is requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?
Several readers who saw my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said that when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to "manually enter my information."
"I put my second phone number and the new email address," he explained. "I received a single email in my original account inbox that said they've updated my information after I 'signed up.' No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number."
The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.
"The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, 'Welcome back, Pete!,' and granting full access," @PeteMayo wrote. "I feel silly saving my password for Experian; may as well just make a new account every time."
I was fortunate in that whoever hijacked my account didn't also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.
It boggles the mind that these basic authentication weaknesses have been allowed to persist for so long at Experian, which already has a terrible track record in this regard.
In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer's full credit report — armed with nothing more than a person's name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.
In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian's PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer's account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
More greatest hits from Experian:
2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service