Experian, you have some explanation to do – Crips on security

KrebsOnSecurity has heard twice in the past month from readers who have their accounts at a big triple credit bureau Experian Hacked and updated with a new email address that wasn’t theirs. In both cases, readers used password managers to choose strong and unique passwords for their demo accounts. Research indicates that identity thieves were able to hijack accounts simply by signing up for new accounts in Experian using the victim’s personal information and a different email address.

John Turner He is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to put a security freeze on his credit profile, and that he used a password manager to identify and store a strong, unique password for his Experian account.

Turner said that in early June 2022 he received an email from Experian stating that the email address on his account had changed. Experian’s password reset was useless at that point because any password reset links would be sent to the new (scammer’s) email address.

An Experian Turner support person was reached by phone after a long wait asking her for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his confidential questions. But the PIN and Secret Questions have already been changed by anyone who has re-registered with Experian.

“I was able to successfully answer the credit report questions, which approved me on their system,” Turner said. “At that point, the representative read me the current stored security questions and the PIN, and they were definitely not things I would have used.”

Turner said he was able to regain control of his Experian account by creating a new one. But now he’s wondering what he can do to prevent another account from being hacked. This is because Experian Do not offer any kind of multi-factor authentication options on consumer accounts.

“The most frustrating part about this whole thing is that I got several ‘this is your login info’ emails later which they attributed to the original attackers who went back and tried to use the ‘forgot email/username’ flow, most likely using SSN and DOB , but it didn’t go to their email that they were expecting,” Turner said. “Because Experian doesn’t support two-factor authentication of any kind – and because I don’t know how they got into my account in the first place – I’ve felt pretty helpless ever since.”

To be clear, Experian Do It has a business unit Sells one-time password services to businesses. But it does not provide this directly to consumers who have signed up to manage their credit profile on the Experian website.

Arthur Richie Musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently found out that his Experian account had been hijacked after receiving an alert from a credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.

Rishi said the alert surprised him because his Experian credit profile was frozen at the time, and Experian did not notify him of any activity on his account. Rishi said Chase agreed to cancel the unauthorized account request and even canceled her credit inquiry (each credit pull can hurt your credit score a little bit).

But he was never able to get anyone from Experian support to answer the phone, despite spending what seemed like an eternity trying to advance through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself in Experian.

“I was able to open a new Experian account starting from scratch, using my SSN, date of birth, and answering some really basic questions, like what kind of car I got a loan for, or what city I used to live in,” he said. feathery.

Upon completing the recording, Rishi noticed that his balance was frozen.

Like Turner, Richie is now worried that identity thieves will hijack his Experian account again, and that there is nothing he can do to prevent such a scenario. Currently, Rishi has decided to pay Experian $25.99 per month to closely monitor his account for any suspicious activity. Even with Experian’s paid service, there were no additional multi-factor authentication options, though he said Experian sent a one-time code to his phone via SMS recently when he logged in.

“Experian now sometimes requires MFA for me now if I’m using a new browser or running my VPN,” Rishi said, but he wasn’t sure if Experian’s free service would work differently.

“I get so angry when I think about all this,” he said. “I have no confidence that this will not happen again.”

In a written statement, Experian suggested that what happened to Rishi and Turner was not an ordinary occurrence, and that their identity and security verification practices go beyond what is visible to the user.

“We believe these are individual fraud incidents using stolen consumer information,” Experian said in a statement. “Special to your question, once an Experian account is created, if someone tries to create a second Experian account, our systems will report the original email in the file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to gain access to our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytics capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our customers and to provide additional layers of protection. We take consumer privacy and security over very seriously, and we are constantly reviewing our security processes to protect against the persistent and evolving threats posed by fraudsters.”

Analytics

KrebsOnSecurity sought to replicate Turner and Rishi’s experience – to see if Experian would allow me to recreate my account with my personal information but with a different email address. The experiment was conducted from a different computer and Internet address than the one that created the original account years ago.

After providing my SSN, date of birth, and answering several multiple-choice questions whose answers are drawn almost entirely from public records, Experian immediately changed the email address associated with my credit profile. I did this without first confirming that the new email address can respond to messages, or that the previous email address agreed to change.

The Experian system then sent an automated message to the original registered email address, stating that the account’s email address had been changed. The only recourse Experian offered in the alert was to log in or send an email to an Experian mailbox replying with “This email address is no longer being monitored”.

Next, Experian asked me to select new secret questions and answers, as well as a new account PIN – effective PIN erasure and recovery questions for the account. Once I changed my PIN and security questions, Experian helpfully reminded me that I had a security freeze on the file, and would I like to remove or temporarily lift the security freeze?

How Experian differs from the practices Equifax And the TransUnionThe other two big consumer credit reporting bureaus? When KrebsOnSecurity attempted to recreate an existing TransUnion account using my Social Security number, TransUnion rejected the application, stating that I already had an account and prompted to proceed with the lost password flow. It also appears that the company is sending an email to the registered address to request validation of the account changes.

Likewise, attempting to recreate an existing Equifax account using personal information associated with my existing account prompts Equifax systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).

KrebsOnSecurity has always urged US readers to put it somewhere Security freeze of their files with the three major credit bureaus. With a freeze in place, potential creditors cannot withdraw your credit file, making it less likely that anyone will be granted new lines of credit in your name. I also advised readers They planted their flag in the three main officesto prevent identity thieves from creating an account for you and taking control of your identity.

The experiences of Richie, Turner, and this author indicate that Experian’s practices are currently undermining each of these proactive security measures. even so, Having an active Experian account may be the only way to find out if scammers have assumed your identity. Because at least after that you should get an email from Experian saying that they gave your identity to someone else.

In April 2021, KrebsOnSecurity revealed how identity thieves were Exploiting lax authentication on Experian’s PIN retrieval page To unfreeze consumer credit files. In these cases, Experian failed to send any email notification when the Freeze PIN was retrieved, and did not require that the PIN be sent to an email address already associated with the consumer account.

A few days after that April 2021 story, Krebs on Security published the news that Experian API was revealing credit scores for most Americans.

Emory Roanpolicy advisor to Privacy Rights ClearinghouseExperian said that not introducing multifactor authentication for consumer accounts is not justified in 2022.

“They compound the problem by briefing the recovery process on information that may or may not have been inferred from third-party data brokers, or that could have been exposed in previous data breaches,” Rowan said. “Experian is one of the largest consumer reporting agencies in the country, and is trusted as one of the few major players in the credit system that Americans are forced to join. For them, not offering some form of MFA (free) is a Mystifying and reflects very poorly on Experian.”

Nicholas Weaveris looking for International Institute of Computer Science in University of California, BerkeleyHe said Experian has no real incentive to do things right on the consumer side of its business. That means, he said, unless Experian customers — banks and other lenders — choose to vote with their feet because so many people with frozen credit files have to deal with unauthorized requests for new credit.

“Real customers of the credit service don’t realize how bad Experian’s condition is, and this isn’t the first time Experian has failed horribly,” Weaver said. “Experian is part of a trio company, and I’m sure this costs their actual customers money, because if you have a credit freeze that gets lifted and someone loanes it off, it’s the lender who eats up that fraud cost.”

Unlike consumers, he said, lenders have a choice in which of the three companies handle their credit checks.

“I think it’s important to note that real customers have a choice, and they should switch to TransUnion and Equifax,” he added.

More Greatest Songs From Experian:

2017: Experian can give anyone your PIN to freeze your credit
2015: Test Breach Affects 15 Million Customers
2015: Trial breach linked to NY-NJ ID theft episode
2015: In Experian, the security drain amid acquisitions
2015: Experian hit with mass action service on identity theft
2014: Experian Lapse allows identity theft service to access 200 million consumer records
2013: Experimental consumer data sold to identity theft service