Experian credit freeze unfrozen by hackers?

Stop using PINs and passwords!

Another week, another sorry tale of poor identification. This time, it’s Experian that failed to properly secure users’ PINs.

People who froze their credit reports discovered hackers could unfreeze them—even though a PIN was supposed to stop that. But Experian says it’s “confident that our authentication is secure.” OK then.

It turns out Experian had a bug in its PIN-recovery system. This was a bug so simple to exploit, it was barely a speedbump to a hacker who wanted to open credit in a victim’s name.

How simple? Ridiculously simple. In this week’s ID Blogwatch, we let it go.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Ultimate cat video

What’s the craic?
Janna Herron Experian credit freeze flaw may have revealed your PIN to fraudsters:

It’s Experian’s turn to be in the hot seat.

[The] process to retrieve a PIN that safeguards a frozen Experian credit report had a security defect. … The company has not said how long the defect was in place. … There’s also no indication Experian will issue new PINs. Experian has not responded to [my] request for further comment.

A credit freeze prevents lenders from pulling a person’s credit report, an essential part of the [credit] approval process. … Freezing your credit reports at Experian, Equifax and TransUnion … helps thwart criminals from opening fraudulent accounts in your name. … At Experian, you need [a] PIN to unfreeze your [report] if you want to apply for new credit.

“While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure,” the company said.

What, so thieves could unfreeze my report?
Yep. Shaun Nichols explains how the Hack to thaw account freezes worked:

It’s a mechanism that’s supposed to stop fraudsters from exploiting stolen personal information, such as names and social security numbers, to obtain credit using someone else’s identity. [But] a glitch in [the] online account recovery process … could leak [the] PIN. A miscreant could then use that number to reverse an account freeze.

[It] would allow anyone who knew a person’s name, address, social security number, and date of birth to have a PIN code sent [in] email. … Armed with that PIN, the attacker would then be able to break the credit freeze and apply to open new accounts in the victim’s name.

In other words, if your personal info was leaked online … and you set up a credit freeze to stop it being exploited, that same publicly available data could have been used to undo the freeze anyway. … The findings will no doubt cause discomfort for the millions of people who have had to freeze their credit in recent years due to data breaches.

Yeah, you could say that.
We first heard about this Experian Flaw from Liz Weston and Bev O’Shea:

One credit bureau’s site made it distressingly easy to circumvent the security that’s supposed to keep your credit reports safe. … Experian’s site exposed … the PINs needed to thaw credit freezes, after users answered their security questions with a blanket answer: None of the above.

More than a year ago, security expert Brian Krebs reported a similar flaw.

Several of us who had credit freezes were able to replicate it. We asked … on Facebook and Twitter and heard from others who also got access. … This is yet another reminder that we need to keep monitoring our credit reports and scores for fraudulent accounts, even if we have credit freezes in place.

What’s really distressing is that security freezes are supposed to be one of the few effective bulwarks people can put up against fraud. … The credit bureaus still aren’t taking the security of our information seriously enough.

Are you feeling a touch of déjà vu?
Lisa Vaas explains why, going on to pick more holes in the Swiss cheese:

In an aftershock following the epic Equifax data-quake last year, it was revealed that the PINs used to protect frozen credit files … were woefully bad. … To put a rancid cherry on top of that unpleasant credit reporting company cupcake … Experian is also undermining its own PIN security.

As many privacy/security experts have pointed out, this is a lousy technique to use in authentication, for the simple fact that people tend to answer the questions truthfully. Unfortunately, the answers to many such questions – What’s your dog’s name? What’s your grandfather’s first name? Where did you go to high school? Where did you meet your partner? – are easy to find via social media or other publicly available information.

So true.
And Stewart Twynham cuts to the chase:

Broken authentication is a common security failing. Here, all you had to do was set the account recovery answers to “None of the above” and enter any … e-mail address you please.

Wait, pause.
Did you say the email address could have been different from the one on file? Pascal Monett is beside himself:

Are they TRYING to make things easier for hackers? Nobody thought this through at all. … And obviously nobody tested the final result beyond making sure it didn’t crash on first try.

The big one is allowing another email address. … Nobody does that. There is no reason to, you already have the subscribers’ address.

To which
the obvious reaction comes from people like Matthew Woodyard—@Kintarotpc:

When do we set fire to Experian and put all of these people in jail forever?

A strange game, Prof. Falken.
How about a nice game of chess? Thrakkorzog asks an important question:

This is like the movie War Games where the only solution is not to play. How to I remove myself from this … system?

Lee D opines a broader angle:

If you don’t want people to give you free money, you don’t interact with [credit rating agencies]. … The only time the average person NEEDS [to] is when applying for a mortgage or possibly a rental agreement.

Credit ratings are the most backwards things I’ve ever seen in my life. … Credit scores are made-up nonsense. … But the way to stop them is to NOT borrow money.

100 years ago, you literally didn’t have a choice. You had the money or not.

We live in a society where people are perfectly happy to give away their information … in order to purchase an over-priced luxury that they use barely 1/10th of its capabilities. [But] there are perfectly viable alternatives called “save up” / “buy outright” / “live within your means.”

Oh, I see, it’s our own fault?
Veridium CMO Lori Cohen doesn’t share that PoV:

Seriously consider putting a freeze or lock on your credit report with each of those bureaus … Equifax … Experian … TransUnion … Innovis … PRBC … SageStream … ARS.

Locking and freezing your credit file are two ways to help reduce the damage done by identity theft. … Taking action before someone steals your identity makes it a lot easier and takes less time than doing it after.

If only it were more common for identity to be tied to who you are — your biometrics — instead of what you know, life would be easier. … I wish I could turn back the clock and have my identity protected by my biometrics. Instead, I’ll be waiting for the other shoe to drop.

@TinkerSec postulates a philosophical point to ponder: [You’re fired—Ed.]

When a breach claims “stolen data” nothing is stolen. Stolen implies that the original content is no longer available. Data is copied.

Identity Thieves that copy data from [these] companies are doing the same thing: … using data of our lives against us without our input or control. … In the case of credit score companies, the analysis of the data … seems the be the core product.

ID Theft (by malicious hackers & corporations) does take from the people. They lose their agency. [But] copying by malicious hackers does not take anything from the corporations.

Words do matter.

Yes, and passwords matter, too. You can’t rely on them—not without a strong second factor, such as biometrics.

And Finally…

The ultimate cat video

[Hat tip: u/trumlen]

You have been reading ID Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Jorge Guillen (cc:0)

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

The Largest Internet Company in Mexico Taps Tec360 and Veridium for Trusted Phishing Resistant Passwordless Authentication and to secure Okta SSO A top provider of


Veridium The True Passwordless Enterprise

Veridium The True Password-less Enterprise In February 2017 when I joined Veridium as CPO, I recognised and appreciated one of the biggest challenges for Enterprise