
It’s Still Easy for Anyone to Become You at Experian – Krebs on Security

by admin
November 13, 2023
in Cyber insurance

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you can supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
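
The contrast above, as an added example that is not from the original article and is not any bureau's code: a toy in-memory model of re-registration that overwrites an existing account once identity data and knowledge-based answers are supplied, beside a version that holds the change until a code sent to the address already on file is confirmed. The class, method names and sample values are hypothetical.

```python
import hmac
import secrets


class AccountStore:
    """Toy in-memory model (hypothetical; passwords left unhashed for brevity)."""

    def __init__(self):
        self.accounts = {}  # id_key -> {"email": ..., "password": ...}
        self.pending = {}   # id_key -> (code, proposed profile)
        self.outbox = []    # (recipient, message) pairs the service "sent"

    def register_weak(self, id_key, email, password, kba_passed):
        # Pattern described in the article: identity data plus knowledge-based
        # answers are enough to replace an existing account outright.
        if not kba_passed:
            return "rejected"
        old = self.accounts.get(id_key)
        self.accounts[id_key] = {"email": email, "password": password}
        if old:
            # After-the-fact notice only; the old owner cannot block anything.
            self.outbox.append((old["email"], "Your profile has changed"))
        return "created"

    def register_hardened(self, id_key, email, password, kba_passed):
        # Same inputs, but an existing account is never replaced directly.
        if not kba_passed:
            return "rejected"
        profile = {"email": email, "password": password}
        old = self.accounts.get(id_key)
        if old is None:
            self.accounts[id_key] = profile
            return "created"
        # Hold the change and send a one-time code to the address on file.
        code = secrets.token_hex(4)
        self.pending[id_key] = (code, profile)
        self.outbox.append((old["email"], f"Confirm change with code {code}"))
        return "pending"

    def confirm_change(self, id_key, code):
        # Single use: a wrong guess discards the pending change.
        entry = self.pending.pop(id_key, None)
        if entry is None or not hmac.compare_digest(entry[0], code):
            return False
        self.accounts[id_key] = entry[1]
        return True
```

In the hardened path the requester never sees the code, so knowing the identity data and the knowledge-based answers is not enough to change the contact details on an existing account.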

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To make sure the safety of shoppers’ identities and knowledge, we’ve got carried out a multi-layered safety strategy, which incorporates passive and lively measures, and are consistently evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This contains knowledge-based questions and solutions, and system possession and possession verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who saw my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my info.”

“I put my second telephone quantity and the brand new electronic mail handle,” he explained. “I acquired a single electronic mail in my unique account inbox that mentioned they’ve up to date my info after I ‘signed up.’ No verification required from the unique electronic mail handle at any level. I additionally didn’t obtain any textual content alerts on the unique telephone quantity. The particularly attention-grabbing and egregious half is that once I register, it does 2FA with the brand new telephone quantity.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The one distinction: it requested me FIVE questions on my private historical past (final time it solely requested three) earlier than proclaiming, ‘Welcome again, Pete!,’ and granting full entry,” @PeteMayo wrote. “I really feel foolish saving my password for Experian; could as nicely simply make a brand new account each time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian did not send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service
