Experian, You Have Some Explaining to Do : Krebs On Security

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn't theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victims' personal information and a different email address.
ANALYSIS
KrebsOnSecurity sought to replicate Turner and Rishi's experience to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.
After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that the new email address could respond to messages, or that the previous email address approved the change.
Experian's system then sent an automated message to the original email address on file, saying the account's email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, "this email address is no longer monitored."
Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts "is inexcusable in 2022."
"They compound the problem by gating the recovery process with information that's likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches," Roan said. "Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian."
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian's customers, banks and other lenders, choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.
"The actual customers of the credit service don't realize how much worse Experian is, and this isn't the first time Experian has screwed up horribly," Weaver said. "Experian is part of a triopoly, and I'm sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it's the lender who eats that fraud cost."
And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.
"I do think it's important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax," he added.
Experian, You Have Some Explaining to Do : Krebs On Security (Original Post)
erronis
Jul 2022
OP
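The account rebinding Krebs describes, reduced to a toy model. This is an added example, not code from Experian, from Krebs, or from this thread; every class, method, token scheme and the sample SSN/DOB are hypothetical or constructed. `VulnerableBureau` reproduces the reported flow: a second sign-up that presents the right SSN, date of birth and public-record KBA answers silently overwrites the e-mail on the existing account and only notifies the old address afterwards. `HardenedBureau` shows the checks the article says were missing: a matching identity never mutates an existing account, and a contact-address change needs a second factor on the session, proof of control of the new address, and approval from the old address (or a hold period during which the old address can object).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def identity_key(ssn: str, dob: str) -> str:
    """Index accounts by a hash of (SSN, DOB) rather than the raw values."""
    return hashlib.sha256(f"{ssn}|{dob}".encode()).hexdigest()


def pw_hash(password: str) -> str:
    """Toy stand-in; a real service would use a slow hash such as argon2id."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password: str               # hashed
    pending: Optional[dict] = None  # staged e-mail change (hardened flow only)


class VulnerableBureau:
    """Sign-up with a matching identity rebinds the existing account's e-mail."""

    def __init__(self):
        self.accounts = {}   # identity_key -> Account
        self.outbox = []     # (recipient, message) pairs the system sent

    def signup(self, ssn, dob, kba_correct: bool, email, password):
        if not kba_correct:  # KBA answers come from public records, so this is weak
            return "kba_failed"
        key = identity_key(ssn, dob)
        acct = self.accounts.get(key)
        if acct is None:
            self.accounts[key] = Account(email, pw_hash(password))
            return "created"
        old = acct.email
        acct.email, acct.password = email, pw_hash(password)  # neither address proved control
        self.outbox.append((old, "Your e-mail was changed. Sign in, or reply to this unmonitored inbox."))
        return "rebound"


class HardenedBureau(VulnerableBureau):
    """Existing identity is never mutated by sign-up; changes are staged and verified."""

    HOLD_SECONDS = 7 * 24 * 3600  # how long the old address has to object

    def signup(self, ssn, dob, kba_correct, email, password):
        key = identity_key(ssn, dob)
        if key in self.accounts:
            self.outbox.append((self.accounts[key].email,
                                "A sign-up used your identity. If this was not you, lock your account."))
            return "exists_use_recovery"
        return super().signup(ssn, dob, kba_correct, email, password)

    def request_email_change(self, key, second_factor_ok: bool, new_email, now: int):
        if not second_factor_ok:  # authenticated session must also present MFA
            return "second_factor_required"
        acct = self.accounts[key]
        acct.pending = {"new_email": new_email, "new_verified": False, "old_approved": False,
                        "new_token": secrets.token_urlsafe(16), "old_token": secrets.token_urlsafe(16),
                        "hold_until": now + self.HOLD_SECONDS}
        self.outbox.append((new_email, "Confirm this address: " + acct.pending["new_token"]))
        self.outbox.append((acct.email, "Approve or cancel this change: " + acct.pending["old_token"]))
        return "pending"

    def confirm_from_new_address(self, key, token) -> bool:
        p = self.accounts[key].pending
        if p and hmac.compare_digest(p["new_token"], token):
            p["new_verified"] = True
            return True
        return False

    def approve_from_old_address(self, key, token) -> bool:
        p = self.accounts[key].pending
        if p and hmac.compare_digest(p["old_token"], token):
            p["old_approved"] = True
            return True
        return False

    def finalize(self, key, now: int):
        acct = self.accounts[key]
        p = acct.pending
        if not p or not p["new_verified"]:
            return "new_address_unverified"
        if not (p["old_approved"] or now >= p["hold_until"]):
            return "waiting_for_old_address"
        acct.email, acct.pending = p["new_email"], None
        return "changed"


def demo_takeover(bureau_cls):
    """Victim registers; an attacker who knows the SSN/DOB (constructed sample
    data) and passes public-record KBA signs up again with their own address.
    Returns the e-mail left on file."""
    b = bureau_cls()
    ssn, dob = "000-00-0000", "1970-01-01"
    b.signup(ssn, dob, True, "victim@example.com", "correct horse battery staple")
    b.signup(ssn, dob, True, "attacker@example.net", "hunter2")
    return b.accounts[identity_key(ssn, dob)].email
```

`demo_takeover(VulnerableBureau)` ends with the attacker's address on file, exactly the outcome the readers reported; `demo_takeover(HardenedBureau)` leaves the victim's address in place and puts a warning in the victim's inbox instead of an after-the-fact notice. The hold period matters because a change that reaches the new address but is never approved from the old one should still be recoverable, not silently completed.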
brush (53,759 posts)
1. What a horrible weakness in their system.
Last edited Mon Jul 11, 2022, 02:35 PM - Edit history (1)
You expect one of the major credit agencies, which can have a huge impact on people's lives, to have a much more secure system that can't be worked around in such an easy manner.