Experian API Exposed Credit Scores of Most Americans

tsu doh nimh writes: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who's currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender's site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API -- a capability that allows lenders to automate queries for FICO credit scores from the credit bureau. "No one should be able to perform an Experian credit check with only publicly available information," Demirkapi said. "Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian's system." Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him then pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility."

Shocker

[Osgeld]

Not like its hidden anyway any child can look your score up and happens all the time

More credit offers.

[Ostracus]

OK, so what's the worse that can happen when you find I have a good rating?

Re:More credit offers.

[jwhyche]

OK, so what's the worse that can happen when you find I have a good rating?

You become a prime target for scammers and identify thieves. They already know you have good credit. The only thing left is to find out the rest of your information.

Re:

[fred6666]

so that leak is actually worse for those with good credit?

Re:More credit offers.

[jwhyche]

Yeah, it could be. If I'm a scammer or a identity thief my prime goal is to find people with good credit that I can steal from. Good credit indicates that you have money. Bad credit can indicate you have no money and are not worth bothering with.

Re:

[Mononymous]

Good credit indicates that you borrow money.

Fixed that for you.

Re:

[jwhyche]

Good credit indicates that you borrow money, at reasonable interest.

There, I fixed that for you. Good credit, bad credit, or no credit, doesn't mean there isn't someone out there that won't lend you money. In my experience you can always find you someone to lend you money.

What good credit gives you is better interest and a easier time of it.

Re:

[Cmdln Daco]

So, if you have good credit they will make it easier for you to accrue greater debt.

Re:

[tempest69]

Good credit means that they pay you to open up a CC.. So and careful management of the score can net some good "cash"

Re: More credit offers.

[peragrin]

Good credit means you borrow money and pay it back promptly.

It doesn't mean you have cash on hand.

Re:

[whoever57]

I think it actually has more to do with what cash you can borrow. Having a credit limit that is much larger than you use is what seems to push your credit score up.

However, there are multiple credit scores, not just one score, each with slightly different criteria.

Re:

[sjames]

...Easily. So your ID will be perfect for taking out a big loan against without too many questions.

Re:

[Ostracus]

Well except for one tiny flaw which spam illustrates perfectly. Being a criminal is cheap. Very cheap. One doesn't need to go to the trouble of looking up scores, when everyone can be a victim at no cost to the scammer or identity thief. If they get no money from you, what have they lost?

Re:

[jwhyche]

The spam argument is flawed, with the flaw being that spam is very cheap to send. I can run a grep/awk on the linux kernel mailing list, drumming up a few hundred good email address, and piping that in to sendmail. That will literally cost me nothing but a few minutes of time. An there are low volume scammers out there that do that.

But there is an entire market out there where they harvest this information, build a list, then sell it to the highest bidder. Then the individuals that buy this informat

Re:

[tlhIngan]

The problem is the numbers don't mean crap.

Sure they're a summary of your credit history - or are they?

You would think that if it was, it would be the same everywhere, yet experiments have proven that your credit score can vary by 200 points depending on who's asking.

Turns out, there's a secret score that is what lenders actually get - the number you and I and everyone else sees is just some random thing.

Lenders pay $$$ to get at the secret score. The secret score takes a lot more into account than the publ

Re:

[sjames]

Also Experian "helpfully" verified your address.

Re:

[whitroth]

Y'know, you might consider not posting until you're at least 18, kid.

I mean, any adult (except some two-toothed IQ 45 supporters know that if they can get your credit score, they also have your address, and social security number (US), and with that can open accounts left and right... leaving you charged.

Go back to your video games.

Re:

[maxeji9815]

Um, what? It doesn't require a SS to look up a credit score and it doesn't return a SS. Just a name and one of the addresses of the person is required to look up a score (usually just an address is really required).

Re:

[Cmdln Daco]

Social Security numbers should be public record anyway. It's not supposed to be a secret passkey that unlocks personal information about US citizens. In fact, when I was in college in the early 1980s the college used our SSN as our Student ID number.

It's only in a world where Big Credit wants to be able to put people into debt by granting them 'credit' right at the checkstand at a department store that the 'secrecy' of your SSN is important.

If 10% of the public openly disclosed their SSN, it would overnig

Re:

[jbengt]

True, in fact, when I got my Social Security original card it said right on there that it was not for identification purposes. It's just a convenient number for Social Security to look up your file with. Also, it's not random, so if you know when and where someone was born, you can figure some of their SSN digits.

Re:

[The-Ixian]

If this counts as a query of your credit report, then it could negatively affect the person's credit score.

Re:

[iikkakeranen]

Your phone becomes useless for voice calls because you have to permanently silence it or suffer constant scam attempts and robo-advertising for credit cards. This is my experience, anyway.

News for Noobs

[geekmux]

...he was able to see it invoked an Experian Application Programming Interface or API

These newfangled API things, sound kinda cool.

Anyone here ever hear of this?

Re:News for Noobs

[BeerFartMoron]

...he was able to see it invoked an Experian Application Programming Interface or API

These newfangled API things, sound kinda cool.

Anyone here ever hear of this?

I read a few articles about them on Slashdot. Turns out they are all broken.

Re:

[geekmux]

broken you say...reminds me of the old greybeard tale of the F-Unicode Outlaw Gang that rode in one day...

And stayed.

Re:

[gtall]

Oracle. Though it ended in tears.

Why is this still legal?

[bored]

When will we in the US get up the balls to make the commercial collection and resale of personal information illegal?

This is fusking ridiculous, and you can bet when I get my personal information stolen, and I end up on the hook for some bill, I'm going to be getting an attorney to shift the responsibility to these guys.

Re:

[gtall]

Making it illegal, while a nice thought, is unenforceable, realistically. How about rather we make the loss of personal information subject to significant fines. Of course this will spawn a New Insurance Policy Scam whereby the insurance companies, recognizing a lucrative new scam when they see it, will be offering policies that payout should you lose someone's PII and get fined for it. Companies keeping the PII will only be too happy to sign on the dotted line.

We need a better solution. Making it a felony

Forget shares, bring on the stocks

[Anne Thwacks]

Now is the time to put the directors of credit rating companies in stocks and let the public throw things at them.

Don't limit the fun to Experian execs - all of rating agency execs should be allowed to join in.

Re:

[Mitreya]

Now is the time to put the directors of credit rating companies in stocks and let the public throw things at them.

Yep. Totally. They will be sure to suffer consequences this time.
I like how they paid $700M to FTC (not even to the people affected?) to make a breach for 150M people go away. https://nypost.com/2019/07/19/... [nypost.com]
It's a brilliant scam.

Re:

[inode_buddha]

Good luck with that. My own NY State Motor Vehicles sells info from their databases to third parties. As if they weren't making enough money from the taxes and fees here.

Frozen credit bureau accounts...

[mprindle]

The reason I could not test Demirkapi’s findings on my own credit score is that we have a security freeze on our files at the three major consumer credit reporting bureaus, and a freeze blocks this particular API from pulling the information.

This is just one more reason why I have all of my credit bureau accounts frozen. If I have an express need to access my account, I'll go unfreeze it, do what needs to be done and then freeze it again.

Re:

[millert]

Except that Experian's crappy security makes it trivial for anyone to unfreeze your credit [krebsonsecurity.com].

Transparency needed

[MooseTick]

None of this would be an issue if credit scoring mechanisms were transparent and it didn't need to be kept a secret for some reason. It doesn't take a rocket scientist to figure out who has money and can get easy loans.

Pedant post

[93 Escort Wagon]

According to the most recent census, the US population is in the ballpark of 330 million people.

As bad as this breach is, "tens of millions" does not equate to "most" Americans.

Re:

[kungfool]

Sure it does. Sixteen "tens of millions" is "most" Americans.

Re:

[93 Escort Wagon]

I guess, technically speaking, they even could've said "dozens of Americans".

It's just a whole, whole lot of dozens!

Cold comfort

[NicknamesAreStupid]

These vanity credit 'scores' are a joke, at least the ones we see. The 'score' that counts is the one that goes to companies that pay for your credit history report, which has information that you cannot see, like salary history.

Re:

[Cederic]

That varies by jurisdiction and by the nature of the check.

For instance in the UK salary information is not shared - I don't think the CRAs even have access to it.

Disclosure: Have worked for a CRA.