Class Action Alleges Experian Didn't Stop Identity Thieves from Hijacking Accounts (krebsonsecurity.com)
"A class action lawsuit has been filed against big-three consumer credit bureau Experian," reports Krebs on Security, "over reports that the company did little to prevent identity thieves from hijacking consumer accounts."
The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim's personal information and a different email address. The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian's documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.
The lawsuit even cites a July blog post from Krebs on Security. The blog post's title? "Experian, You Have Some Explaining to Do."
"After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change... After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account's previously chosen PIN and recovery questions. Once I'd changed the PIN and security questions, Experian's site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?"
Experian did send an automated message to the account's original email address when a new one was added, Krebs wrote, but wondered what good that would actually do. "The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, 'this email address is no longer monitored'..."
"I could see no option in my account to enable multi-factor authentication for all logins..."
And Krebs added Friday that "Since that story ran I've heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account."
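The two checks the quoted post says were skipped (proof that the new address can receive mail, and approval from the address already on file) can be sketched as a small pending-change flow. This is an added example, not code from Experian or Krebs on Security; the `Account` model, function names and token scheme are hypothetical.

```python
import hmac
import secrets


class Account:
    """Hypothetical account record; field names are assumptions."""
    def __init__(self, email, pin):
        self.email = email
        self.pin = pin
        self.pending = None  # at most one pending email change


def request_email_change(account, new_email, kba_passed):
    """Start a change. Passing knowledge-based questions (SSN, DOB,
    public-record quiz) only opens a pending request; it changes nothing."""
    if not kba_passed:
        raise PermissionError("identity check failed")
    account.pending = {
        "new_email": new_email,
        "new_token": secrets.token_urlsafe(32),  # mailed to the new address
        "old_token": secrets.token_urlsafe(32),  # mailed to the current address
        "new_ok": False,
        "old_ok": False,
    }
    return account.pending


def confirm(account, which, token):
    """Record a confirmation from the 'new' or 'old' mailbox, then apply
    the change only when both mailboxes have answered."""
    p = account.pending
    if p is None or which not in ("new", "old"):
        return False
    if not hmac.compare_digest(p[which + "_token"], token):
        return False
    p[which + "_ok"] = True
    if p["new_ok"] and p["old_ok"]:
        account.email = p["new_email"]  # PIN and recovery data stay untouched
        account.pending = None
    return True


def demo():
    """Constructed scenario: someone who passes the quiz but controls
    only the new mailbox cannot move the account."""
    acct = Account("owner@example.com", pin="constructed-pin")
    p = request_email_change(acct, "impostor@example.net", kba_passed=True)
    confirm(acct, "new", p["new_token"])   # reads their own mailbox
    confirm(acct, "old", "guessed-token")  # cannot read the owner's mailbox
    return acct.email, acct.pin
```

An owner who has genuinely lost the old mailbox would need a separate, stronger recovery path, which this sketch leaves out.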
Experian... I recall that name... (Score:2, Funny)
From the LAST class action. They still owe me like $100.
Re: (Score:1)
(I am frequently modded down by members of the same group in case that's not obvious to everyone yet.)
Re: (Score:3)
Sounds like the CEO and CIO are criminally stupid. They are literally too dumb to compete with ... let's not call them hackers... kids?
They are incapable of doing their jobs and it's time for law to do it for them.
Oh wait. There is a law.
Yeah just fire their butts.
there is no reason for them to care (Score:5, Interesting)
experian has never faced any significant consequences for lapses in security so there is almost no incentive to fix anything. it is almost like they need a “credit score” of their own.
Re: there is no reason for them to care (Score:1)
You are not a customer of Experian (Score:5, Interesting)
The only job of Experian is to let the bankers sue you even if someone else has impersonated you. If the lenders want to lend to everyone and his brother without any verification, checks or anything that might trip up the lending process.
What would happen if the borrower provides fake info and runs away with the money? That's where Experian comes in. It tells the lender, "Go ahead and lend, I will tell you who you can sue if the borrower, real or fake, runs away with the cash."
It is not in the best interest of the lender to do any serious verification, because they own the law makers, they wrote the law completely skewed to favor the lenders. You have to prove you were not the person who borrowed. Lender does not have to prove they actually lent money to you and not some random fake. As long as this is the law, the only job for these credit bureaus is to provide some claim to due diligence on the part of the lender, and to provide a chump to be sued ...
Meanwhile (Score:2, Offtopic)
Stupid ass steam asks me for a verification code every time I log in going to an email that went dead ... requires blood sample, receipt of last purchased game, and credit card number from 12 years ago
Re: Meanwhile (Score:2)
See, What a Shock (Score:5, Interesting)
It's a federal crime for you to lie to a Credit Bureau.
It is no crime whatsoever for them to lie to you.
Big corporations have even convinced you that their mistakes. "Your identity" wasn't stolen. They didn't do their due diligence and because of this, they gave their money to a criminal.
Why would they need to beef up security, though? Why would they bother when you're the one running around screaming about "your identity being stolen", and spending your time and money trying to rectify their mistake. They don't need to force the issue, you willingly agreed to take responsibility for their mistakes.
Do you folks have any idea, any idea at all, how little regard the "Credit Bureaus" have for you? They are not the slightest bit concerned, they own your government.
Hell, they've been pushing conformity down your throat so they don't have to go through the trouble of hiding it. Just this weekend, Congress passed the "Inflation Reduction Act". You know, the one where the President gives $80 Billion to the IRS and tells them to take more of the people's money, but he pinkie swears that he's only going to send the IRS after the "rich"? It's a ruse they've pulled over and over and over again, and you fall for it every fucking time.
The hugely unpopular Federal Income Tax finally went through because it was supposed to be temporary and "only apply to the rich". So, how did that work out? Remember Executive Order 6102? The one where they went after people "hoarding gold"? Having seen this movie before, some folks know how it ends:
Sen. Michael Crapo offered an unsuccessful amendment that would have prohibited the IRS from using the $80 billion in new funding to audit taxpayers earning less than $400,000 a year. Democrats voted it down along party lines, making certain that they would in no way have to keep their promise, as they never intended to do in the first place.
For fuck's sake, they just thumbs-down a bill to enforce their promise, in your face. Not all amendments failed, though. The Senate did vote 57-43 in favor of an amendment aimed at reducing the 15% minimum corporate minimum tax on private equity firms.
Folks, you've all been had.
Lied to.
Led astray.
Hoodwinked.
Bamboozled.
It's too painful to realize it, and you're likely powerless to stop it anyway, so you and your peer groups will get busy creating your own realities ... one where you insist that the powerless members of the opposing party are the true villains. After all, you actually have a chance at causing them some pain. For their part, the oligarchs in your chosen party will be right beside you, cheering you on, telling you how fucking brave and awesome you are for going after those working-class monsters. And shit, you'll believe every word of it! OMG, affirmation feels so good! Those dopamine receptors light up like a motherfucking Christmas tree, they do! Just one more retweet! Just one more like! What? No I'm not, I can stop whenever I want to! Now hit that "thumbs up" will you, momma needs some more self-esteem!
And after you're done hanging the country's problems on the terrible others, don't forget to get out there and buy some credit monitoring. You don't want someone to steal your identity do you?
Re: (Score:2)
Bombastic, much?
Setting aside most of your post, I'll note that the IRS is only able to enforce the taxes already "on the books." The IRS does fewer tax audits today than 20 or 30 years ago, because the IRS has been deliberately starved for funding [propublica.org]. As a result, there is a great deal of "non-compliance," a polite term for "underpaying taxes," or, in more extreme forms, "cheating."
In 2020, the CBO estimated [cbo.gov] that if the IRS was given an extra $40M, they would likely raise an additional $103M in taxes. That's
Re: (Score:2)
As for the $400,000 amendment, I'd ask: who defines "$400k of income?" If this amendment passed, and some rich cheater makes $500k, s/he will certainly fudge his/her taxes to show $300k of income, auto-magically exempting them from audits. This sounds unworkable to me.
Also the $400,000 figure is ridiculously high. The median income of a US worker in full time employment in Q1 2022 was $54,000.
A limit on prosecutions for trivial amounts would make more sense than going after smaller tax payers who can't afford a legal defense, just because that's easier than pursuing larger targets.
Is there any way (Score:3)
for the outcome of a class action suit to be execution??