It's Still Too Easy for Anyone to 'Become You' at Experian (krebsonsecurity.com)
An anonymous reader shared this report from security researcher Brian Krebs:
In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account...
The homepage said I needed to provide a Social Security number and mobile phone number, and that I'd soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian's website would not balk.
One user said they recreated their account this week — even though the phone number they'd input was a random number. "The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, 'Welcome back, Pete!,' and granting full access," @PeteMayo wrote. "I feel silly saving my password for Experian; may as well just make a new account every time."
And Krebs points out that "Regardless, users can simply skip this step by selecting the option to 'Continue another way.'" Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we've previously lived at — information that is just a Google search away...
Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn't a request seeking verification: It's just a notification from Experian that the account's user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com. And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!
Experian's security measures "are constantly evolving," insisted Experian spokesperson Scott Anderson — though Krebs remains unsatisfied. Anderson said all consumers have the option to activate a multi-factor authentication method that's requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?
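The takeover the article describes is a design flaw in the registration flow rather than a bug in any one check: a second "registration" for an SSN that already has an account silently rebinds that account to the attacker's new email, phone and password, and the original owner only receives a notice. The following Python model is an added example written for this page, not Experian's code; the class names, the `kba_answers_correct` flag (standing in for the public-records quiz) and the SSN values are constructed. It shows that flow next to one hardened variant, where a repeat registration for an existing SSN becomes a pending request that only completes when the existing contact channel approves it.

```python
"""Account re-registration takeover, modelled as an added example.

Illustrative code for this page, not Experian's system. Two bureaus share
storage keyed on a hash of the SSN; they differ only in what a repeat
registration for an existing SSN does. All names and sample data below are
constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    key: str                      # sha256 of the SSN (constructed stand-in for a record id)
    email: str
    phone: str
    pw_hash: str
    notices: list = field(default_factory=list)   # messages sent to the ORIGINAL email


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


class VulnerableBureau:
    """Registration keyed on SSN; a repeat registration overwrites the contact details."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def register(self, ssn, email, phone, password, kba_answers_correct):
        # The only gate is the knowledge-based quiz; the phone number is not verified,
        # so kba_answers_correct models answers looked up from public records.
        if not kba_answers_correct:
            return "kba_failed"
        key = _h(ssn)
        existing = self.accounts.get(key)
        if existing is None:
            self.accounts[key] = Account(key, email, phone, _h(password))
            return "created"
        # The flaw: the old owner gets a notice, but the rebinding already happened
        # and their password no longer works.
        existing.notices.append("Profile changed. Log in to review.")
        existing.email, existing.phone, existing.pw_hash = email, phone, _h(password)
        return "rebound"

    def login(self, ssn, password) -> bool:
        a = self.accounts.get(_h(ssn))
        return a is not None and hmac.compare_digest(a.pw_hash, _h(password))


class HardenedBureau(VulnerableBureau):
    """Same storage; a repeat registration becomes a pending request that only the
    EXISTING contact channel can approve. Until then nothing about the account changes."""

    def __init__(self):
        super().__init__()
        self.pending: dict[str, tuple] = {}   # token -> (key, email, phone, pw_hash)

    def register(self, ssn, email, phone, password, kba_answers_correct):
        if not kba_answers_correct:
            return "kba_failed"
        key = _h(ssn)
        existing = self.accounts.get(key)
        if existing is None:
            self.accounts[key] = Account(key, email, phone, _h(password))
            return "created"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (key, email, phone, _h(password))
        # The approval token goes ONLY to the old contact, so the requester never sees it.
        existing.notices.append(f"Someone asked to replace your login details. Approve: {token}")
        return "pending"

    def approve(self, token) -> bool:
        """Called when the holder of the old email acts on the notice."""
        req = self.pending.pop(token, None)
        if req is None:
            return False
        key, email, phone, pw_hash = req
        a = self.accounts[key]
        a.email, a.phone, a.pw_hash = email, phone, pw_hash
        return True


def demo():
    """Run the attacker's re-registration against both designs. Constructed data."""
    ssn = "000-00-0001"
    out = {}
    v = VulnerableBureau()
    v.register(ssn, "victim@example.test", "555-0100", "victim-pw", True)
    out["vuln_second_register"] = v.register(ssn, "thief@example.test", "555-0199", "thief-pw", True)
    out["vuln_victim_login"] = v.login(ssn, "victim-pw")
    out["vuln_thief_login"] = v.login(ssn, "thief-pw")
    h = HardenedBureau()
    h.register(ssn, "victim@example.test", "555-0100", "victim-pw", True)
    out["hard_second_register"] = h.register(ssn, "thief@example.test", "555-0199", "thief-pw", True)
    out["hard_victim_login"] = h.login(ssn, "victim-pw")
    out["hard_thief_login"] = h.login(ssn, "thief-pw")
    out["hard_bogus_approve"] = h.approve("not-a-real-token")
    return out


if __name__ == "__main__":
    print(demo())
```

In the vulnerable model the second `register` returns `"rebound"`, the victim's password stops working and the attacker's works; in the hardened model it returns `"pending"`, the victim keeps access, and only a token delivered to the old email can complete the change. The hardened variant is one option, not a claim about what Experian does; a real system would also need a delayed lost-access path for owners who no longer control the old address.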
How to fix (Score:1)
A good way to fix this issue with credit companies having this weird power over you is to not pay bills and so on. I have a bunch of bills from services not rendered, such as ambulances who came to a minor car accident and did nothing, contractors who didn't finish the job, and illegal fees and taxes my county created to cover miscellaneous overruns my taxes already paid for and to pad their buddies' pockets.
Re: (Score:2)
A good way to fix this issue with credit companies having this weird power over you is to not pay bills and so on.
How does this work, and why isn't your credit ruined by not paying bills you have chosen to dispute?
It's not like any of us *chooses* or wants to actively do business with the likes of Experian.
Re: (Score:1)
I don't use credit or debt.
Re: (Score:3)
Here's my front-page submission do-over: (Score:3)
Here's the scam, now that I understand better: North Korean agents set up shop in eithe
Re: (Score:2)
Re: (Score:3)
Credit freeze is free in the US. There are bureau-specific alternatives to freezing that they may try to sell you on instead, but a credit freeze is free by law in all 50 states.
It also wouldn’t help here. Someone would still be able to hijack your account at the bureau and then lift your freeze.
Re: (Score:1)
Re: (Score:1)
Liability is urgently needed (Score:3)
Say, $500 to anybody that has their data stolen, as default, no court proceedings and no proof of damage needed. If more damage, triple damages to be paid.
Maybe that would make cretins like these pay some attention to security. As it is, nothing seems to happen even for having the most shoddy security imaginable.
Re: Liability is urgently needed (Score:2)
Re: (Score:2)
As Frank Abagnale has made clear, once identity has been established, there is no longer any reason to keep any of this information on file.
"But I lost my phone. And I forgot my password. Can't you puleeeze help me out just this once?" [Sounds of woman sobbing, dog barking, numerous hungry children crying in the background].
"Well, OK. Just this once."
[I got your identity, sucka!]
Re: (Score:2)
I have a new phone number every time I move (so 1 or 2x a year for the past 13 years; except the last 2 -- no idea where to move next).
I really wish that companies would stop tying things to phone numbers.
Re:What on Earth is an "Experian"? (Score:4, Informative)
Experian [wikipedia.org] is a multinational company that is one of the "Big Three" credit bureaus in the US. The Big Three make most of their money from selling a rating of individuals' creditworthiness to companies that are considering a loan to the individual, with a secondary line of business supporting employment screening. Individuals who have accounts with these companies typically use them to monitor the information underlying the company's credit rating (loans, employment, address, and similar) for that individual.
Re: (Score:2)
Experian is a legal and professional doxing service bureau. They collect data on people all over this nation and everywhere I'm sure, and then lose (loose? lil both?) it to the internet to be published for all to see your domestic and financial details.
All the banks love it so you know it will make you wealthy. You want to be wealthy and have the latest things don't you? Gotta put a little in the Experian, Equifax and TransUnion kitty and then let them have their way with you. Grease that social----
Re: (Score:3)
You're complaining that it's possible for people to "become you" by learning your personal information when performing identity theft, but to steal your house all you need is to take a fake ID to a notary to transfer ownership of the house to someone else.
Really, the only way around this is requiring a real person to provide biometric information to another real person, in a way that can't be faked (such as checking for contact lenses when you sign up for worldcoin), but given that the average person is not i
Re: (Score:2)
The mark on the hand and forehead should work well enough.
I'm not complaining that (Score:2)
I'm overexaggerating for effect that a company that is "trusted" with your information is still respected by financial institutions that lend money. Doesn't seem all that sound. Also, that if they lose this information or make it free then they're giving away some of their proprietary IP.
My info's been released several times now. I accept it (why I should have to is the infuriating part) and hope for the best. Clearly, the companies that hold all that data aren't interested in keeping it to themselves. N
Re: (Score:2)
a company that is "trusted" with your information is still respected by financial institutions that lend money.
That's their problem. not mine.
Bring it up sometime in a secure banking situation, say while getting a loan.
Why would I? The bank can read chicken entrails for all I care.
If the bank thinks they can collect on a load that I didn't take out, that's between them and Experian.
Re: (Score:2)
load
loan.
Although I'm not certain they are exclusive.
Re: (Score:2)
Hehe. Yes. I got no argument with that.
Re: (Score:2)
They normally flip it, to take money from some poor fool (or hedge fund), and then take off with the money.
Re: (Score:2)
It sounds more like blackmail to me.
"Either you create an account and establish a business relationship with us (including the onerous TOS which allows us to sell your data and prohibits you from filing suit for damages) or we'll look the other way while some offshore scammer grabs your identity."
'Constantly evolving' (Score:2)
At this point, I’ve concluded that the small criminal gangs engaging in this stuff are actually doing us a favor. Without them, companies and governments would engage in near-zero effort to improve their systems. Basically, they’re providing immune-system training services to our computational ecosystem.
Re: (Score:2)
Means "we only fix stuff after there's a big enough problem to cause real trouble."
Big enough to cause trouble equates to "we only care when the cost of a potential lawsuit exceeds the costs necessary to fix the problem."
Re: (Score:2)
Corporate Personhood (Score:5, Insightful)
Re: (Score:3)
Experian should have gotten the corporate death penalty during their first breach. Unfortunately they do actually provide an important service. It is easy to complain about how much power they have, but nobody has figured out a better solution.
I say this after my wife's credit score was decimated yesterday because a store's credit card issuer only allows direct payment after the second billing cycle, even if you have electronic statements. In this case it is the card issuer that is corrupt, not the credit b
Paper (Score:2)
Signing up, and submitting information over the net to get my 'free credit report' just sounded brok
So the issue is... (Score:2)
So the issue is if a "bad actor" has your SS# and a passing knowledge of your history (former employers, residences, etc.) they can "trick" the credit bureaus into sharing your private financial records, right?
In other words, just an SS# alone won't suffice...
I mean, it's not great, but they have to start with your correct SS#, without your SS# they can't get anything on you, right?
Re: (Score:3)
Not likely. Take a look at Spokeo and the like and what you can dig up on someone with only their name and a vague idea where they live currently. That's all the answers to the "security" questions. It also narrows down the possibilities for the first 5 digits of their SSN to at most two dozen; all I need from there is to find the last 4 in one of the data-breach databases floating around out there. That's assuming their full SSN hasn't made its way into one of those databases; if that's happened I don't e