Credit freezes are the best way to prevent new account fraud, where criminals open bogus accounts in your name. But one credit bureau’s site made it distressingly easy to circumvent the security that’s supposed to keep your credit reports safe.
Experian’s site exposed the personal identification numbers — the PINs needed to thaw credit freezes — after users answered their security questions with a blanket answer: None of the above.
More than a year ago, security expert Brian Krebs reported a similar flaw. At that point, people had to correctly answer the four “knowledge-based authentication” questions used to identify them. The problem with this method, according to Krebs, is that the personal information needed to successfully guess the answers is readily available online through commercial as well as criminal sites.
But for several hours Thursday — and for who knows how long before that — you didn’t even have to guess.
A reader alerted us to this issue, and several of us who had credit freezeswere able to replicate it. We asked our followers on Facebook and Twitter and heard from others who also got access to their PINs.
Flaw in the normal process
To get the numbers, people filled out the form on Experian’s PIN retrieval page with a person’s name, address, Social Security number and date of birth — exactly the kind of information that was compromised in last year’s Equifax breach, and that’s readily available for sale on the dark web. The form required an email address, which didn’t necessarily have to be the one associated with the person’s Experian account. Answering “none of the above” to the security questions — even if some of the proffered answers were correct — gave access to that person’s PIN.
With the PIN, anyone can thaw that person’s credit freeze and apply for credit in their name.
Consumer advocate Mike Litt was also able to retrieve his PIN using the flaw. “There is absolutely no excuse for this,” says Litt, campaign director for U.S. PIRG, a public interest advocacy organization. “How do you just leave the keys to the door on top of the welcome mat?”
An Experian spokesman issued a statement Thursday afternoon that said, “While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”
Error messages kick in
By late Thursday, many of us started getting the error messages that our responses should have generated in the first place. We were directed to mail Experian our identifying information, such as copies of our driver’s license, utility bills and Social Security card.
The U.S. mail, in case this needs to be said, is not a safe way to transmit such information. But since these details are likely in criminal hands already, we’ll leave that for now.
This is yet another reminder that we need to keep monitoring our credit reports and scores for fraudulent accounts, even if we have credit freezes in place — as we still should.
What’s really distressing is that security freezes are supposed to be one of the few effective bulwarks people can put up against fraud. That’s why security experts have recommended them for years, and why Congress finally made freezes and thaws free starting Sept. 21.
The ease with which this essential protection could be thwarted tells us that the credit bureaus still aren’t taking the security of our information seriously enough.
Staff writer Bev O’Shea contributed to this report.