KrebsOnSecurity has heard from two readers in the past month whose accounts at big-three consumer credit bureau Experian were hijacked and updated with a new email address that wasn’t theirs. In both cases, the readers had used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.
John Turner is a software engineer based in Salt Lake City. Turner said he created his account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for that account.
Turner said that in early June 2022 he received an email from Experian stating that the email address on his account had been changed. Experian’s password reset was useless at that point because any password reset links would be sent to the new (scammer’s) email address.
After a long wait, Turner reached an Experian support person by phone, who asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and the answers to his secret questions. But the PIN and secret questions had already been changed by whoever had re-registered his account at Experian.
“I was able to successfully answer the credit report questions, which approved me on their system,” Turner said. “At that point, the representative read me the current stored security questions and the PIN, and they were definitely not things I would have used.”
Turner said he was able to regain control of his Experian account by recreating it. But now he wonders what else he can do to prevent the account from being hijacked again, because Experian does not offer any kind of multi-factor authentication option on consumer accounts.
“The most frustrating part about this whole thing is that I got several ‘this is your login info’ emails later, which they attributed to the original attackers who went back and tried to use the ‘forgot email/username’ flow, most likely using SSN and DOB, but it didn’t go to the email they were expecting,” Turner said. “Because Experian doesn’t support two-factor authentication of any kind – and I don’t know how they got into my account in the first place – I’ve felt pretty helpless ever since.”
To be clear, Experian does have a business unit that sells one-time password services to businesses. But it does not offer this directly to consumers who have signed up to manage their credit file on the Experian website.
Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered that his Experian account had been hijacked after receiving an alert from a credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.
Rishi said the alert surprised him because his Experian credit file was frozen at the time, and Experian had not notified him of any activity on his account. Rishi said Chase agreed to cancel the unauthorized account request and even canceled the credit inquiry (each credit pull can ding your credit score a little).
But he was never able to get anyone from Experian support to answer the phone, despite spending what seemed like an eternity trying to advance through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.
“I was able to open a new Experian account starting from scratch, using my SSN, date of birth, and answering some really basic questions, like what kind of car I got a loan for, or what city I used to live in,” Rishi said.
Upon completing the registration, Rishi noticed that his credit file was frozen.
Like Turner, Rishi is now worried that identity thieves will hijack his Experian account again, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 per month to closely monitor his account for any suspicious activity. Even with Experian’s paid service there were no additional multi-factor authentication options, though he said Experian recently sent a one-time code to his phone via SMS when he logged in.
“Experian now sometimes requires MFA for me if I’m using a new browser or running my VPN,” Rishi said, but he wasn’t sure whether Experian’s free service would behave differently.
“I get so angry when I think about all this,” he said. “I have no confidence that this will not happen again.”
In a written statement, Experian suggested that what happened to Rishi and Turner was not a common occurrence, and that its identity verification and security practices go beyond what is visible to the user.
“We believe these are isolated fraud incidents using stolen consumer information,” Experian said in a statement. “Specific to your question, once an Experian account is created, if someone tries to create a second Experian account, our systems will notify the original email on file.”
“We go beyond relying on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to gain access to our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytics capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our customers and to provide additional layers of protection. We take consumer privacy and security very seriously, and we are constantly reviewing our security processes to protect against the persistent and evolving threats posed by fraudsters.”
KrebsOnSecurity sought to replicate Turner and Rishi’s experience – to see if Experian would allow me to recreate my account with my personal information but with a different email address. The experiment was conducted from a different computer and Internet address than the one that created the original account years ago.
After I provided my SSN and date of birth and answered several multiple-choice questions whose answers are drawn almost entirely from public records, Experian immediately changed the email address associated with my credit file. It did this without first confirming that the new email address could receive messages, or that the holder of the previous email address agreed to the change.
The Experian system then sent an automated message to the original registered email address, stating that the account’s email address had been changed. The only recourse Experian offered in the alert was to log in, or to write to an Experian mailbox that replies automatically with “This email address is no longer being monitored.”
Experian then asked me to select new secret questions and answers, as well as a new account PIN, effectively wiping the account’s existing PIN and recovery questions. Once I had changed the PIN and security questions, Experian helpfully reminded me that I had a security freeze on file, and asked whether I wanted to remove or temporarily lift it.
How do Experian’s practices differ from those of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity attempted to recreate an existing TransUnion account using my Social Security number, TransUnion rejected the application, stating that I already had an account, and prompted me to proceed with the lost-password flow. It also appears that the company sends an email to the address on file asking to validate any account changes.
Likewise, attempting to recreate an existing Equifax account using personal information associated with my existing account prompted Equifax’s systems to report that I already had an account, and to direct me to its password reset process (which involves sending a verification email to the address on file).
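The comparison above describes two very different registration flows: one that binds a second signup to an identity already on file, and one that refuses it and falls back to the address already on file. As an added example that is not any bureau’s code, here is a minimal Python model of the safer flow: a repeat signup for a known identity is refused and only triggers a reset link to the email on file, and an email change takes effect only after the new address proves it can receive mail while the old address is warned. All names, tokens and sample values are constructed.

```python
# Added example (not the code of Experian, TransUnion or Equifax): a minimal model of the
# registration and email-change behaviour described above. All names and values are constructed.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

def identity_key(ssn: str, dob: str) -> str:
    """Index accounts by a hash of the identity elements (a real system would use a keyed HMAC)."""
    return hashlib.sha256(f"{ssn}|{dob}".encode()).hexdigest()

@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None

@dataclass
class Registry:
    accounts: Dict[str, Account] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)

    def register(self, ssn: str, dob: str, email: str) -> str:
        """Create an account, or refuse if this identity already has one."""
        key = identity_key(ssn, dob)
        if key in self.accounts:
            # Second signup for the same identity: do not bind the applicant's email; the only
            # way forward is a reset link sent to the address already on file.
            self.outbox.append((self.accounts[key].email, "password reset link"))
            return "existing_account_reset_sent"
        self.accounts[key] = Account(email=email)
        return "created"

    def request_email_change(self, ssn: str, dob: str, new_email: str) -> str:
        """Stage an email change; nothing changes until the new address confirms."""
        acct = self.accounts[identity_key(ssn, dob)]
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        self.outbox.append((new_email, f"confirm change: {acct.pending_token}"))
        # Warn the current address so the legitimate owner can object before it takes effect.
        self.outbox.append((acct.email, "email change requested; reply to cancel"))
        return acct.pending_token

    def confirm_email_change(self, ssn: str, dob: str, token: str) -> bool:
        """Apply the staged change only with the token that was mailed to the new address."""
        acct = self.accounts[identity_key(ssn, dob)]
        if acct.pending_token is None or not secrets.compare_digest(token, acct.pending_token):
            return False
        acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        return True
```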
KrebsOnSecurity has long urged readers in the United States to freeze their files with the three major credit bureaus. With a freeze in place, potential creditors cannot pull your credit file, making it less likely that anyone will be granted new lines of credit in your name. I have also advised readers to plant their flag at all three major bureaus, to prevent identity thieves from creating an account in your name and taking control of your identity.
The experiences of Rishi, Turner, and this author indicate that Experian’s practices are currently undermining each of these proactive security measures. Even so, having an active Experian account may be the only way to find out if scammers have assumed your identity, because at least then you should get an email from Experian saying that it has handed your identity to someone else.
In April 2021, KrebsOnSecurity revealed how identity thieves exploited lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any email notification when the freeze PIN was retrieved, and did not require that the PIN be sent to an email address already associated with the consumer’s account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
Emory Roane, a policy advisor at Privacy Rights Clearinghouse, said Experian’s failure to offer multi-factor authentication for consumer accounts is inexcusable in 2022.
“They exacerbate the problem by basing the recovery process on information that may or may not be inferred from third-party data brokers, or that could have been exposed in previous data breaches,” Roane said. “Experian is one of the largest consumer reporting agencies in the country, and is trusted as one of the few major players in the credit system that Americans are forced to join. For them not to offer some form of (free) MFA is baffling. And it reflects very poorly on Experian.”
Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers, the banks and other lenders, choose to vote with their feet because so many people with frozen credit files are having to deal with unauthorized requests for new credit.
“The real customers of the credit service don’t realize how bad Experian’s condition is, and this isn’t the first time Experian has failed horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and someone takes out a loan against it, it’s the lender who eats that fraud cost.”
Unlike consumers, he said, lenders have a choice in which of the three companies to handle their credit checks.
“I think it’s important to note that real customers have a choice, and they should switch to TransUnion and Equifax,” he added.
More Greatest Hits From Experian:
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Consumers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service