Houston, Texas, USA: Credit bureau Experian’s process to retrieve a PIN that safeguards a frozen Experian credit report had a security defect, making it easier for a fraudster to potentially get the PIN, unfreeze the report and open new accounts in someone else’s name, the company said in a statement.
“While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure,” the company said. “We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”
NerdWallet first reported on the flaw after one of its readers alerted the personal finance website.
Experian has since addressed the issue, the company said. But the company has not said how long the defect was in place or whether it will issue new PINs.
Experian’s site exposed the personal identification numbers — the PINs needed to thaw credit freezes — after users answered their security questions with a blanket answer: None of the above.
But for several hours Thursday — and for who knows how long before that — you didn’t even have to guess.
A reader alerted us to this issue, and several of us who had credit freezes were able to replicate it. We asked our followers on Facebook and Twitter and heard from others who also got access to their PINs.
To get the numbers, people filled out the form on Experian’s PIN retrieval page with a person’s name, address, Social Security number and date of birth — exactly the kind of information that was compromised in last year’s Equifax breach, and that’s readily available for sale on the dark web. The form required an email address, which didn’t necessarily have to be the one associated with the person’s Experian account. Answering “none of the above” to the security questions — even if some of the proffered answers were correct — gave access to that person’s PIN.
With the PIN, anyone can thaw that person’s credit freeze and apply for credit in their name.
Consumer advocate Mike Litt was also able to retrieve his PIN using the flaw. “There is absolutely no excuse for this,” says Litt, campaign director for U.S. PIRG, a public interest advocacy organization. “How do you just leave the keys to the door on top of the welcome mat?”
An Experian spokesman issued a statement Thursday afternoon that said, “While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”
By late Thursday, many of us started getting the error messages that our responses should have generated in the first place. We were directed to mail Experian our identifying information, such as copies of our driver’s license, utility bills and Social Security card.
The U.S. mail, in case this needs to be said, is not a safe way to transmit such information.
This is yet another reminder that we need to keep monitoring our credit reports and scores for fraudulent accounts, even if we have credit freezes in place — as we still should.
What’s really distressing is that security freezes are supposed to be one of the few effective bulwarks people can put up against fraud. That’s why security experts have recommended them for years, and why Congress finally made freezes and thaws free starting Sept. 21.
The ease with which this essential protection could be thwarted tells us that the credit bureaus still aren’t taking the security of our information seriously enough.
A credit freeze prevents lenders from pulling a person’s credit report, an essential part of the approval process for a credit card or loan. Freezing your credit reports at Experian, Equifax and TransUnion – the national credit bureaus – helps thwart criminals from opening fraudulent accounts in your name.
When you put a credit freeze in place, you’re either issued or you choose a PIN. At Experian, you need this PIN to unfreeze your credit if you want to apply for new credit such as a mortgage. If you’ve forgotten your PIN, Experian allows you to retrieve it by answering four security questions based on information the company has on file for you, such as:
• What year is the model of the car you purchased or leased before March 2018?
• Which one of the following streets have you lived on?
• How much do you pay each month for your mortgage?
Each question has four possible answers including “None of the above.”
Because of the flaw, if you – or say, a fraudster – answered all four questions with “None of the above,” Experian spit out the PIN, said Mike Litt, consumer campaign director at U.S. PIRG, a consumer advocacy organization.
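The retrieval check described above, modelled as an added example that is not Experian's code: the article does not say what caused the defect, so the broken verifier here assumes one plausible mechanism (treating "None of the above" as an unanswered question rather than a wrong one) and sits beside a verifier that compares every answer to the option on record and falls back to manual, document-based review on any failure. The question prompts are quoted from the article; the fourth prompt and all option values are constructed.

```python
# Constructed model of a knowledge-based authentication (KBA) check for PIN
# retrieval, written for this page; it is not Experian's code.
from collections import namedtuple

NONE_OF_THE_ABOVE = "None of the above"
# prompt: text shown; options: the four choices; correct: the one on record
Question = namedtuple("Question", "prompt options correct")

def verify_kba_broken(questions, answers):
    """Assumed failure mode: 'None of the above' is skipped rather than checked,
    so a submission of all 'None of the above' never fails a single question."""
    for q, a in zip(questions, answers):
        if a == NONE_OF_THE_ABOVE:
            continue              # BUG: treated as 'no answer', never as wrong
        if a != q.correct:
            return False
    return True

def verify_kba_fixed(questions, answers):
    """Every answer, 'None of the above' included, must equal the stored
    correct option; a short or malformed answer set fails closed."""
    if len(answers) != len(questions):
        return False
    return all(a in q.options and a == q.correct
               for q, a in zip(questions, answers))

def pin_retrieval_decision(questions, answers, verify=verify_kba_fixed):
    """Release the PIN only on a full KBA pass; otherwise route to the manual,
    document-based review the article describes."""
    return "release_pin" if verify(questions, answers) else "manual_review"

# Constructed sample: the first three prompts are quoted from the article; the
# fourth prompt and every option value are made up for the example.
QUESTIONS = (
    Question("What year is the model of the car you purchased or leased before March 2018?",
             ("2012", "2015", "2017", NONE_OF_THE_ABOVE), "2015"),
    Question("Which one of the following streets have you lived on?",
             ("Elm St", "Oak Ave", "Pine Rd", NONE_OF_THE_ABOVE), "Oak Ave"),
    Question("How much do you pay each month for your mortgage?",   # a renter
             ("$900", "$1,400", "$2,100", NONE_OF_THE_ABOVE), NONE_OF_THE_ABOVE),
    Question("Which of these phone numbers have you used? (constructed)",
             ("555-0100", "555-0150", "555-0199", NONE_OF_THE_ABOVE), "555-0100"),
)
HONEST = ("2015", "Oak Ave", NONE_OF_THE_ABOVE, "555-0100")   # the real consumer
ALL_NONE = (NONE_OF_THE_ABOVE,) * len(QUESTIONS)              # the shortcut in the article
```

Note that the fixed verifier still accepts "None of the above" when that is genuinely the answer on record (the mortgage question for a renter), so the fix is exact comparison, not banning the option.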
“At first I thought: ‘You’ve got to be kidding me,’ and then I tried it myself,” Litt said. “What’s concerning about this is that one of our best lines of defense (against identity theft) has a flaw.”
Now that the flaw’s been addressed, if you answer “None of the above” to all the security questions, Experian generates a message that it can’t process the request. The company instead instructs you to mail copies of identifying documents such as your driver’s license, utility bills or bank statement, and Social Security card to get your PIN.
TransUnion and Equifax recently did away with PINs. While they both give a PIN after you freeze your credit report, you just need an account username and password to unfreeze their reports online.
Even though Experian quickly responded to the PIN issue once it was raised, Litt worries the defect could have been around for quite some time.
There’s also no indication Experian will issue new PINs.
“If you can’t request a new PIN, that means consumers continue to be at risk,” Litt said. “We don’t know how long thieves had been harvesting these PINs and sitting on them.”
The flaw’s discovery comes just over a year after Equifax disclosed a massive data breach that compromised personal data of 148 million Americans. It also follows the enactment of a new federal law on Sept. 21 mandating free credit freezes for everyone.
More than a year ago, security expert Brian Krebs reported a similar flaw. At that point, people had to correctly answer the four “knowledge-based authentication” questions used to identify them. The problem with this method, according to Krebs, is that the personal information needed to successfully guess the answers is readily available online through commercial as well as criminal sites.