Identity Thieves Bypassed Experian Security To View Credit Reports (krebsonsecurity.com)

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus, Brian Krebs reported Monday. From the report: Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number. In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

"I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle," Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. "If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others." Kushnir said the crooks learned they could trick Experian into giving them access to anyone's credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian's identity verification process.
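The weakness Krebs describes is a multi-step verification flow in which the server did not check that the question step had actually been passed before serving the report. As an added illustration (not Experian's code; the step names, the sample answers and the identifying values are assumptions), here is the difference between a report handler that trusts the URL and one that checks the session's server-side record of completed steps:

```python
"""Added illustration, not Experian's code: a verification flow where the server
records which steps a session has passed and refuses to serve the report unless
every prior step was completed, so requesting the report URL directly is rejected."""
from dataclasses import dataclass, field

# Hypothetical step order; the page only says one step could be skipped via the URL.
FLOW = ("identify", "kba_questions", "report")


class FlowError(Exception):
    """Raised when a request arrives out of order or with wrong answers."""


@dataclass
class Session:
    completed: set = field(default_factory=set)


def _require_prior_steps(session, step):
    """Server-side check that every step before `step` has been passed."""
    for prior in FLOW[: FLOW.index(step)]:
        if prior not in session.completed:
            raise FlowError(f"step '{prior}' not completed before '{step}'")


def identify(session, name, address, dob, ssn):
    """Step 1: collect identifying data; knowing it is not proof of identity."""
    _require_prior_steps(session, "identify")
    session.completed.add("identify")


def answer_questions(session, answers, expected):
    """Step 2: the multiple-choice questions about financial history."""
    _require_prior_steps(session, "kba_questions")
    if answers != expected:
        raise FlowError("knowledge-based answers incorrect")
    session.completed.add("kba_questions")


def report_trusting_url(session):
    """Weak handler: assumes the browser only reaches this URL after step 2."""
    return "credit report"


def report_checked(session):
    """Hardened handler: re-checks the server's own record of completed steps."""
    _require_prior_steps(session, "report")
    return "credit report"
```

The hardened handler works because the record of passed steps lives in the server's session, not in anything the browser sends back.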

  • I think I predicted this one.

    • Do you also like bragging that you predicted the sun would come up tomorrow?

      • For the benefit of idiots, or the complicit, who either way would say it's impossible, yes, it's important to remind them of the score.

  • by Software ( 179033 ) on Monday January 09, 2023 @10:27AM (#63191928) Journal
    Experian and Equifax both make credit freezes simple to set up (I had less luck with TransUnion). It takes about 10 minutes for each site and they can be unfrozen very quickly (from my recent experience, within 1 business day). They are now free for everyone.
    • Re: (Score:3, Interesting)

      by Scutter ( 18425 )

      Credit freezes wouldn't be necessary if the bureaus were doing their jobs. And at this point, I have no reason to believe that they're actually freezing it or that it can't just as easily be unfrozen by a threat actor.

      • Credit freezes wouldn't be needed if I could invoke some rights and have privacy. There is no reason for credit agencies to have a record on me. I do not use nor do I need credit.

        • Many people would be better off without access to credit other than a home mortgage. About 40% of consumers are unable to use credit responsibly. They get into debt, buying things they don't need, and then pay exorbitant rates to keep from falling further behind.

      • Comment removed based on user account deletion
• At some point, the only proper approach for governments to ensure proper security practices are implemented and followed when someone screws up this badly is to jail the responsible executives for criminal negligence, and shut the offending company down permanently.

          Hear hear! I'd take a more graduated response - jail the first time and dissolve the company the second time - but I could be talked into your plan.

          Yes, sadly, that ends up putting a lot of innocent people out of work...

          I'm not sure that's true. Presumably there's an ongoing demand for the service, so most of the people who get their walking papers should be able to find jobs with existing competitors and/or whoever starts a new company to fill the void.

        • by dfm3 ( 830843 )

          Everyone with an Experian account, time to update your password...

          you actually have an account with them? I'm going to bet that the vast number of consumers don't. Oh, right, we're not their customers, we're their product...

Besides, how can I change my "password" when in Experian's eyes my password is "name, address, birthday and Social Security number"?

    • by Maven0 ( 1673268 ) on Monday January 09, 2023 @10:51AM (#63192024)

You should look into what it takes to unfreeze the credit. I recently needed to unfreeze mine after 7 years and I found out that it no longer required the PIN number that they told me was required 7 years ago when I set it up. I am very disappointed. All 3 credit bureaus. This is all so much Bullshit... I hate that we are so exposed to things we have zero control over and have a huge impact on our lives.

      • You could reframe credit as a shortcut with a high cost.

        Both in terms of privacy and financial ruin.

        Faster, easier, more seductive.

• Curious, what did you provide that allowed an unfreeze without the PIN? I too was under the impression you had to have the PIN short of showing up in person with ID to prove you wanted to unfreeze.
    • by thomn8r ( 635504 )

      Experian and Equifax both make credit freezes simple to set up (I had less luck with TransUnion). It takes about 10 minutes for each site and they can be unfrozen very quickly (from my recent experience, within 1 business day). They are now free for everyone.

      Found the damage-control drone.

      From my personal experience, it's a lot bigger PITA than "about 10 minutes for each site," particularly to un-freeze it.

    • I do not deal with extortion racketeers. Equifax is a criminal organization, plain and simple. The entire credit industry is. I will have nothing to do with it. Give them nothing. Never, ever visit their website or call them. Give them zero data. Zero!
  • Is that all? (Score:5, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday January 09, 2023 @10:54AM (#63192038) Homepage Journal

    All that was needed was the person's name, address, birthday and Social Security number.

    Experian refuses to give me my credit report as legally mandated because they don't agree with my current or former addresses, due to identity theft. When I try to get my free credit report, they show me a bunch of addresses I'm supposed to verify, and I haven't lived at any of them: literally none. Experian is a libel factory.

    • Who's modding to defend the criminals at Experian? Kanye, is that you?

      • Probably the same guy who mods me down whenever I point out conspicuous incidents of the FBI committing crimes.

      • by khchung ( 462899 )

        There are mods who mod down based on poster, regardless of the content of the post.

        I have been modded down more than once for posting facts with links before.

        • I was downmodded for a different comment around the same time, I'm pretty sure that person decided I needed another downmod. It's a common pattern, and a convenient way to use up mod points.

          I've also long noticed that comments critical of anything even related to capitalism get moderated down here, it's something of a tradition.

    • I'm sorry this happened to you. It's possible to fix, but it will take time and effort. Roughly, you need to send them snail mail to their legal department threatening action under the Fair Credit Reporting Act in order to get the attention of someone who will actually fix it. Patrick McKenzie goes into more details in this article [kalzumeus.com].

  • I keep getting phishing spam like this:

    Unbelievable News! Your New January 2023 Scores just hit an all-time high

    The fact they haven't been shut down yet after many months is (well not really) baffling.
  • by SoCalChris ( 573049 ) on Monday January 09, 2023 @11:41AM (#63192244) Journal

    We've all got another $5 check coming in several years from the upcoming class action against them. That'll show these credit reporting companies that they need to be careful with our information!

    • by PPH ( 736903 )

To you and me it's $5. To the attorneys running the class action suit, it's several hundred million.

      • by Slayer ( 6656 )

If those 8-digit numbers had to be paid by these companies, they might eventually stop their malpractice. What I am afraid of, though: they don't even pay all that much to these lawyers and effectively get off scot free.

        • by G00F ( 241765 )

Worse, it's the cost of doing business and they just find ways to extract more money ... and the bottom of that pyramid is you and me.

• They could probably reset your account, so who cares? If thieves have your name, SSN and birthday, it's game over. They probably aren't going to access your credit report first, they are going to open up as many credit accounts as they can and steal money.
    • by guruevi ( 827432 )

      You shouldn't be able to open credit accounts with publicly available information. I have never been able to open a credit line without a much higher level of authentication, you don't even need a valid SSN to open many bank/credit accounts although it helps in the stack of authentications.

      • You can get into most websites with that info, sure most people have SMS auth, so they will be able to detect an intrusion but still, you have that and you are good to go.
  • That's It! (Score:5, Insightful)

    by organgtool ( 966989 ) on Monday January 09, 2023 @01:17PM (#63192666)
    I'm ceasing all business I have with Experian!

Oh, that's right - I don't choose to do business with them but they're allowed to demand access to my sensitive financial data and are almost completely devoid of consequences when they divulge that data to unauthorized parties. Why are any of these clowns allowed to operate when they consistently prove that they can't be trusted to secure our data? Never mind, we all know why.
  • by Anonymous Coward

    https://innovis.com/ [innovis.com]

• Experian needs to be shut down already. I never got my 125 dollars from the last breach. This company is just a security mess.
  • Susan Mauldin is a music composer who ran Equifax as CIO.

  • There should be a law:

    IF you have data that can be used for identity theft
    AND you let it leak
    THEN you owe the government a fine of (say) $100 per data set leaked

    No class action lawsuit, no pay for a year of credit monitoring and get off scot free.

  • ..are calculated differently by each company, using a proprietary algorithm you are not allowed to know
    They have been shown to be biased, with no consequences .. and if they get anything wrong then there is no comeback ...

They are sitting on a licence to print money, and screw anyone they want to.
