Identity Thieves Bypassed Experian Security To View Credit Reports (krebsonsecurity.com) 40
Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureausBrian Krebs reported Monday. From the report: Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number. In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.
"I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle," Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. "If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others." Kushnir said the crooks learned they could trick Experian into giving them access to anyone's credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian's identity verification process.
"I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle," Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. "If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others." Kushnir said the crooks learned they could trick Experian into giving them access to anyone's credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian's identity verification process.
Did I predict this one? (Score:1)
I think I predicted this one.
Re: (Score:2)
Do you also like bragging that you predicted the sun would come up tomorrow?
Re: (Score:1)
For the benefit of idiots, or the complicit, who either way would say it's impossible, yes, it's important to remind them of the score.
Credit freezes are easy and you should do one (Score:4, Informative)
Re: (Score:3, Interesting)
Credit freezes wouldn't be necessary if the bureaus were doing their jobs. And at this point, I have no reason to believe that they're actually freezing it or that it can't just as easily be unfrozen by a threat actor.
Re: (Score:2)
Credit freezes wouldn't be needed if I could invoke some rights and have privacy. There is no reason for credit agencies to have a record on me. I do not use nor do I need credit.
Re: (Score:3)
Many people would be better off without access to credit other than a home mortgage. About 40% of consumers are unable to use credit responsibly. They get into debt, buying things they don't need, and then pay exorbitant rates to keep from falling further behind.
Re: (Score:2)
Re: (Score:2)
At some point, the only proper approach for governments to ensure proper security practices are implimented and followed when someone screws up this badly is to jail the responsible executives for criminal negligence, and shut the offending company down permanently.
Hear hear! I'd take a more graduated response - jail the first time and dissolve the company the second time - but I could be talked into your plan.
Yes, sadly, that ends up putting a lot of innocent people out of work...
I'm not sure that's true. Presumably there's an ongoing demand for the service, so most of the people who get their walking papers should be able to find jobs with existing competitors and/or whoever starts a new company to fill the void.
Re: (Score:1)
Re: (Score:2)
Everyone with an Experian account, time to update your password...
you actually have an account with them? I'm going to bet that the vast number of consumers don't. Oh, right, we're not their customers, we're their product...
Besides, how can I change my "password" when in Experian's eye's my password is "name, address, birthday and Social Security number"?
Re: (Score:1)
Re:Credit freezes are easy and you should do one (Score:5, Interesting)
You should look into what it takes to unfreeze the credit. I recently needed to unfreeze mine after 7 years and I found out that it no longer required the pin number that they told me was required 7 years ago when i set it up. I am very disappointed. all 3 credit bureaus. This is all so much Bullshit... I hate that we are so exposed to things we have zero control over and have a huge impact on our lives.
Re: (Score:2)
You could reframe credit as a shortcut with a high cost.
Both in terms of privacy and financial ruin.
Faster, easier, more seductive.
Re: (Score:2)
Re: (Score:3)
Experian and Equifax both make credit freezes simple to set up (I had less luck with TransUnion). It takes about 10 minutes for each site and they can be unfrozen very quickly (from my recent experience, within 1 business day). They are now free for everyone.
Found the damage-control drone.
From my personal experience, it's a lot bigger PITA than "about 10 minutes for each site," particularly to un-freeze it.
Re: (Score:2)
Is that all? (Score:5, Interesting)
All that was needed was the person's name, address, birthday and Social Security number.
Experian refuses to give me my credit report as legally mandated because they don't agree with my current or former addresses, due to identity theft. When I try to get my free credit report, they show me a bunch of addresses I'm supposed to verify, and I haven't lived at any of them: literally none. Experian is a libel factory.
wtf (Score:1)
Who's modding to defend the criminals at Experian? Kanye, is that you?
Re: (Score:1)
Probably the same guy who mods me down whenever I point out conspicuous incidents of the FBI committing crimes.
Re: (Score:2)
There are mods who mod down based on poster, regardless of the content of the post.
I have been modded down more than once for posting facts with links before.
Re: (Score:2)
I was downmodded for a different comment around the same time, I'm pretty sure that person decided I needed another downmod. It's a common pattern, and a convenient way to use up mod points.
I've also long noticed that comments critical of anything even related to capitalism get moderated down here, it's something of a tradition.
Re: (Score:2)
I'm sorry this happened to you. It's possible to fix, but it will take time and effort. Roughly, you need to send them snail mail to their legal department threatening action under the Fair Credit Reporting Act in order to get the attention of someone who will actually fix it. Patrick McKenzie goes into more details in this article [kalzumeus.com].
Not hard to do... (Score:2)
Unbelievable News! Your New January 2023 Scores just hit an all-time high
The fact they haven't been shut down yet after many months is (well not really) baffling.
We've got another $5 coming (Score:3)
We've all got another $5 check coming in several years from the upcoming class action against them. That'll show these credit reporting companies that they need to be careful with our information!
Re: (Score:2)
To you and I it's $5. To the attorneys running the class action suit, its several hundred million.
Re: (Score:2)
If those 8 digit numbers had to be paid by these companies, they might eventually stop their malpractice. What I am afraid of, though: they don't even pay all that much to these lawyers and effectively get off scott free.
Re: (Score:2)
worse, it's the cost of doing business and they just fine ways to extract more money ... and the bottom of that pyramid is you and me
If they have all that info (Score:2)
Re: (Score:1)
You shouldn't be able to open credit accounts with publicly available information. I have never been able to open a credit line without a much higher level of authentication, you don't even need a valid SSN to open many bank/credit accounts although it helps in the stack of authentications.
Re: (Score:2)
That's It! (Score:5, Insightful)
Oh, that's right - I don't choose to do business with them but they're allowed to demand access to my sensitive financial data and are almost completely devoid of consequences when they divulge that data to unauthorized parties. Why are any of these clowns allowed to operate when they consistently prove that they can't be trusted to secure our data? Nevermind, we all know why.
Big three?? You mean Big FOUR (Score:2, Informative)
https://innovis.com/ [innovis.com]
Sue Experian to Oblivion (Score:1)
Does this mean Susan Mauldin is needing a new job (Score:2)
Susan Mauldin is a Music composer who ran equfax and as cio
We need statutory damages (Score:2)
There should be a law:
IF you have data that can be used for identity theft
AND you let it leak
THEN you owe the government a fine of (say) $100 per data set leaked
No class action lawsuit, no pay for a year of credit monitoring and get off scot free.
We need statutory jail terms (Score:2)
That's just "the cost of doing business. Jail terms gor the C-suite might work, though.
Credit Scores ... (Score:2)
..are calculated differently by each company, using a proprietary algorithm you are not allowed to know .. and if they get anything wrong then there is no comeback ...
They have been shown to be biased, with no consequences
They are sitting on a licnece to print money, and screw anyone they want to