An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.
The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).
After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!
The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.
What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.
“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).
The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.
In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.
After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.
Here’s a sample of the KBA questions the site asked one reader:
1. Please select the city that you have previously resided in.2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.
3. Which of the following people live or previously lived with you at the address you provided?
4. Please select the model year of the vehicle you purchased or leased prior to July 2017 .
I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.
This is yet another example of how someone or some entity other than the credit bureaus needs to be in put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.
Experian has not yet responded to requests for comment.
While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.
A credit freeze wont stop someone from filing a fraudulent tax return for me. It won’t stop someone from obtaining a drivers license in my name. It wont stop someone from collecting social security benefits on my behalf.
got mine right away all with easy info ?’s YUK
Brian, can you comment on whether there is any notification that goes to the email/address/telephone on file with the existing Experian account?
(Will I know if my PIN has been requested?)
The problem with KBA as it is usually designed is that the relationship between the challenge and the reply is usually much too close. We can mitigate by lying, but that forces us to remember our lies, which is very hard to do!
A “flavor” of KBA that I do like is one where the user chooses BOTH the challenge AND the reply. This allows a more distant relationship between the two. Sadly, this type is very rare, in my experience.
—
Example 1: An acquaintance from Boxborough, Massachusetts was addicted to Lark cigarettes.
Challenge: “Lark”
Reply: “Boxborough”
—
Example 2: Walking to school from our home on El Camino, I had to cross a “shooting gallery” of a street, Del Paso Boulevard.
Challenge: “Del Paso”
Reply: “El Camino”
—
Example 3: A buddy bought a huge set of Noritake porcelain for his fiance. That was my introduction to the Noritake brand.
Challenge: Noritake
Reply: Nancy
You get the idea.
although not mentioned in your excellent article, i wonder if they immediately notify you at the original email address that some activity has just occurred in regard to your security freeze. when i log into, or change passwords with most players on the web, they immediately let me know to verify the authenticity of the activity….i wonder if these companies, making millions everyday from OUR personal information, have the decency to promptly send notices. re: equifax / expirian, where is the justice dept when you need them!?
I noticed these features for PIN recovery when looking for info on credit freezes and was shocked and appalled. Some systems and processes just should not be internet-facing. If a bank doesn’t allow me to view or change my ATM PIN online, then why would we expect a gateway to credit to be any different?
I can change my ATM pin online! 🙂
I have heard that “You’re entitled to receive one free credit report each year from each of the three major credit reporting agencies – TransUnion, Experian and Equifax.”
But Krebs, you have been talking about a 4th credit agency. Can you clarify this for me?
Is this 4th credit agency not a “major” agency?
Are they not included in this “free credit report once each year” offer?
Are there other credit reporting agencies (other than the 4th that you have mentioned) that we need to be aware of that crooks can use to get our credit information and that need to be “monitored”?
Isn’t this lack of “complete” information on sources hazardous to the building, maintaining, controlling and reporting of our credit information?
The fourth credit bureau Brian mentioned is Innovis. I don’t know how large they are but the government mandated site for requesting free once-per-year credit reports does not include them. You have to request the report at their site. Here’s some info and links:
http://www.creditreporting.com/innovis.html
What is a concern is that other credit reporting agencies could pop up at any time in the future with little notice.
The existence of Innovis a while back was a surprise to many, I’m sure. I had no trouble getting a freeze from them.
I second Dsastray ‘s request above
Why not implement some sort of MFA (multi-factor authentication) to retrieve pin and/or to access services to freeze/unfreeze credit reports? Seems like these guys need some real help. Not good…
Seems like they should implement some sort of MFA (multi-factor authentication) to retrieve pins and/or access freeze/unfreeze services for credit reports. These guys need some real help. Not good…
If you’ve placed credit freezes, then become incapacitated, can an agent using your durable power of attorney lift the freezes (assuming he/she has the PIN) if necessary? Anyone know?
I don’t know the answer, but I’d argue there’s no need.
A credit freeze is to prevent you from applying for credit. If you’re disabled, why do you need credit?
Would you be reasonably likely to have future income to be able to pay off such a loan?
If not, you’re probably better off allowing the state to take responsibility for your (health) needs.
The power of attorney would allow for disbursement of assets and entering an institution responsible for your health…
(The answer to the question FWIW is almost certainly “yes”, but as noted above, I don’t see why it should be done.)
POA is definitely discussed in the context of a credit freeze [1]:
«Effective January 1, 2016, a guardian or an agent under a power of attorney
(POA) can put a credit freeze in place for the principal if the principal is
“incapacitated.” N.C.G.S. §§ 75-61, 75-63.1 (2015). Many states have enacted these
“protected consumer” laws in recent years and others are considering them now.
For an overview of the state statutes, see Heather Morton, “Consumer Report
Security Freeze State Laws,” National Conference of State Legislatures, October
12, 2016 [2]»
[1] http://elder-clinic.law.wfu.edu/files/2016/09/Protected-Consumer-Security-Freeze-.pdf
[2] http://www.ncsl.org/research/financial-services-andcommerce/consumer-report-security-freeze-state-statutes.aspx
Just to clarify a comment you made about a disabled person’s need for credit: If you are disabled, you STILL need a place to live. I know of very few landlords or rental agencies who would neglect to get a credit report on a prospective renter. My adult disabled son has his own separate bank accounts that I manage for him as his legal guardian. I applied for a Visa credit card in his name so that he can build credit (for future housing) and so that it is easier to conduct day-to-day transactions, similar to non-disabled people like you and me.
Thanks for the information.
The purpose of a credit freeze is to prevent OTHER people from obtaining
credit in your name so that you do not become a victim of fraud!
It is NOT to prevent you from obtaining credit for yourself!
I also easily obtained the pin. I have contacted Experian agent to complain such insecure practice and ask them to escalate to the top management to fix it as soon as possible. Let’s see how soon that they can fix it. Hoping that not much damage can be done on top of Equifax has done to us.
Just when this whole credit-reporting debacle can’t seem to get any worse …
… IT DOES.
WTF.
I’m appalled to find that Experian’s site is still “up” nearly a WEEK after being reported here.
All of the credit reporting agency buffoons should be prosecuted for gross negligence.
Ok, this might be a really dumb question, but is it possible (and does it make sense) to have both a freeze and fraud alerts set up on our credit reports? I’m thinking then you would at least know when someone was trying to get your credit report. I’m not sure you would know if you only had a freeze. Make sense?
Yes, you can do more than one [1]:
«And for maximum protection, we recommend using both freezes and fraud alerts. As the Equifax breach showed, you can’t be too careful.»
[1] https://www.consumerreports.org/consumer-protection/security-freeze-vs-fraud-alert-deciding-the-best-option/
https://identitytheft.gov/Info-Lost-or-Stolen
Or Google “identity theft ftc .Government stolen”
And click on data breach/Equifax or other options.
Note the .GOV
I contacted the big 3 via phone. Only Experian allowed me to freeze my info via the phone. The other 2 refused. I went online and froze my info with Equifax, was given a 10 digit pin which wasn’t date based. Email not required (one less bit of info for thieves to use). I got a pdf from them which I saved, it contains the pin and confirmation of my freeze.
TransUnion wants an email address so I’ll have to set one up just for them, it will never be used for anything else so if it gets compromised I know who is to blame.
Feel a lot better with the freezes but there is so much data floating around out there and so many ways to use/exploit it, that one must be vigilant – forever.
A question for anyone who can answer it. All three companies list at least two home addresses for me, I only have one. Even when I had moved in the past I never offically noted such. No records exist.
On one report it’s as simple as listing, 123 Smith “Street” as my address but also showing, 123 Smith “St” as an address on their records. This I can understand.
But two reports show two different addresses, same town, same street, different house number. It belongs to a business which one report lists as a multi family residence!
One report lists an address that doesn’t exist! There simply is no such address, street.
How does one correct such stupidity? They changed my SS number in the past, finally got that corrected. I also had them remove a family member’s credit info from my report at one point.
Can’t get them to list my correct name as the only entry though. They have first, middle, last but also middle, first, last and last, middle, first all as names I’ve used.
https://www.consumer.ftc.gov/articles/0151-disputing-errors-credit-reports
In a written letter, tell them of their errors a ND include copies of whatever reports you used to discover the error.
They’re required to investigate and correct any errors brought to their attention.
Placed a freeze with big three and Innovis ten days ago. Equifax and Experian provided immediate PIN, TransUnion by mail arriving a few days later. Nada so far from Innovis, despite statement would mail PIN. Cannot get through to them on phone to inquire. Their website says I can apply for a replacement PIN, but looks to have same vulnerability as Experian. Has anyone else had this problem with Innovis, and were you able to resolve it? Also I agree with Mika above; the bureaus should implement multi-factor ID!
Sessie:
FYI, I too “froze” my Innovis credit report online on Tuesday, 9/12.
The promised “PIN Letter” arrived on Saturday, 9/23.
I filed for a freeze online at Innovis on 9/8 and got the PIN in the mail 9/25. Be patient a few more days and it will probably show up.
Sort of the dumb and dumber solutions from Equifax. I find it difficult to believe a freeze now will help much. I would rather see any potential institution getting false applications for credit under my name to verify better. Otherwise, this information has been out there for months.
So, to disable the possibility of someone obtaining your Security Freeze PIN, go to Experian’s site and deliberately give all the wrong answers to the KBA questions. This locks the possibility and requires a more secure process whereby your PIN will be mailed to your address on file. Yes, a bit of additional work, but far better than having your file unfroze and suffering the consequences.
JLynn:
That’s actually a fairly decent idea IF — AND ONLY IF — doing so actually locks-out any/all subsequent attempts to obtain the PIN.
(i.e. from different sessions initiated from different computers / IP addresses.
Do you have any evidence that it will do so?
I’ve not yet tried … but I will later today … will apprise.
JLW,
No, I’m not 100% certain, from the response I received, it led me to believe the online PIN availability for me is no longer available.
JLynn Cooper’s idea seems very effective: deliberately give incorrect answers to Experian’s KBA questions for changing the PIN to unlock your security freeze. According to JLynn, failing the KBA questions causes your account to be treated using a more secure process, involving mail (not email!) to your address on file. Forcing Experian to use a more secure process is exactly what I want; I don’t actually care about the PIN at all, so long as nobody else can change it. Can anyone see any reason not to use this technique widely?
I combined a freeze with an extended fraud alert that requires I be called and authenticated. But let’s be honest, with the millions that will do nothing why put in the effort against we few who do something.
Ok folks, as promised, here are my test results.
At about 12:30 PM, I attempted to obtain my PIN. I answered all 4 questions incorrectly. PIN was denied; told to mail-in ID.
I then got on a plane and flew to another location.
Using the same computer w/ a different IP (confirmed geolocated to a different state), different e-mail, but using the same laptop …
… I attempted again about 4:30 PM.
This time I answered ONLY TWO of the four questions properly.
AMAZINGLY … I SUCCESSFULLY RECEIVED MY “Freeze” PIN from Experian !!!
This KBA system appears to be MAJORLY FLAWED; and it appears Experian is just as clueless as Equifax.
I’m appalled but unfortunately, not at all surprised.
I’ll try again tomorrow from a 3rd location … in a yet again different state using a completely different computer and post my result.
How much is the IT budget at these financial firms? Not nearly high enough is my guess.
Folks, don’t forget to place a freeze at ChexSystems as well. Most banks in the US rely on them for account opening. Think of it as a credit bureau for your checking account. https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/placefreeze/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziDRxdHA1Ngg18_D1CjAwcXV193I2NvA3dLY31w_EqcDXUj6JEf6AJifrdA_zdgAp8_SyCQ32MDAzMKbMfqACsHwdwNADqj8JrBSgE8CoAeRFVARY_EHJFQW5oaGiEQaZnuqIiAPFFG7E!/dz/d5/L2dBISEvZ0FBIS9nQSEh/
Sharok:
Re: “… Don’t foget ChexSystems … ”
Many thanks for this.
I’d never heard of them before this latest Equifax debacle.
Υou recognbize what Pastror Johansson told uus օn Sunday is that
God really likes worship. Daddy added.
My web sitee :: Jack
As of Monday, 25-Sept, the Experian PIN recovery site is still working.
One way around the issue of KBA — if you use a password management tool that allows for logging of comments, then the tool can be used with KBA questions. It’s really easy to log all the questions and answers, and then select nonsense answers. For that matter, if you want, you can use a password generator to set the answers to be random strings of characters.
With this approach, it doesn’t matter if the answers to the questions are illogical, just so long as *you* know how to answer them. And with the password keeper, you don’t even have to remember answers.
Zork:
Unfortunately these KBA answrers are not “made up” by us, but are tied to our credit report.
For example, some sites may ask for your first car. You answer Lamborgini and you’re up and running w/ a totally ficticious answer.
These ctedit agencies for example ask the model yesr of the car you took out a loan for between 2000 and 2007.
There’s no changing it. There’s no altering it. It IS whatever your loan company reported.
Of course your family and friends know it too … which is a major flaw in this sort of verification.
It won’t help a lot of people and I still loathe KBA’s myself however the system I use is one in conjunction with my password safe.
I attach notes to the safe entries of the questions and answers to reply with..
E.G. What was your Mothers Maiden Name? Real name was say Simpson the answer I put it might be ‘slartybardfast the 42’nd’
It isn’t much, but in my belief helps ameliorate the issue that KBA’s present.
Just saw the comment above mine and noted that this system won’t work in this case.. Le sigh, sorry..
Has anyone been successful at getting equifax to change their security freeze pin post breach?
I tried putting a freeze on all three bureau’s and had no trouble until I got to Experian. I did notice that an earlier post said that they were glad that they “failed” the security questions to verify who they were……. I understand that EXCEPT that I shouldn’t fail my own test? I did. I waited on the phone for over an hour two days in a row. The first day the guy said “our system just went down” can’t help you today, call back !!!!!! Today the young lady couldn’t answer my questions about how I could “fail” my own test, yet I find it disturbing that thieves have no problem pretending that they are me. I verified each answer on two separate tests. Failed both. The second test was with their representative listening to me fill it out. I looked up each answer to be sure that I was answering correctly. I printed out the questions and the answers so that I could be sure that I did it right. The Experian site said ….SORRY…. So the representative said, just wait until you get your pin in the mail. My response was, what if it gets delivered to the neighbor behind me that gets all of my mail????? Then how do I lift the freeze…….GOODNESS GRACIOUS!!!!! This has become CRAZY!