September 21, 2017

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. 

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017.

Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice. Image: Rob Jacques.

I understand that people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the PIN should be sent via snail mail to the address on the credit record, not via email to any old email address.

This is yet another example of why someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.


189 thoughts on “Experian Site Can Give Anyone Your Credit Freeze PIN”

    1. Gigi

      Equifax actually, but they appear to be only slightly worse than the others.

  1. Bill

    I WILL NOT GIVE IN TO SECURITY NIHILISM! I WON’T DO IT!!

    But this is the sort of news that makes that -really- hard to avoid.

  2. IRS iTunes Card

    The K.B.A. questions are easy to get around, as I’ve done it to access credit reports online. The questions are not a deterrent in stopping your identity from being stolen.

  3. Bob

    Regarding KBA questions – who says you have to answer them truthfully? I never do. I do keep track of how I answer.

    1. BrianKrebs Post author

      I think, Bob, you might be conflating KBA questions with security questions. The latter involve you supplying the answers to pre-selected questions, either by devising your own answer or by selecting from a drop-down list of available answers. And I’m in agreement with you on those not to answer them honestly, and basically to write down your fake answers.

      KBA questions, in contrast, draw on data from your credit file and quiz you about that. The questions will very often change each time you go through this process.

      1. Wayne

        Oh, darn. I always invent the other security question answers, but could never invent the KBA response; it’s fixed and historical.

      2. Chele

        That does assume, however, that the database the KBA options are pulled from is correct. I’m often presented with options where -none- are correct (I’ve never lived at -any- of those addresses, never lived with -any- of those people, never owned -any- of those types of cars, never had -any- of those accounts, etc).

        I’ve never been able to get my credit report from Experian for just that reason. I can’t “verify” who I am with them, even when I call or email them. My husband has the same problem with them and one of the other Big Three, too. As far as we can tell from the credit reports we can access, nothing is amiss, but it’s still worrisome. I have no clue where Experian is pulling their KBA options from and not being able to access our credit reports means we can’t freeze them.

    2. Keith Appleyard

      I agree: for Mother’s Maiden Name I use the married surname(s) of my mother’s sisters (deceased). For Date of Birth I used my brother’s.

      1. Bob

        Both my parents were only children. I have no aunts, uncles, cousins, etc., dead or alive.

  4. Tom Kirkley

    The only way I know would be 2 factor verification. Then you would at least get a hit on your cell phone or email that someone was trying to break in.

  5. Javier

    Security will always take a backseat to convenience. People don’t want to wait for their snail mail pin. However, some things are worth the wait.

    Corporate America is just starting to realize the cost of convenience vs. security.

    Random thought:
    I do wonder if anyone has done any study of the ROI of Security (investment in securing data+time+value of data) vs the convenience of having the data now. How much is having the data now worth vs. securing it over a period of time? I guess it really depends on the data needed and what will be done with it.

    1. Derrick

      Yes, companies have conducted private, internal security ROI research in the past 25 years. Until very recently, the consensus of most organizations has veered heavily toward customer convenience over data security. Credit card companies, for example, have in the past found it much more profitable to refund bogus charges (if you catch them in time!) than to enact more stringent measures to prevent theft.

    2. David M

      I’m of the opinion that everyone in the country should keep all of their accounts frozen all the time. Plan the times you need credit in advance and only place a temporary lift of the freeze when you need it and at the moment you need it.

      It would be a great deal more secure for the consumer, and far less profitable for the credit bureaus.

  6. Dennis

    All those credit reporting agencies are BAD. And their security model is not better than Equifax’s. It’s just that they are smaller so crooks weren’t interested in hacking their databases … yet.

  7. JCitizen

    This is truly OUTRAGEOUS!! And here I’ve been calling my congressmen to force these agencies to allow free credit freezes and maybe a few free unfreeze sessions. This news shows it is all just a waste of time!! Absolutely RIDICULOUS!

    1. TGuerrant

      Naw, it’s a *good* use of your time for at least three reasons:

      Freezes are better than leaving perps free to open scads of new bogus lines of credit without even bothering to scam PINs.

      Congress pressuring or legislating to make these companies conduct themselves properly is hugely important.

      And the loose practices like Experian’s PINs-free-to-all-perps nonsense can be cleaned up via congressional pressure or media/consumer pressure as the practices are uncovered.

      The perps aren’t gonna quit – so we can’t quit either.

      1. JCitizen

        Thanks! I bet my congressman thinks I’m some kind of a nut by now – but nothing has set me off quite as bad as this debacle! I mean, I know probably none of our information isn’t probably already out there in a stash of hundreds of other breaches in commerce everywhere, but now that it is knocking on the door of a crucial point protecting our credit lives, it is finally time to put our foot down HARD!

        The credit reporting agencies have been ducking and dodging more regulation for years with all kinds of promises to law makers, but we need to pull the rug out from under them, even if it means shutting them down, one at a time, for a month to make our point!

  8. Matthew

    Just another example of not thinking it through….

    Brian,

    Have you thought about posting this information on Linked In?

    Matt

  9. Wayne

    Separate from the freeze, I placed an extended fraud alert on my Experian credit file that requires them to call me for verification prior to allowing access, even when the freeze is temporarily turned off. I know it works because when I was trying to get a credit card approved I set the number to my home number, and they were calling while I was at work and not reaching me, and BoA rejected the credit card application.

    1. John

      I have used the extended fraud alert in the past. Actually worked very well. Sat in a bank to re-finance home and an auto dealership to purchase a car while they submitted the credit requests. My phone rang within a minute or two to confirm. If I recall correctly, you only have to file with one bureau and they are responsible for notifying the others. It is free also.

      You can read more about it on the FTC website. The catch is that you have to have filed an Identity Theft Report which I’m not sure a breach actually qualifies you for (but should). In summary, from the FTC site, this is what you get:

      “If you’ve created an Identity Theft Report, you can get an extended fraud alert on your credit file. When you place an extended alert, you can get 2 free credit reports within 12 months from each of the three nationwide credit reporting companies, and the credit reporting companies must take your name off marketing lists for prescreened credit offers for 5 years, unless you ask them to put your name back on the list. The extended alert lasts for 7 years.”

      1. Paul

        So the credit reference company called your cellphone to confirm. How did they confirm they were talking to you? Scammers already know how to transfer your number to their phone, so that is just another step for them to go through as part of a fraud.

        1. Aaron J Courtney

          Not if it’s a Google Voice number (especially with MFA enabled on your Google account)!

        2. JCitizen

          I think it is ridiculous to wait until you are already screwed to get this kind of service – after all it was THEIR fault this happened, THEY need to pay for it! Why wait for ID theft to affect your life, when you know that NOW, it damn sure can?

  10. Carol

    With the Equifax issue, another site strongly suggested a need for anyone receiving Social Security benefits to create an online account. When doing so, I found the account could not be created. When calling the phone number for the help desk I was informed that an account could not be created for anyone having their credit frozen.
    I will be checking back with the Social Security Office in case this information is incorrect. If the information given by the Social Security Help Desk is accurate, this makes no sense to me and seems to be another open door for stolen information. By the time an individual would find out about the changes made to their Social Security such as payments mailed elsewhere it is too late, and this would cause an immense financial strain on many individuals if there was no savings to cover until the matter could be cleared.

  11. Michele T Smith

    This is the result of excellent lobbying on the part of the Credit Reporting Agencies. We, the people, have no choice as to which CRA we use. Users of credit have no protection if the CRA is hacked, this is a case in point.

    1. Randy Gerdes

      I’d like to see legislation that allows individuals to choose the credit bureau they want to have their data. I’d even support a small annual subscription fee and an included insurance policy to pay for consequences of any theft or breach. I don’t see why we ALL have to have our data with ALL the bureaus. Introduce some competition for the fee and the security, and have them rated every year by Consumer Reports.

  12. vladumir

    I’m sure people in America don’t protect their identity info so well.
    And how does anyone know your SSN number or etc.? Only if you give your info, too bad, who to blame?? Only yourself. You are careless Americans. Why in the EU and Russia don’t we have this kind of fraud?? Only in the USA.

    1. Gigi

      Every government agency, the IRS, employers, all financial institutions, and virtually all other forms of personal transaction are BASED on, REQUIRE disclosure of your SS # as a default for any access, accounts, or use. Americans do not have the option of asking for a new SS#, nor would it matter I suspect, since these entities can’t even manage the info they have on us with any degree of competency. Money first (budgets, profits); security last.

      1. lobuxracer

        Yes, you can request a change of your SSAN under specific conditions. But, your original number is still linked to the new number so it isn’t exactly starting from a clean slate.

        faq.ssa.gov/link/portal/34011/34019/article/3789/can-i-change-my-social-security-number

  13. Ninja

    Basically services that hoard tons of info on everybody and can effectively screw your life if compromised have lousy cardboard security at best. And they won’t be punished for putting millions of people at risk. Got that.

  14. Johann

    yeah you really should have to mail in proof of ID to retrieve a lost PIN number. There just isn’t any other safe way to do it.

    I really hope this screw up will finally lead to the US creating an actual citizen ID number and a separate secret tax code #. It wasn’t fun proving to the IRS last year that I’m me.

    1. Paul

      The idea of Experian having a high resolution scan of my ID documents on file does not fill me with a warm fuzzy feeling.

    2. snic

      So, let’s say you mail a copy of your drivers license to Experian. How do you think they verify it beyond looking at it and saying “yup, that’s him”? A thief can make a fake drivers license with your name on it pretty easily. Unless they look the number up in a database, the mail-in system for verifying identity is just as broken as the online system.

  15. Gigi

    Have spent 2 weeks trying to accomplish Brian’s recommendations, hours on the phone. Fortunately, already had SS acct + pw set up. (Do that FIRST, can’t do it with Freezes in place!). Got my Equifax freeze confirmation with my pin by snail mail yesterday – here’s how bad these idiots are: The envelope plainly states: EQUIFAX Security Freeze and of course my name, address in the address window. Well, thank you very much Equifax, now the old school mail thieves can pilfer my mail box and get my pin no problem, do a quick white pages search and start the Fraud! JEEZ, I’m sure some USPS mail delivery person (employee or contract) could have a field day with this one!!!!! Now I’m off to get a PO Box to prevent home mail delivery thefts, but it won’t stop internal thefts of the mail/parcels by USPS employees or contractors (which I read about at least once a year it seems). Do any of these morons at EQUIFAX live in the real world? They made no attempt at all to anonymize an official security snail mail! It was like a golden invitation to steal my identity and PINs. What if someone hacked their identities and screwed their credit to hell and back like the rest of us poor suckers who have no input or control over their lousy data practices? Oh, and maybe Congress and most of the US government agency officials would enjoy this experience too. Wonder how they’d like forever living in ID Fraud purgatory!

  16. michael pechner

    And of course since I have a freeze on my credit, credit monitoring systems cannot tell me there has been activity. I have to hope for a hit based on SS# or driver license# to give some warning.

    1. JCitizen

      Credit monitoring is nowhere near as good as a freeze though. I have credit monitoring through my password manager, but I do know it can’t cover every condition of ID theft. I’m afraid a freeze is as good as it gets.

  17. DonFG

    For KBA Questions, I do not give the standard answers. If it asks for place of birth, I type in something else. Unless it is giving you a defined set of answers, use whatever you want.

    1. Darron Wyke

      That’s not how these work. They use public records to give you question-based response. Stuff like “what street name have you lived on in the last 7 years” with 3 (or possibly all 4) wrong answers and a right one.

      1. George G

        Often all the possible answers are wrong ones and you have to select none.

    2. Nicole Price

      KBA is knowledge based, which is based on information IN your credit file. Not something you input.
      If you enter made up stuff, you too shall not pass.

      It’s not even like Mr. Krebs’ post was TL;DR worthy either.

  18. Darron Wyke

    I used to work for Experian in the past.

    None of this surprises me.

  19. Gary

    I did a freeze via fraud.transunion.com. Well not exactly. I registered there but the final step to do the freeze kept crashing. I used their phone service and am hoping for the best.

    A freeze at one should propagate to all. I refuse to pay for locks. That is rewarding incompetence.

  20. Eliza

    Innovis has a very similar “vulnerability.” Just ordered a report from them. To order a credit report over the phone from Innovis nothing is required other than name, address, date of birth, and social security number of the person in question! Wow.

  21. SteveH

    If ever there was an industry shooting itself in the foot, this is it. Un-f’ing-believable.

  22. Scott

    I can see why you would want to freeze your credit file. But it’s kind of like freezing your life. For example, I’m in the middle of a housing loan refi so I can’t freeze. Are people expecting that they will freeze their credit for good or waiting for a better solution, etc.? It seems like kind of waiting for Godot, doesn’t it?

    –Scott

    1. SteveH

      You can’t reasonably freeze your credit in the middle of getting a mortgage, but once that’s done, how often will you need to apply for credit? I’ve applied for one new credit card in the past 15 years.

    2. David M

      You CAN freeze your account and release it only when needed. I refinanced my house last year and coordinated with the mortgage company about the unfreeze. I asked which bureau they would be using and told them to contact me when they needed access. They did, I unfroze the account for one week for everyone, and they did their thing. If you have multiple mortgage companies checking your credit (i.e. shopping for a loan), everyone can access it at the same time.

      Yes, it’s not as convenient but it’s not like you refinance (or buy) a house every day. Same goes for a car or new credit card.

  23. Ellen Rainford

    So, how much will it cost to freeze the other bureaus, if Equifax is the only one admitting to being compromised?

    1. David M

      For now, it’s likely they will charge their usual fees. It depends on where you live. For me, $10 per bureau (except Innovis, they were free).

      If Congress does anything about this mess, they might make it illegal for the credit bureaus to charge for freezes/unfreezes. Here’s hoping.

  24. jon bondy

    The way I deal with KBA questions is by fabricating ridiculous answers, and keeping track of my answers. So my previous location might be “neptune” and my favorite teacher might be “burnt toast”.

  25. Jake

    I just used the online request to order my free credit report from Innovis. The only personally identifying information it required was my name, address and Social Security number. They are now mailing my credit report to me. Any potential thief with access to my mailbox could do the same and intercept my entire credit bureau report!

    1. timeless

      The US Code covers mail theft [1]. And the USPS has its own investigative service [2] …

      While it does suck that confidential material is being sent via USPS, it’s better than it being sent by email.

      Personally, as long as that letter can only go to my last known address, I’m fairly happy w/ that behavior.

      Also, keep in mind that most people can pay to access your credit file, so you’re not really getting “confidential material”, you’re getting a reduced rate for generally available material….

      [1] https://www.law.cornell.edu/uscode/text/18/1708
      [2] https://postalinspectors.uspis.gov/investigations/MailFraud/fraudschemes/mailtheft/ReportMailTheft.aspx

  26. Carolyn Lambert

    I need help with this as I don’t understand it & what to do to be safe.
