April 26, 2021

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States.  Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.

But the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company.

Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file.

Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.

KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. The answer to the second question also was none of the above.

The next two questions were useless for authentication purposes because they’d already been asked and answered; one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).

The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.

Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes.

Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.

Thomas said he’s furious that Experian only provides added account security for consumers who pay for monthly plans.

“Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”

Experian has not yet responded to requests for comment.

When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked.

“When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. “You won’t see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file.”

Experian says my security is low because while I have a freeze in place, I haven’t bought into their questionable “lock service.”

Sounds scary, right? The thing is — except for the part about not seeing alerts — none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand.

With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). It is now free to freeze your credit in all U.S. states and territories.

Experian, like the other consumer credit bureaus, uses their intentionally confusing “lock” terminology to frighten consumers into paying for monthly subscription services. A key selling point for these lock services is they can be a faster way to let creditors peek at your file when you wish to apply for new credit. That may or may not be true in practice, but consider why it’s so important for Experian to get consumers to sign up for their lock programs.

The real reason is that Experian makes money every time someone makes a credit inquiry in your name, and it does not want to do anything to hinder those inquiries. Signing up for a lock service lets Experian continue selling credit report information to a variety of third parties. According to Experian’s FAQ, when locked your Experian credit file remains accessible to a host of companies, including:

-Potential employers or insurance companies

-Collection agencies acting on behalf of companies you may owe

-Companies providing pre-screened credit card offers

-Companies that have an existing credit relationship with you (this is true for frozen files also)

-Personalized offers from Experian, if you choose to receive them

It is annoying that Experian can get away with offering additional account security only to people who pay the company a hefty sum each month to sell their information. It’s also amazing that this sloppy security I wrote about back in 2017 is still just as prevalent in 2021.

But Experian is hardly alone. In 2019, I wrote about how Equifax’s new MyEquifax site made it simple for thieves to lift an existing credit freeze at Equifax and bypass the PIN if they were armed with just your name, Social Security number and birthday.

Also in 2019, identity thieves were able to get a copy of my credit report from TransUnion after successfully guessing the answers to multiple-guess questions like the ones Experian asks. I only found out after hearing from a detective in Washington state, who informed me that a copy of the report was found on a removable drive seized from a local man who was arrested on suspicion of being part of an ID theft gang.

TransUnion investigated and found it was indeed at fault for giving my credit report to ID thieves, but that on the bright side its systems blocked another fraudulent attempt at getting my report in 2020.

“In our investigation, we determined that a similar attempt to fraudulently obtain your report occurred in April 2020, and was successfully blocked by enhanced controls TransUnion has implemented since last year,” the company said. “TransUnion deploys a multi-layered security program to combat the ongoing and increasing threat of fraud, cyber-attacks and malicious activity.  In today’s dynamic threat environment, TransUnion is constantly enhancing and refining our controls to address the latest security threats, while still allowing consumers access to their information.”

For more information on credit freezes (also called a “security freezes”), how to request one, and other tips on preventing identity fraud, check out this story.

If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.


79 thoughts on “Experian’s Credit Freeze Security is Still a Joke

  1. Locks are Better than Freezes

    have already changed my freezes to locks. could see the writing on the wall that locks were going to be better. because that was where the credit bureaus wanted to go to make money.

  2. Diane C Auger

    My personal information was giving to a fraudulent person ( pretending to be a good friend) I changed ALL passwords , joined Identity guard, froze my credit with Experian, so what your saying is ” I should Lock it with Transunion? My email address is out there, should I delete it and create a different one that’s not associated with my name? Don’t we have any say on Businesses/ Credit Companies selling our credit reports? Hope to get answers, we horrified that our personal information is out there. Thank you

    1. R

      You should put an alert on all credit agencies separately they don’t share that information. Your email address isn’t considered a private or personal piece of identifying information so that doesn’t make a difference. You do not have any “say” on credit companies giving your details when you apply for credit. I am not sure what you mean about “selling” your credit reports though.

      If you’re concerned you should change all your recovery questions. The questions that are asked when you click the “I forgot my password” button. Things like the high school you went to, your first car, etc are typically actually pretty easy details to find. You need to change the answers to all those questions to totally nonsense answers.

      Hope that helps.

  3. asdasd

    The last time I went to annualcreditreport.com, one of the questions it asked me was what my astrological sign was. Everything other question’s correct answer was ‘none of the above.’ I was visiting my mom, where we did hers, and she got the same birth sign question.

  4. Exo

    The purple cow ought to tell you something. “We’re an entertaining purple cow, what data breaches? Look at the cow! Mooo!!!” Experian comes across as a typical disorganized mess run by marketing people expert at making chaos seem attractive. All the tip of the iceberg things detailed here; Boost implying your score’s artificially low and all you have to do is ask to raise it…chaos draws morbid curiosity.

    A last century data broker adapting well to phone culture wet rug methods doing what phone culture does best, sell jobs on gullibles.

    BUT, The Purple Cow/boy is only the face of their consumer business, a fifth of total revenue. B to B is where they make the most money by far. Experian’s data’s questionable, not surprising Experian’s consumer security is too. They know it stinks and choose to not fix it even though it would be simple to do so. Less attention is the last thing any consumer focused so called Big Tech company wants.

  5. Chris

    Courts should hold credit bureaus strictly liable for the losses caused by their data breaches and security practices. In fact they should hold any entity holding other people’s personal information strictly liable for the loss of data held in computers with network connections – including the government agencies like OPM. When they are forced to pay for the financial losses, inconvenience, pain, suffering, mental anguish and punitive damages to any person whose data has been hacked, they will quickly change their practices.

    1. security vet

      …in the case of the OPM hack – “…Embattled Office of Personnel Management Director Katherine Archuleta…resigned…”…

      …and i got free credit monitoring for what is now effectively for life…

      …although in that case it was the chinese mss…

      1. Roger Nebel

        …anecdotally it’s been reported that the opm hack cost the us gov a billion dollars…

        …your tax dollars at work…

        1. Keyser Soze

          Stupid cheap shot when corporate types do no better.

          If you’re so good why aren’t you fixing it?

          1. security vet

            …if you read the comment i replied to you’d know what i said…

            …but perhaps you were sleeping when they covered critical thinking in school?…

  6. Wastrel

    “The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.”

    For some values of “best.” 🙂

    This is why I pay no attention to my so-called “credit rating” and deal in an old-school way with people I know and trust, and who know and trust me.

  7. timeless

    Dune Thomas (Sacramento, CA) is well placed to reach out to California Attorney General Rob Bonta [1]. Bonta replaced Xavier Becerra. Becerra had gone up against Equifax [2] in the past…

    Here’s the mailing address for them [3]:
    Attorney General’s Office
    California Department of Justice
    Attn: Public Inquiry Unit
    P.O. Box 944255
    Sacramento, CA 94244-2550

    I look forward to another round of penalties against all of these callous data brokers.

    [1] https://oag.ca.gov/
    [2] https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-settlement-against-equifax-providing-600
    [3] https://oag.ca.gov/contact

  8. Lori

    I let my boss know about this, she is a financial advisor and helps our clients freeze their credit. She told me to try and unfreeze her personal account, having only her name, address & SS#. I was able to get in, 1st try, using my email address and she was not notified. This is SCARY. thank you Brian for letting us know. I wish there was someone we could report this to but I doubt anyone is going to take it seriously.

  9. A

    This should be reported to FTC for unfair and/or deceptive practice.

  10. G.Scott H.

    Credit Freezes only exist because of laws. First a few states passed them. Then others followed. Most states passed laws requiring the “three” credit bureaus to freeze a consumers credit report upon their request. Few states demanded no-cost freezes. Now there is a federal law for freezes and they are to be no-cost.

    The “three” responded almost in sync by offering the “better” locks for usually a renewing subscription fee. At the same time their administration of the freezes became fairly shoddy. I do not believe there is any specific mention of the quality of a freeze in the law(s). There is an obvious intent in the law(s) for providing protection. I say “law(s)” because I do not know if the federal law fully superseded the various laws or only on the topic of cost and the availability to all even if a state did not have a freeze law. Experian therefore is in violation of the intent of the law(s) but maybe not the letter.

    There are more than the “three” now. The credit bureaus are now considered part of a larger category of data brokers. In a sense Google, Amazon, et. al. are also data brokers in the advertising universe. The business model is to collect data on consumers and sell access for various purposes.

  11. Michael Downey

    How many folks out there are even aware that there are more than the big three Credit agencies they must worry about?
    There are resellers of information out there in fact the consumer credit protection Bureau has 35 pages of those secondary sellers of our information!
    I recently learned this when I applied for credit to buy a mobility van. I was initially refused credit by a secondary marketer of information by the name of Sage Stream they are headquartered in San Diego California. Sage stream claimed that they did not recommend the credit be extended for three reasons one my telephone number and my address were too far apart I’m not even sure what that means. Secondly said the number of credit requests against my record in the past year was excessive. And lastly they claim that I had no credit history at my present address I had lived there for too short a period. I cut my top three Credit Bureau reports all locked down so I contacted each of them and I got my credit report and in my hand there is evidence goes back over 12 years. We don’t know anybody anything except our mortgage. Our credit ratings the top three varied between $770 and 815. It’s Sage stream had recommended disapproval of the loan. We got a copy of the sage stream report and it contained one entry only one that being for an existing Auto lease which was being paid off and terminated as part of the deal to buy the mobility van. So essentially Sage stream was collecting money in a transaction by returning information to A lender about an account the lender already held and that’s all they had on the report that’s it nothing else. Something needs to be done and quickly to rain in all of these credit sales. They drive the cost of credit up and they only increase the possibility of personal information compromise by exchanging this data between themselves without our knowledge.

  12. Paul R. Dittrich

    The old question “Qui bono?” and the modern instruction to “Follow the money!” still hold true.

    Who are the customers of these credit bureaus? (hint: it’s not you.) None of us are direct customers of their services. None of us (directly) pay them a penny. This is why all of your complaints to them are futile.

    I would like to see us adopt something similar to the EU’s privacy model and put some teeth into enforcement.

  13. Shade

    Like capitalistic “feudalists” give a damn about someones security.This system is rotten the biggest criminals are running countries

  14. Stan Stahl

    Thanks Brian for continuing to tell people how “seriously” companies like Experian really take their customers’ personal information. We’ll post this … like most of your stories … in the SecureTheVillage Cybersecurity News of the Week. Keep up the good work. Cheers – Stan

  15. Denis Hanley

    Experian routinely inserts fraudulent personal information and fraudulent claims of debts not owed into my personal credit file about once a year or so in an ongoing attempt to promote their “credit repair” scam. When forced to access their website to confront this fraudulent information, Experian then relentlessly pounds the unwitting consumer with monthly subscription “fees” for all eternity to remove the same fraudulent information they just added.
    As a retired commercial mortgage banker and former business owner, my FICO score would plummet over 100+ points in a single afternoon – due to completely fraudulent and easily refuted fraudulent information Experian post as a matter of routine.
    The CFPB publicly displays at least part of complaints filed against Experian, as well as others, for these fraudulent representations.

    I bet you could write a whole new story just on those public CFPB complaints alone. And I hope you do because this is the classic definition of a criminal “conflict of interest.”

  16. JT TechnoPeasant

    Last week I unfroze Transunion for the first time since freezing the “big 4” back when one had to pay $10 for the privilege.
    The authentication process/questions were several and much better than Experian’s apparently are and I was immediately notified of it . I logged back in later and the freeze had been automatically re-applied on the date expected. Was not offered any fear-based upsells either.

    If only Experian would follow suit.

    =========================== Email =================
    Dear XXXXXXXXXX

    Your TransUnion Credit report is unfrozen for the time period you specified.
    How it Works:
    Remember, during this period your credit report isn’t blocked. When you are ready to block access to your report again, you can log back in to restore your freeze, or simply wait until the period you specified has passed.
    If you have freezes with the other credit bureaus, reach out to them directly for help with those freezes.
    You’ve got questions. We’ve got answers. Visit our FAQ to learn more. Please contact us if you have any questions.

    Sincerely,
    Your TransUnion Support Team

  17. jason

    Just got 2 of 3 reports from the annual report site, Experian was having problems so I have no clue what they think of me.
    I wonder why Trans union wants to let double click and google monitor my browsing, good thing I run Noscript to block those sites.

  18. Fed Up

    “Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”

    Uh oh, someone is onto the whole “credit monitoring” scam.

    Until criminal penalties and major fines that make the victims whole occur, this crap will continue. The fines levied (if at all) are a fraction of the profits made from this negligence. Article like this are just one more cost of doing business in the USA – bad press doesn’t matter to credit reporting agencies, because we aren’t their customer, we’re their product offering.

  19. Get overit

    Has anyone actually received any part of the settlement? (Other than the “monitoring). Thanks Brian for your excellent coverage of security.

Comments are closed.