In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.
Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.
Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.
But the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company.
Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file.
Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.
KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. The answer to the second question also was none of the above.
The next two questions were useless for authentication purposes because they’d already been asked and answered; one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).
The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.
Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes.
Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.
Thomas said he’s furious that Experian only provides added account security for consumers who pay for monthly plans.
“Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”
Experian has not yet responded to requests for comment.
When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked.
“When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. “You won’t see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file.”
Experian says my security is low because while I have a freeze in place, I haven’t bought into their questionable “lock service.”
Sounds scary, right? The thing is — except for the part about not seeing alerts — none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand.
With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). It is now free to freeze your credit in all U.S. states and territories.
Experian, like the other consumer credit bureaus, uses their intentionally confusing “lock” terminology to frighten consumers into paying for monthly subscription services. A key selling point for these lock services is they can be a faster way to let creditors peek at your file when you wish to apply for new credit. That may or may not be true in practice, but consider why it’s so important for Experian to get consumers to sign up for their lock programs.
The real reason is that Experian makes money every time someone makes a credit inquiry in your name, and it does not want to do anything to hinder those inquiries. Signing up for a lock service lets Experian continue selling credit report information to a variety of third parties. According to Experian’s FAQ, when locked your Experian credit file remains accessible to a host of companies, including:
-Potential employers or insurance companies
-Collection agencies acting on behalf of companies you may owe
-Companies providing pre-screened credit card offers
-Companies that have an existing credit relationship with you (this is true for frozen files also)
-Personalized offers from Experian, if you choose to receive them
It is annoying that Experian can get away with offering additional account security only to people who pay the company a hefty sum each month to sell their information. It’s also amazing that this sloppy security I wrote about back in 2017 is still just as prevalent in 2021.
But Experian is hardly alone. In 2019, I wrote about how Equifax’s new MyEquifax site made it simple for thieves to lift an existing credit freeze at Equifax and bypass the PIN if they were armed with just your name, Social Security number and birthday.
Also in 2019, identity thieves were able to get a copy of my credit report from TransUnion after successfully guessing the answers to multiple-guess questions like the ones Experian asks. I only found out after hearing from a detective in Washington state, who informed me that a copy of the report was found on a removable drive seized from a local man who was arrested on suspicion of being part of an ID theft gang.
TransUnion investigated and found it was indeed at fault for giving my credit report to ID thieves, but that on the bright side its systems blocked another fraudulent attempt at getting my report in 2020.
“In our investigation, we determined that a similar attempt to fraudulently obtain your report occurred in April 2020, and was successfully blocked by enhanced controls TransUnion has implemented since last year,” the company said. “TransUnion deploys a multi-layered security program to combat the ongoing and increasing threat of fraud, cyber-attacks and malicious activity. In today’s dynamic threat environment, TransUnion is constantly enhancing and refining our controls to address the latest security threats, while still allowing consumers access to their information.”
For more information on credit freezes (also called a “security freezes”), how to request one, and other tips on preventing identity fraud, check out this story.
If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.
I have been researching for a different password manager and someone suggested to use a random word generator instead of providing real answers for the security questions.
You misunderstand their authentication system. You do not choose the questions nor provide the answers on registering like financial sites do. They choose the questions supposedly ones only you should know the answers to, from information in your credit file that they have.
What Mr. Krebs covered in the article, is the fact that these lines of questions have devolved to be largely meaningless and useless for authentication. I have witnessed five out of five being “none of the above”. The situation is so bad they might as well present “none or more of the above” which would semantically be the correct answer all the time.
Authentication systems like this are so horrible because of a chicken and egg paradox.
Credit reporting bureaus are different from most sites including financial sites.
YOUR CREDIT REPORT / HISTORY EXISTS LONG BEFORE YOU EVER CREATE AN ACCOUNT.
So essentially, these credit reporting bureaus have to create a quasi-authentication scheme for your account without you having to actually provide any information or secrets. So the knowledge base authentication is derived from real world facts about your life.
The real problem is, if the credit reporting agencies know it, then it’s easy for a thief to learn it without too much trouble too.
What they should be doing is letting users update their authentication with secrets provided by you, allowing multi-factor authentication and moving away from this kind of Open source knowledge.
Of course you and I are not their customers. We are the products they sell. Your credit history is what they’re selling to their real customers, the lenders.
All Experian is asking for with their lies and very questionable marketing is more stringent legislation and regulation. I, for one, am forwarding this to my Congressional representatives. Thanks, Brian!
If there isn’t a congressional investigation into this issue (I may have missed it), I would like to know why. Unlike when I set up an account online and choose to risk it being there, I have no choice in my data being on these credit-reporting agencies. If they have it without my permission, then they are similar to the government and should be treated with governmental oversight. I shouldn’t have to pay for my financial data to be locked down, and any credit agency that allows criminals to access it should be punished.
I know it may seem like your credit history is something that belongs to you. And I agree, it very well should be.
But this data belongs to the lenders. Creditors who lend money to borrowers,… It’s actually their data. And maybe tied to your social security number, but it unfortunately belongs to them.
That’s why we will continue to be treated not as customers, but as products.
Credit Bureau’s need to be abolished permanently
Along with extraneous apostrophe’s.
That made my day!
I agree with that. I have a “Freeze” on mine due to ID Thief. But it continues. So I got life lock.
I’ve got an annual subscription to Experian for $99.95 per year. Currently, my file has a security freeze and is locked on top of that. I don’t have to pay a monthly fee for CreditLock. Maybe it’s because I’ve been with them for quite a while? Not sure.
…I currently pay a big fat $0.0 – you are being ripped off if you pay anything…
If you are unable to lock and freeze your credit report, you are the one who is being ripped off. Read the article, please.
You are the sucker born every minute. Paying for a service that should be free and is mostly just marketing fluff.
“I pay 99.95 per year, but otherwise I don’t pay anything”
Did I get that right? 🙂
I’m replying to the article, which says that you have to pay monthly fees that amount to a lot more than 99.95. Read the article, please.
So because you pay $99 instead of $180 for these magic beans… You think you got a good deal?
This is absolutely ridiculous: “when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.” They don’t have to forward the new PIN to the old email address, but they should certainly send a notification to it for any PIN retrieval or change in security profile.
There should be fines for this kind of half-baked security, plain and simple. If they do the same thing for EU citizens, perhaps they could be fined under the GDPR.
Amen. I would like to add that “annualcreditreport.com” is also a joke. Routinely, a response comes back saying that the Experian credit report is not available, without a clear reason. Thus, I’ve been forced to go to the wacky Experian website in order to get it. It’s as if Experian is ignoring the govt mandate to provide a free credit report through annualcreditreport.com, although it can be obtained once you login to their own website.
I’ve also had trouble getting Equifax reports in the past. Transunion is the one to provide credit reports most reliably, in my experience.
One time, I was asked to send via snailmail a copy of my driver’s license and social security card and other sensitive stuff to a PO Box for Equifax. This was listed in print and I sent the items to that exact location. When I hadn’t heard anything for some weeks, I called the company and I was told that is the wrong PO Box. When I explained that’s the one I was told to send it to, the person told me to send the things to another PO Box. And that one worked. I still don’t know where in the world are my sensitive items. The incompetence continues at Equifax, even after the massive breach that affected me.
It’s absurd that Experian will reset your security PIN without asking you to confirm at the existing email address associated with your Experian account. For a company that is supposedly protecting your valuable credit information, their security is pathetic.
What can we (the general public) do to help change the current state of affairs? It would be very useful if you started including that information… You have educated us about the problem, now educate us about how we can help correct it.
Yes, Mr. Krebs, please do include this kind of information. I’m sometimes able to figure out what I can do myself from your fine reporting, but other times I struggle to figure out the best steps to take.
I am suing TransUnion (again) after they illegally removed my freeze in 2018. I found the problem in 2018 because of my annual (or as needed) requests for all my files from TransUnion, Innovis, Experian, Lexis/Nexis and Equifax. This year I added a freeze to my NCTUE file (NCTUE-another group of real prizes in bed with Equifax). In 2018 I sued TransUnion in Small Claims Court-cheap-fast-effective. The issue I pressed that they created in 2018 went my way and fast.
Now I am suing them again because as of January 2021 I see the freeze was removed again, but doubling my demand for financial compensation. The best part-they refused to reply to my 4 written inquires sent Certified Mail/Return Receipt Requested to re-freeze my file. Great evidence to support proving a “Willful” denial as opposed to a “Negligent” denial. In my State the difference between a Willful vs. Negligent determination by the Court opens the door to up to triple damages, Attorney fees and possibly Punitive damages. So right now I will sue for $4,000 (4 letters x $1,000), prove Willful if I can plus all costs. Sum sought will be at least $12,000. And this is in Small Claims not a higher Court.
I learned a long time ago to sue for the max. of $1,000 PER denial of a written request as provided for both under my State law (Consumer Protection Act) and the Fair Credit Reporting Act/FCRA. Whether or not you get it doesn’t matter-you certainly won’t get it if you don’t ask for it. So ask in your Complaint. All the Judge can say is no and award a smaller sum assuming you win.
There is much I could write here about the credit reporting industry but let me make these points that will help those to whom these may apply:
1) Stop complaining and start suing them in Small Claims Court; a powerful tool is to FIRST create a paper trail that cannot be denied when trying to correspond with them. Lay out what you want in clear terms then send it 2-3-4-5 times Certified/Return Receipt Requested not just Certified. Give them a month to reply to each one. The green card you get back is better proof-of-delivery/POD that the printout from the USPS website that shows it was delivered with a date and time. Hardcore Defense lawyers will sometimes claim that the USPS Certified Mail printout is not enough for POD. Whether a Judge agrees or not is irrelevant so don’t even let them get their foot in the door;
2) I’ve also sued these companies when I have to make request after request after request after request-just to GET my credit report and it’s getting worse over the years. I have another Small Claims suit I am filing now over this very issue (again); I don’t want to but what choice do I have?;
3) Do not let any of them add a Confidentiality clause to any out-of-court settlement; they don’t like the spotlight at all and this is one way to muzzle consumers;
4) Do not do ANY business using their website-why? Ever read the Terms & Conditions attached to requesting service through their website? Some if not all force you to WAIVE your right to go to Court and thus end up in their dream world-Arbitration; I saw this ugly stab in the back to doing the right thing a few years ago when I thought I’d make a request via their website for my file until I literally read the fine print. No way in the world would I agree to arbitration. If arbitration didn’t favor them in a BIG WAY they would not insist you agree to it JUST to get information over the Net;
Always use letters and track them well (when it was mailed, when it was received, when you gave up trying and then wrote them again). All of this is compelling evidence in (any) Court that supports your case;
5) Clown College: I have seen people show up in Small Claims Court representing major Credit Reporting companies who were grossly un-prepared, were not dressed for the occasion, literally mumbled, had to step out of the Court to call their handler etc. when the Judge asked them a question they couldn’t answer. Once in a while a real Attorney will appear but don’t be surprised if the person they send is not an Attorney.
In my State if you are not an Attorney and will be appearing on behalf of (enter company here) you must file what is basically a sworn statement on a Court supplied form 3 or 4 pages long that says you have the legal authority to represent the Company and have the ability to bind the Company to any agreement. It must be signed by Corporate Officers which is a HUGE effort to get done. You may see some lower level corporate hack who tries to cut corners by signing it when they have no such authority. Use this against them. Print out a list of the Corporate Officers from their website-it’s there if you look. If it’s not, go the website for the Secretary of State in your State, pull up the Company’s latest Annual Report and see who they are. Compare that to the person who signed the document I just described. Names don’t match? Depending on the Judge that could be another HUGE problem for the Defendant, possibly game over.
What I do when I see these people show up is demand right out of the gate that they produce this critical document and if they can’t, I move for a Default Judgment meaning technically, they didn’t show for the Hearing and thus I win on the spot. This can be a very effective way to knock the legs out from under a Defendant.
I hope this has helped.
Did you actually win any money from TransUnion?
In this example, there is no incentive or motivation for Experian to change its behavior. First, recall that consumers are not the customers of Experian. Experian customers are businesses. The person is very wrong who suggested that Experian is “protecting your valuable credit information”. Experian collects and sells information, for the benefit of businesses. Consumer problems are nothing but an annoyance to Experian. Consumers are mostly cost and little profit, except for small stuff like credit locking. There will never be market pressure on Experian to address consumer problems because consumers are not part of Experian’s marketplace. This is where government regulations are the only answer (e.g. GDPR).
Exactly.
It’s the basic economics that result in this kind of thing.
We are not their customers. Therefore, we do not have any leverage.
We don’t have any choice in which credit reporting agency is used by the creditors/lenders we use.
The choice falls on banks, mobile carriers, utilities, etc.. and it’s not like we can tell them which credit reporting agencies they should use.
Good luck even asking which ones they do use. I’ve had a few tell me to unfreeze all of the agencies just to be sure, even though only one or two were actually checked.
Irrespective of Experian’s business model, if you have a credit freeze in place, “protecting your valuable credit information” is exactly what they are supposed to be doing. (According to the FTC, a credit freeze “lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name.”)
“Experian only provides added account security for consumers who pay for monthly plans.”
Otherwise known as extortion.
Experian is a typical example of a company that sweeps up information about you, largely without your consent or knowledge, assembles that that information in ways that make it more valuable, and then sells it for a profit. However, if they loose that information they don’t want to be held responsible for that or be held accountable for the damage they caused.
Data vulture is probably the wrong name for a business like this. Data predator may be more apt.
Time for much better privacy laws!
I now classify Experian as a protection racket that is practicing extortion.
Nice credit you have there — it would be a shame if something were to happen to it.
Here is where you should send complaints: https://www.consumerfinance.gov/
This is the outfit Elizabeth Warren designed. The Senate wouldn’t confirm her to be its head, so she ran for a Senate seat and won it. The T**** administration put Mick Mulvaney in charge to try to cripple it. Pres. Biden has put Kathy Kraninger in charge, so it has an opportunity to go back to work. Send your complains there, as well as to your Congressperson, for a better chance to get the credit bureaus reined in.
CCPA allows for a private right of action. $750 per violation might get their attention.
Brian, ask the FTC (Federal Trade Commission) why they haven’t fined Experian for this.
The FTC fined LifeLock service $100 million for its garbage security.
Brian, consider asking the FTC (Federal Trade Commission) why they haven’t fined Experian for this.
The FTC fined lousy LifeLock $100 million for completely pathetic security.
Groan. The opposite situation – you’ve placed a freeze with Experian, and you want to lift it temporarily – can also be problematic. I’m an American citizen, and I lived in the USA when I placed a freeze with Experian. However, in 2018, I moved to Canada. I have the PIN for the freeze, but in order to lift the freeze, Experian demands my address, which their incompetently designed web form presumes is in the USA – it demands an American ZIP code. Moreover, entering my address at the time I placed the freeze or my last address in the USA doesn’t work. The Experian website responds by telling me to collect and send a pile of paper documentation to an address in Texas. Calling them yields the same. As obnoxious as Equifax and TransUnion can be, I haven’t had this much trouble with either of them.
I filed a complaint with the CFPB, which (to the credit of the agency) led to a call from Experian about two weeks later. Unfortunately, I wasn’t available to take the call, and when I called back the next day, I was informed that the employee handling my case would be out of the office until May 10. Sooo typical …
None of this nonsense would be happening if these companies treated the PIN for a freeze appropriately: if you have it, then it should be all you need; if you don’t, then you should have to provide serious documentation to get another one, not just go through some rinky-dink online “PIN recovery” process.
Of course, none of this nonsense would be happening if the whole shady industry were shut down, either.
///
I also use the totally free credit monitoring and FICO score (change reporting) service at https://www.creditkarma.com/ to monitor my credit, plus I have a CREDIT FREEZE at all 3 major credit bureaus.
///
…i also use creditkarma – it’s free and highly recommended by many…
…i also get alerts from my free services from several hacks…
…one should never pay, never, ever…
If you’re not paying for it, you’re the product.
…sure, but if buy a paid service you get the same data, less the ads for a new credit card or loan…
…if credit karma makes money by showing me the ads i’m fine with that tradeoff…
Nothing about CreditKarma is free, you are the product. If your employer uses ADP, there is a decent chance they are sending all of your paycheck info to CK, which of course is selling it.
Get your report from an Equifax company called The Work Number. You might find CK is getting all of your salary data. My HR department was totally unaware of this; ADP was doing it.
Yup. For some more background on The Work Number and how easy it’s been for anyone to glean your salary data, see:
https://krebsonsecurity.com/?s=equifax+salary
The US needs a stonger Data Protection Commissioner to advocate for consumer credit data protections. However it’s unlikely to happen given the influence of lobby groups over decision makers in in DC. The EU has penalties for businesses that are careless with customer data. The most severe is a fine of four per cent of the annual turnover of the business. The EU moved to chip and pin credit card security years ago. But many US retailers are still using mag stripe and carbon copy technology from the 1960’s. Why is that?
If US retailers are still using mag stripe then the retailer eats the loss on fraud, not you or the bank that your card with with.
…well, eventually the merchant has to pass on the costs to the consumer in the form of higher prices…
These companies and your financial institutions need to make something like Yubi Key the default way to access an account. Most of those ‘knowledge’ questions are common knowledge to anyone who wants to put minimum effort into them.
Making up answers rather than supplying the true answers is a whole lot more secure. Just be sure to write down the answers or you’re screwed.
Maybe we should get Congress to pass a law that would make the credit reporting bureaus financially responsible for lines of credit/loans opened due to their lax security. That way they would have an incentive to make sure you really unfroze your report, rather than some criminal. Might make it a little more inconvenient to unfreeze your report, but would allow all of us to sleep a little better at night.
No different than paying protection to the Mafia, what a despicable organization.
Well that would explain some things… I had my info stolen during the big breach at Equifax and I’ve had payday loans taken out in my name and oddly deposited into my checking account. Changed all that info and locked my report but when I went back to dispute something I found it unlocked.
This is just part of business in the US nowadays. Companies keep taking more from the consumer and giving less. Hotel or car reservations, oops sorry we’ve given the room/car to other people. Pay a resort fee but get no/reduced resort amenities due to covid.
Technology firms pay little penalties so many minimize security. Medical places are among the worst.
Experian has been a mess for years. People can’t get into accounts and then have to spend time mailing or hours on the phone trying to resolve issues. And constantly trying to push you to buy stuff that should not be needed.
I disagree that Experian’s PIN recovery security is inadequate.
It requires one to certify that the PIN reminder is for a freeze on one’s own personal credit report. This is surely enough to stymie evildoers.
Dirk – lol.
Isn’t this actually criminal extortion? Experian sets up weak protection to the unlock mechanism, but will sell the strong protection?
I appreciate some very astute comments on here.
Here’s one for the attorneys: Since this is clearly a protection racket in practice that the credit bureaus are running, isn’t there a basis for a class-action lawsuit for violation of RICO?
In my experience, the Experian PIN doesn’t matter anyway because it never works. Their unfreeze form always tells me it is wrong and I end up having to use the multiple choice questions. Over the last few years, I have updated/reset my PIN multiple times and none of them have ever worked. The same hold true for my wife’s PIN.