Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.
John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.
Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address.
An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.
“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that point, the representative read me the current stored security questions and PIN, and they were definitely not things I would have used.”
Turner said he was able to regain control over his Experian account by creating a new account. But now he’s wondering what else he could do to prevent another account compromise.
“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”
Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered his Experian account had been hijacked after receiving an alert from his credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.
Rishi said the alert surprised him because his credit file at Experian was frozen at the time, and Experian did not notify him about any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even rescinded its credit inquiry (each credit pull can ding your credit score slightly).
But he never could get anyone from Experian’s support to answer the phone, despite spending what seemed like eternity trying to progress through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.
“I was able to open a new account at Experian starting from scratch, using my SSN, date of birth and answering some really basic questions, like what kind of car did you take out a loan for, or what city did you used to live in,’ Rishi said.
Upon completing the sign-up, Rishi noticed that his credit was unfrozen.
Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity. Even using the paid Experian service, there were no additional multi-factor authentication options available, although he said Experian did send a one-time code to his phone via SMS recently when he logged on.
“Experian now sometimes does require MFA for me if I use a new browser or have my VPN on,” Rishi said, but he’s not sure if Experian’s free service would have operated differently.
“I get so angry when I think about all this,” he said. “I have no confidence this won’t happen again.”
In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.
“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”
“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”
ANALYSIS
KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.
After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.
Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”
After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?
To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.
How does Experian differ from the practices of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity tried to re-create an existing account at TransUnion using my Social Security number, TransUnion rejected the application, noting that I already had an account and prompting me to proceed through its lost password flow. The company also appears to send an email to the address on file asking to validate account changes.
Likewise, trying to recreate an existing account at Equifax using personal information tied to my existing account prompts Equifax’s systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).
KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.
The experiences of Rishi, Turner and this author suggest Experian’s practices currently undermine both of those proactive security measures. Even so, having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else.
In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts is inexcusable in 2022.
“They compound the problem by gating the recovery process with information that’s likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches,” Roan said. “Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian.”
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers — banks and other lenders — choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.
“The actual customers of the credit service don’t realize how much worse Experian is, and this isn’t the first time Experian has screwed up horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it’s the lender who eats that fraud cost.”
And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.
“I do think it’s important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax,” he added.
More greatest hits from Experian:
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service
Update, 10:32 a.m.: Updated the story to clarify that while Experian does sometimes ask users to enter a one-time code sent via SMS to the number on file, there does not appear to be any option to enable this on all logins.
So let me get this straight. Equifax was breached in 2017 and essentially the database for 147 million was stolen
As a result if this breach settlement,, Equifax gave essentially everyone four years of credit monitoring from Experian.
Now you are telling me that anyone with that hacked Equifax data can easily take over the account on Experian that was setup as a result of the breach.
Am i the only one who sees the ridiculousness of this?
PAYING $25.99 a month to have a multi-billion dollar business protect your own data?!?!? Just… Wow!
Unfortunately, it is not your data. At least that’s not they way they see it. It’s data “about” you. But it’s data generated by lenders, for lenders.
True but its frustrating the data generated about me & you ‘by lenders for lenders’ does not harm those lenders when it’s breached, leaked or stolen. It can & DOES have very real negative & sometimes disastrous consequences for us consumers.
I am with you, there is very real harm here.
The harm is still coming from other lenders who allow breached data to be good enough verification to lend money or services. Then, when the identity thieves fail to pay the lender, it ruins your credit. And ruined credit is harmful because other lenders refuse to lend money or services.
I don’t think the data is very important, rather its the 2nd and 3rd order effects. And all that harm is coming from your relationship with lenders.
You left out the part where said business never asked you for permission to create a file on you and begin collecting the data that they then want to charge you $25.99 to protect.
I don’t think we’ve ever lived in a world where someone has to ask you for permission to create a file on you.
Whenever we borrow money, or engage in any transaction, the lender will always have the right to create a record of that transaction and to communicate that record with other lenders.
Don Vito Corleone would be awestruck with admiration.
Privacy is DEAD DEAD DEAD. This article is merely further proof of what has been known for many years now. I won’t even get into the uber-nefarious implications.
This is exactly why Credit Reporting companies should be nationalized, liquidated to reimburse the victims, and then abolished entirely so no other company is allowed to create credit reporting business going forward. Obviously, this won’t happen unless French Revolution happens. So stuff like this was actually a strong argument in support of cryptocurrency, a way to safeguard your assets under your control, not under bank’s control despise what Reddit would have you believe.
There would need to be something to replace it. People aren’t going to be able to get loans for cars, school, mortgages, rent, cell phone contracts or utilities without some way for those companies to look up your history of paying debts. Crypto is a joke and only useful for evading accountability. Creditors would never agree to an anonymous system of checking credit. You think identity theft is bad now, crypto would make identity into nothing.
yeah I used to think blow them up and federalize but I saw this YouTube video and he makes a pretty sober and strong case of why the feds running this is not the solution that results in a better result
-> https://www.youtube.com/watch?v=DoqCyx4_QjM
Good arguments, but regarding the “security” criteria @9:57 he says “executives will be held accountable and fired in the event of a major breach”.
Thanks John. Good video. He was very focused on the unintended consequences aspect, which is important. But Data Privacy wasn’t addressed at all.
I found different deficiencies on various sites recently.
NCTUE KBA requiring me to enter wrong info pertaining to history associated with my mom’s identity thief. I failed this several times because I didn’t know some of the associated answers. Finally succeeded when the set of 4 questions had 3 from me and one from the thief which I knew (their address). This exercise was part of requesting a report, which would have been sent to the thief’s address had the system not generated a pdf letter (showing theirs address) as a receipt for test lifting the freeze.
NCTUE agent allowed me to essentially update my moms address before asking if I could bring my mom in to give verbal authentication and authorization to proceed.
TransUnion is always problematic. “Forgot p/w” results in no p/w being sent to e/m address of record. So many failures over time where even phone agents fail and have to apologize.
Most sites have portals others (Annual Credit Report, Chex & NCTUE) just a long screen to fill in information before performing an operation. In the latter two cases, it’s not possible to see what contact info is in their record (even partially masked would be helpful), so it’s not possible to easily detect bogus info.
One site has a ca. 10-digit freeze PIN that is partially protected by a 4-digit PIN used to verify to the call-in agents.
Of Annual Credit Report, (ChexSystems offers no login), Equifax, Experian, Innovis, (NCTUE offers no login), TransUnion, only Innovis uses 2FA.
Experian has TWO different sites for a credit freeze. Their primary site tries to constantly get you to sign up for their “CreditLock” service, which is expensive. The free site is https://usa.experian.com/member/security-freeze.
I could not find a way to get to the free site via their regular login. Plus, when you do log in to the regular site, they make it look like your existing credit freeze is not on because everything refers to their CreditLock service. All those references say my credit file is unfozen. But when I look at the free site, mu freeze is still on. Very deceptive. All in the name of signing people of for their very expensive CreditLock service.
Also, as for MFA options, which they definitely SHOULD offer for free, they’re not the only institution that does not offer it. Truist bank also does not offer it. How crazy is that?
After far too many emails trying to sell me “CreditLock” and such, with no way to unsubscribe, all email from experian is now filtered directly to my trash folder. Guess I need to reconsider that.
Can you say class action lawsuit, boys and girls?
Only the lawyers make money. Nothing effective came out of the Equifax settlement.
I agree this exactly what’s needed!!
This happened to me also. Got an email that the email address hooked to my Experian account was changed. I immediately emailed them to find out what was going on and got the “not monitored” email.
I was lamenting to my wife about in (she handles our “books”) and she said, “Oh… that was me. I put the password in our vault”.
Lucky for me it was just my wife hacking me!
I would like to hope that this is one issue that politicians could agree on and apply pressure to Experian to get their act together. This is completely unacceptable on Experian’s part.
I’m afraid the only likely way we see their involvement is if one or more of them get hacked. Then I’d expect furious rhetoric and swift action.
It’s amazing how sloppy they’ve been for years. My father was an attorney, and back a few decades ago when Experian was called TRW, they used to send people to courthouses to hoover up data on lawsuits. At some point they screwed up my father’s credit report by associating a business bankruptcy filing in federal court with him. He tried to get them to fix it by sending letters and calling them and they ignored him. He didn’t want to, but he ultimately sued them in federal court. He told me it would cost them so much simply to respond that he figured it would work. It did. They fixed it asap.
Should you be able to use a SS# and create a new account but with a different email address? I just did…..didn’t think this was possible. So one SS# can have more than one account?
That’s one detail that wasn’t clear from Experian’s response. But from my testing, it appears that the existing account just gets overwritten with the new settings when you sign up (or are signed up) a second time at Experian.
Do not trust any of the credit bureaus. I’ve worked for one of them & they are NOT secure or client centred. They couldn’t give two hoots about what happens to your data & do not for one second think that they care about you. They are all a bunch of absolute corrupt cowboys. There’s no such thing as SECURE DATA!
Correct me if I’m wrong(I usually am), they are client centered, but we the people are NOT their Clients.
This is so far outside of sensible security that it seems unbelievable in this day and age.
My company uses an Experian product, “One source”. I’m a field tech and when I’m not out in the field I’m helping the service desk. Someone needed an account made for One Source and I went to make it. I used a random password generator to get the user a password and when they tried to login, they got an error. “No biggie” I thought, I probably just need to clear cache. Issue persists. I look further into the error and for some reason it thinks XSS is going on, I look in further and the error shows what was put in the password field in plain text. I tested it with multiple other passwords and got a small write up going on it. It took Experian 2 months to get with me and tell me the issue had been found and fixed. It was a very specific problem too. Here’s the write up in case anyone is interested or wanted to better understand what I’m talking about. (No passwords stated in writeup are being used to my knowledge. Attempting to recreate the error may not work as I did say, Experian finally got with me after a couple months to tell me they fixed it. I confirmed myself.)
One source error “Server Error in ‘/_members/Home’ Application.”
Error popped up while I was assisting a user who was locked out of their one source account.
I changed their password to “<77YA<sa" and had them try again. The error showed up as shown in the image provided.
I cleared the users chrome cache twice, and the error persists. User is on site off vpn
Reading into the error, it looks like it is a "barrier" (for lack of a better term) to prevent Cross Site Scripting (XSS)
Exception details says "A potentially dangerous Request.Form value was detected from the client (OSAuthLoginPWD="<77YA<sa")."
Showing the password used, possibly because its trying to show the possible "code" being used
Showing the password could be determined as "Accepted Risk" with this error message, as it seems intentional
Putting in the characters provided below that prompt the error even when they are not your password, still prompts the error
Putting in the characters provided below that prompt the error will yeild the same result when put in the username field
Testing on my account here is a list of passwords I tried
<1fdsjg! – no error
<77YA<sa – error (showing it's not just a fluke but this password is bugged)
<55Gr<Ja – error (showing it maybe the format in how the password is created)
<55GrJa< – no error (showing that having those two symbols need to be in a specific place)
<55<GrJa – error (possibly showing the second < can't be at the end)
<55GrJ<a – error (confirming the suspicion of having the second < anywhere but the end of the password)
<55GrJ – error (showing more than 2 symbols did not make a difference)
– no error (Having corresponding brackets does not yeild suspicion to pop the error)
&55Gr$Ja> – no error (showing so far, this only happens with the ” – no error (confirming suspicion provided just above)
$55Gr$Ja> – No error (One more test run with another set of symbols yeild same results)
Further testing could be required to prompt this error in different ways, but the methods I have provided above
are what have been tried and which ones brought up the error, and which ones did not.
In conclusion, While my testing was partly to see how I could recreate the error in different ways and which ways worked
as well as confirming how to resolve it, I also thought it important to bring up to someone in Security the error, due to showing
the password used in plain text, no matter if it is a correct or incorrect password. While I’m sure “Risk acceptance” is a
contributing factor as to why it shows what was input in the password field in plain text, and is a preventative measure
for XSS, I also feel like there could be another way of showing this error, or preventing certain symbols from being used
in passwords within one source.
How to reproduce: Go to the OneSource login screen> input any of the text combinations that prompt the error in the password field>
The error should come up and you can see within the error, the password provided is being shown in plain text.
That error looks exactly like an old Microsoft aspx WebForms error. It thinks you’re trying to load HTML into a field that uses the default WebForms postback content validation. Microsoft declared it a “problem” because if it’s allowed and the value is then displayed on the page, then it could potentially be used as a method to inject malicious code into said web page. It has to do with use of the greater-than and less-than symbols. If you eliminate any special symbols that are used in HTML code, there will be no error.
this would be a good use of our Government stepping and regulating consumers data privacy but alas our Government has failed us….
Agreed. Businesses only invest in areas that will produce money or prevent from dramatic loss of money. Regulation is needed, but it needs to come with a massive stick. The fines cannot be the size of a rounding error the balance sheet.
Just checked all three credit bureaus and I noticed a change at Transunion. If you google “transunion” it takes you to https://www.transunion.com/ but to login to your member account you need to go to service.transunion.com. Trying to login at the home page produces errors saying your credentials are incorrect.
@J Alas, it’s not *our* government.
Curious as to what implications this might have with FCRA and CDIA needing to establish precedence for consumer securities. Maybe they should standardize requirements in the vain of METRO2 etc?
Once again KrebsOnSecurity.com validates my decision to create a Desktop file folder titled “Read Again Folder”. When signing up initially with KrepsOnSecurity.com I found I was reading articles that without question necessitated “reading again”. The articles are so informative and full of links and suggested actions one should take that you cannot read the article one time like all of my other Newsletter subscriptions. Brian Krebs has helped me understand many important things of which everyone needs to be aware. These articles I suspect have saved my bacon as I followed many of the suggestions over the years and likely I have been kept safer by doing so. I make donations every year to KrebsOnSecurity.com and feel they are well worth the investment so that Brian Krebs keeps on with his service to us.
Happened to me this morning.
Yup, after 6-7 identity thefts and scares, I froze and locked down my account. Recently checking with Experian it showed it “thawed” or it was available. I get so pissed off at these weasels, it’s my life and credit history they collect and sell and my best efforts fail because they do business as usual. Lawsuits always get their attention, and why people resort to it.
Really this type of business should be outlawed. They traffic in users’ private data – or rather, data that OUGHT to remain private, but thanks to the likes of Equifax and many other actors, have ended up publicly available.
I recently went on Experian to check my credit report, and found that although I had locked my account with all 3 bureaus after Equifax’ disastrous data breach. To my surprise, my credit file was unlocked again. No explanation given as to why, how, with whose authorization, or when the account was unlocked.
Bottom line: don’t ever trust these fuckers.
I would include any government in your “bottom line” especially the feds.
Just checked my Experian log-ins. When I go to https://experian.com, I log in with just a user name and password, nothing else required.
When logging in on https://experianidworks.com, after entering user name and password, I get asked for a code that is sent by text, phone call or email to what is on file (MFA).
The first is the free site and the second is the service offered by the Equifax settlement. Both can be used to view and lock/unlock my credit file. Experian definitely needs to do something to clear that up this discrepancy.
this is what i found, i am confused. i have the experian ID works. That login does generate an authentication code, either to the phone or to email.
SO, to clarify, experian has two methods of login, one that has less crappy security (ID-works), and one other method with MORE-CRAPPY security (regular login)? this is absurd, that experian has the ABILITY to require two factor authentication, but does not enforce this across all logins.
as others have noted, there should be a class action suit against al of these companies, to require them to NOT allow new account setups where data already exists in EXISTING accounts.
Experian was already on my naughty list due to a recent incident. A month or so back, I logged into their service to routinely verify my credit freeze is still in place (apparently it’s a good thing I do this!). Somehow, that action prompted Experian to add me to a marketing email recipient list somewhere. I became upset by this because their emails did not contain working opt-out links. Thankfully, I’m a California resident and have some amount of additional recourse through the CCPA.
I sent Experian a CCPA deletion request. A few weeks later, they sent me an email notifying me that my CCPA deletion request was “complete” on June 17. The status, which I checked on their website, says: “Experian does not have any of your data that is subject to deletion under the CCPA. Your request for deletion has been processed and is now closed. If you would like to make another request to opt-out please do so by selecting the “Make a new request” button on the right.”
So, Experian claimed to me that they did not have any data subject to deletion. Interesting!
Well, fast forward to JUST SIX DAYS LATER and Experian sent me yet another marketing email. Amazing! They followed that one up a week later with yet another marketing email with no opt-out (they claim these aren’t marketing emails and were related to my account, but they advertise credit reporting and monitoring services in them, so you can be the judge of that).
At this point, I was getting pretty upset. I decided to call Experian. Unfortunately, Experian have decided that the best way to deal with people calling their phone number is to put them in an infinite IVR loop. Giving accurate answers to their IVR questions, I was completely unable to speak to a human being. I tried to exit the IVR by pressing zero, mashing the phone key pad, and giving nonsense answers but they still would not forward me to an actual human to discuss their failure to properly comply with CCPA deletion requests. At that point, I decided to submit a complaint with the Attorney General’s office. As far as I’m concerned, Experian is actively hostile to consumers and should not be allowed to operate their business as they do.
I recently rec’d a notice from Experian Identity Works that my email & password data had surfaced associated with a data breach, and recommending that I change my password. I called to ask which account was compromised, and they would not tell me … I have many accounts that use my email account, and going through potentially 100+ websites to change every one is simply not feasible. Again, they notified me of a compromise, but wouldn’t go the next step to help me remedy the issue. Insane “empty gesture” business practice, especially given they are supposed to be protecting me with credit monitoring. Grrr.
It’s good practice to use the “emailname+uniquetoacct@emailprovider.com” format.
It allows for any number of unique email addresses for a single mailbox. This way, if you start receiving automated spam or a notice of a breach, you can track down which online service sold/lost your email address.
If you have your own domain, check out Google Domains as a registrar. They will give you a free 100 aliases with a registration. I randomly generate addresses for all financial accounts. SimpleLogin and AnonAddy are another couple of good options, but it will cost more.
Questionable advice, at best. Reconsider the suggestions you are making, perhaps. This practice is frequently flagged or raises your threat score depending on the risk model. Please advise, thank you
There are no additional risks to this method. If you don’t have proof that someone is flagging this fairly common practice or raising a ‘threat score’, then you should not bother throwing shade.
I’ve done this for years, and nobody has said this is bad.
“I’ve done this for years, and nobody has said this is bad.”
Who exactly would be telling you that if it were? If you think that plus sign email addresses don’t indicate risk, you have a simple mind. People have been abusing this trick to defraud companies offering sign-up bonuses, referrals, as well as subvert restrictions, blocks, bans, and a million other deliberate indiscretions. Using freshly created contacts, especially those from complimentary service providers, will also contribute to negatively impacting your risk level. Sorry if you are not familiar with the rudimentary procedures used for fraud prevention this side of the 20th century.
Anyone who thinks each user having a unique email address is a security control, is an idiot and needs to be fired.
An alias is the equivalent as just another free email address, which anyone can get
It’s easy for you to prove, just post a terms of service that prohibit email aliasing. Until then, you’re just talking nonsense.
What kind of fool would assume the process is prohibitive? Businesses are in no way obligated to disclose proprietary risk management controls. You do understand that would be antithetical, do you not? Feel free to die on your hill of stupidity, charlatan.
Haha, so you got caught with some BS speculation just so you can sound smart contradicting some pretty good advice. That’s what happens when someone calls you out and you need to put up proof.
https://aws.amazon.com/blogs/machine-learning/prevent-fake-account-sign-ups-in-real-time-with-ai-using-amazon-fraud-detector/
come again?
Is that egg on your face, or something else?
https://aws.amazon.com/blogs/machine-learning/prevent-fake-account-sign-ups-in-real-time-with-ai-using-amazon-fraud-detector/
https://kount.com/glossary/email-tumbling/
https://www.lexisnexis.com/legalnewsroom/financial-fraud-law/b/blog/posts/what-is-email-address-tumbling-and-why-is-it-financial-fraud
https://fraud.net/d/email-tumbling/
Haha. Your links just proved my point.
There’s no prohibition on email aliases. You should read your own links next time.
It’s not questionable. It is official supported by many email providers.
https://support.google.com/mail/answer/22370?hl=en#zippy=%2Cfilter-using-your-gmail-alias
If anyone is flagging this behavior, that’s good. That means when there is a data breach, they can’t hide the source of the breach.
Thank you for the additional information.
I read through your links and concur that some organizations / online services, would see this as “potential” fraud or abuse. Just like really long passwords, or passwords with special characters like quotes… Yes, it COULD be a sign of sql injection. This is the reason why some really secure online sites don’t allow long passwords and are strict about which characters are allowed.
My advice is still sound for most, or nearly all, situations we’re a consumer is not trying to create multiple user accounts, but rather label their singular account to distinguish the type of service.
For any fraud departments tracking or flagging this behavior, this is a good thing for the consumer. It may flag, but as long as the user isn’t creating multiple, it won’t violate the policy.
Even the AWS blog acknowledges that this is optional and for the purpose of tracking multiple accounts for the same user. AWS accounts themselves allow email aliases, so it’s pretty clear that although it can be used by fraudsters, it’s still perfectly fine for regular users.
So the only caveat to my advice would be, if they allow it, go ahead and use it. It’s still a benefit to the consumer to know where a breach might originate from.
After reading this article I tried to login to my Experian credit freeze account (just to check on it). Curiously, I cannot. It claims I don’t have one, even though I have screen-shots, going back a few years, where I thawed and re-froze my credit on multiple occasions. Attempting to re-create access to the account resulted in “Sorry we were unable to verify your identity” and encouraged me to call-in or mail proof. Calling was a waste. I found no option that fit and attempts to bypass to a Customer Service agent resulted in a frustrating loop to nowhere. I have no confidence mailing proof will do anything either. This is frustrating. Senators and House Reps need to be chasing Experian down on meaningful governance issues like this, rather than their other favorite dog-and-pony shows.
Equifax are no better. In 2017 they announced they had experienced a data breach. I joined a class action suit and since I already had credit monitoring services, I opted for the $125 cash payment, not expecting more than a few cents in reality. I’m still waiting for the “review” to complete, which will probably take until the end of this year. The lack of real accountability by these huge companies is appalling.
Same issues happened to be on June 1. I received an automated email stating “This email address is no longer monitored, but we’d like to help by providing you with answers to the questions we’re asked most.” which has some FAQ links. I was able to call in and verify my self, after which they provided me the email address it was moved to ( a variation of my first and last name @ gmail) to get control of the account back the customer service rep helped me to change the user ID and password then update the sec questions and so on.
I found it odd that even with “recommended” steps taken after previous ID theft attempt they were able to do this process with no validation needed from me in any from. Not even a -verify your email address change link ?
Previous steps include: full freeze at all 3 credit reporting agencies, alerts on all credit agencies and 7 year alert setup on FDIC, NCUA and FTC.
Thanks for sharing your experience here, Not J.
“7 year alert setup on FDIC, NCUA, and FTC” – would you care to share any links/references? I don’t see any reference to this capability on this site and googling gets me alphabet soup. I’ve had a freeze since Brian recommended it in 2015 and *surprise* I can’t get into Experian’s site today! Suddenly my email address doesn’t exist at Experian.
Would appreciate insight into your other countermeasures while I get that unsnarled. Thanks!
AL
It’s really ironic that today I got a suspicious email from Experian wanting me to click on a link. So I wanted to run it by Experian and see if it’s legit. But their website has no mention that I could find of where to send a spoofed email. I called them and asked and the person, of course, had no idea if Experian is sending out these emails or even if it was a legit email header. The fact we are forced to have our information on this site even though I don’t want it there is atrocious. And they don’t have two-factor identification? That’s insane. I thought the US Civil Service Retirement site was the last major site to get two factor identification after all these many years, and yet here I find Experian still doesn’t have it!
That’s why you file incorporation papers, so that you can screw the customer and personally legally get away with it. It’s almost like Experian is brazen about it, or negligent in a gross fashion that invites legal liability…
PS: Thanks to this article today I went to check on all 3 of my accounts at the 3 bureaus. Two of them were “not recognized”. Now I established them in about 2016 so apparently as I’d not logged in they had expired or something, so I re-established them. Crazy. You create an account and then later it’s not there anymore?
Given the info in this article, I tested it by creating an account for a family member who previously didn’t have one (or the family member lost track of the prior account?). The account asked for the person’s email and mobile phone numbers, but verified neither of them. I created the account on my computer and didn’t even have to ask my relative for their phone to get the verifications. Since I strongly suspect this person had lost track of an earlier account, this “bug” was useful to get this person’s account verified, strong password assigned, and properly entered into our family password vault.
The knowledge questions nearly threw me again. Just a few years ago, our state reissued all vehicle license plates with new numbers. But the KYC questions keep presenting the old plate numbers as if they are current. Since I don’t have any of those plates anymore, I don’t remember them very well. This time, I was able to recognize one of the old plate numbers and “get in.”
I am also frustrated with the number of emails being sent by Experian (and only Experian–the other two aren’t sending me anything). I looked at the communication preferences, and I am only getting “Credit Alerts.” What kind of credit alerts do I get multiple times a month? Well, every time I pay my mortgage or the revolving balance on my credit card, I get a “credit alert email.” There is no setting to turn these off. Sigh…