In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.
I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.
A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).
I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.
The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”
Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.
Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.
At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.
And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!
In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
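The two behaviours contrasted above, modelled as an added example that is not code from Experian or any bureau: `weak_register` lets a second sign-up with the same SSN and date of birth silently replace the contact details and credentials on the existing account and only notifies the old address afterward, while `safe_register` parks the change and requires a one-time code delivered to the e-mail already on file. All names, field layouts and sample values are assumed.

```python
"""Added example (not Experian's code): weak vs. hardened handling of a
sign-up whose identity data (SSN + DOB) matches an existing account."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password_hash: str
    pin: str
    pending: dict = field(default_factory=dict)  # {"code": ..., "profile": {...}}


def _h(value: str) -> str:
    # Illustrative only: a real system would use a salted password hash.
    return hashlib.sha256(value.encode()).hexdigest()


def _identity_key(ssn: str, dob: str) -> str:
    # Accounts are keyed on SSN + date of birth, as in the flow the article
    # describes; the raw SSN is never kept as the key.
    return _h(f"{ssn}|{dob}")


class Bureau:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, message) sent

    def weak_register(self, ssn, dob, email, password, pin) -> str:
        """Vulnerable flow: re-registration overwrites the existing account."""
        key = _identity_key(ssn, dob)
        old = self.accounts.get(key)
        self.accounts[key] = Account(email, _h(password), pin)
        if old is not None:
            # Notification only: the previous owner cannot veto the change.
            self.outbox.append((old.email, "Your profile has changed. Log in to review."))
        return "created"

    def safe_register(self, ssn, dob, email, password, pin) -> str:
        """Hardened flow: an existing identity must confirm via the contact on file."""
        key = _identity_key(ssn, dob)
        old = self.accounts.get(key)
        if old is None:
            self.accounts[key] = Account(email, _h(password), pin)
            return "created"
        code = secrets.token_hex(4)  # one-time code, sent only to the OLD e-mail
        old.pending = {"code": code,
                       "profile": {"email": email, "password_hash": _h(password), "pin": pin}}
        self.outbox.append((old.email, f"Confirm profile change with code {code}"))
        return "verification_required"  # live account is untouched so far

    def confirm(self, ssn, dob, code) -> bool:
        """Apply the parked change only if the code from the on-file e-mail matches."""
        acct = self.accounts.get(_identity_key(ssn, dob))
        if acct is None or not acct.pending:
            return False
        if not hmac.compare_digest(acct.pending["code"], code):
            return False
        prof = acct.pending["profile"]
        acct.email, acct.password_hash, acct.pin = prof["email"], prof["password_hash"], prof["pin"]
        acct.pending = {}
        return True

    def login(self, ssn, dob, email, password) -> bool:
        acct = self.accounts.get(_identity_key(ssn, dob))
        return bool(acct and acct.email == email
                    and hmac.compare_digest(acct.password_hash, _h(password)))
```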
Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.
“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”
Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?
Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”
“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”
The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.
“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”
I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.
It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.
In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.
In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
More greatest hits from Experian:
2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service
I wish someone would sue them into oblivion.
If they can’t be bothered to lift a finger to secure their system, they certainly should not exist.
Or we should be able to opt out of having our information with them, AT THE VERY LEAST.
As do I
I agree with you 100%. But right now there are no statutory damages [in the US]. That means you have to prove actual damages, and pay your own attorney fees. The second will eliminate most lawsuits from even starting. The first is difficult. OK, so you had a credit card applied for in your name after your Experian account was taken over and your freeze was un-thawed. Experian lawyers will point to any number of breaches where your info was stolen and say it came from that instead of them, and, as much as it pains me to say it, they would have a point.
Unless police can capture the thieves and you can ask them questions in court, good luck proving anything. And even if they do catch someone using the credit card applied for with your information (again, good luck), they probably bought it off someone else, so they don’t know how the info was obtained.
Establishing evidence of this crime should be no different than an official sting operation of, say, illegal sale to a minor using a false ID. They are providing a controlled service with blatant negligence. If this same authentication gap occurred with an online vendor, directly costing them $$ instead of PII, the service would have been shut down immediately.
I am a strong believer in using answers to security questions that have nothing to do with the question itself. Of course, if you use that, you probably need to keep track of them.
For example,
“What was your first pet?” Answer: “Werewolves of London”
“Where were you born?” Answer: “Hollow Chocolate Bunnies of the Apocalypse”
“Who was your first teacher?” Answer: “Fried chicken and mashed potatoes”
“What was your mother’s maiden name?” Answer: “Montreal, Canada”
Don’t make it easy for someone wanting to take over your account.
But what if Experian doesn’t bother restricting the response to those, and simply uses whatever matches?
While it’s a good thought, KBA questions are based on truth (ex: where you live, mortgage company, etc.) so the fake answers to questions would not work in this circumstance.
For the identity authentication part, that’s true, but this will work for the security questions they ask you to register when you sign up.
That would stop someone from trying to sign in to your account, but as the article stated they don’t need to do that, and can just create a whole new account and steal yours by doing so.
I use random character strings that I save in a file. I often get some amused comments or chuckles when I call customer service and read them the answer.
I’ve used some NSFW responses. Most amusing was one that I did not realize would be used for validation by the CSR on a live support call. It was true that my favorite hobby is fornication. Thank goodness the CSR had a sense of humor. In fact I don’t think I had to give him the actual entry, the shared amusement and commentary was sufficient validation! 🙂 Was a good reminder to keep things indecent but legal!
Another account creation generated an email to the CISO of the USPS when their website registration process refused to allow my chosen password because it was obscene. How could they tell without access to cleartext of the password, which is a security breach? And because the password should be known to no one other than me who cares if it’s obscene?
Of course, in this case, you’re not offered that option. Experian determines the questions it asks to “confirm” your identity… because they’re setting up a new account each time.
In this case the questions they ask are not ones you created yourself but ones they’ve generated based on the information they have on file about you. Things like previous employers/addresses etc. Almost always multiple choice too lol.
That sounds kind of like the password scheme used for a short time at a company prior to when I began working there in 1980. Instead of actual passwords, they used information from your payroll files to log you in and would ask a different question each time. Sometimes the answer was something easy like your address. Sometimes it was not so easy like how much was withheld for your employee insurance in 1978. You pretty much had to have a copy of your payroll records in front of you to log in. From what I was told back then, it didn’t take them long to switch back to passwords.
I have been doing this for years. I also do not use password wallets, those are also vulnerable to hacking. I have my own system that has protected me for years. And I never, ever re-use emails or portions thereof.
I am not using my personal or corporate email, only my gmail.
What is your system, Diana? Would you prefer not to share it?
The problem is you don’t get to pick the kb questions or answers. They are based on your information eg addresses you have lived at for the past 5 years.
This is true
I agree! I always use nonsense answers to security questions and write them down.
I agree Billy Jack. I do that also: create nonsensical answers to security questions and write them down.
I have done that for years now.
Good taste in books 🙂
I agree. Never answer the questions with real information. Not only security questions but 99% of all websites that require information: I never put in valid birthdates and addresses, unless of course they are mailing something to me. 🙂
I can only think that Experian is trying to run two businesses. First, the so-called credit rating scam where they create a score for your benefit and then charge you money to lower it. Is that not extortion? Hey buddy, I’ll protect you if you pay me $10/month? The second is working to sell your data to the criminal elements.
I work with pharmacists and they have to log into a website to order and approve drug orders. If they forget their password they can make their own question and answer. I tell them they can have the question “Why is the sky blue?” as they can have any answer they want, but almost all of them default to any number of the default questions and (truthful) answers that Billy Jack listed.
On the other hand, I had a client who liked playing games on Steam and he would put random answers to the security questions, but he never kept track of them so he always had to reset his whole account. He did that several times and I haven’t seen him in a while now.
I am a Privacy, Cybersecurity and Data attorney, who has worked since 2008 with medium and very large corporations to help them set up their privacy guidelines, policies, and compliance systems. In those days, it was only about security in the US, but the focus started changing in 2016. It is so frustrating we are forced to use government entities we have no control over, but apparently the government (of both political parties) also does not care about trying to control entities that harm consumers. They should have shut down Experian after the 2015 fiasco.
I am NOT providing my personal email for security concerns, only my gmail address. Sad world we live in.
I’m a U.S. citizen living in the EU and will probably have dual-citizenship in the next couple years. Could an EU citizen leverage GDPR to get Experian fined so that they start paying attention to these problems?
This is terrifying because I and many others have numerous Experian accounts courtesy of major corporations who were hacked. If you are “gifted” Experian credit monitoring you cannot add that service to an existing account but have to create a new one and thus they multiply.
I just sent Brian’s article to my senator. Maybe we all should do that. I understand it might be in vain considering our Congress is essentially non-functional.
Why not both? I will do the same.
I had two Experian accounts set up specifically to add a “Freeze” when that became free back in 2018. Tried to log into both today, neither worked. The Forgot password process indicated no match for my phone number(s) on either account.
Never fear, using Brian’s on-going discovery I was able to quickly create new accounts for both, answer via KBA questions (only 1 of the 10 total applied to us at all) and I’m all set again. AND both accounts show my freezes are still in place, as Brian saw.
What a cluster-f.
What is especially troublesome is recent letters received from our credit union about the MOVEit Breach and the compromise of our account information. As a result of this disclosure, we were offered a complimentary one-year membership in Experian IdentityWorks Credit 3B. If anyone can assume my identity at Experian due to this grievous security hole, what value is that protection?
If you know enough about someone, it’s pretty easy to gain access to their credit report, including opening up a trade line of credit. There is just not enough security protection on credit report access in my opinion.
My fiancé has been going through the same issue for the past 6 months. His identity was stolen and he’s been having other issues as well (i.e. emails, bank and social media accounts being taken).
I appreciate that many responders to this article understand that random answers to questions are a better option than providing the actual answer when setting up the authentication of an account.
But I am dismayed that they do not understand Experian does not use that style of authentication, instead they use KBA which stands for Knowledge Based Authentication. Their variation uses information from their files. Which means you do not chose the answers, they do. So you must provide the correct answers according to their files.
Another issue is their file sometimes, maybe many times, contains erroneous information. (Their file on me did.) If too many of the questions presented for authentication are based upon erroneous information, you may not be able to authenticate. (This happened to me.) To further complicate matters, Experian has/had been a provider of KBA as a service, so the reach of the problem extends beyond Experian. (This also happened to me.)
I agree that something has to be done. Data brokers, and Experian specifically, run wild and loose with information about all of us. They have all sorts of problems (for us, not them) with securing this information. Sending this article to your representatives in congress is a good idea. Also, inform your friends, family, and others so they can also express outrage in the situation. Advise them to direct the outrage toward their representatives, in hopes it will effect a good change.
So what’s going to happen?
People will just pollute Experian’s DB with lots of junk. Change lots of email addresses as a denial of service variation.
When that’s done, credit reports are useless.
Current status 11/11/23 of trying to get an Experian credit report via annualcreditreport.com:
We’re sorry
A condition exists that prevents Experian from being able to accept your request at this time.
To obtain your Experian annual credit report, please mail your request to the address below using the Annual Credit Report Request form.
Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281
I went through it as well where a girl in California used her own email and home address but changed my logon info with Experian. So, now I added the 2 step verification and will be changing my password again. Also, had an issue with Capital1 and recently JP Morgan. What gets me is how they try to approve credit with no proof of identity.
Based on this article, I assume Experian only offers SMS-based MFA…so backwards.
We as customers, when banks such as Citibank never comment even though one has substantive proof they HAVE been hacked (like in May this year), have no chance. Not knowing whether one’s pension will be safe ever again or even delivered.
Brian,
I have just tried to post a relevant comment which has not been included in your Comments Section
Rob
Sounds like the trouble I’ve had with Gmail’s webmail lack-of-service. First it pestered me with wanting me to go to two-factor authentication using a phone number. Which I declined, because I’ve changed phone number at irregular intervals in my life, and I don’t see the need to get stuck to any one phone number if the landlord or the phone company decide they want to make my life difficult.
Then it flat out refused to acknowledge my long and non-regular password, and demanded I do something else – question, or alternative email or whatever. I’ve given up using the webmail until they learn some manners.
Sites like Experian are the reason that, where possible, it’s best to leave a fake date of birth for an online service. I like to choose something distinctive, such as the first of January 1901 or January 1st 1970 (Unix zero time).
I assume from this article they only have SMS-based 2FA. How backward.
Has anyone filed a complaint at the CFPB?
https://www.consumerfinance.gov/complaint/
Yes, just now. Trouble is Experian will claim a person has no trouble getting their report because they could just make a new account. Round and round she goes…
You’re complaining that it’s possible for people to “become you” by learning your personal information when performing identity theft, but to steal your house all you need is to take a fake ID to a notary to transfer ownership of the house to someone else.
Really, the only way around this is requiring a real person to provide biometric information to another real person, in a way that can’t be faked (such as checking for contact lenses when you sign up for Worldcoin), but given that the average person is not interested in sacrificing their “privacy” for security, that seems like a pipedream.
What government agency regulates these businesses?
Is there law currently in effect that’s not being administered correctly?
Isn’t there a government agency that can force Experian to implement better security?
If not, then someone in Congress should kick off a law to give this power to an existing agency.
Isn’t this a national security exposure? Couldn’t a terrorist or foreign national use this hole to assume another identity, allowing them entry into the country?
These systems are really frustrating to deal with, add the fact that all three credit bureaus offer a paid subscription to “lock” your file which they market heavy saying it is better than just a freeze, yet they have vulnerabilities like these. Smh.
Update in the Kivimäki case, please write about it.
I assume that Experian has someone who calls themselves CSO. Whomever they are, I would never hire them.
But as a non-American, I am surprised these types of companies are not better regulated and required to adhere to modern security practices.
Dozens of people over the years have used my gmail address (which I do not use for any legit email) to sign up for various bogus accounts. So there are a lot of different addresses, phone numbers, and unknown-to-me passwords floating around associated with my gmail address. Every once in a while a site comes up that lets me recover a lost password via email address only, and I amuse myself by locking the account with a new password.
When I first landed on Krebs’ website, I saw the headline and immediately closed the browser. I opened another browser and searched Experian and clicked on the link. I clicked on Sign In and a login box never appeared. After a couple of more tries I looked at the URL and after …login/index? \XXXX… and about 20 more X’s. Months ago I learned to go to the end of a URL like that and delete everything up to and including the question mark. I signed in and changed my password with another that is again 20-30 characters long courtesy of my password manager.
This article reminded me to change passwords more than 6 months/year.
Thanks for the article Brian! I’ve been following you for many years!
The majority of the CISOs/CSOs in the US are blatantly incompetent. Only companies like Google, Amazon, Microsoft have competent ones who understand Security Engineering plus the needed basics and not some useless certifications.
When there is a lot of software development outsourced to so-called cheap labor countries over more than 2 decades, you are left with someone with a Music degree, passed CISSP, with some good connections becomes a CISO! You think you can compete with China with such incompetence? They will laugh at you.