DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

May 14, 2021

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read. Continue reading

Microsoft Patch Tuesday, May 2021 Edition

May 11, 2021

Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft’s Internet Explorer (IE) web browser.

While May brings about half the normal volume of updates from Microsoft, there are some notable weaknesses that deserve prompt attention, particularly from enterprises. By all accounts, the most pressing priority this month is CVE-2021-31166, a Windows 10 and Windows Server flaw which allows an unauthenticated attacker to remotely execute malicious code at the operating system level. With this weakness, an attacker could compromise a host simply by sending it a specially-crafted packet of data.

“That makes this bug wormable, with even Microsoft calling that out in their write-up,” said Dustin Childs, with Trend Micro’s ZDI program. “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.”

Kevin Breen from Immersive Labs said the fact that this one is just 0.2 points away from a perfect 10 CVSS score should be enough to identify just how important it is to patch.

“For ransomware operators, this kind of vulnerability is a prime target for exploitation,” Breen said. “Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch.”

Breen also called attention to CVE-2021-26419 — a vulnerability in Internet Explorer 11 — to make the case for why IE needs to stand for “Internet Exploder.” To trigger this vulnerability, a user would have to visit a site that is controlled by the attacker, although Microsoft also recognizes that it could be triggered by embedding ActiveX controls in Office Documents.

“IE needs to die – and I’m not the only one that thinks so,” Breen said. “If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.” Continue reading

Advertisement

A Closer Look at the DarkSide Ransomware Gang

May 11, 2021

The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here’s a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue.

Colonial Pipeline has shut down 5,500 miles of fuel pipe in response to a ransomware incident. Image: colpipe.com

New York City-based cyber intelligence firm Flashpoint said its analysts assess with a moderate-strong degree of confidence that the attack was not intended to damage national infrastructure and was simply associated with a target which had the finances to support a large payment.

“This would be consistent with DarkSide’s earlier activities, which included several ‘big game hunting’ attacks, whereby attackers target an organization that likely possesses the financial means to pay the ransom demanded by the attackers,” Flashpoint observed.

In response to public attention to the Colonial Pipeline attack, the DarkSide group sought to play down fears about widespread infrastructure attacks going forward.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

Like other ransomware platforms, DarkSide adheres to the current badguy best practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.

At its launch, DarkSide sought to woo affiliates from competing ransomware programs by advertising a victim data leak site that gets “stable visits and media coverage,” as well as the ability to publish victim data by stages. Under the “Why choose us?” heading of the ransomware program thread, the admin answers:

An advertisement for the DarkSide ransomware group.

“High trust level of our targets. They pay us and know that they’re going to receive decryption tools. They also know that we download data. A lot of data. That’s why the percent of our victims who pay the ransom is so high and it takes so little time to negotiate.”

In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.

In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.

DarkSide also has advertised a willingness to sell information about upcoming victims before their stolen information is published on the DarkSide victim shaming blog, so that enterprising investment scammers can short the company’s stock in advance of the news.

“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges,” DarkSide explains. “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

DarkSide also started recruiting new affiliates again last month — mainly seeking network penetration testers who can help turn a single compromised computer into a full-on data breach and ransomware incident.

Portions of a DarkSide recruitment message, translated from Russian. Image: Intel 471.

“We have grown significantly in terms of the client base and in comparison to other projects (judging by the analysis of publicly available information), so we are ready to grow our team and a number of our affiliates in two fields,” DarkSide explained. The advertisement continued:

“Network penetration testing. We’re looking for one person or a team. We’ll adapt you to the work environment and provide work. High profit cuts, ability to target networks that you can’t handle on your own. New experience and stable income. When you use our product and the ransom is paid, we guarantee fair distribution of the funds. A panel for monitoring results for your target. We only accept networks where you intend to run our payload.”

DarkSide has shown itself to be fairly ruthless with victim companies that have deep pockets, but they can be reasoned with. Cybersecurity intelligence firm Intel 471 observed a negotiation between the DarkSide crew and a $15 billion U.S. victim company that was hit with a $30 million ransom demand in January 2021, and in this incident the victim’s efforts at negotiating a lower payment ultimately reduce the ransom demand by almost two-thirds.

The DarkSide ransomware note.

The first exchange between DarkSide and the victim involved the usual back-and-forth establishing of trust, wherein the victim asks for assurances that stolen data will be deleted after payment.

Image: Intel 471.

When the victim counter-offered to pay just $2.25 million, DarkSide responded with a lengthy, derisive reply, ultimately agreeing to lower the ransom demand to $28.7 million.

“The timer it [sic] ticking and in in next 8 hours your price tag will go up to $60 million,” the crooks replied. “So, you this are your options first take our generous offer and pay to us $28,750 million US or invest some monies in quantum computing to expedite a decryption process.” Continue reading

Fintech Startup Offers $500 for Payroll Passwords

May 10, 2021

How much is your payroll data worth? Probably a lot more than you think. One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work.

This ad, from workplaceunited[.]com, promised up to $500 for people who provided their payroll passwords, plus $25 a month for each month those credentials kept working.

New York-based Argyle.com says it’s building a platform where people who work multiple jobs and/or side hustles can improve their credit and employment options by pooling all of their gig work data in one place.

“Consumers’ access to financial security and upward mobility is dependent on their access to and control over their own employment records and how easily they can share those records with financial institutions,” Argyle explained in a May 3 blog post. “We enable access to a dataset that, for too long, has gone unstandardized, unregulated, and controlled by corporations instead of consumers, contributing to system-wide inequalities.”

Argyle’s app flow. Image: Argyle.com.

In that sense, Argyle is making a play for a discrete chunk of a much larger employment data market dominated by the major credit bureaus, which have been hoovering up and selling access to employment data for years.

The 800-lb. gorilla there is Equifax, whose The Work Number product has for years purchased employment data flows from some of the world’s largest companies (employees consent to this sharing as part of their employment contract, and The Work Number makes it fairly easy for anyone to learn how much you earn).

The Work Number is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. It also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

On its blog, Argyle imagines a world in which companies choose to integrate its application platform interface (API) and share their employee payroll data. At the same time, the company appears to be part of an effort in which non-salaried workers are prompted to repay their erstwhile employers’ trust by selling payroll credentials.

If Argyle is worried these two goals might somehow conflict, that is not obvious by looking at some of its direct-to-consumer efforts.

The website pictured below prompts visitors to “connect payroll,” and those who proceed agree to have their payroll data shared with a company called Earnin, a mobile payday loan app that lets users get an advance on their upcoming paycheck.

Clicking “Connect Payroll” brings up a list of payroll login pages for brand name companies, including Walmart, Starbucks, Amazon, Uber, Chipotle, etc., with a search feature that reveals login pages for everyone from the Federal Bureau of Investigation (FBI) to the Federal Reserve and Federal Trade Commission (FTC).

The default Argyle list of payroll login pages for major companies.

Here’s what comes up when you search by “Department of” at this site:

Drilling down into individual companies listed here produces a username and password form that in some cases is modified to request an employee identifier other than a username, such as a employee ID, associate or partner number instead. Here’s the login page for Starbucks employees:

The site pictured above actively checks if any submitted credentials are working, by submitting them directly to the employer in question. This Argyle status page indicates the system’s “data connection status” to countless employers.

Some of you may be thinking, “How many of us actually know or have our payroll passwords?” According to Argyle, plenty of people do.

“At Argyle, we are intimately familiar with how likely someone is to know the password for their employment account or payroll system, because we’ve seen hundreds of thousands of users successfully (and unsuccessfully) provide their credentials,” Argyle’s Billy Mardsen wrote on Apr. 1. “We closely monitor their success rate—what we call conversion—because it drives the performance of the products and applications that our clients build on top of Argyle.”

Argyle’s “conversion” numbers by employer. Image: Argyle.com

Continue reading

Investment Scammer John Davies Reinvents Himself?

May 7, 2021

John Bernard, a pseudonym used by a convicted thief and con artist named John Clifton Davies who’s fleeced dozens of technology startups out of an estimated $30 million, appears to have reinvented himself again after being exposed in a recent investigative series published here. Sources tell KrebsOnSecurity that Davies/Bernard is now posing as John Cavendish and head of a new “private office” called Hempton Business Management LLP.

John Davies is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India.

Davies’ fraud convictions stemmed from a series of U.K. companies he set up supposedly to help troubled companies reorganize their debt and turn things around. Davies ended up looting what little money his clients had left and spending it on lavish cars, home furnishings, vacations and luxury watches.

In a three-part series published last year, KrebsOnSecurity exposed how Davies — wanted by authorities in the U.K. — had fled the country, taken on the surname Bernard, remarried, and moved to his new (and fourth) wife’s hometown in Ukraine.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

After eluding justice in the U.K., Davies reinvented himself as The Private Office of John Bernard, pretending to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking private equity investment opportunities.

In case after case, Bernard would promise to invest millions in hi-tech startups, only to insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

Bernard found a constant stream of new marks by offering extraordinarily generous finders fees to investment brokers who could introduce him to companies seeking an infusion of cash. Inside Knowledge and The Private Office both closed up shop not long after their exploits were detailed here late last year.

But it appears Davies has just assumed a new name. KrebsOnSecurity recently heard from an investment broker who previously represented multiple clients that got fleeced by Mr. Bernard/Davies over the years. That broker said he was blown away to hear Davies’ unique British accent on a recent call with a client that had been in investment talks with a Northern Ireland firm called Hempton Business Management.

This time, the source said, Davies was introduced by handlers on the call as John Cavendish.

“I just sat in on a call and John’s voice is unmistakable,” said the broker, who asked to remain anonymous. “He stumbled on the beginning of the call trying to remember which last name he was supposed to use. Immediately they go back to the standard script about the types of deals they are looking for. They want to be minority investors in private transactions and they are industry agnostic.  Their deal sizes are investments in the $5-20 million range, they prefer to not use big 4 firms for due diligence, and they have some smaller firms they use which are better suited for smaller investment deals.”

The source forwarded me some correspondence from Hempton Business Management, and I noticed it was sent from a Mariya Kulykova. This is interesting because Mr. Bernard’s personal assistant in Ukraine was a Mariya Kulikova (Ms. Kulikova deleted Bernard’s former companies from her LinkedIn profile shortly after last year’s series).

The company’s website says Hempton has been around since 2017, but the domain name was only registered in late November 2020. There is no information about who runs or owns the company on its site.

Hemptonllp[.]com was registered via Gandi, the same French registrar John Bernard/Davies has used over the years with his dozens of phantom companies.

Hempton Business Management’s only presence on LinkedIn appears to be a help wanted ad from a few weeks ago, for a marketing position at an office in Kyiv, Ukraine.

In response to an emailed request for comment on the apparent connections, Mr. Cavendish forwarded the message to a James Donohoe, who replied that he was the owner of Hempton. Donohoe said the domain was new because the company recently re-branded, although he declined to discuss the matter further.

“This sounds like an accusation of a big fraud?,” Donohoe wrote. “I have never had any dealings with a John Clifton Davies or John Bernard. You really are a cheeky little bugger aren’t you!”

Mr. Donohoe did not respond to further requests for comment. Continue reading

Malicious Office 365 Apps Are the Ultimate Insiders

May 5, 2021

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.

These attacks begin with an emailed link that when clicked loads not a phishing site but the user’s actual Office 365 login page — whether that be at microsoft.com or their employer’s domain. After logging in, the user might see a prompt that looks something like this:

These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. Also, the apps will persist in a user’s Office 365 account indefinitely until removed, and will survive even after an account password reset.

This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website].

Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, said 55 percent of the company’s customers have faced these malicious app attacks at one point or another.

“Of those who got attacked, about 22 percent — or one in five — were successfully compromised,” Kalember said.

Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member.

That approval process is cumbersome for attackers, so they’ve devised a simple work around. “Now, they’re compromising accounts in credible tenants first,” Proofpoint explains. “Then, they’re creating, hosting and spreading cloud malware from within.” Continue reading

The Wages of Password Re-use: Your Money or Your Life

May 4, 2021

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom.

Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses.

The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.

And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it is often possible to work backwards from some of the more unique passwords for each account and see where else that password was used. Continue reading

Task Force Seeks to Disrupt Ransomware Payments

April 29, 2021

Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.

In a 81-page report delivered to the Biden administration this week, top executives from Amazon, Cisco, FireEye, McAfee, Microsoft and dozens of other firms joined the U.S. Department of Justice (DOJ), Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network of ransomware investigation hubs.

The Ransomware Task Force urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.

The Wall Street Journal recently broke the news that the DOJ was forming its own task force to deal with the “root causes” of ransomware. An internal DOJ memo reportedly “calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.”

According to security firm Emsisoft, almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.

“The costs of ransomware go far beyond the ransom payments themselves,” the task force report observes. “Cybercrime is typically seen as a white-collar crime, but while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives.”

A proposed framework for a public-private operational ransomware campaign. Image: IST.

It is difficult to gauge the true cost and size of the ransomware problem because many victims never come forward to report the crimes. As such, a number of the task force’s recommendations focus on ways to encourage more victims to report the crimes to their national authorities, such as requiring victims and incident response firms who pay a ransomware demand to report the matter to law enforcement and possibly regulators at the U.S. Treasury Department.

Last year, Treasury issued a controversial memo warning that ransomware victims who end up sending digital payments to people already being sanctioned by the U.S. government for money laundering and other illegal activities could result in hefty fines.

Philip Reiner, CEO of the Institute for Security and Technology and executive director of the industry task force, said the reporting recommendations are one of several areas where federal agencies will likely need to dedicate more employees. For example, he said, expecting victims to clear ransomware payments with the Treasury Department first assumes the agency has the staff to respond in any kind of timeframe that might be useful for a victim undergoing a ransomware attack.

“That’s why we were so dead set in putting forward comprehensive framework,” Reiner said. “That way, Department of Homeland Security can do what they need to do, the State Department, Treasury gets involved, and it all needs to be synchronized for going after the bad guys with the same alacrity.” Continue reading

Experian API Exposed Credit Scores of Most Americans

April 28, 2021

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”

Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

Demirkapi’s Experian credit score lookup tool.

KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.

“Too many consumer finance company accounts,” the API concluded about my friend’s score.

The reason I could not test Demirkapi’s findings on my own credit score is that we have a security freeze on our files at the three major consumer credit reporting bureaus, and a freeze blocks this particular API from pulling the information. Continue reading

Experian’s Credit Freeze Security is Still a Joke

April 26, 2021

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States.  Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.

But the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company.

Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file.

Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.

KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. The answer to the second question also was none of the above.

The next two questions were useless for authentication purposes because they’d already been asked and answered; one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).

The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.

Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes.

Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.

Thomas said he’s furious that Experian only provides added account security for consumers who pay for monthly plans.

“Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”

Experian has not yet responded to requests for comment.

When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked.

“When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. “You won’t see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file.”

Experian says my security is low because while I have a freeze in place, I haven’t bought into their questionable “lock service.”

Sounds scary, right? The thing is — except for the part about not seeing alerts — none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand. Continue reading