https://krebsonsecurity.com/2021/04/experians-credit-freeze-security-is-still-a-joke/

Experian's Credit Freeze Security is Still a Joke

April 26, 2021 (7 Comments)

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer's request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian's website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

[Image: experianunfreeze] Experian's page for retrieving someone's credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.

But the crooks were persistent: Earlier this month, someone unfroze Thomas' account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he'd taken advantage of a free credit monitoring service offered by his credit card company.

Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the "request your PIN" feature on Experian's site to obtain his PIN and then unfreeze his file.
Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.

KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn't), and the answer was none of the above. The answer to the second question also was none of the above. The next two questions were useless for authentication purposes because they'd already been asked and answered; one was "which of the following is the last four digits of your SSN," and the other was "I was born within a year or on the year of the date below." Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).

The best part about this lax authentication process is that one can enter any email address to retrieve the PIN -- it doesn't need to be tied to an existing account at Equifax. Also, when the PIN is retrieved, Experian doesn't bother notifying any other email addresses already on file for that consumer.

Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes. Unless, that is, you subscribe to Experian's heavily-marketed and confusingly-worded "CreditLock" service, which charges between $14.99 and $24.99 a month for the ability to "lock and unlock your file easily and quickly, without delaying the application process." CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.
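The PIN-retrieval flow described above, modelled as an added example (this is not Experian's code; the consumer record, PIN and email addresses are constructed): a weak handler that mails the PIN to whatever address is typed in and tells nobody, beside a hardened one that discards questions whose answers the requester has just supplied, releases the PIN only to an address already on file, and notifies every address on file whether or not the attempt succeeds.

```python
from dataclasses import dataclass, field


@dataclass
class Consumer:
    """Constructed sample of what a bureau holds for one consumer."""
    ssn_last4: str
    birth_year: int
    emails_on_file: list
    freeze_pin: str
    bureau_only_facts: dict = field(default_factory=dict)


def useful_kba_questions(consumer, supplied):
    """Keep only questions the requester has not already answered by supplying
    identifiers up front; the article found two of five Experian questions
    re-asked the last four SSN digits and the birth year."""
    known = {"ssn_last4": consumer.ssn_last4, "birth_year": consumer.birth_year}
    known.update(consumer.bureau_only_facts)
    return {k: v for k, v in known.items() if k not in supplied}


def answers_match(consumer, supplied, answers):
    questions = useful_kba_questions(consumer, supplied)
    return bool(questions) and all(answers.get(k) == v for k, v in questions.items())


def recover_pin_weak(consumer, supplied, answers, deliver_to):
    """Flow as the article describes it: the PIN goes to any address the
    requester names, and no address on file is told."""
    if not answers_match(consumer, supplied, answers):
        return []
    return [("pin", deliver_to, consumer.freeze_pin)]


def recover_pin_hardened(consumer, supplied, answers, deliver_to):
    """Hardened flow: every address on file is notified of the attempt, and
    the PIN is released only to an address that was already on file."""
    outbound = [("notice", e, "freeze PIN retrieval attempted")
                for e in consumer.emails_on_file]
    if answers_match(consumer, supplied, answers) and deliver_to in consumer.emails_on_file:
        outbound.append(("pin", deliver_to, consumer.freeze_pin))
    return outbound


# Constructed sample data: one consumer, the identifiers a requester enters,
# and a full set of correct answers.
SAMPLE = Consumer("1234", 1980, ["owner@example.com"], "987654",
                  {"checking_last4": "5566"})
SUPPLIED = {"ssn_last4": "1234", "birth_year": 1980}
ANSWERS = {"ssn_last4": "1234", "birth_year": 1980, "checking_last4": "5566"}
```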
Thomas said he's furious that Experian only provides added account security for consumers who pay for monthly plans.

"Experian had the ability to give people way better protection through added authentication of some kind, but instead they don't because they can charge $25 a month for it," Thomas said. "They're allowing this huge security gap so they can make a profit. And this has been going on for at least four years."

Experian has not yet responded to requests for comment.

When a consumer with a freeze logs in to Experian's site, they are immediately directed to a message for one of Experian's paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current "protection level" was "low" because my credit file was unlocked.

"When your file is unlocked, you're more vulnerable to identity theft and fraud," Experian warns, untruthfully. "You won't see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file."

[Image: experianprotection] Experian says my security is low because while I have a freeze in place, I haven't bought into their questionable "lock service."

Sounds scary, right? The thing is -- except for the part about not seeing alerts -- none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). It is now free to freeze your credit in all U.S. states and territories.
Experian, like the other consumer credit bureaus, uses their intentionally confusing "lock" terminology to frighten consumers into paying for monthly subscription services. A key selling point for these lock services is they can be a faster way to let creditors peek at your file when you wish to apply for new credit.

That may or may not be true in practice, but consider why it's so important for Experian to get consumers to sign up for their lock programs. The real reason is that Experian makes money every time someone makes a credit inquiry in your name, and it does not want to do anything to hinder those inquiries. Signing up for a lock service lets Experian continue selling credit report information to a variety of third parties.

According to Experian's FAQ, when locked your Experian credit file remains accessible to a host of companies, including:

- Potential employers or insurance companies
- Collection agencies acting on behalf of companies you may owe
- Companies providing pre-screened credit card offers
- Companies that have an existing credit relationship with you (this is true for frozen files also)
- Personalized offers from Experian, if you choose to receive them

It is annoying that Experian can get away with offering additional account security only to people who pay the company a hefty sum each month to sell their information. It's also amazing that this sloppy security I wrote about back in 2017 is still just as prevalent in 2021.

But Experian is hardly alone. In 2019, I wrote about how Equifax's new MyEquifax site made it simple for thieves to lift an existing credit freeze at Equifax and bypass the PIN if they were armed with just your name, Social Security number and birthday. Also in 2019, identity thieves were able to get a copy of my credit report from TransUnion after successfully guessing the answers to multiple-guess questions like the ones Experian asks.
I only found out after hearing from a detective in Washington state, who informed me that a copy of the report was found on a removable drive seized from a local man who was arrested on suspicion of being part of an ID theft gang. TransUnion investigated and found it was indeed at fault for giving my credit report to ID thieves, but that on the bright side its systems blocked another fraudulent attempt at getting my report in 2020.

"In our investigation, we determined that a similar attempt to fraudulently obtain your report occurred in April 2020, and was successfully blocked by enhanced controls TransUnion has implemented since last year," the company said. "TransUnion deploys a multi-layered security program to combat the ongoing and increasing threat of fraud, cyber-attacks and malicious activity. In today's dynamic threat environment, TransUnion is constantly enhancing and refining our controls to address the latest security threats, while still allowing consumers access to their information."

For more information on credit freezes (also called "security freezes"), how to request one, and other tips on preventing identity fraud, check out this story. If you haven't done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer to one free copy of their credit report annually from each of the three credit bureaus -- either all at once or spread out over the year.

This entry was posted on Monday 26th of April 2021 05:58 PM. Filed under: A Little Sunshine, Latest Warnings. Tagged: CreditLock, Dune Thomas, Equifax, Experian, security freeze, TransUnion.

7 thoughts on "Experian's Credit Freeze Security is Still a Joke"

1. Mike M, April 26, 2021

I have been researching for a different password manager and someone suggested using a random word generator instead of providing real answers for the security questions.

2. PetePall, April 26, 2021

All Experian is asking for with their lies and very questionable marketing is more stringent legislation and regulation. I, for one, am forwarding this to my Congressional representatives. Thanks, Brian!

3. Maureen, April 26, 2021

If there isn't a congressional investigation into this issue (I may have missed it), I would like to know why. Unlike when I set up an account online and choose to risk it being there, I have no choice in my data being on these credit-reporting agencies. If they have it without my permission, then they are similar to the government and should be treated with governmental oversight. I shouldn't have to pay for my financial data to be locked down, and any credit agency that allows criminals to access it should be punished.

4. Philip, April 26, 2021

Credit bureaus need to be abolished permanently.

5. James Schumaker, April 26, 2021

I've got an annual subscription to Experian for $99.95 per year. Currently, my file has a security freeze and is locked on top of that. I don't have to pay a monthly fee for CreditLock. Maybe it's because I've been with them for quite a while? Not sure.

6. Bill, April 26, 2021

This is absolutely ridiculous: "when the PIN is retrieved, Experian doesn't bother notifying any other email addresses already on file for that consumer." They don't have to forward the new PIN to the old email address, but they should certainly send a notification to it for any PIN retrieval or change in security profile. There should be fines for this kind of half-baked security, plain and simple. If they do the same thing for EU citizens, perhaps they could be fined under the GDPR.

7. twib, April 26, 2021

Amen. I would like to add that "annualcreditreport.com" is also a joke. Routinely, a response comes back saying that the Experian credit report is not available, without a clear reason. Thus, I've been forced to go to the wacky Experian website in order to get it. It's as if Experian is ignoring the government mandate to provide a free credit report through annualcreditreport.com, although it can be obtained once you log in to their own website. I've also had trouble getting Equifax reports in the past. TransUnion is the one to provide credit reports most reliably, in my experience.

One time, I was asked to send via snail mail a copy of my driver's license and social security card and other sensitive stuff to a PO Box for Equifax. This was listed in print and I sent the items to that exact location. When I hadn't heard anything for some weeks, I called the company and I was told that is the wrong PO Box. When I explained that's the one I was told to send it to, the person told me to send the things to another PO Box. And that one worked. I still don't know where in the world my sensitive items are. The incompetence continues at Equifax, even after the massive breach that affected me.
(c) Krebs on Security