https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/

Krebs on Security

It's Still Easy for Anyone to Become You at Experian
November 11, 2023

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

[Image: exp-forgot] Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn't verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn't recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year's story, Experian, You Have Some Explaining to Do.

So once again I sought to re-register as myself at Experian. The homepage said I needed to provide a Social Security number and mobile phone number, and that I'd soon receive a link that I should click to verify myself.
The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian's website would not balk. Regardless, users can simply skip this step by selecting the option to "Continue another way."

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three and five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we've previously lived at -- information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you're prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you're directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn't a request seeking verification: It's just a notification from Experian that the account's user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

[Image: expupdates]

If you don't have an Experian account, it's a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian. And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also.
Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus -- Equifax or TransUnion -- they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

"To ensure the protection of consumers' identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving," Experian spokesperson Scott Anderson said in an emailed statement. "This includes knowledge-based questions and answers, and device possession and ownership verification processes."

Anderson said all consumers have the option to activate a multi-factor authentication method that's requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to "manually enter my information."

"I put my second phone number and the new email address," he explained. "I received a single email in my original account inbox that said they've updated my information after I 'signed up.' No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number."
The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

"The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, 'Welcome back, Pete!,' and granting full access," @PeteMayo wrote. "I feel silly saving my password for Experian; may as well just make a new account every time."

[Image: petemayo]

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer's full credit report -- armed with nothing more than a person's name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian's PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer's account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
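The design difference the article draws, between a bureau that silently re-binds an identity to whatever contact details the second registrant supplies and one that first sends a code to the email or phone already on file, can be shown as a small account-store model. The Python below is an added example written for this edit; it is not code from Experian, Equifax, TransUnion or KrebsOnSecurity, and the class names, the in-memory store and the SSN/date-of-birth values are constructed stand-ins. `InsecureBureau.register` reproduces the notify-after-the-fact behaviour described above, while `HardenedBureau.register` treats a repeat registration for a known identity as a change request that takes effect only after a one-time code delivered to the existing contact channel is confirmed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    phone: str


def identity_key(ssn: str, dob: str) -> str:
    # Accounts are keyed by the identifying data, so a second registration
    # with the same SSN and date of birth lands on the same record.
    return hashlib.sha256(f"{ssn}|{dob}".encode()).hexdigest()


class InsecureBureau:
    """Models the flow the article describes: re-registering an identity
    replaces its contact details and only notifies the old email afterward."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.notifications: list[tuple[str, str]] = []  # (recipient, message)

    def register(self, ssn: str, dob: str, email: str, phone: str) -> str:
        key = identity_key(ssn, dob)
        old = self.accounts.get(key)
        self.accounts[key] = Account(email=email, phone=phone)
        if old is not None:
            # The original owner learns of the change after the fact and has
            # no way to reject it.
            self.notifications.append((old.email, "Your profile information was updated."))
        return "dashboard"  # immediate full access


class HardenedBureau:
    """Same store, but a registration for an already-known identity becomes a
    contact-change request that must be confirmed through the email on file."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.notifications: list[tuple[str, str]] = []
        # key -> (one-time code, proposed email, proposed phone)
        self.pending: dict[str, tuple[str, str, str]] = {}

    def register(self, ssn: str, dob: str, email: str, phone: str) -> str:
        key = identity_key(ssn, dob)
        old = self.accounts.get(key)
        if old is None:
            self.accounts[key] = Account(email=email, phone=phone)
            return "dashboard"
        # Existing account: leave it untouched, park the proposed contact
        # details, and send a code only to the channel already on file.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = (code, email, phone)
        self.notifications.append(
            (old.email, f"Confirm this change with code {code}; ignore it to keep your account unchanged.")
        )
        return "verify_existing_contact"

    def confirm(self, ssn: str, dob: str, code: str) -> bool:
        key = identity_key(ssn, dob)
        entry = self.pending.get(key)
        if entry is None:
            return False
        expected, email, phone = entry
        if not hmac.compare_digest(expected, code):
            return False  # wrong code: nothing changes
        del self.pending[key]  # codes are single-use
        self.accounts[key] = Account(email=email, phone=phone)
        return True


def takeover_succeeds(bureau_cls) -> bool:
    """Owner registers first; a second party knowing the same SSN/DOB then
    registers with new contact details. Returns True if the second party ends
    up controlling the record without ever seeing the code sent to the owner."""
    ssn, dob = "000-00-0000", "1970-01-01"  # constructed placeholder values
    b = bureau_cls()
    b.register(ssn, dob, "owner@example.com", "555-0100")
    b.register(ssn, dob, "other@example.com", "555-0199")
    return b.accounts[identity_key(ssn, dob)].email == "other@example.com"


if __name__ == "__main__":
    print("insecure flow allows silent takeover:", takeover_succeeds(InsecureBureau))
    print("hardened flow allows silent takeover:", takeover_succeeds(HardenedBureau))
```

The point of the hardened variant is that knowledge-based answers drawn from public records never count as proof of control; only the channel the account already trusts can approve replacing itself, and an owner who ignores the message keeps the account unchanged.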
More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

This entry was posted on Saturday 11th of November 2023 12:59 PM in A Little Sunshine, Latest Warnings. Tags: Experian, identity theft, Scott Anderson.

25 thoughts on "It's Still Easy for Anyone to Become You at Experian"

1. bill_gncs (November 11, 2023)
I wish someone would sue them into oblivion.

   1.1 Billy Jack (November 11, 2023)
   If they can't be bothered to lift a finger to secure their system, they certainly should not exist.

2. Billy Jack (November 11, 2023)
I am a strong believer in using answers to security questions that have nothing to do with the question itself. Of course, if you use that, you probably need to keep track of them. For example, "What was your first pet?" Answer: "Werewolves of London". "Where were you born?" Answer: "Hollow Chocolate Bunnies of the Apocalypse". "Who was your first teacher?" Answer: "Fried chicken and mashed potatoes". "What was your mother's maiden name?" Answer: "Montreal, Canada". Don't make it easy for someone wanting to take over your account.

   2.1 Phil (November 11, 2023)
   But what if Experian doesn't bother restricting the response to those, and simply uses whatever matches?

   2.2 RM (November 11, 2023)
   While it's a good thought, KBA questions are based on truth (ex: where you live, mortgage company, etc.) so the fake answers to questions would not work in this circumstance.
      2.2.1 Jill (November 11, 2023)
      For the identity authentication part, that's true, but this will work for the security questions they ask you to register when you sign up.

   2.3 JPA (November 11, 2023)
   I use random character strings that I save in a file. I often get some amused comments or chuckles when I call customer service and read them the answer.

   2.4 James Beatty (November 11, 2023)
   Of course, in this case, you're not offered that option. Experian determines the questions it asks to "confirm" your identity... because they're setting up a new account each time.

   2.5 Nah (November 11, 2023)
   In this case the questions they ask are not ones you created yourself but ones they've generated based on the information they have on file about you. Things like previous employers/addresses etc. Almost always multiple choice too lol.

      2.5.1 Billy Jack (November 11, 2023)
      That sounds kind of like the password scheme used for a short time at a company prior to when I began working there in 1980. Instead of actual passwords, they used information from your payroll files to log you in and would ask a different question each time. Sometimes the answer was something easy like your address. Sometimes it was not so easy, like how much was withheld for your employee insurance in 1978. You pretty much had to have a copy of your payroll records in front of you to log in. From what I was told back then, it didn't take them long to switch back to passwords.

   2.6 Diana Jimenez (November 11, 2023)
   I have been doing this for years. I also do not use password wallets, those are also vulnerable to hacking. I have my own system that has protected me for years. And I never, ever re-use emails or portions thereof. I am not using my personal or corporate email, only my gmail.

      2.6.1 muffin (November 11, 2023)
      What is your system, Diana? Would you prefer not to share it?

   2.7 Sujit (November 11, 2023)
   The problem is you don't get to pick the KB questions or answers.
   They are based on your information, e.g. addresses you have lived at for the past 5 years.

   2.8 Muffin (November 11, 2023)
   I agree! I always use nonsense answers to security questions and write them down.

   2.9 muffin (November 11, 2023)
   I agree Billy Jack. I do that also: create nonsensical answers to security questions and write them down.

   2.10 jim bruce (November 11, 2023)
   I have done that for years now.

3. Diana Jimenez (November 11, 2023)
I am a Privacy, Cybersecurity and Data attorney, who has worked since 2008 with medium and very large corporations to help them set up their privacy guidelines, policies, and compliance systems. In those days, it was only about security in the US, but the focus started changing in 2016. It is so frustrating we are forced to use government entities we have no control over, but apparently the government (of both political parties) also does not care about trying to control entities that harm consumers. They should have shut down Experian after the 2015 fiasco. I am NOT providing my personal email for security concerns, only my gmail address. Sad world we live in.

4. Liz (November 11, 2023)
This is terrifying because I and many others have numerous Experian accounts courtesy of major corporations who were hacked. If you are "gifted" Experian credit monitoring you cannot add that service to an existing account but have to create a new one, and thus they multiply.

5. muffin (November 11, 2023)
I just sent Brian's article to my senator. Maybe we all should do that. I understand it might be in vain considering our Congress is essentially non-functional.

6. PJ (November 11, 2023)
I had two Experian accounts set up specifically to add a "Freeze" when that became free back in 2018. Tried to log into both today, neither worked. The Forgot password process indicated no match for my phone number(s) on either account.
Never fear, using Brian's on-going discovery I was able to quickly create new accounts for both, answer via KBA questions (only 1 of the 10 total applied to us at all) and I'm all set again. AND both accounts show my freezes are still in place, as Brian saw. What a cluster-f.

7. Mike Wolfe (November 11, 2023)
What is especially troublesome is recent letters received from our credit union about the MOVEit Breach and the compromise of our account information. As a result of this disclosure, we were offered a complimentary one-year membership in Experian IdentityWorks Credit 3B. If anyone can assume my identity at Experian due to this grievous security hole, what value is that protection?

8. The Sunshine State (November 11, 2023)
If you know enough about someone, it's pretty easy to gain access to their credit report, including opening up a trade line of credit. There is just not enough security protection on credit report access in my opinion.

9. Stephanie Hall (November 11, 2023)
My fiance has been going through the same issue for the past 6 months. His identity was stolen and he's been having other issues as well (i.e. emails, bank and social media accounts being taken).

10. G.Scott H. (November 11, 2023)
I appreciate that many responders to this article understand that random answers to questions are a better option than providing the actual answer when setting up the authentication of an account. But I am dismayed that they do not understand Experian does not use that style of authentication; instead they use KBA, which stands for Knowledge Based Authentication. Their variation uses information from their files. Which means you do not choose the answers, they do. So you must provide the correct answers according to their files. Another issue is their file sometimes, maybe many times, contains erroneous information.
(Their file on me did.) If too many of the questions presented for authentication are based upon erroneous information, you may not be able to authenticate. (This happened to me.) To further complicate matters, Experian has/had been a provider of KBA as a service, so the reach of the problem extends beyond Experian. (This also happened to me.) I agree that something has to be done. Data brokers, and Experian specifically, run wild and loose with information about all of us. They have all sorts of problems (for us, not them) with securing this information. Sending this article to your representatives in congress is a good idea. Also, inform your friends, family, and others so they can also express outrage in the situation. Advise them to direct the outrage toward their representatives, in hopes it will effect a good change.

11. Aden (November 11, 2023)
So what's going to happen? People will just pollute Experian's DB with lots of junk. Change lots of email addresses as a denial of service variation. When that's done, credit reports are useless.