
Experian flaw reveals PINs protecting credit data

For several hours, at least, Experian’s site exposed the personal identification numbers needed to thaw credit freezes after users answered their security questions with a blanket answer: None of the above.
NerdWallet

Credit freezes are the best way to prevent new account fraud, where criminals open bogus accounts in your name. But on Thursday one credit bureau’s site made it distressingly easy to circumvent the security that’s supposed to keep your credit reports safe.

Experian’s site exposed the personal identification numbers — the PINs needed to thaw credit freezes — after users answered their security questions with a blanket answer: None of the above.

More than a year ago, security expert Brian Krebs reported a similar flaw. At that point, people had to correctly answer the four “knowledge-based authentication” questions used to identify them. The problem with this method, according to Krebs, is that the personal information needed to successfully guess the answers is readily available online through commercial as well as criminal sites.

But for several hours Thursday — and for who knows how long before that — you didn’t even have to guess.

A reader alerted us to this issue, and several of us who had credit freezes were able to replicate it. We asked our followers on Facebook and Twitter and heard from others who also got access to their PINs.

To get the numbers, people filled out the form on Experian’s PIN retrieval page with a person’s name, address, Social Security number and date of birth — exactly the kind of information that was compromised in last year’s Equifax breach, and that’s readily available for sale on the dark web. The form required an email address, which didn’t necessarily have to be the one associated with the person’s Experian account. Answering “none of the above” to the security questions — even if some of the proffered answers were correct — gave access to that person’s PIN.
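The logic error the paragraph above describes, reduced to an added Python illustration. This is not Experian's code and the article does not say what the real root cause was; the "fail-open" checker below is one hypothetical way a blanket "none of the above" answer can slip past a knowledge-based authentication step (only explicitly listed wrong options are rejected, so an answer outside the list is never counted as wrong), shown beside a fail-closed checker that requires an exact match on every question. The questions, options and correct answers are constructed sample data, and the helper names are the author's own.

```python
# Added illustration (not Experian's code): a knowledge-based authentication
# (KBA) verifier that fails open versus one that fails closed.
# Everything below is constructed sample data and hypothetical helper names.

NONE_OF_THE_ABOVE = "none_of_the_above"  # the blanket answer from the article

# Constructed sample questions: each has its listed options and the real answer.
# A "correct" of None means the true answer is genuinely "none of the above".
SAMPLE_QUESTIONS = [
    {"id": "q1", "options": ["Elm St", "Oak Ave", "Pine Rd"], "correct": "Oak Ave"},
    {"id": "q2", "options": ["Ford", "Honda", "Toyota"], "correct": "Honda"},
    {"id": "q3", "options": ["1998", "2004", "2011"], "correct": "2004"},
    {"id": "q4", "options": ["Chase", "Wells Fargo", "Citi"], "correct": None},
]


def verify_kba_fail_open(questions, answers):
    """Hypothetical buggy verifier: rejects only answers that are *listed*
    wrong options. An answer outside the option list (such as the blanket
    "none of the above") is never compared to anything, so it is never
    counted as wrong and the request is let through."""
    for q in questions:
        given = answers.get(q["id"])
        wrong_options = [o for o in q["options"] if o != q["correct"]]
        if given in wrong_options:
            return False
    return True


def verify_kba_fail_closed(questions, answers):
    """Hardened verifier: every question must match the expected value
    exactly. Missing, unlisted or blanket answers all count as failures,
    and "none of the above" only passes where it really is the answer."""
    for q in questions:
        expected = NONE_OF_THE_ABOVE if q["correct"] is None else q["correct"]
        if answers.get(q["id"]) != expected:
            return False
    return True


def is_blanket_submission(answers):
    """Monitoring signal: True when every answer is the blanket sentinel.
    A spike in such submissions is worth alerting on even if they fail."""
    return bool(answers) and all(v == NONE_OF_THE_ABOVE for v in answers.values())


def blanket_answers(questions):
    """Build the all-"none of the above" submission the article describes."""
    return {q["id"]: NONE_OF_THE_ABOVE for q in questions}


def correct_answers(questions):
    """Build a fully correct submission for the sample questions."""
    return {
        q["id"]: NONE_OF_THE_ABOVE if q["correct"] is None else q["correct"]
        for q in questions
    }


if __name__ == "__main__":
    blanket = blanket_answers(SAMPLE_QUESTIONS)
    print("fail-open accepts blanket answers:", verify_kba_fail_open(SAMPLE_QUESTIONS, blanket))
    print("fail-closed accepts blanket answers:", verify_kba_fail_closed(SAMPLE_QUESTIONS, blanket))
    print("flagged as blanket submission:", is_blanket_submission(blanket))
```

The design point is that the check must be an allow-list on the expected answer, never a deny-list of known-wrong options; the deny-list version passes any value it has never seen, which is exactly the behaviour the reporters observed.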

With the PIN, anyone can thaw that person’s credit freeze and apply for credit in their name.

Consumer advocate Mike Litt was also able to retrieve his PIN using the flaw. “There is absolutely no excuse for this,” says Litt, campaign director for U.S. PIRG, a public interest advocacy organization. “How do you just leave the keys to the door on top of the welcome mat?”

An Experian spokesman issued a statement Thursday afternoon that said, “While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”

By late Thursday, many of us started getting the error messages that our responses should have generated in the first place. We were directed to mail Experian our identifying information, such as copies of our driver’s license, utility bills and Social Security card.

The U.S. mail, in case this needs to be said, is not a safe way to transmit such information.

This is yet another reminder that we need to keep monitoring our credit reports and scores for fraudulent accounts, even if we have credit freezes in place — as we still should.

What’s really distressing is that security freezes are supposed to be one of the few effective bulwarks people can put up against fraud. That’s why security experts have recommended them for years, and why Congress finally made freezes and thaws free starting Sept. 21.

The ease with which this essential protection could be thwarted tells us that the credit bureaus still aren’t taking the security of our information seriously enough.

Liz Weston writes a column for NerdWallet and the Money Talk feature for The Times on Sunday.
