Twice in the last month, KrebsOnSecurity has heard from readers whose accounts with big-three credit bureau Experian were hacked and updated with a new email address that was not theirs. In both cases, the readers had used password managers to choose strong, unique passwords for their Experian accounts. Research suggests the identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.
John Turner is a Salt Lake City-based software engineer. Turner said he created the Experian account in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for it.
Turner said that in early June 2022, he received an email from Experian stating that the email address on his account had been changed. Experian's password reset process was useless at that point, because any password reset links would be sent to the new (fraudster's) email address.
An Experian support person Turner reached by phone after a long wait asked for his Social Security number (SSN) and date of birth, as well as his account PIN and the answers to his secret questions. But the PIN and secret questions had already been changed by the person who re-registered as him with Experian.
“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that time, the representative read me the current saved security questions and the PIN, and they were definitely not things I would have used.”
Turner said he was able to regain control of his Experian account by creating a new account. But now he is wondering what else he can do to prevent a new account compromise. That’s because Experian does not offer any kind of multifactor authentication options on consumer accounts.
"The most frustrating part of this whole thing is that I received several 'here's your login information' emails later, which I attributed to the original attackers who came back and tried to use the 'forgotten email / username' flow, probably using my SSN and DOB, but it did not go to their email as they expected," said Turner. "Given that Experian does not support two-factor authentication of any kind – and that I do not know how they managed to access my account basically – I have felt very helpless ever since."
To be clear, Experian does have a business unit that sells one-time password services to businesses. However, it does not offer this directly to consumers who sign up to manage their credit file on Experian's website.
Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered that his Experian account had been hijacked after receiving a notification from his credit monitoring service (not Experian's) that someone had tried to open an account in his name with JPMorgan Chase.
Rishi said the alert surprised him because his credit file with Experian was frozen at the time, and Experian had not notified him of any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even canceled the hard credit inquiry (each such inquiry can lower your credit score slightly).
But he could never get anyone from Experian's support to answer the phone, despite spending what seemed like an eternity trying to get through the company's phone-based system. That's when Rishi decided to see if he could create a new account for himself at Experian.
"I was able to open a new account with Experian from scratch, using my SSN, date of birth and answering some very basic questions, such as what kind of car you took out a loan for, or what city you lived in before," Rishi said.
When he completed the registration, Rishi noticed that his credit was unfrozen.
Like Turner, Rishi is now worried that identity thieves will simply hijack his Experian account again, and that there is nothing he can do to prevent that. So far, Rishi has decided to pay Experian $25.99 a month to monitor his account more closely for suspicious activity. Even with the paid Experian service there were no additional multifactor authentication options available, although he said Experian recently sent a one-time code to his phone via SMS when he logged in.
"Experian now sometimes requires MFA for me if I use a new browser or have a VPN on," said Rishi, but he is not sure whether Experian's free service would have worked differently.
“I get so angry when I think about all this,” he said. “I have no confidence that this will not happen again.”
In a written statement, Experian indicated that what happened to Rishi and Turner was not a common occurrence, and that its security and identity-verification practices extend beyond what is visible to the user.
“We believe these are isolated incidents of fraud using stolen consumer information,” Experian said in a statement. “Specifically for your question, as soon as an Experian account is created, if someone tries to create a second Experian account, our systems will notify the original email that is registered.”
"We go beyond relying on personally identifiable information (PII) or a consumer's ability to answer knowledge-based authentication questions in order to access our systems," the statement continued. "We do not disclose further processes for obvious security reasons; however, our data and analytical capabilities confirm identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to protect against the constant and evolving threats of fraudsters."
KrebsOnSecurity tried to recreate Turner's and Rishi's experience, to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was performed from a different computer and Internet address than the one that created the original account years ago.
After entering my Social Security number (SSN) and date of birth, and answering multiple-choice questions whose answers are drawn almost exclusively from public records, Experian immediately changed the email address associated with my credit file. It did so without first confirming that the new email address could receive messages, or that the previous email address approved the change.
Experian's system then sent an automated message to the original registered email address, stating that the account's email address had been changed. The only recourse the alert offered was to log in, or to email an Experian inbox that responds with an autoreply saying "this email address is no longer monitored."
After that, Experian asked me to select new secret questions and answers, as well as a new account PIN, which effectively discards the PIN and recovery questions previously chosen for the account. After I changed the PIN and security questions, Experian's website helpfully reminded me that I have a security freeze on my file, and asked whether I wanted to remove or temporarily lift the freeze.
How does Experian's practice differ from that of Equifax and TransUnion, the other two major consumer credit reporting agencies? When KrebsOnSecurity tried to re-create an existing account with TransUnion using my Social Security number, TransUnion rejected the attempt, noting that I already had an account and asking me to proceed with the forgotten-password process. The company also appears to send an email to the address on file asking it to validate account changes.
Similarly, trying to re-create an existing Equifax account using the personal information tied to my existing account prompted Equifax's systems to report that I already had an account, and to direct me to the password reset process (which involves sending a verification email to the registered address).
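The two sign-up behaviours described above, modelled side by side as an added example (this is not Experian's, Equifax's or TransUnion's code; the class and function names, the data shapes and the sample records, including the well-known Woolworth sample SSN, are hypothetical and constructed so the script runs offline). `WeakBureau` mirrors the observed Experian flow: a second registration that matches on SSN, date of birth and public-record KBA answers silently rebinds the file to the new email and replaces the owner's PIN and secret questions, with only an after-the-fact notice to the old address. `SafeBureau` mirrors what TransUnion and Equifax did: detect the existing account, refuse to create another, and route the caller into a reset that only the holder of the registered mailbox can complete; new identities are held until the new address proves it can receive mail.

```python
"""Weak versus safe credit-file sign-up, as described in the article.
Added illustration; hypothetical code, not any bureau's implementation."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    dob: str
    pin: str
    questions: dict
    email_verified: bool = True


class Outbox:
    """Captures outgoing mail so the flows can be inspected offline."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, token=None):
        self.sent.append({"to": to, "subject": subject, "token": token})


def identity_key(ssn, dob):
    # Key accounts by a hash of the identity elements, not the raw SSN.
    return hashlib.sha256(f"{ssn}|{dob}".encode()).hexdigest()


class WeakBureau:
    """Matching PII plus KBA answers (available from public records) overwrite the account."""

    def __init__(self, outbox):
        self.accounts = {}
        self.outbox = outbox

    def register(self, ssn, dob, email, kba_ok, pin, questions):
        if not kba_ok:
            return {"ok": False, "reason": "kba_failed"}
        key = identity_key(ssn, dob)
        old = self.accounts.get(key)
        # The new address is never verified and the old one is never asked;
        # the PIN and questions chosen by the real owner are discarded.
        self.accounts[key] = Account(email, dob, pin, questions)
        if old:
            self.outbox.send(old.email, "Your email address has changed")
        return {"ok": True, "email_on_file": email, "previous_email": old.email if old else None}


class SafeBureau:
    """An existing identity can only be reached through the email already on file."""

    def __init__(self, outbox):
        self.accounts = {}
        self.pending_signups = {}  # token -> (key, Account)
        self.pending_resets = {}   # token -> key
        self.outbox = outbox

    def register(self, ssn, dob, email, kba_ok, pin, questions):
        if not kba_ok:
            return {"ok": False, "reason": "kba_failed"}
        key = identity_key(ssn, dob)
        existing = self.accounts.get(key)
        if existing:
            # Never create a second account or rebind the first. Offer a reset
            # that only the holder of the registered mailbox can finish.
            token = secrets.token_urlsafe(32)
            self.pending_resets[token] = key
            self.outbox.send(existing.email, "Password reset requested", token)
            return {"ok": False, "reason": "account_exists", "email_on_file": existing.email}
        # Brand-new identity: hold the account until the new address proves it
        # can receive mail, so a mistyped or attacker-chosen address is useless.
        token = secrets.token_urlsafe(32)
        self.pending_signups[token] = (key, Account(email, dob, pin, questions, email_verified=False))
        self.outbox.send(email, "Verify your email address", token)
        return {"ok": True, "state": "pending_verification"}

    def verify_email(self, token):
        key, acct = self.pending_signups.pop(token)
        acct.email_verified = True
        self.accounts[key] = acct
        return acct

    def complete_reset(self, token, new_pin, new_questions):
        key = self.pending_resets.pop(token)
        acct = self.accounts[key]
        acct.pin, acct.questions = new_pin, new_questions
        return acct


def run_scenario(bureau_cls):
    """Owner registers; a fraudster with the same PII and KBA answers registers again."""
    outbox = Outbox()
    bureau = bureau_cls(outbox)
    ssn, dob = "078-05-1120", "1970-01-01"  # constructed sample identity
    bureau.register(ssn, dob, "owner@example.com", True, "1234", {"car": "Civic"})
    if bureau_cls is SafeBureau:
        bureau.verify_email(outbox.sent[-1]["token"])
    fraud = bureau.register(ssn, dob, "attacker@example.net", True, "9999", {"car": "Accord"})
    acct = bureau.accounts[identity_key(ssn, dob)]
    return {"fraud_result": fraud, "email_on_file": acct.email, "pin": acct.pin,
            "mail_to": [m["to"] for m in outbox.sent]}


if __name__ == "__main__":
    for cls in (WeakBureau, SafeBureau):
        print(cls.__name__, run_scenario(cls))
```

Running it shows the difference the article describes: with `WeakBureau` the file ends up bound to `attacker@example.net` with the attacker's PIN, and the owner's only signal is a single notice that arrives after the fact; with `SafeBureau` the file stays bound to `owner@example.com`, the attacker's attempt is refused, and the only mail generated goes to the owner.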
KrebsOnSecurity has long encouraged readers in the United States to place a security freeze on their files at the three major credit bureaus. With a freeze in place, potential creditors cannot pull your credit file, making it highly unlikely that anyone will be granted new lines of credit in your name. I have also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account in your name and taking control of your identity.
The experience of Rishi, Turner and this author suggests that Experian's practices are currently undermining both of these proactive security measures. Nevertheless, having an active account with Experian may be the only way you find out when crooks have assumed your identity, because at least then you should receive an email from Experian notifying you that it handed your identity to someone else.
In April 2021, KrebsOnSecurity revealed how identity thieves exploited lax authentication on Experian's PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any email notification when a freeze PIN was retrieved, and did not require that the PIN be sent to an email address already associated with the consumer's account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API exposed the credit scores of most Americans.
Emory Roan, privacy adviser for the Privacy Rights Clearinghouse, said Experian's failure to offer multifactor authentication for consumer accounts is unforgivable in 2022.
"They exacerbate the problem by gating the recovery process behind information that is likely to be available, or may be inferred, from third-party data brokers, or that may have been disclosed in previous data breaches," Roan said. "Experian is one of the largest consumer reporting agencies in the country, trusted as one of the few key players in a credit system Americans are forced to be a part of. For them not to offer consumers any (free) MFA is confusing and reflects extremely poorly on Experian."
Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian's customers – banks and other lenders – choose to vote with their feet because too many people with frozen credit files have to deal with unauthorized applications for new credit.
"The actual customers of the credit service do not realize how much worse Experian is, and this is not the first time Experian has screwed up terribly," Weaver said. "Experian is part of a triopoly, and I'm sure this costs their actual customers money, because if you have a credit freeze that is lifted and someone borrows against it, it's the lender that eats the fraud cost."
And unlike consumers, he said, lenders have a choice about which of the three bureaus handles their credit checks.
“I think it’s important to point out that their real customers have a choice, and they should switch to TransUnion and Equifax,” he added.
More greatest hits from Experian:
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Linked to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Lawsuit Over ID Theft
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service