In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at the big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, it is clear that Experian has not addressed this severe lack of security. I know this because my account with Experian was recently hacked, and the only way I could regain access was to re-create the account.
I recently ordered a copy of my credit file from Experian through Annualcreditreport.com, but as usual, Experian refused to provide it, saying they could not verify my identity. Attempts to log into my account directly at Experian.com also failed; the site said it did not recognize my username and/or password.
A request for my Experian account username required my full social security number and date of birth, after which the site displayed parts of an email address I had never authorized and didn’t recognize (the full address had been redacted by Experian).
I immediately suspected that Experian was still allowing anyone to re-establish their credit file account using the same personal information but a different email address, a major authentication failure explored in last year’s story “Experian, you have some explaining to do.” So once again I sought to re-register myself with Experian.
The homepage said I needed to provide my Social Security number and cell phone number, and I would soon receive a link that I should click to verify myself. The website claims that the phone number you provide will be used to help verify your identity. But it seems you can provide any phone number in the US at this stage of the process, and Experian’s website won’t object. Regardless, users can skip this step by selecting the “Continue Otherwise” option.
Experian will then ask for your full name, address, date of birth, Social Security number, email address and a password of your choice. Afterwards, they ask you to successfully answer three to five multiple-choice security questions, the answers to which are often based on public records. When I re-created my account this week, only two of the five questions related to my real information, and both of those concerned street addresses where we had previously lived: information readily obtainable through a Google search.
Assuming you successfully complete the multiple choice questions, you will be prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. Afterwards, your new account will be created and you will be directed to the Experian dashboard where you can view your complete credit file and freeze or unfreeze it.
At this time, Experian will send a message to the old email address associated with the account indicating that certain aspects of the user’s profile have changed. But this message isn’t a request for verification: it’s simply a notification from Experian that the account’s user profile has been changed, and the original user has zero recourse here other than to click the link to log in to Experian.com.
Of course, users who receive one of these notifications will find that the credentials for their Experian account are no longer valid. Nor will their PIN or account-recovery question help, as these have also been changed. Your only option at this point is to re-establish your account with Experian and steal it back from the ID thieves!
Conversely, if you try to modify an existing account with either of the other two major consumer credit reporting agencies, Equifax or TransUnion, they will ask you to enter a code sent to an email address or phone number on file before they will make any changes.
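To make the difference concrete, here is a small added model (my own illustration, not Experian’s code or anything from the original post) of the two enrollment flows: one that lets a re-registration with matching identity data overwrite the contacts on file, and one that holds the change until a code sent to the existing email or phone is confirmed. All accounts, names and contact details are constructed.

```python
"""Toy model of weak vs. verified account re-enrollment (added illustration)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    ssn: str
    email: str
    phone: str
    pending: dict = field(default_factory=dict)  # challenge code -> proposed contacts


class WeakEnrollment:
    """Re-registration overwrites the record: matching identity facts is enough."""

    def __init__(self):
        self.accounts = {}

    def register(self, ssn, email, phone):
        existed = ssn in self.accounts
        # The previous owner only gets a notification; the new contacts win.
        self.accounts[ssn] = Account(ssn, email, phone)
        return "profile changed" if existed else "created"


class VerifiedEnrollment:
    """Changes to an existing account require a code sent to the contacts on file."""

    def __init__(self):
        self.accounts = {}
        self.outbox = []  # (destination, code) messages the service would send

    def register(self, ssn, email, phone):
        acct = self.accounts.get(ssn)
        if acct is None:
            self.accounts[ssn] = Account(ssn, email, phone)
            return "created"
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending[code] = {"email": email, "phone": phone}
        # The code goes to the email and phone already on file, never the new ones.
        self.outbox.append((acct.email, code))
        self.outbox.append((acct.phone, code))
        return "verification required"

    def confirm(self, ssn, code):
        acct = self.accounts[ssn]
        change = acct.pending.pop(code, None)  # single-use code
        if change is None:
            return False
        acct.email, acct.phone = change["email"], change["phone"]
        return True
```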
I reached out to Experian for comment, but the company declined to disclose the full email address that was added to my credit file without authorization.
“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach that includes both passive and proactive measures and is constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, as well as device ownership and ownership verification processes.”
Anderson said all consumers will have the option to activate the multi-factor authentication method that will be required every time they log into their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?
Earlier this week, some readers on Mastodon discovered my rant about Experian, and they responded to a request to verify my findings. Mastodon user @Jackerbee is a reader from Michigan who works in the biotech industry. @Jackerbee stated that when Experian prompted him to provide his phone number and the last four digits of his SSN, he selected the “Manually enter my information” option.
“I entered a second phone number and a new email address,” he explained. “I received an email in the inbox of my original account saying they updated my information after I ‘signed up’. The original email address was not required to be verified at any time. I also did not go through the original phone number to receive any SMS alerts. The particularly interesting and shocking part is that when I log in, it uses the new phone number for 2FA.”
Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by providing a random landline number.
“The only difference: it asked me five questions about my personal history (last time it only asked three), then announced ‘Welcome back, Pete!’ and granted full access,” @PeteMayo wrote. “I think it’s stupid to store passwords for Experian; I might as well create a new account every time.”
I’m lucky that whoever hijacked my account didn’t unfreeze my credit file. Or, if they did, they politely froze it again when they were done. But I fully expect my Experian account to be hijacked again unless Experian makes some important changes to its authentication process.
It’s incredible that these basic authentication flaws have been allowed to persist for so long at Experian, which already has a terrible track record in this area.
In December 2022, KrebsOnSecurity alerted Experian that identity thieves had found a very simple way to bypass its security and access any consumer’s complete credit report, armed with nothing more than the person’s name, address, date of birth and Social Security number. Experian fixed the glitch and acknowledged that it persisted for nearly seven weeks, between November 9, 2022, and December 26, 2022.
In April 2021, KrebsOnSecurity revealed how identity thieves exploited lax authentication on Experian’s PIN retrieval pages to unfreeze consumer credit files. In these cases, Experian did not send any notification via email when a freeze PIN was retrieved, nor did Experian require that the PIN be sent to the email address associated with the consumer’s account.
Days after the April 2021 report, KrebsOnSecurity broke the news that an Experian API had exposed the credit scores of most Americans.
Further reading on Experian:
2022: Account security class action lawsuit against Experian
2017: Experian website can give anyone your credit freeze PIN
2015: Experian data breach affects 15 million customers
2015: Experian breach linked to identity theft ring in New York and New Jersey
2015: Experian loses security staff due to acquisition
2015: Experian hit with class action lawsuit over identity theft service
2014: Experian outage allows ID theft service to access 200 million consumer records
2013: Experian sells consumer data to identity theft service