Experian, the world's largest credit bureau, criticized for security as leaky as a colander



Credit card and bank account fraud continues around the world, but banks and credit card companies are developing and using a variety of technologies to prevent damage. However, security journalist Brian Krebs points out that security around frozen accounts is weak at consumer credit bureau Experian: a frozen account can easily be unfrozen and used to open new accounts.

Experian's Credit Freeze Security is Still a Joke – Krebs on Security
https://krebsonsecurity.com/2021/04/experians-credit-freeze-security-is-still-a-joke/

Krebs received this information from engineer Dune Thomas, who lives in Sacramento, California. Thomas said that in 2020 he froze his accounts at the consumer credit bureaus Experian, Equifax, and TransUnion after someone tried to create a payment account using his name and the address of an unoccupied house in Washington.

However, it turned out that in April 2021 whoever attempted the fraud unfroze the Experian account and applied for a new account using Thomas's name and the address above. Thomas was using a free monitoring service provided by a credit card company, so he was able to learn what the criminal had done.

Wondering why his frozen Experian account had been unfrozen, Thomas contacted Experian. As a result, he found that the criminal had used the 'PIN request function'.



In fact, at Experian, the only process for recovering the PIN needed to unfreeze an account is to 'answer the questions after entering your address, social security number, and date of birth.' There are five questions, all of which are supposed to cover 'what only credit bureaus know', but Thomas points out that the answers are multiple-choice and can easily be defeated.

When Krebs actually tried the PIN recovery process, the first question was about a 'new mortgage loan in 2019'. Since he has never taken out a mortgage loan, the correct answer to 'Which one?' was to select 'None'. The correct answer to the next question was also 'None'. The third question asked for 'the last 4 digits of the social security number' and the fourth asked 'whether I was born during the following period', but both are meaningless as a barrier to a criminal who has already entered the date of birth and social security number. In fact, the only question related to credit history was one about the last four digits of the checking account number.

Also, in the authentication process for obtaining a PIN, any email address could be entered; it did not need to be associated with an existing Experian account. In addition, when the PIN was obtained, no notice was sent to the registered email address.



In particular, Thomas and Krebs see it as a problem that Experian does not offer free account users the option of multi-factor authentication, which would help thwart PIN acquisition attacks. Experian offers multi-factor authentication and the ability to be notified when someone accesses the account only to users who subscribe to the CreditLock service for $14.99 to $24.99 per month.

Thomas said he was angry that Experian would only offer security to users who pay for a monthly plan.

'Experian doesn't do that because it wants to charge $25 a month, even though it could provide better security protection through additional authentication features. Experian allows a big security gap between users because it is profitable, and this has been going on for at least four years,' said Thomas.

Experian has made it clear that security will be reduced while the account is frozen. Freezing an account at a consumer credit bureau is meant to prevent credit information from being seen by others, but this weakens the security protection and puts the information at risk of leakage.



Experian's CreditLock service is described as 'a feature that locks / unlocks your credit information easily and quickly so that there is no delay in the application process.' 'The CreditLock service, despite the ability for creditors to instantly see what's going on when applying for new credit, gives the impression by its name that no one can see the account,' Krebs pointed out. Experian also mentions that it provides a lot of credit information to third parties when users use the CreditLock service.

in Security, Posted by darkhorse_log