Experian Criticized Over Credit-Freeze PIN Security and 'Dark Web' Scans (theverge.com)
Security journalist Brian Krebs reports that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge:
Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.
That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."
Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.
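The reset flow in the summary above, modelled as an added example. This is not Experian's code or anything from Krebs's report; the records, names and email addresses are constructed, and `bound_pin_reset` is a suggested hardening (token only to the contact already on file, requester-supplied email ignored, KBA failures counted), not a description of the "additional processes" Experian says it runs. The point it makes concrete: name, SSN, DOB and address are identifiers that already circulate in breach dumps, the KBA answers come from people-search sites, so the only thing deciding who ends up holding the reset token is which mailbox it is sent to.

```python
import secrets

# Constructed sample data (not from the article). ON_FILE is the consumer's
# record as the bureau holds it; ATTACKER_SUBMISSION is what someone holding
# breach data plus a people-search lookup would type into the reset page.
ON_FILE = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "dob": "1975-03-14",
    "address": "100 Main St, Springfield",
    "email": "jane@example.com",  # contact registered when the freeze was placed
    "prior_cities": {"Springfield", "Shelbyville"},
}
ATTACKER_MAILBOXES = {"mallory@example.net"}
ATTACKER_SUBMISSION = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "dob": "1975-03-14",
    "address": "100 Main St, Springfield",
    "email": "mallory@example.net",  # "any email" is accepted by the weak flow
    "prior_cities": {"Springfield", "Shelbyville"},  # from a people-search site
}
IDENTITY_FIELDS = ("name", "ssn", "dob", "address")
MAX_KBA_FAILURES = 3  # assumed lockout threshold for the hardened variant


def identity_fields_match(submitted, on_file):
    """Name/SSN/DOB/address comparison. These are identifiers, not secrets:
    anyone holding breach data for the victim passes this step."""
    return all(submitted.get(k) == on_file[k] for k in IDENTITY_FIELDS)


def kba_passes(submitted, on_file):
    """'Which cities have you lived in?' The answer must match the set on
    file; that set is exactly what people-search sites publish."""
    return set(submitted.get("prior_cities", ())) == on_file["prior_cities"]


def weak_pin_reset(submitted, on_file):
    """Flow as the article describes it: identity fields + KBA, then a reset
    token delivered to whatever email address the requester supplied.
    Returns {'token', 'sent_to'} on success, None if refused."""
    if identity_fields_match(submitted, on_file) and kba_passes(submitted, on_file):
        return {"token": secrets.token_urlsafe(16), "sent_to": submitted["email"]}
    return None


def bound_pin_reset(submitted, on_file, state):
    """Suggested hardening (an assumption of this example, not Experian's
    design): the token goes only to the contact already on file, the
    requester-supplied email is ignored, and KBA failures are counted per
    account so the question bank cannot be worked through by trial and error.
    `state` is the per-account attempt counter (a dict)."""
    if state.get("failures", 0) >= MAX_KBA_FAILURES:
        return None  # locked out; recovery must go out-of-band (e.g. by post)
    if not (identity_fields_match(submitted, on_file) and kba_passes(submitted, on_file)):
        state["failures"] = state.get("failures", 0) + 1
        return None
    return {"token": secrets.token_urlsafe(16), "sent_to": on_file["email"]}


def attacker_completes(result, attacker_mailboxes):
    """The reset is only as strong as the channel the token travels over."""
    return result is not None and result["sent_to"] in attacker_mailboxes


if __name__ == "__main__":
    weak = weak_pin_reset(ATTACKER_SUBMISSION, ON_FILE)
    bound = bound_pin_reset(ATTACKER_SUBMISSION, ON_FILE, state={})
    print("weak flow, attacker receives token:", attacker_completes(weak, ATTACKER_MAILBOXES))
    print("bound flow, attacker receives token:", attacker_completes(bound, ATTACKER_MAILBOXES))
```

Note that the hardened variant still lets the attacker pass identity proofing and KBA; it simply makes that success worthless, because the token lands in the legitimate consumer's mailbox, which also serves as an alert that someone tried. If the bureau has no contact on file, the honest answer is that there is no online recovery path, and the reset has to go through the mail to the address of record.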
Duh? (Score:2)
Re: (Score:1)
Security questions are fine, it's people who answer them with easily checkable facts that are morons. For instance, "Who's your best friend in
Not that kind of security question (Score:1)
What you described are security questions that a customer sets up to regain access to a service they have contracted for.
What Experian asks, as do many financial services companies, are questions drawn from either their own or another data broker's (Acxiom) database of information about you. It is especially pernicious that they are continuing this after they let that database be stolen.
I gave Fidelity an earful a little while back when they were going to take away the choice of using an OTP to verify my i
Re: (Score:1)
Re: (Score:1)
We're all basically screwed (Score:5, Insightful)
The only thing you can do is to keep checking your credit reports for something suspicious. With the data they have, there is nothing you can do to 100% stop it.
Politicians SHOULD be fixing this, by forcing the credit bureaus to lock down everyone's data and come up with a foolproof way of confirming identity. But instead, I see we're all riled up on football players not standing during national anthems. Way to set priorities, America!
Re:We're all basically screwed (Score:5, Interesting)
No, the credit bureaus should be held to the fire and nailed for a few million counts of libel. Spreading harmful information with wanton disregard for the truth is sufficient for libel. For example, claiming that you did something to become less than credit worthy without solid proof it was actually you when they know damned well fraud is rampant.
Re: We're all basically screwed (Score:1)
Lets be real, no one is getting punished, and if someone was, it'd be a lowly engineer.
Already the insider trading has been forgotten by the media.
Re: (Score:2)
Yeah, realistically, they've gotten a pass from the courts and legislature since forever. Of course, we did eventually see some judges actually start demanding proof of mortgages from banks and the banks come up short.
Re: (Score:2)
Corporations give large campaign donations, individuals do not. Who do you think politicians will listen to ?
About that... (Score:1)
It wasn't even the judges, it was plucky self-educated defendants who realized the scam, and brought the issue of no proof of ownership of the loan to the judge during their hearings.
YOYO = You're On Your Own.
Re: (Score:1)
Re: (Score:3)
That is what will reduce identity theft. People steal identities because they are able to easily borrow based on stolen identities. We need to make it very difficult to borrow with stolen identities.
In nearly all the other countries, unless the lender proves that they
Re: (Score:2)
There's a bigger challenge here to keep in mind.
In most other countries, it's hard to get a mortgage without paying credit-card interest rates. Why is this? Because the concept of a "credit rating" doesn't exist in any meaningful way. As a result, it's nearly impossible for banks to assess risk in a highly-standardized fashion. This, in turn, means that entities like Fannie Mae and Freddie Mac (who underwrite the vast majority of non-mansion-sized mortgages) cannot exist either, because standarization o
Re: (Score:3)
Except this [mondaq.com] and this [deposits.org] suggest that mortgages in Europe are comparable to the U.S. Perhaps your information is out of date.
Re: (Score:1)
Aside from being a bad movie cliche, what is the problem with "Show me your papers"? That's pretty much what we want if the "papers" are some sort of secure proof of identity.
Arbitration Clauses (Score:2)
Congress needs to enact some laws banning arbitration clauses.
They hurt consumers and destroy the spirit of the law.
Re: (Score:3)
Probably because living naked in a cave to dodge arbitration clauses is impractical and likely illegal.
It's not hard to imagine that unilaterally depriving someone of their right to bring the matter to court should be illegal, is it?
Re: (Score:2)
Pff socialist
Re: (Score:2)
Forced arbitration should be banned.
But can they charge extra to the people that want the right to sue, to cover litigation costs? Or, equivalently, offer a discount to people willing to sign the arbitration clause?
This is the future... (Score:5, Interesting)
Here's what will keep happening during the next years: entire "systems" that are riddled with horrible security practices and have no competent personnel to take care of them will come crashing down after years of negligence.
I dunno how many of them will be in such a spectacular cascade of revelations, but I imagine that a sizeable portion will be.
Security professionals and conscious people have been warning for a while that stuff like that was going to eventually happen, but businesses, services and corporations small and large have not only been ignoring things so far, they have been introducing more and more points of failure over the years.
We are only starting to walk in the middle of a minefield. By the end of it, if we didn't already go to a full blown war, privacy will be dead for a whole ton of people, rights violated and trampled.
It's pretty much the perfect storm crime/theft/scam. All that data that's being leaked, hacked into, collected and harvested to be sold, or actively spied and taken in real time is accumulating somewhere, perhaps in databases inside the darknet, by criminals and hacker groups, by corporations that will eventually take advantage of it. It'll be terabytes upon terabytes of sophisticated dossier databases that will give all sorts of private information about anyone with a single search.
People don't react to it and don't seem to care all that much because that information can be exploited slowly. Who cares if someone got his/her identity stolen, as long as it's not happening to me it's ok. But one day it will. And then, it's no use getting angry and trying to fight against it because much as yourself once did, no one cares.
This is our future.
Re: (Score:2)
White pages (Score:2)
No, individuals are found in the White Pages, not the Yellow Pages.
Has anyone done a study on this? (Score:2)
It seems that you get organisations (I use that word deliberately, to include private sector and government) where once in a while somebody drops the ball and there's a bit of a balls-up but they fix it in good order, learn the lessons and move on.
Then there are others that lurch from one crisis into two more, like Hobbes' Leviathan made of Mr Bean clones.
Experian needs to die (Score:2)
Yet ANOTHER ham-fisted reaction to what ought to be a pretty straightforward mea culpa, fix of issues, etc. Their leadership is simply not trustworthy and that's paramount in this particular business.
Re: (Score:2)
Yikes. You're right. My bad.
Thumbprint (Score:4, Interesting)
I read an article in The Guardian where a security expert recommended that users (in the UK) put a "Notice of Correction" on their Experian (UK) file (and others):
Jamieson sent a notice of correction to the three main credit reference agencies. It states: “I, Jamie Jamieson, of [his address], do hereby declare that when my signature is required for any financial product or service, I will authenticate it with my thumbprint. Failure by me to comply with this direction should result in the service or product being withheld. Any application without a thumbprint should be considered fraudulent. I will inform you in writing, signed and thumbprinted, of any changes to this notice of correction.”
https://www.theguardian.com/mo... [theguardian.com]
This would seem to be a good solution. A fraudster would not necessarily know about the thumbprint requirement and when asked for a thumbprint would be reluctant to put his own thumbprint on a document. If they did, they could be traced by the thumbprint. It wouldn't require the creditor to check the thumbprint unless there was a problem.
Would this work in the US?
(The US credit bureaus allow you to add a "Statement" to your account.)
(I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)
Re: (Score:2)
Would this work in the US? (The US credit bureaus allow you to add a "Statement" to your account.) (I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)
Nice idea, but sadly it would not work in the current system. For years I have called credit card companies in advance to make a statement that I am traveling to a foreign country so don't put my charges on hold when I use my card there. First charge, they always ignore the statement and put my card on hold until they can contact me. After that they will allow it to be used. No credit company is going to follow any special instructions from the consumer given to a rating agency. Sometimes lenders will not e
Re: (Score:1)
Re: (Score:1)
I know a guy that did that. He was smart on all of his answers. Then he needed his password reset. We made him show up, show two forms of ID.
dark web search (Score:1)
If the dark web isn't indexed, and the sites are encrypted, how the hell is Experian "searching the dark web"?