Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Experian, You Have Some Explaining To Do (krebsonsecurity.com) 60

Security reporter Brian Krebs: Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn't theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.

John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account. Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian's password reset process was useless at that point because any password reset links would be sent to the new (impostor's) email address. An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.

This discussion has been archived. No new comments can be posted.

Experian, You Have Some Explaining To Do

Comments Filter:
  • by wakeboarder ( 2695839 ) on Monday July 11, 2022 @10:55AM (#62693364)

    They should be removed as a credit bureau, a credit bureau should protect peoples information. These clowns have proved again and again that they cannot and will not do their job. I have been personally been affected by their actions.

    • by GoTeam ( 5042081 ) on Monday July 11, 2022 @10:58AM (#62693374)
      If we (as general public) were as unaccountable as the credit bureaus, we'd be deemed unworthy credit risks. The burden of proof always falls on the people, not the rich corporations.
    • by Brain-Fu ( 1274756 ) on Monday July 11, 2022 @11:28AM (#62693480) Homepage Journal

      The occasional crime against some nobody is tolerated. The system is working as intended, for the most part.

      When mass hacks cause severe economic harm, impacting the bottom-lines of rich people who matter, then we will see some real accountability.

      Its also possible that someone important will be one of the random once-in-a-while victims, which could also spur actual legal action.

      • When mass hacks cause severe economic harm,

        That's not going to happen from a credit report company. That is, we've already seen mass hacks, but credit report companies are not going to cause severe economic harm.

    • by Kludge ( 13653 ) on Monday July 11, 2022 @11:49AM (#62693530)

      TWICE I made accounts with Equifax so I could freeze my credit and both times they lost/deleted/changed my login. Obviously oversight is nonexistent.

      • by The-Ixian ( 168184 ) on Monday July 11, 2022 @12:55PM (#62693716)

        I had frozen my credit with all 3 back when it cost money and I had to do it by mail.

        I believe that TransUnion was the first one to develop a proper portal and I have never had an issue with it.

        Equifax's portal came later, but would error out and not let me log in to freeze/unfreeze my credit for years. Then, magically, it fixed itself somewhere in 2020 and I was able to log in. I haven't had a problem with it since.

        Experian was the last one to create a proper online portal. For years, to do the freeze/unfreeze stuff, they required going through the whole "prove yourself by answering these terrible questions that are never correct" which I would answer correctly about half the time.

        • You should have done what I did: whenever I've signed up with a company that requires those questions, I put the questions and my answers into a text file. Then, when I need to prove my identity to them I can just copy/paste the answers in.
    • relationship with these thieves. How the fuck is legal for them to horde my information and affect my life when I never chose to have anything to do with them?

      They're not the gov't, but the gov't is using them against us. Still waiting for a hold on a Treasury account I created because of "failed verification using commercially available information". It's been months, I've had to go to the bank and get them to open a vault to sign a letter with a secret medallion to prove I'm me. Wait time is several m

      • by ezdiy ( 2717051 )

        Yet you're still choosing to borrow money from banks.

        Since this is slashdot, let's have a car analogy: When buying a new car in the US, you can curse car dealerships for being worthless sack of shit too, how can this racket "be even legal". Easy, car manufacturers are complicit and you chose to give em business.

    • by Whateverthisis ( 7004192 ) on Monday July 11, 2022 @12:58PM (#62693726)
      I once had a situation, that given the lack of follow up activity was likely a mistake, but screwed me for 7 years. Someone had opened a minor bank account, and what likely happened was the social security number was transposed by accident, having that person open up the account in thier name, but with my social security number. Experian picked that up and made a new file for that person but with my social.

      Later when I applied for things like car financing or a mortgage, this got flagged; when they searched my credit and used just my social security number, TWO reports came up, one under my name and one under the other guy's name. For several financial institutions, that's immediate denial of credit. I spent probably 100 hours of my life on the phone with Experian to correct the issue, and they never got it fixed; I had to wait the 7 years for that account to effectively be dropped off of the other report and it was closed.

      They are a blight on society.

    • by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Monday July 11, 2022 @08:33PM (#62694962)

      a credit bureau should protect peoples information.

      A credit bureau is a data broker. Data brokers don't care about the data they're selling. The only care about the fact they can collect and sell that data and that other people can't get their data for free.

      Your data might be part of the data, but they don't care about you because you're not their customer.

  • Ugh, Experian (Score:5, Insightful)

    by Ecuador ( 740021 ) on Monday July 11, 2022 @10:57AM (#62693370) Homepage

    The fact that they are still allowed to store people's info after their past security lapses is a travesty. They should have been closed down back then - or at least some people send to jail, which might make them more careful.

    • Re:Ugh, Experian (Score:4, Interesting)

      by Opportunist ( 166417 ) on Monday July 11, 2022 @11:12AM (#62693434)

      In the EU, their privacy blunders alone would send them into bankruptcy.

      • Re: (Score:3, Interesting)

        by RedDwarf69 ( 2883553 )

        Not sure what you mean. Experian is also the biggest credit agency in the UK (and has been from way before Brexit), from experience they are worse than the competition, and I have no reason to think they have any financial problems.

      • I think they made money out of this, they sold protection to people worried about their data.

      • Please explain how anyone can be a "credit rating organisation" without committing an offence against the GDPR.
    • What is interesting was there was some discussion of these services in terms of privacy and handling or consumer data back in the 1970s. There was not much experience or language that could be used, as nothing like this had ever e Oates, where a private could instantly retrieve massive amounts of data on a private individual. The Rockford files did have an episode where he shut down a proto Experian. We do now have the language and the experience, but still canâ(TM)t get ahead of Meta and Alphabet.
  • by Todd Knarr ( 15451 ) on Monday July 11, 2022 @10:59AM (#62693376) Homepage

    You'd think Experian would do a basic check: if the information used to sign up matches an existing account, refuse to create the new account and direct the user to recover the password (and if necessary, email address) for the existing account. If the email address is used as an account identifier, then it MUST NOT be used as part of the information determining whether a match occurred. Won't stop a hacker from setting up an account in someone else's name, but does at least insure that they can't hijack an existing account and that once the actual user gains control over a falsely-created account the hacker can't re-hijack it.

    • by Opportunist ( 166417 ) on Monday July 11, 2022 @11:13AM (#62693438)

      If there is no punishment for this stupidity, why should they change their behaviour? They neither get fined for being ridiculously inapt at security, nor do they lose customers, so why should they waste money on it?

    • There’s actually an argument to be made here.

      Unlike a typical online account, their financial info exists independently of whether they have an account. And unlike a typical online account, where someone can simply create a new one with minimal repercussions if they last access to a previous account, here, the person would still need access to that same financial info. And unlike a typical online account that will appeal to a subset of the population who is interested in the service, the users for the

  • Whenever there is a security issue with a credit reporting agency, be it a leak or a vulnerability, like weâ(TM)re seeing here⦠I often find myself wondering âoecould they sink even further to a new low?âoe I guess the answer, perpetually, is yes.
  • Delete my info (Score:4, Insightful)

    by OfMiceAndMenus ( 4553885 ) on Monday July 11, 2022 @11:01AM (#62693382)
    Is there some way I can force them to not have my information web-accessible? I don't need to review my credit every month like their constant spam emails suggest I do. I don't log into their site or review my credit online like that in any way. It seems kind of criminal that they're allowed to just have all my information freely available to the web for takeover by anyone who has my info from a job or loan application.
  • The correct problem is: why do we let credit bureaus exist at all? And if we do, why is the legal default not a list like the following:

    1) every discrepancy is set in favor of the person's statement and the credit bureau must prove to a Court that their info is correct.
    2) All accounts are frozen by default. Reports can only be released after receiving a notarized release form signed by both the person and the agency (bank, credit card, etc) requesting the info.

  • by jenningsthecat ( 1525947 ) on Monday July 11, 2022 @11:09AM (#62693422)

    You'd never guess from the summary that Krebs actually tested out the claims using their own account, and verified that what Experian called "isolated incidents of fraud" are probably not so isolated, and that their claims of good security are probably bullshit. Then again, you'd never know from the "summary" that Experian made these assertions.

    I can't create a summary of a book by simply copying a sizable portion of it and calling it a "summary". Neither can Slashdot editors create a summary of a news story just by copying large hunks of it.

    Editors, if you're gonna rely on the copyt/paste thing so heavily, you might at least take an extra minute to select relevant quotes from throughout the story, rather than selecting one big chunk of exposition whose starting and ending points often seem almost arbitrary.

    • by saider ( 177166 ) on Monday July 11, 2022 @12:03PM (#62693574)

      To do that, they would have to read the entire article.

    • by ddtmm ( 549094 )

      I'm getting tired of Copy Pasta "summaries"

      if you're gonna rely on the copyt/paste thing so heavily...

      I commend you for leading by example. Clearly you took the time to write this yourself.

      • I'm getting tired of Copy Pasta "summaries"

        if you're gonna rely on the copyt/paste thing so heavily...

        I commend you for leading by example. Clearly you took the time to write this yourself.

        You mean "copyt" isn't a legitimate English word? Dang! ;-)

  • by kyoko21 ( 198413 )

    It really makes you wonder, just how well Experian REALLY know its customer....?

  • Hijack it Back? (Score:5, Interesting)

    by SuperKendall ( 25149 ) on Monday July 11, 2022 @11:11AM (#62693428)

    Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.

    If that works couldn't you get the account back by signing up for a new account using a different email address? Then maybe locking your credit would prevent further logins, though not sure if that would be the case or not.

    It's interesting that's the posited approach used to take over the account, at all credit agencies I've signed in for (including Experian recently) I had to answer three questions with mostly obscure information about items from my credit history (like past residences or employers). I wonder how they were able to get enough historical info to pass the questions.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      probably from the last hack of experian

    • by tizan ( 925212 )

      Social media or other such services most probably. Most people have schools and addresses all over the net...

  • Scary⦠(Score:5, Informative)

    by Ronin Developer ( 67677 ) on Monday July 11, 2022 @11:26AM (#62693474)

    As a victim of the OPM hack, I was provided identity theft monitoring and protection.

    After almost 6 years we have of trying to make any down my credit card debt as a result of my divorce, I HAD to use my credit card for a card repair as the debit card processing wasnâ(TM)t working (nothing wrong with the card). I had paid $600 a week prior on the credit card and charged $1200 for the repairs. The next day, my rating dropped 19 points.

    I paid $800 more immediately. No change a month later.

    Thankfully, my score is highâ¦but, I was about to break 800.

    What pisses me off is that I could sign up for Experian boost and see a 50 point increase for doing nothing such as careful but consistent pay down of my debt.

    It strikes me as a scam.

    • You're not the only one. Last month, I charged $90 on one of my credit cards, and my score instantly dropped 23 points. When it came time to pay my credit card bill, I paid $200, to bring the balance down. My score went up 2 points. At this rate, it will take almost a year to recover from that one purchase, which is absolutely absurd.
  • by xgerrit ( 2879313 ) on Monday July 11, 2022 @11:29AM (#62693488)

    Someone used my info (stolen elsewhere) to create an account at Experian, and now I'm locked out of ever contacting them because I don't have access to the email address that was used. That was followed by a bunch of fraudulent accounts being opened which I tried to stop, but I couldn't place a credit freeze at Experian because I was locked out.. so all I could do was alert the other credit reporting bureaus. That means Experian is the only credit reporting agency that has a bunch of trash information about me, and the only fraudulent accounts opened were at places that trusted Experian.

    I'd really love it if someone crunched the numbers to see what the rates of fraud were for credit lenders when "trusting" different credit bureaus. I'd be pretty surprised if fraud wasn't much higher when businesses use Experian.

    • This is a terrifying story. I have spent years building my credit up for stupid mistakes and am finally at a place where I can easily be granted credit when I need it.

      It absolutely keeps me up at night sometimes just thinking about someone tanking my credit.

      They need to allow TOTP MFA options for protecting these vital accounts.

    • by dgatwood ( 11270 )

      Someone used my info (stolen elsewhere) to create an account at Experian, and now I'm locked out of ever contacting them because I don't have access to the email address that was used. That was followed by a bunch of fraudulent accounts being opened which I tried to stop, but I couldn't place a credit freeze at Experian because I was locked out.. so all I could do was alert the other credit reporting bureaus. That means Experian is the only credit reporting agency that has a bunch of trash information about me, and the only fraudulent accounts opened were at places that trusted Experian.

      I think you would have no trouble finding a lawyer to represent you pro bono in a lawsuit against Experian for fraud and libel. Please hire one.

  • by kevink707 ( 1331815 ) on Monday July 11, 2022 @12:32PM (#62693652)
    Given the scope of this vulnerability this is not a responsible disclosure by Krebs. The number of Experian accounts being hijacked will almost certainly increase because this information was published.
  • Credit bureaus are corrupt organizations that have no real power or authority, which is why I ignore them. I don't care if my credit score is 800 or 400, because I don't use credit. "Oh but what about buying a car or a home?" Fuck those things. Credit is NOT needed for anything, and only stupid people use it.

    • Unfortunately, most regular people don't have hundreds of thousands of dollars laying around to buy a house in cash. Loans are supposed to be available to us plebs to help us escape the cycle of renting and build equity. They're often not available due to other factors, but that's the idea anyway.
      • by Bahbus ( 1180627 )

        That may have been the idea behind it, but instead it's used exclusively as a tool of oppression and exploitation. Needing hundreds of thousands of dollars to afford a house is just plain stupid. The house isn't worth that much money nor is the land under it.

        The credit bureaus are private entities that don't know jack shit about you, money, or how to spend it. And their rating system is equally as dumb. It was not set up by smart people who wanted it to have a purpose. They wanted to exploit people, and any

  • by sjames ( 1099 )

    Why does anyone put any faith in anything Experian has to say anymore. At best it is all hearsay and in light of recent reports, I see no reason to believe any of it is even about the person they attribute it to.

  • ....it's not like people's financial information or credit scores are important or anything.

  • by AmazingRuss ( 555076 ) on Monday July 11, 2022 @01:54PM (#62693948)
    Don’t borrow. Starve the beast.
  • I couldnâ(TM)t cancel my card either because I couldnâ(TM)t identify myself on the phone or online. It took me about 12 months or longer to resolve with Equifax & Experian, who both locked my account so hard I have a zero fico score and all history removed. It took several requests by mail and FAXing
  • Gee, it's almost like they did it on purpose, to talk you into paying for their monitoring service. "Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity."
  • Just a reminder: (Score:5, Insightful)

    by tiqui ( 1024021 ) on Tuesday July 12, 2022 @01:59AM (#62695522)

    Nobody ever authorized any of these credit rating firms to have YOUR personal information.

    There's no such thing as "identity theft"; what there is, is: Two businesses (some vendor and some financial institution) assisted by a third business (some credit rating firm) did sloppy reckless business with a criminal who pretended to be you... and when the thing came apart, the criminal fled the scene, and the businesses involved all pointed at YOU (the one entity that had NOTHING to do with the scam). Your identity was not stolen (that's impossible), somebody simply identified himself as you, and the businesses involved did not bother to verify that the crook was you.

    All of this could be cleaned up in a day, if only the congress and a president would agree to do it... which they will not because too many of them (in ALL parties) are on the take, and they figure they can let all this stuff happen because the voters are too lazy to do anything about it, or too addicted to voting on some social issue to get involved in the practical stuff that hurts everybody.

  • Lately my wife has been keeping late nights when i ask her she cooks up stories why she did’nt come home and all, I was becoming feed up about her cooked up stories. I had to hire a hacker to give me full access to her mobile phone and also her GPS after this hacker granted me all and i discovered that my wife has been lying all along to me not knowing she has been cheating on me . All thanks to wisetechacker @gmail com
  • Infidelity in marriage is never a thing of joy, I was battling with infections in marriage, painful right. I'm not so ashamed to say this because I'll like this to serve as an eye-opener to young couples out there. my ex-husband was a university lecturer and was always involved with extramarital affairs. I found myself in and out of hospitals treating myself for STDs, I had to get an ethical hacker wisetechacker @gmail com, to help me clone his phone and social media platforms in Whatsapp and Facebook messe

When you are working hard, get up and retch every so often.

Working...