Experian, You Have Some Explaining To Do (krebsonsecurity.com)
Security reporter Brian Krebs: Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn't theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.
John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account. Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian's password reset process was useless at that point because any password reset links would be sent to the new (impostor's) email address. An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.
Experian is a joke (Score:5, Insightful)
They should be removed as a credit bureau; a credit bureau should protect people's information. These clowns have proved again and again that they cannot and will not do their job. I have personally been affected by their actions.
Re:Experian is a joke (Score:5, Insightful)
The occasional crime against some nobody is tolerated. The system is working as intended, for the most part.
When mass hacks cause severe economic harm, impacting the bottom-lines of rich people who matter, then we will see some real accountability.
It's also possible that someone important will be one of the random once-in-a-while victims, which could also spur actual legal action.
Re: (Score:2)
When mass hacks cause severe economic harm,
That's not going to happen from a credit report company. That is, we've already seen mass hacks, but credit report companies are not going to cause severe economic harm.
Equifax is also a shit show. (Score:5, Interesting)
TWICE I made accounts with Equifax so I could freeze my credit and both times they lost/deleted/changed my login. Obviously oversight is nonexistent.
Re:Equifax is also a shit show. (Score:4, Informative)
I had frozen my credit with all 3 back when it cost money and I had to do it by mail.
I believe that TransUnion was the first one to develop a proper portal and I have never had an issue with it.
Equifax's portal came later, but would error out and not let me log in to freeze/unfreeze my credit for years. Then, magically, it fixed itself somewhere in 2020 and I was able to log in. I haven't had a problem with it since.
Experian was the last one to create a proper online portal. For years, to do the freeze/unfreeze stuff, they required going through the whole "prove yourself by answering these terrible questions that are never correct" which I would answer correctly about half the time.
Re: (Score:3)
Same, and I've never had any kind of business (Score:2)
relationship with these thieves. How the fuck is it legal for them to hoard my information and affect my life when I never chose to have anything to do with them?
They're not the gov't, but the gov't is using them against us. Still waiting for a hold on a Treasury account I created because of "failed verification using commercially available information". It's been months, I've had to go to the bank and get them to open a vault to sign a letter with a secret medallion to prove I'm me. Wait time is several m
Re: (Score:2)
Yet you're still choosing to borrow money from banks.
Since this is Slashdot, let's have a car analogy: when buying a new car in the US, you can curse car dealerships for being worthless sacks of shit too, and ask how this racket can "even be legal". Easy: car manufacturers are complicit, and you chose to give 'em business.
Re: (Score:2)
I've never taken a loan for anything; Ever.
Re:Experian is a joke (Score:4, Informative)
Later when I applied for things like car financing or a mortgage, this got flagged; when they searched my credit and used just my social security number, TWO reports came up, one under my name and one under the other guy's name. For several financial institutions, that's immediate denial of credit. I spent probably 100 hours of my life on the phone with Experian to correct the issue, and they never got it fixed; I had to wait the 7 years for that account to effectively be dropped off of the other report and it was closed.
They are a blight on society.
Re: Experian is a joke (Score:5, Informative)
You didn't have to wait that long. You could have sued and likely won at least some settlement and had the wrong data expunged. A lawyer would take you on contingency. It wouldn't have been an instant result, but it would have been much less than 7 years. Source: I actually did this, a while ago.
Re:Experian is a joke (Score:5, Insightful)
A credit bureau is a data broker. Data brokers don't care about the data they're selling. They only care about the fact that they can collect and sell that data and that other people can't get that data for free.
Your data might be part of the data, but they don't care about you because you're not their customer.
Ugh, Experian (Score:5, Insightful)
The fact that they are still allowed to store people's info after their past security lapses is a travesty. They should have been closed down back then, or at least some people sent to jail, which might make them more careful.
Re:Ugh, Experian (Score:4, Interesting)
In the EU, their privacy blunders alone would send them into bankruptcy.
Re: (Score:3, Interesting)
Not sure what you mean. Experian is also the biggest credit agency in the UK (and has been from way before Brexit), from experience they are worse than the competition, and I have no reason to think they have any financial problems.
Re: (Score:2)
I think they made money out of this, they sold protection to people worried about their data.
Re: (Score:2)
Re: Ugh, Experian (Score:2)
You'd think they'd do a basic check (Score:5, Insightful)
You'd think Experian would do a basic check: if the information used to sign up matches an existing account, refuse to create the new account and direct the user to recover the password (and if necessary, the email address) for the existing account. If the email address is used as an account identifier, then it MUST NOT be used as part of the information determining whether a match occurred. This won't stop a hacker from setting up an account in someone else's name, but it does at least ensure that they can't hijack an existing account, and that once the actual user gains control over a falsely-created account the hacker can't re-hijack it.
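The check described in the comment above, written out as an added example (this is illustrative code, not Experian's system or anything from the Krebs article). The registry, field names and the keyed-hash index are all assumptions. It shows the weak signup path the comment criticises, where only the email is checked for uniqueness, next to a strict path that matches on the identity attributes alone and refuses a second account for an identity that already has one, sending the caller to account recovery instead.

```python
"""
Signup de-duplication keyed on identity attributes, not on the login email.
Added, hypothetical example; not code from Experian or from the article.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Assumed server-side secret: a keyed hash lets the identity index be looked up
# without storing raw SSNs in it. Rotate and protect it like any other key.
INDEX_KEY = b"example-only-index-key"


def normalise_ssn(ssn: str) -> str:
    """Accept '123-45-6789' or '123456789'; reject anything that is not 9 digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def identity_key(ssn: str, dob: date, last_name: str) -> str:
    """Match key built from identity attributes only. The email is deliberately
    NOT part of it, so a fresh email address cannot make a duplicate look new."""
    material = f"{normalise_ssn(ssn)}|{dob.isoformat()}|{last_name.strip().casefold()}"
    return hmac.new(INDEX_KEY, material.encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    email: str
    key: str


@dataclass
class Registry:
    by_email: dict = field(default_factory=dict)
    by_identity: dict = field(default_factory=dict)

    def signup_weak(self, email: str, ssn: str, dob: date, last_name: str):
        """Models the failure the comment describes: uniqueness is checked on the
        email only, so a second signup with the same identity and a new email
        is accepted and rebinds the identity to the attacker's address."""
        if email in self.by_email:
            return ("rejected", "email already registered")
        acct = Account(email, identity_key(ssn, dob, last_name))
        self.by_email[email] = acct
        self.by_identity[acct.key] = acct   # silently replaces the victim's binding
        return ("created", email)

    def signup_strict(self, email: str, ssn: str, dob: date, last_name: str):
        """Hardened path: look up the identity first. If an account exists, do
        not create another and do not reveal the existing email; point the
        caller at recovery, which must verify them out of band."""
        key = identity_key(ssn, dob, last_name)
        if key in self.by_identity:
            return ("recover", "an account already exists for this identity; "
                               "use account recovery")
        if email in self.by_email:
            return ("rejected", "email already registered")
        acct = Account(email, key)
        self.by_email[email] = acct
        self.by_identity[key] = acct
        return ("created", email)


def demo() -> dict:
    """Constructed scenario: a victim signs up, then an impostor re-signs up with
    the victim's identity (differently formatted) and a different email."""
    victim = ("victim@example.com", "123-45-6789", date(1980, 1, 2), "Turner")
    impostor = ("attacker@example.net", "123456789", date(1980, 1, 2), "TURNER")
    key = identity_key(*victim[1:])

    weak = Registry()
    weak.signup_weak(*victim)
    weak_result = weak.signup_weak(*impostor)

    strict = Registry()
    strict.signup_strict(*victim)
    strict_result = strict.signup_strict(*impostor)

    return {
        "weak_result": weak_result[0],
        "weak_owner": weak.by_identity[key].email,
        "strict_result": strict_result[0],
        "strict_owner": strict.by_identity[key].email,
    }


if __name__ == "__main__":
    print(demo())
```

In the weak registry the impostor's signup succeeds and the identity now points at `attacker@example.net`; in the strict registry it is refused and the victim's email stays bound. The normalisation (digits only, case-folded surname) matters: without it a trivially reformatted SSN or capitalised name would slip past the match.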
Re:You'd think they'd do a basic check (Score:5, Insightful)
If there is no punishment for this stupidity, why should they change their behaviour? They neither get fined for being ridiculously inept at security, nor do they lose customers, so why should they waste money on it?
Re: (Score:2)
There’s actually an argument to be made here.
Unlike a typical online account, their financial info exists independently of whether they have an account. And unlike a typical online account, where someone can simply create a new one with minimal repercussions if they lose access to a previous account, here the person would still need access to that same financial info. And unlike a typical online account that will appeal to a subset of the population who is interested in the service, the users for the
Impressively bad (Score:1)
Delete my info (Score:4, Insightful)
Re: (Score:2)
The short answer, unfortunately is...no.
Re: (Score:2)
Yeah. Have a residence in the EU [wikipedia.org].
Wrong Problem (Score:2)
The correct problem is: why do we let credit bureaus exist at all? And if we do, why is the legal default not a list like the following:
1) every discrepancy is set in favor of the person's statement and the credit bureau must prove to a Court that their info is correct.
2) All accounts are frozen by default. Reports can only be released after receiving a notarized release form signed by both the person and the agency (bank, credit card, etc) requesting the info.
Re:Wrong Problem (Score:4, Insightful)
The reason 2 isn't in place is easy - the whole point of a credit bureau is selling your information, not protecting it. If they couldn't sell it willy nilly, it would not be profitable to even compile it.
I'm getting tired of Copy Pasta "summaries" (Score:5, Insightful)
You'd never guess from the summary that Krebs actually tested out the claims using their own account, and verified that what Experian called "isolated incidents of fraud" are probably not so isolated, and that their claims of good security are probably bullshit. Then again, you'd never know from the "summary" that Experian made these assertions.
I can't create a summary of a book by simply copying a sizable portion of it and calling it a "summary". Neither can Slashdot editors create a summary of a news story just by copying large hunks of it.
Editors, if you're gonna rely on the copyt/paste thing so heavily, you might at least take an extra minute to select relevant quotes from throughout the story, rather than selecting one big chunk of exposition whose starting and ending points often seem almost arbitrary.
Re:I'm getting tired of Copy Pasta "summaries" (Score:5, Funny)
To do that, they would have to read the entire article.
Re: (Score:2)
Most of the commenters don’t even read the article.
Re: (Score:2)
I'm getting tired of Copy Pasta "summaries"
if you're gonna rely on the copyt/paste thing so heavily...
I commend you for leading by example. Clearly you took the time to write this yourself.
Re: (Score:3)
I'm getting tired of Copy Pasta "summaries"
if you're gonna rely on the copyt/paste thing so heavily...
I commend you for leading by example. Clearly you took the time to write this yourself.
You mean "copyt" isn't a legitimate English word? Dang! ;-)
Re: (Score:2)
At least they attribute it to the correct author. For years (decades?) they would attribute the copy/pasted "summary" to the submitter instead of the person who wrote it.
I haven't been here that long compared with many of the regulars here, and even I remember when many summaries were actually written by the submitters. Sure, there was heavy reliance on quotes, but there was often worthwhile original writing as well; and when it came to quotations, submitters took the time to select ones that gave a reasonably complete picture.
KYC (Score:2)
It really makes you wonder just how well Experian REALLY knows its customers...?
Re:KYC (Score:5, Insightful)
Their customers are the banks and credit card companies. You are their product.
Hijack it Back? (Score:5, Interesting)
Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.
If that works couldn't you get the account back by signing up for a new account using a different email address? Then maybe locking your credit would prevent further logins, though not sure if that would be the case or not.
It's interesting that's the posited approach used to take over the account, at all credit agencies I've signed in for (including Experian recently) I had to answer three questions with mostly obscure information about items from my credit history (like past residences or employers). I wonder how they were able to get enough historical info to pass the questions.
Re: (Score:2, Informative)
probably from the last hack of experian
Re: (Score:2)
Social media or other such services most probably. Most people have schools and addresses all over the net...
Scary… (Score:5, Informative)
As a victim of the OPM hack, I was provided identity theft monitoring and protection.
After almost 6 years of trying to pay down my credit card debt as a result of my divorce, I HAD to use my credit card for a car repair as the debit card processing wasn't working (nothing wrong with the card). I had paid $600 a week prior on the credit card and charged $1200 for the repairs. The next day, my rating dropped 19 points.
I paid $800 more immediately. No change a month later.
Thankfully, my score is high… but I was about to break 800.
What pisses me off is that I could sign up for Experian boost and see a 50 point increase for doing nothing such as careful but consistent pay down of my debt.
It strikes me as a scam.
Re: (Score:2)
Similar thing happened to me (Score:5, Interesting)
Someone used my info (stolen elsewhere) to create an account at Experian, and now I'm locked out of ever contacting them because I don't have access to the email address that was used. That was followed by a bunch of fraudulent accounts being opened which I tried to stop, but I couldn't place a credit freeze at Experian because I was locked out, so all I could do was alert the other credit reporting bureaus. That means Experian is the only credit reporting agency that has a bunch of trash information about me, and the only fraudulent accounts opened were at places that trusted Experian.
I'd really love it if someone crunched the numbers to see what the rates of fraud were for credit lenders when "trusting" different credit bureaus. I'd be pretty surprised if fraud wasn't much higher when businesses use Experian.
Re: (Score:3)
This is a terrifying story. I have spent years building my credit up for stupid mistakes and am finally at a place where I can easily be granted credit when I need it.
It absolutely keeps me up at night sometimes just thinking about someone tanking my credit.
They need to allow TOTP MFA options for protecting these vital accounts.
Re: (Score:2)
Someone used my info (stolen elsewhere) to create an account at Experian, and now I'm locked out of ever contacting them because I don't have access to the email address that was used. That was followed by a bunch of fraudulent accounts being opened which I tried to stop, but I couldn't place a credit freeze at Experian because I was locked out, so all I could do was alert the other credit reporting bureaus. That means Experian is the only credit reporting agency that has a bunch of trash information about me, and the only fraudulent accounts opened were at places that trusted Experian.
I think you would have no trouble finding a lawyer to represent you pro bono in a lawsuit against Experian for fraud and libel. Please hire one.
Responsible Disclosure? (Score:4, Interesting)
Well... (Score:1)
Credit bureaus are corrupt organizations that have no real power or authority, which is why I ignore them. I don't care if my credit score is 800 or 400, because I don't use credit. "Oh but what about buying a car or a home?" Fuck those things. Credit is NOT needed for anything, and only stupid people use it.
Re: Well... (Score:3)
Re: (Score:1)
That may have been the idea behind it, but instead it's used exclusively as a tool of oppression and exploitation. Needing hundreds of thousands of dollars to afford a house is just plain stupid. The house isn't worth that much money nor is the land under it.
The credit bureaus are private entities that don't know jack shit about you, money, or how to spend it. And their rating system is equally as dumb. It was not set up by smart people who wanted it to have a purpose. They wanted to exploit people, and any
Why (Score:2)
Why does anyone put any faith in anything Experian has to say anymore? At best it is all hearsay, and in light of recent reports I see no reason to believe any of it is even about the person they attribute it to.
Well that's ok (Score:2)
....it's not like people's financial information or credit scores are important or anything.
This problem has an easy solution (Score:4, Insightful)
This happened to me (Score:1)
Ummm here is the answer (Score:2)
Just a reminder: (Score:5, Insightful)
Nobody ever authorized any of these credit rating firms to have YOUR personal information.
There's no such thing as "identity theft"; what there is, is: Two businesses (some vendor and some financial institution) assisted by a third business (some credit rating firm) did sloppy reckless business with a criminal who pretended to be you... and when the thing came apart, the criminal fled the scene, and the businesses involved all pointed at YOU (the one entity that had NOTHING to do with the scam). Your identity was not stolen (that's impossible), somebody simply identified himself as you, and the businesses involved did not bother to verify that the crook was you.
All of this could be cleaned up in a day, if only the congress and a president would agree to do it... which they will not because too many of them (in ALL parties) are on the take, and they figure they can let all this stuff happen because the voters are too lazy to do anything about it, or too addicted to voting on some social issue to get involved in the practical stuff that hurts everybody.
SPY ON YOUR SPOUSE (Score:1)
INFIDELITY IN MARRIAGE IS NEVER A THING OF JOY (Score:1)