Slashdot Mirror


Experian Criticized Over Credit-Freeze PIN Security and 'Dark Web' Scans (theverge.com)

Security researcher Brian Krebs complains that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge: Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.

That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."

Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.

65 comments

  1. Duh? by NotQuiteReal · · Score: 1

    Some Tips for Experian...

    --
    This issue is a bit more complicated than you think.
    1. Re:Duh? by Gr8Apes · · Score: 1
      The biggest one I don't get is this one:

      That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them.

      Security questions are fine, it's people who answer them with easily checkable facts that are morons. For instance, "Who's your best friend in first grade?" Answer: Empire State Building. "What's your mother's maiden name?" A: Queen of the Moon! etc.

      Yes, you have to keep a list, mine's even worse than that, individual answers for every site that requests them.

      "What's your first car?" A: Ponies!

      --
      The cesspool just got a check and balance.
  2. We're all basically screwed by Anonymous Coward · · Score: 5, Insightful

    The only thing you can do is to keep checking your credit reports for something suspicious. With the data they have, there is nothing you can do to 100% stop it.

    Politicians SHOULD be fixing this, by forcing the credit bureaus to lock down everyone's data and come up with a foolproof way of confirming identity. But instead, I see we're all riled up on football players not standing during national anthems. Way to set priorities, America!

    1. Re:We're all basically screwed by sjames · · Score: 5, Interesting

      No, the credit bureaus should be held to the fire and nailed for a few million counts of libel. Spreading harmful information with wanton disregard for the truth is sufficient for libel. For example, claiming that you did something to become less than credit worthy without solid proof it was actually you when they know damned well fraud is rampant.

    2. Re: We're all basically screwed by Anonymous Coward · · Score: 1

      Let's be real, no one is getting punished, and if someone was, it'd be a lowly engineer.

      Already the insider trading has been forgotten by the media.

    3. Re: We're all basically screwed by sjames · · Score: 1

      Yeah, realistically, they've gotten a pass from the courts and legislature since forever. Of course, we did eventually see some judges actually start demanding proof of mortgages from banks and the banks come up short.

    4. Re: We're all basically screwed by Alain+Williams · · Score: 1

      Corporations give large campaign donations, individuals do not. Who do you think politicians will listen to?

    5. Re:We're all basically screwed by Anonymous Coward · · Score: 0

      Just close them down. They're parasites. I doubt they were around in 1945, and it seems we managed to nuke the Japs not once but twice without their help.

    6. Re: We're all basically screwed by Anonymous Coward · · Score: 0

      Once politicians have their identity stolen, they might do something.

    7. Re:We're all basically screwed by 140Mandak262Jamuna · · Score: 2
      Extend the libel liability to the lenders too. If they lend money to some Tom Dick or Harry and they report to the credit reporting agencies that I am in default, they should be held liable for damaging my reputation and credit worthiness.

      That is what will reduce identity theft. People steal identities because they are able to easily borrow based on stolen identities. We need to make it very difficult to borrow with stolen identities.

      In nearly all the other countries, unless the lender proves that they actually lent money to A, not to someone claiming to be A, they don't get to collect. In the USA too they might not be able to collect, but they can damage the reputation with impunity. That is the root cause of this identity theft market.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    8. Re:We're all basically screwed by Anonymous Coward · · Score: 0

      It's not "America" setting this priority. It's one specific person in the White House, that most people didn't vote for :-) Got that?

    9. Re:We're all basically screwed by Anonymous Coward · · Score: 0

      Not really. What does the executive branch of the federal government have to do with this?

    10. Re:We're all basically screwed by Anonymous Coward · · Score: 1

      here's another non-sequitur: "Just close them down. They're parasites. I doubt they were around in 1945, and it seems we managed to elect Donald Trump without their help."

    11. Re:We're all basically screwed by Anonymous Coward · · Score: 0

      Trump: "Hmmm... A lot of people who supported me are mad because Equifax lost their private info, and they want me to do something about credit bureaus. I really don't want to do anything"

      -Tweets bullshit about NFL players not standing during anthem-

      Trump: "There, that should do it."

    12. Re:We're all basically screwed by Shoten · · Score: 1

      There's a bigger challenge here to keep in mind.

      In most other countries, it's hard to get a mortgage without paying credit-card interest rates. Why is this? Because the concept of a "credit rating" doesn't exist in any meaningful way. As a result, it's nearly impossible for banks to assess risk in a highly-standardized fashion. This, in turn, means that entities like Fannie Mae and Freddie Mac (who underwrite the vast majority of non-mansion-sized mortgages) cannot exist either, because standardization of risk rating underpins their entire function.

      There's an underlying cry of "WHY DO THESE AGENCIES HAVE ACCESS TO ALL OUR INFORMATION???" and it's a good question to ask. Indeed, these agencies hold the keys to identifying (or impersonating) us all, and it's wise to examine whether that's a good thing or not. But they don't have that access for no particular reason besides corporate greed...they are part of a much-larger ecosystem that drives our housing market, among many other things. We shouldn't be examining this like it's just a solitary business function with no ties to anything else.

      The larger problem, I think, is the way that we manage identities in the US. The anchor for all of it is the SSN; it was never meant to be used the way it's used today. It's like a login with no password, based on a relatively-predictable sequence, being used for everything. This nation needs an identity standard...but then you have constitutional issues due to the possibility of abuse. What we need is somewhere halfway between the SSN identifier of today and something that can lead to hearing "May I see your papers, please?"

      --

      For your security, this post has been encrypted with ROT-13, twice.
    13. Re:We're all basically screwed by sjames · · Score: 2

      Except this and this suggest that mortgages in Europe are comparable to the U.S. Perhaps your information is out of date.

    14. Re:We're all basically screwed by Anonymous Coward · · Score: 0

      It's not "America" setting this priority. It's one specific person in the White House, that most people didn't vote for :-) Got that?

      most people do not vote, so your statement applies to every single elected official in existence, past and present. quit being a crybaby, he's the president, there is nothing you can do about it, and crying will get you nowhere.

    15. Re:We're all basically screwed by Anonymous Coward · · Score: 0

      > But instead, I see we're all riled up on football players not standing during national anthems

      Moron. As though that issue affects how people are reacting to this breach in any way. Get the fuck off of reddit.

    16. Re: We're all basically screwed by Anonymous Coward · · Score: 0

      When a politician's identity is stolen, all accounts the politician claims they did not open are removed from their history, no questions asked.

    17. Re: We're all basically screwed by Anonymous Coward · · Score: 0

      Let's be real, no one is getting punished [...]

      Not true! Millions of us will be punished for the failures of the credit bureaus.

    18. Re:We're all basically screwed by John_3000 · · Score: 1

      Aside from being a bad movie cliche, what is the problem with "Show me your papers." That's pretty much what we want if the "papers" are some sort of secure proof of identity.

  3. Arbitration Clauses by intellitech · · Score: 1

    Congress needs to enact some laws banning arbitration clauses.

    They hurt consumers and destroy the spirit of the law.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
    1. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      Just don't agree to them; that's your right. Why is everyone's first answer to everything that government needs to step in and ban something they should be handling themselves?

    2. Re:Arbitration Clauses by Billly+Gates · · Score: 1

      Pff socialist

    3. Re:Arbitration Clauses by sjames · · Score: 2

      Probably because living naked in a cave to dodge arbitration clauses is impractical and likely illegal.

      It's not hard to imagine that unilaterally depriving someone of their right to bring the matter to court should be illegal, is it?

    4. Re: Arbitration Clauses by Anonymous Coward · · Score: 0

      Pfft... fascist.

    5. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      Congress created the issue back in 1925 when they allowed for arbitration. For many decades it was mainly utilized between companies. It wasn't intended for business to consumer transactions, which, by and large, are adhesion contracts (take it or leave it with no effective bargaining power; dealing with Comcast, AT&T, etc).

      Ultimately, it's up to Congress to address the issue, though it doesn't look promising. It's also Congress that allows credit bureaus to charge for freezing and unfreezing credit with fees typically around $10 per instance, but can be even higher. Rambling on, but the U.S. government is very corrupt and the recent Equifax security breaches clearly illustrate that to the general public. Many still believe much of the government is there to serve the public - it should, but so often doesn't.

      Forced arbitration should be banned. And credit freezing, unfreezing, and related services should be free.

      p.s. Slashdot ads are getting even more sketchy by the day. Cursor is sluggish, jumping around, losing window focus. Slashdot seems to be on its last legs milking out whatever little revenue it can with no regard to users.

    6. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      Better to live naked in a cave FREE than to live in a mansion under communism.
      --
      roman_mir

    7. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      because corporations, *and* certain government agencies, will run all over ordinary people (kinda like they are now) if given free rein.

      people like you, too, don't forget, as special as you would like to believe you are.

    8. Re:Arbitration Clauses by ShanghaiBill · · Score: 1

      Forced arbitration should be banned.

      But can they charge extra to the people that want the right to sue, to cover litigation costs? Or, equivalently, offer a discount to people willing to sign the arbitration clause?

    9. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      But can they charge extra to the people that want the right to sue, to cover litigation costs?

      You are a little (big understatement) naive, aren't you?

      Those companies already calculate every money-costing item (including luxury company dinings) into the price of their products, don't worry.

      What? You did not know that? :-)

    10. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      Congress needs to enact some laws banning arbitration clauses.

      Those same congresses (under multiple presidents mind you) which allow shrink-wrap contracts to exist?

      I don't expect that that will happen at any time soon (with "soon" measured in decades). :-(

    11. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      The only ones living in a mansion under communism, are on top of it, not under it. And that is better than a cave.

    12. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      Huh? If you live in a mansion under communism that means that you're on top of the corruption food chain and loving life. And the equivalent in a capitalistic structure.

      All political systems have a component of corruption. The caveman days probably had its version too.

      So, no, give me the mansion in any political system. It means I'm enjoying the blackjack and hookers, not living a capped existence in some proletariat/middle-class cave that's essentially owned and controlled by those who live in mansions (via consumerism, debtor's prison, etc.).

    13. Re: Arbitration Clauses by Anonymous Coward · · Score: 0

      Pffft... istist.

    14. Re: Arbitration Clauses by Anonymous Coward · · Score: 0

      What a retarded reply. If they already factored in the cost of arbitration, do you think they already factored in more expensive court litigation? Hence, the GP's point of increased cost.

    15. Re:Arbitration Clauses by Anonymous Coward · · Score: 0

      Banks require them in order to open accounts now. If you don't have a bank account, you're pretty much a second-class citizen in a lot of ways.

      Cell phone? Arbitration clause.
      Internet provider? Arbitration clause.

      Refusing arbitration effectively means "opting out" of (what's left of) Western civilization.

  4. This is the future... by XSportSeeker · · Score: 5, Interesting

    Here's what will keep happening during the next years: entire "systems" that are riddled with horrible security practices and no competent personnel to take care of it will come crashing down after years of negligence.
    I dunno how many of them will be in such a spectacular cascade of revelations, but I imagine that a sizeable portion will be.
    Security professionals and conscious people have been warning for a while that stuff like that was going to eventually happen, but businesses, services and corporations small and large have not only been ignoring things so far, they have been introducing more and more points of failure over the years.
    We are only starting to walk in the middle of a minefield. By the end of it, if we didn't already go to a full blown war, privacy will be dead for a whole ton of people, rights violated and trampled.
    It's pretty much the perfect storm of crime/theft/scam. All that data that's being leaked, hacked into, collected and harvested to be sold, or actively spied on and taken in real time is accumulating somewhere, perhaps in databases inside the darknet, by criminals and hacker groups, by corporations that will eventually take advantage of it. It'll be terabytes upon terabytes of sophisticated dossier databases that will give all sorts of private information about anyone with a single search.
    People don't react to it and don't seem to care all that much because that information can be exploited slowly. Who cares if someone got his/her identity stolen, as long as it's not happening to me it's ok. But one day it will. And then, it's no use getting angry and trying to fight against it because much as yourself once did, no one cares.
    This is our future.

    1. Re:This is the future... by Anonymous Coward · · Score: 0

      Well, at some point in the scenario you outlined, proof of Identity will regress and the way we prove identity today will no longer be valid. We might be going to a time of attested transactions, where we have to go and have witnesses to all our important deals that can be called to testify if the deal actually occurred.

    2. Re:This is the future... by houghi · · Score: 1

      I know how the US hates to do things as they are in the rest of the world (Metric, PIN for cards, ...) yet here is just some info on how we handle credit info and data in Belgium.
      1) You need an official ID (We have one, but you could use other things that are official as well to make this work. Drivers license, presentation at city hall with a code, ...) These can be lost and replaced. https://www.checkdoc.be/ to see if they are valid or not
      2) All credits and loans are kept by the National Bank of Belgium
      3) To access the data and you are not the person you must be a credit company or a bank
      4) You will see limited data (not even who has given the credit and/or loan). Just enough to calculate/see if you can give a loan/credit or not.
      5) Give credit to somebody who should not get one, YOU are responsible. If they don't pay back for whatever reason, YOU pay.
      6) Give too many people credit if you are not allowed (or do not follow other procedures) and your license to do so is gone and you can close down.

      If you are not a credit company or bank, you will NOT get access to the data. Updates are done via secure connections, signed XML and fixed IP only. (At least last time I looked into it)

      --
      Don't fight for your country, if your country does not fight for you.
  5. White pages by michaelmalak · · Score: 1

    Yellow Pages-like databases

    No, individuals are found in the White Pages, not the Yellow Pages.

    1. Re: White pages by Anonymous Coward · · Score: 0

      Not nowadays.

  6. Has anyone done a study on this? by Hognoxious · · Score: 1

    It seems that you get organisations (I use that word deliberately, to include private sector and government) where once in a while somebody drops the ball and there's a bit of a balls-up but they fix it in good order, learn the lessons and move on.

    Then there are others that lurch from one crisis into two more, like Hobbes' Leviathan made of Mr Bean clones.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Brian Krebs by Anonymous Coward · · Score: 0

    Why is most of the summary attributed to Brian Krebs, then you link to some shitty article from theverge.com?

  8. Opted not to freeze by Anonymous Coward · · Score: 0

    I think it really does not help to freeze months after a breach. Your only real effective solution now is to monitor any suspicious activity on your credit reports and hope you're not a target. Brian Krebs is right, the damage is done and creating an online account with TrustedID is hardly going to stop anyone. I thought the same thing, don't these people already have enough of my information to unlock anything I do? Really I hope the help comes from institutions who may get false applications in my name for credit.

  9. Experian needs to die by Ritz_Just_Ritz · · Score: 1

    Yet ANOTHER ham-fisted reaction to what ought to be a pretty straightforward mea culpa, fix of issues, etc. Their leadership is simply not trustworthy and that's paramount in this particular business.

    1. Re:Experian needs to die by Anonymous Coward · · Score: 0

      You are thinking of Equifax. Experian is a different company.

    2. Re:Experian needs to die by Ritz_Just_Ritz · · Score: 1

      Yikes. You're right. My bad.

  10. About that... by Anonymous Coward · · Score: 1

    It wasn't even the Judges, it was Plucky self-educated defendants who realized the scam, and brought the issue of no proof of ownership of the loan to the Judge during their hearings.

    YOYO = You're On Your Own.

  11. security questions? by Anonymous Coward · · Score: 0

    people still put true answers to security questions instead of password-like responses?

  12. Not that kind of security question by Anonymous Coward · · Score: 1

    What you described are security questions that a customer sets up to regain access to a service they have contracted for.

    What Experian asks, as do many financial services companies, are questions drawn from either their own or another data broker's (Acxiom) database of information about you. It is especially pernicious that they are continuing this after they let that database be stolen.

    I gave Fidelity an earful a little while back when they were going to take away the choice of using an OTP to verify my identity for a trade and instead require me to verify Acxiom-provided biographic information. Talk about a security downgrade...

    1. Re:Not that kind of security question by Gr8Apes · · Score: 1

      Then Experian may truly be more incompetent than Equifax. All my financial institutions allow me to set up security question/answers per my pairing, not some external pairing.

      --
      The cesspool just got a check and balance.
    2. Re:Not that kind of security question by Anonymous Coward · · Score: 0

      Mine sold me that same lie. Then I tried to sign in to my Chase Bank account from a browser where I hadn't let them persist a cookie ... not a sign of "my" security questions in sight.

    3. Re:Not that kind of security question by Gr8Apes · · Score: 1

      But they didn't work security questions from some external source, did they?

      --
      The cesspool just got a check and balance.
  13. Thumbprint by mspohr · · Score: 3, Interesting

    I read an article in The Guardian where a security expert recommended that users (in the UK) put a "Notice of Correction" on their Experian (UK) file (and others):
    Jamieson sent a notice of correction to the three main credit reference agencies. It states: “I, Jamie Jamieson, of [his address], do hereby declare that when my signature is required for any financial product or service, I will authenticate it with my thumbprint. Failure by me to comply with this direction should result in the service or product being withheld. Any application without a thumbprint should be considered fraudulent. I will inform you in writing, signed and thumbprinted, of any changes to this notice of correction.”

    https://www.theguardian.com/mo...

    This would seem to be a good solution. A fraudster would not necessarily know about the thumbprint requirement and when asked for a thumbprint would be reluctant to put his own thumbprint on a document. If they did, they could be traced by the thumbprint. It wouldn't require the creditor to check the thumbprint unless there was a problem.

    Would this work in the US?
    (The US credit bureaus allow you to add a "Statement" to your account.)
    (I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)

    --
    I don't read your sig. Why are you reading mine?
    1. Re:Thumbprint by kerrbear · · Score: 1

      Would this work in the US? (The US credit bureaus allow you to add a "Statement" to your account.) (I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)

      Nice idea, but sadly it would not work in the current system. For years I have called credit card companies in advance to make a statement that I am traveling to a foreign country so don't put my charges on hold when I use my card there. First charge, they always ignore the statement and put my card on hold until they can contact me. After that they will allow it to be used. No credit company is going to follow any special instructions from the consumer given to a rating agency. Sometimes lenders will not even check for a freeze on credit at the rating agency and will issue a card, so you can't even depend upon that.

      They are simply going to have to stop using SSNs as authenticator values and come up with something more secure.

    2. Re: Thumbprint by Anonymous Coward · · Score: 0

      Why don't you cancel the credit card for being incompetent? Hello, red fucking bells...

      I go to Mexico each year. I used to call the credit card company and give them exact dates to avoid processing problems. No issues, ever.

      Last year, they started saying there won't be any problems, I don't have to notify them anymore.

      I'm Canadian, so that might be why it's better than you, but really, just get another credit card if they are going to fuck around.

    3. Re:Thumbprint by watice · · Score: 1

      This thumbprint thing, even if not followed by certain creditors, will at least give you plausible deniability of fraudulent charges not made by you. I see it as being more of a headache though when it comes to shopping. You would have to carry ink around in order to post your thumbprint as most places aren't going to have spare ink laying around.

    4. Re:Thumbprint by Anonymous Coward · · Score: 0

      Sorry folks but the thumbprint isn't secure. Go look up the 2014 incident when a German hacker/security researcher obtained a minister's thumbprint from a photograph (and no the German minister didn't hold the photo). https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

  14. Quick tip by Anonymous Coward · · Score: 0

    This seems glaringly obvious to me, and I would hope anyone that has to use security questions, but DO NOT put actual answers in.

    Mother's Maiden Name? PALkfidhf776dg.

    No amount of googling, public records or other searching will EVER turn those types of answers up in relation to one of your accounts.

    1. Re: Quick tip by Anonymous Coward · · Score: 0

      Fail. Rejected answer.

      "Fuck you snowflakes with numbers in your name."

    2. Re:Quick tip by ebvwfbw · · Score: 1

      I know a guy that did that. He was smart on all of his answers. Then he needed his password reset. We made him show up, show two forms of ID.

  15. dark web search by Some_Llama · · Score: 1

    if the dark web isn't indexed, and the sites are encrypted, how the hell is Experian "searching the dark web"?