Experian Criticized Over Credit-Freeze PIN Security and 'Dark Web' Scans

Security researcher Brian Krebs complains that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge: Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.

That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."
Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.

We're all basically screwed

The only thing you can do is to keep checking your credit reports for something suspicious. With the data they have, there is nothing you can do to 100% stop it.

Politicians SHOULD be fixing this, by forcing the credit bureaus to lock down everyone's data and come up with a foolproof way of confirming identity. But instead, I see we're all riled up on football players not standing during national anthems. Way to set priorities, America!

Re:We're all basically screwed

[sjames]

No, the credit bureaus should be held to the fire and nailed for a few million counts of libel. Spreading harmful information with wanton disregard for the truth is sufficient for libel. For example, claiming that you did something to become less than credit worthy without solid proof it was actually you when they know damned well fraud is rampant.

Re:We're all basically screwed

[140Mandak262Jamuna]

Extend the libel liability to the lenders too. If they lend money to some Tom Dick or Harry and they report to the credit reporting agencies that I am in default, they should be held liable for damaging my reputation and credit worthiness.

That is what will reduce identity theft. People steal identities because they are able to easily borrow based on stolen identities. We need to make it very difficult to borrow with stolen identities.

In nearly all the other countries, unless the lender proves that they actually lent money to A, not to someone claiming to be A, they dont get to collect. In USA too they might not be able to collect but they can damage the reputation with impunity. That is the root cause of this identity theft market.

Re:We're all basically screwed

[sjames]

Except this and this suggest that mortgages in Europe are comparable to the U.S. Perhaps your information is out of date.

This is the future...

[XSportSeeker]

Here's what will keep happening during the next years: entire "systems" that are riddled with horrible security practices and no competent personel to care of it will come crashing down after years of negligence.
I dunno how many of them will be in such a spectacular cascade of revelations, but I imagine that a sizeable portion will be.
Security professionals and conscious people have been warning for a while that stuff like that was going to eventually happen, but businesses, services and corporations small and large have not only been ignoring things so far, they have been introducing more and more points of failure over the years.
We are only starting to walk in the middle of a minefield. By the end of it, if we didn't already go to a full blown war, privacy will be dead for a whole ton of people, rights violated and trampled.
It's pretty much the perfect storm crime/theft/scam. All that data that's being leaked, hacked into, collected and harvested to be sold, or actively spied and taken in real time is accumulating somewhere, perhaps in databases inside the darknet, by criminals and hacker groups, by corporations that will eventually take advantage of it. It'll be terabytes upon terabytes of sophisticated dossier databases that will give all sorts of private information about anyone with a single search.
People don't react to it and don't seem to care all that much because that information can be exploited slowly. Who cares if someone got his/her identity stolen, as long as it's not happening to me it's ok. But one day it will. And then, it's no use getting angry and trying to fight against it because much as yourself once did, no one cares.
This is our future.

Re:Arbitration Clauses

[sjames]

Probably because living naked in a cave to dodge arbitration clauses is impractical and likely illegal.

It's not hard to imagine that unilaterally depriving someone of their right bring the matter to court should be illegal, is it?

Thumbprint

[mspohr]

I read an article in The Guardian where a security expert recommended that uses (in the UK) put a "Notice of Correction" on their Experian(UK) file (and others):
Jamieson sent a notice of correction to the three main credit reference agencies. It states: “I, Jamie Jamieson, of [his address], do hereby declare that when my signature is required for any financial product or service, I will authenticate it with my thumbprint. Failure by me to comply with this direction should result in the service or product being withheld. Any application without a thumbprint should be considered fraudulent. I will inform you in writing, signed and thumbprinted, of any changes to this notice of correction.”

https://www.theguardian.com/mo...

This would seem to be a good solution. A fraudster would not necessarily know about the thumbprint requirement and when asked for a thumbprint would be reluctant to put his own thumbprint on a document. If they did, they could be traced by the thumbprint. It wouldn't require the creditor to check the thumbprint unless there was a problem.

Would this work in the US?
(The US credit bureaus allow you to add a "Statement" to your account.)
(I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)