Slashdot Mirror
Experian Criticized Over Credit-Freeze PIN Security and 'Dark Web' Scans (theverge.com)
Security researcher Brian Krebs complains that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge:
Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.
That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."
Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.
That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."
Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.
The only thing you can do is to keep checking your credit reports for something suspicious. With the data they have, there is nothing you can do to 100% stop it.
Politicians SHOULD be fixing this, by forcing the credit bureaus to lock down everyone's data and come up with a foolproof way of confirming identity. But instead, I see we're all riled up on football players not standing during national anthems. Way to set priorities, America!
Here's what will keep happening during the next years: entire "systems" that are riddled with horrible security practices and no competent personel to care of it will come crashing down after years of negligence.
I dunno how many of them will be in such a spectacular cascade of revelations, but I imagine that a sizeable portion will be.
Security professionals and conscious people have been warning for a while that stuff like that was going to eventually happen, but businesses, services and corporations small and large have not only been ignoring things so far, they have been introducing more and more points of failure over the years.
We are only starting to walk in the middle of a minefield. By the end of it, if we didn't already go to a full blown war, privacy will be dead for a whole ton of people, rights violated and trampled.
It's pretty much the perfect storm crime/theft/scam. All that data that's being leaked, hacked into, collected and harvested to be sold, or actively spied and taken in real time is accumulating somewhere, perhaps in databases inside the darknet, by criminals and hacker groups, by corporations that will eventually take advantage of it. It'll be terabytes upon terabytes of sophisticated dossier databases that will give all sorts of private information about anyone with a single search.
People don't react to it and don't seem to care all that much because that information can be exploited slowly. Who cares if someone got his/her identity stolen, as long as it's not happening to me it's ok. But one day it will. And then, it's no use getting angry and trying to fight against it because much as yourself once did, no one cares.
This is our future.