Hey Experian, what is happening? Time to check in with you from blog The Technology blog and podcast

Hey Experian, what is happening? Time to check in with you

Hello everyone, welcome to a probably very interesting article that I read yesterday. It probably belongs in the worst things I’ve read in the “I probably haven’t learned a thing” department.

All three major credit bureaus have had a breach of one magnitude or another. Fine. I’m game with that, because at some point, whether we know it, we’re all going to be breached individually or as part of a company.

Now, it seems as though Experian hasn’t really learned anything. According to “Experian, You Have Some Explaining to Do”, which I read yesterday, you really need to do some explaining.

How can you potentially allow someone to sign up with an email address that is already assigned to an account? You also have some form of two-factor, yet you aren’t using it all the time like the major providers such as Google, Namecheap and others that have it? I know about the check box that says to trust the device, and that is all well and good, but you apparently only sent verification when you felt like it?

Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.

This is the first paragraph of the linked article for today’s story. But it is only the beginning of the story.

Someone got an email saying that the account was changed, using their email address. When talking to Experian, which BTW took forever, he authenticated just fine, but the security questions were changed to something the gentleman wouldn’t have used, and resetting the account would be useless.

So Experian allows someone who already has an account to sign up with a stolen address and get info on said person with no verification of anything.
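As an added illustration (not code from Experian, Krebs, or this blog), here is a toy model of the flaw described above beside a hardened flow: the weak version lets a sign-up with matching identity data silently rebind the existing account, while the hardened version never changes the account, always warns the address on file, and gives the same reply either way. The identity key, account structure and messages are constructed for the example.

```python
# Added example, not Experian's, Krebs's, or this blog's code: toy sign-up flows.
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str                      # address on file
    pii_key: str                    # identity key, e.g. hash of SSN + DOB (constructed)
    verified: bool = False
    outbox: list = field(default_factory=list)   # (recipient, message) pairs

def weak_signup(db: dict, pii_key: str, email: str) -> str:
    """Weak flow: a sign-up whose identity matches an existing account silently
    rebinds that account to the new address, so the real owner loses control."""
    acct = db.get(pii_key)
    if acct is None:
        db[pii_key] = Account(email, pii_key, verified=True)
        return "account ready"
    acct.email = email              # the new address now receives everything
    return "account ready"

def hardened_signup(db: dict, pii_key: str, email: str) -> str:
    """Hardened flow: a matching identity never changes the account. The address
    on file is warned, proof of control of the address is required before the
    account is usable, and the caller gets the same reply either way, so the
    response cannot confirm that an account already exists."""
    acct = db.get(pii_key)
    if acct is None:
        acct = Account(email, pii_key)          # unverified until the link is used
        db[pii_key] = acct
        acct.outbox.append((email, "confirm this address to finish sign-up"))
    else:
        acct.outbox.append((acct.email,
            f"someone tried to register with your details using {email}; "
            "if this was not you, lock your file and contact us"))
    return "check your email to continue"      # uniform, non-enumerating reply

def verify_email(acct: Account, link_used_by: str) -> bool:
    """The confirmation link only proves control of the address it was sent to."""
    if link_used_by == acct.email and not acct.verified:
        acct.verified = True
    return acct.verified
```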

Brian Krebs says that he tried it on the other two major sites and they both had him go through the password recovery department, if you will. This was what should probably be expected. To make matters worse, the guy whose account was taken had a strong password, taken from a password manager like LastPass, Trend Micro, KeePass, Apple Keychain or any other that might be out there that could make secure passwords. The fact that the account was set up this way was perfect, because I don’t think I’d expect less from someone who was in this field or doing similar computer work like software development or the like.

“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”

That’s the question, right? How did the thief get access to Mr. Turner’s account by just signing up for an account with the email address he already used for said account?

Another gentleman’s account ran into trouble because of an inquiry, even though his credit file was apparently locked. Experian never answered the phone after hours of waiting. Who works at this company anyway?

After recreating his account, he saw that his account was unfrozen, something he never did. Really? Is something fishy going on with this company?

In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

We’re supposed to believe this? We sometimes send a message to verify login or other activity, and this was an unfortunate circumstance for two very different people, one who used a secure password while we’re not sure of the other? I call bull. I have no accounts at any credit bureau, probably a bad move, but this doesn’t quite sit well with me at all.

Brian Krebs goes into detail with analysis in the article.

Again, the article is titled “Experian, You Have Some Explaining to Do” and I urge people to read this one. This has got to be the worst thing a company can do or say. I don’t think it’s isolated; I think there is something fishy going on. You be the judge!


Article information

Hey Experian, what is happening? Time to check in with you was released on July 12, 2022 at 5:00 pm by tech in article commentary.
Last modified: July 12, 2022.

