Experian,
I don’t know what to continue to say about your service. While I’ve not been on Mastodon much due to other things going on, I do know that I still read.
I read the article that Brian recently released titled It’s Still Easy for Anyone to Become You at Experian and I’m just at a loss for words.
One major highlight is that I can sign up for an account, using someone’s email address, my info, and no email is ever sent to that person saying that their info is set.
While I read on Mastodon that an SMS is sent to do the verification by link, you can skip that and do it on the computer and nobody ever knows.
Remember that this company suffered a data breach, and this is their security?
- U.S. States Investigating Breach at Experian
- Its about time that experian face the music of their big mistake
- Hey Experian, what is happening? Time to check in with you
That last article, it’s leading to an article where they apparently didn’t learn anything and they still haven’t learned anything.
When Equifax had their issues, they used Experian to assist. What?
I really didn’t go off on that, because I didn’t really know what to think about that ordeal.
Brian writes:
A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).
Why the hell did they allow someone to take Brian’s account over? Brian had to take it back by re-signing up? What? Is this not security 101?
He continues:
I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.
Can I just ask a question? Now Brian has lots of experience with this, and I am not questioning his article, but why would I use such a service that allows someone to use my email address to sign up and then give them their info instead of mine? Most services will not allow one to sign up with an email that belonged to someone’s account already. This is fucking disgusting, I should say.
Skipping Brian’s experience, he writes:
In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
Of course they don’t comment when confronted with this, as the next paragraph says:
Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.
My question still asks why they allow this to begin with.
Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?
So they say you should use two-factor, yet it doesn’t prevent shit like this?
Brian goes into Mastodon experiences and other links, so we’ll stop here. But I could see signing up for an account, but I honestly don’t see the point if Experian is fucking lackadaisical at best.
Please read Brian’s full report; this I think is beyond repair. How much more awful can it get?
The boards await you. There’s plenty more in the article.