How Experian, one of the largest credit bureaus, has been making money from a vulnerability in its own system for five years





Back in 2017, KrebsOnSecurity reported a vulnerability at Experian, one of the three largest credit bureaus in the United States. The flaw let attackers lift an Experian customer's credit freeze and get at their personal data. Last week, a reader told KrebsOnSecurity that it is still possible to unfreeze a credit file without ever logging into the corresponding account on the Experian website. So I decided to revisit the sensitive topic of the security of credit bureaus' information systems.





If your credit file is frozen and you have forgotten or lost your PIN, you can request a new one here. The PIN is required to lift the freeze and give a lender access to your credit history.



Experian has a dedicated page where you enter personal information to recover a forgotten PIN. Attackers can take advantage of this "convenience" to learn your PIN too, provided they know enough about you. Until now one could hope that not every question could be answered with someone else's personal data of the kind that periodically leaks online from Equifax's database and from other credit bureaus.



A customer's story



Last year, Dune Thomas, a software engineer from Sacramento, California, froze his credit files at Experian, Equifax and TransUnion after learning that scammers had tried to open new accounts in his name using the address of his vacant house in Washington state, which was up for sale.



But after a while the scammers tried again. In early April they unfroze Thomas's Experian file and immediately applied for new lines of credit in his name, again using the same Washington state address. Thomas received no notification of the new applications; he only found out because he was using a free credit monitoring service offered by his credit card company.



After several days on the phone with Experian, a company representative admitted that someone had used the "request your PIN" feature on Experian's website to obtain his PIN and had then lifted the freeze.



Thomas and a friend decided to walk through Experian's PIN recovery process themselves and were surprised: after entering an address, Social Security number and date of birth, they were asked five multiple-choice questions, and only one of them actually stood between an attacker and the PIN. Such a weak check is unlikely to hold fraudsters off for long.



KrebsOnSecurity investigation



A KrebsOnSecurity writer went through the same procedure and got similar results. The first question, about a new mortgage I had supposedly taken out in 2019 (I had not), was an obvious decoy and could be ruled out right away; so could the second, no less strange, question.



The next two questions were useless, because they could be answered from data that had already been entered (and which, in any case, is usually found in the databases that have leaked online):



  1. « ?»
  2. « , ?» 


Only one question was actually relevant to my credit history (it asked for the last four digits of an existing account number).



And the cherry on top of this rotten authentication cake: the PIN can be sent to any email address you enter, which need not be associated with an existing account in Experian's system in any way. Nor does Experian bother to notify the other email addresses already on file for that customer when a PIN is sent out.



Finally, a basic (read: free) Experian account does not let users enable multi-factor authentication, even though it could have prevented exactly this kind of PIN theft.
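The two paragraphs above describe concrete gaps in the recovery flow: the PIN goes to whatever address the requester types, nobody already on file is told, and a second factor is not available. As an added illustration, not code from Experian or from KrebsOnSecurity, here is a small Python model of that flow next to a hardened version. The Account fields, the "three out of five" KBA pass threshold, the sample account and the otp_ok callable are all assumptions made for the example.

```python
"""Model of a credit-freeze PIN recovery flow: weak behaviour vs hardened.

Constructed example. Experian's real code, question set and thresholds are
not public; every field, name and threshold below is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    ssn_last4: str
    dob: str                      # YYYY-MM-DD
    address: str
    emails: list                  # verified addresses already on file
    kba_answers: dict             # question id -> correct answer
    mfa_enrolled: bool


@dataclass
class RecoveryResult:
    status: str                   # "sent" or "denied"
    delivered_to: list = field(default_factory=list)   # where the PIN went
    notified: list = field(default_factory=list)       # who got an alert


def identity_fields_match(acct, ssn_last4, dob, address):
    """Static identity data: exactly the fields that leak in bulk."""
    return (ssn_last4, dob, address) == (acct.ssn_last4, acct.dob, acct.address)


def kba_passed(acct, answers, minimum=3):
    """Assumption: 3 of 5 correct passes. The article only says that most
    questions were answerable from data the requester had already typed
    in or that has leaked, so a fraudster can miss the one real question."""
    correct = sum(1 for q, a in answers.items() if acct.kba_answers.get(q) == a)
    return correct >= minimum


def recover_pin_weak(acct, ssn_last4, dob, address, answers, email_to):
    """The flow as described: identity fields plus KBA, PIN mailed to any
    address the requester supplies, addresses on file never alerted."""
    if not identity_fields_match(acct, ssn_last4, dob, address):
        return RecoveryResult("denied")
    if not kba_passed(acct, answers):
        return RecoveryResult("denied")
    return RecoveryResult("sent", delivered_to=[email_to])


def recover_pin_hardened(acct, ssn_last4, dob, address, answers, email_to, otp_ok):
    """Same front door, three changes: every address on file is alerted
    whatever the outcome, an enrolled second factor is mandatory, and the
    PIN only ever goes to an address already on file. otp_ok is a callable
    standing in for a TOTP/SMS verification (assumption)."""
    result = RecoveryResult("denied", notified=list(acct.emails))
    if not identity_fields_match(acct, ssn_last4, dob, address):
        return result
    if not kba_passed(acct, answers):
        return result
    if acct.mfa_enrolled and not otp_ok():
        return result
    if email_to not in acct.emails:
        # Deny without saying which addresses are on file; the alert sent
        # to the real owner carries the useful signal.
        return result
    result.status = "sent"
    result.delivered_to = [email_to]
    return result


# Constructed sample: a victim whose identity data has leaked, and a fraudster
# who can answer the four "public" questions but not the account-number one.
VICTIM = Account(
    ssn_last4="1234", dob="1980-01-01", address="1 Vacant House Rd, WA",
    emails=["owner@example.com"],
    kba_answers={"q1": "none", "q2": "none", "q3": "WA", "q4": "1980", "q5": "7788"},
    mfa_enrolled=True,
)
FRAUD_ANSWERS = {"q1": "none", "q2": "none", "q3": "WA", "q4": "1980", "q5": "0000"}


def demo():
    """Run the fraudster's request through both flows and return the results."""
    weak = recover_pin_weak(VICTIM, "1234", "1980-01-01", "1 Vacant House Rd, WA",
                            FRAUD_ANSWERS, "fraud@example.net")
    hardened = recover_pin_hardened(VICTIM, "1234", "1980-01-01", "1 Vacant House Rd, WA",
                                    FRAUD_ANSWERS, "fraud@example.net", otp_ok=lambda: False)
    legit = recover_pin_hardened(VICTIM, "1234", "1980-01-01", "1 Vacant House Rd, WA",
                                 dict(VICTIM.kba_answers), "owner@example.com", otp_ok=lambda: True)
    return {"weak": weak, "hardened": hardened, "legit": legit}


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res.status, "pin->", res.delivered_to, "alerted:", res.notified)
```

In the weak flow the fraudster's request succeeds with four of five answers drawn from leaked data and the PIN lands in a mailbox the victim has never seen. In the hardened flow the same request is refused twice over (no second factor, address not on file) and the owner's address is alerted either way, which is what Thomas was missing.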



It turns out you can buy a subscription to the heavily advertised and confusingly described CreditLock service. For $14.99 to $24.99 a month you get the ability to "easily and quickly lock and unlock your [credit] file without delaying the application process." CreditLock subscribers can use multi-factor authentication and are notified when someone tries to access their file.



Thomas is outraged that Experian provides this security only to customers who pay for it every month:



“Experian had the ability to securely protect people with additional authentication, but they didn't, because they could ask $25 a month for such a service. They deliberately do not close this security hole in order to make a profit. And this has been going on for at least four years.”



A marketing lie?



When a customer with a frozen credit file logs into the Experian website, they are immediately redirected to a pitch for one of Experian's paid services, in this case CreditLock. The message I saw when I logged in confirms Thomas's words: despite my freeze, my current "protection level" was "low", supposedly because my credit history was available for viewing:



“When your credit file is unlocked, you are more vulnerable to identity theft and fraud,” writes Experian. “You won't see notifications if someone tries to access your file. Banks can view it if you apply for a loan or credit. Your credit file [also] can be viewed by utility providers and other providers.”





This is how Experian tries to scare me for not having signed up for its paid CreditLock service yet.



Sounds scary, right? But the truth is that, apart from the sentence about notifications, none of the above is true if your credit file is already frozen. A freeze already blocks the ability to view your credit history.



If your credit file is frozen, attackers can submit as many applications in your name as they like, but they will not be able to open new lines of credit. No lender is likely to approve a loan without being able to assess how risky it is, and for that they need to see your credit history. And freezing your credit file is now free in every U.S. state.



Experian, like the other credit bureaus, deliberately uses the confusingly similar term "lock" to scare consumers into paying for monthly subscription services. The only argument in favor of such services is that lenders may be able to view your file faster when you apply for new credit. In practice this may or may not be true. Meanwhile, consider why it is so important for Experian to talk consumers into signing up for CreditLock.



Nothing Personal - Just Business



The real reason is that Experian makes money every time someone requests your credit history, and it does not want a freeze getting in the way. A subscription to the "lock" service lets Experian keep selling your credit information to third parties. In its FAQ, Experian states that even with a lock in place your credit file remains available to many companies, including:



  • potential employers and insurance companies;
  • collection agencies acting on behalf of your creditors;
  • companies sending pre-approved credit card offers;
  • companies that already have a credit relationship with you (including on frozen accounts);
  • and Experian itself, for its own special offers.


It is a shame that Experian gets away with offering additional protection only to those who pay it a hefty monthly fee, in effect paying the company to keep selling their own personal data. It is also remarkable that this security hole, which I wrote about back in 2017, still has not been closed in 2021.



But Experian is not unique in this. In 2019, I wrote about how Equifax's new MyEquifax website made it easy for thieves to bypass the credit-freeze PIN altogether. All an attacker needed was your name, Social Security number and date of birth.



Also in 2019, identity thieves managed to obtain a copy of my credit report from TransUnion by guessing my answers to questions much like the ones Experian asks. I only learned of it after the fact, from a detective in Washington state: the copy had been found on a removable drive belonging to a local resident arrested on suspicion of identity theft as part of a cybercriminal gang.



TransUnion investigated and confirmed that my data had indeed reached the criminals through the bureau's own failure. But in 2020 it redeemed itself somewhat by blocking another fraudulent attempt to pull my credit report:



“Through our investigation, we have established that a similar attempt to retrieve your file took place in April 2020 and was successfully blocked by enhanced controls that TransUnion has implemented since last year. TransUnion is deploying a multi-layered security program to combat the ever-growing threat of fraud, cyber attacks and malicious activity. In today's dynamic environment, TransUnion is continually expanding and improving our controls to address the latest security threats while still allowing customers to access their data.”



Epilogue: non-Russian hackers



Yesterday, April 28, KrebsOnSecurity learned that Experian had fixed a vulnerability on one of its partner sites. It allowed anyone to look up the credit score of tens of millions of Americans simply by entering their name and mailing address. Experian says the flaw has been fixed, but Bill Demirkapi, the independent security researcher who reported it, fears the same weakness may be present on countless other partner sites that work with the credit bureau.



But what can you expect from partners when something... interesting is also going on with the API of Experian's own system.





Demirkapi found that the Experian API could be accessed directly without any authentication at all, and that entering all zeros in the date-of-birth field still returned the person's credit score. He even wrote a command-line tool for it, which he called Bill's Cool Credit Score Lookup Utility.














