Keep an eye on your Experian accounts: Some profiles hijacked using personal info
When identity thieves strike your identity theft monitor
Experian customers are reportedly at risk of having their accounts hijacked by fraudsters who only need a victim's personal information and a different email address to recreate an account in their name.
Infosec blogger Brian Krebs wrote in a column Monday that over the past month he was contacted by two readers who said their accounts at the consumer credit bureau had been compromised and assigned new email addresses, despite their using strong passwords for those accounts. Other account details, such as the PIN and the secret question-and-answer pair, were also changed.
It appears it is possible to convince Experian to recreate someone's account, with a new email address, using that person's personal details, such as a social security number that may have leaked, and public records. At that point, the account password can be set by the miscreant, and subsequent requests to reset the password by the real owner to take back control will be sent to an email address they don't have access to.
At that point, it would be up to the victim to wrestle back control of the account.
Funnily enough, Experian is often drafted in by companies to provide identity-theft monitoring when sensitive personal data is exposed or stolen.
Krebs, a vocal critic of Experian's security, said he was able to replicate the account hijacking, adding that similar attempts at the other two major consumer credit reporting firms, Equifax and TransUnion, failed.
He wrote that even though Experian at times asks users to enter a multi-factor authentication code sent via SMS to a cellphone number on file when logging in, "there does not appear to be any option to enable this on all login" attempts.
"To be clear, Experian does have a business unit that sells one-time password services to businesses," he wrote. "While Experian's system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins."
Krebs recommends that customers of all three major credit bureaus place a security freeze on their files and at least try to make it difficult for thieves to silently hijack accounts and steal identities, for example by enabling multi-factor authentication. Experian's policies appear to have diluted the effectiveness of these measures, he noted.
He wrote that John, a software engineer in Salt Lake City, and Arthur, a musician in Boston, both found their accounts had been hijacked, though they eventually were able to regain control of their profiles.
In a statement to Krebs, Experian said the pair's experiences were isolated incidents, and said that typically "once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file," and that the company goes "beyond reliance on personally identifiable information (PII) or a consumer's ability to answer knowledge-based authentication questions to access our systems."
Speaking to The Register, Experian reiterated the points made to Krebs, adding that its "data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer ... We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters."
Despite Experian's explanation, Krebs said he was able to hijack his own profile by using a computer other than the one used to create his original account, and by submitting his Social Security Number, date of birth, and answering multiple-choice questions.
"Experian promptly changed the email address associated with my credit file," he wrote. "It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change."
He did receive an automated message at his original email address saying the address on the account had changed. Krebs was then able to set the security question-and-answer pair and a PIN, and was even asked whether he wanted to lift a freeze on his file.
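As an added illustration (not Experian's code and nothing from Krebs's column), here is a minimal contact-email change flow that closes the two gaps described above: the new address must prove it can receive mail before the live address changes, and the previous address receives a token that can cancel or roll back the change. The `Account` class, token names and the in-memory `outbox` standing in for a mail sender are assumptions made for the demo.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str                              # the live address resets are sent to
    old_email: Optional[str] = None         # remembered so a confirmed change can be rolled back
    pending_email: Optional[str] = None
    confirm_token: Optional[str] = None     # mailed to the NEW address
    revert_token: Optional[str] = None      # mailed to the OLD address
    # Constructed stand-in for a mail sender: (recipient, purpose, token)
    outbox: list = field(default_factory=list)

def _matches(token: Optional[str], expected: Optional[str]) -> bool:
    return expected is not None and token is not None and secrets.compare_digest(token, expected)

def request_email_change(acct: Account, new_email: str) -> None:
    """Stage the change; the live address stays untouched until the new one proves it can receive mail."""
    acct.pending_email = new_email
    acct.confirm_token = secrets.token_urlsafe(16)
    acct.revert_token = secrets.token_urlsafe(16)
    acct.outbox.append((new_email, "confirm", acct.confirm_token))
    acct.outbox.append((acct.email, "revert", acct.revert_token))

def confirm_new_email(acct: Account, token: str) -> bool:
    """Commit only with the token that was delivered to the new address."""
    if acct.pending_email is None or not _matches(token, acct.confirm_token):
        return False
    acct.old_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.confirm_token = None
    return True  # revert_token stays valid so the old mailbox keeps its veto

def revert_change(acct: Account, token: str) -> bool:
    """Holder of the old mailbox cancels a pending change or rolls back a committed one."""
    if not _matches(token, acct.revert_token):
        return False
    if acct.pending_email is not None:          # not yet confirmed: just drop it
        acct.pending_email = acct.confirm_token = None
    elif acct.old_email is not None:            # already confirmed: restore the old address
        acct.email, acct.old_email = acct.old_email, None
    acct.revert_token = None                    # single use
    return True

def reset_destination(acct: Account) -> str:
    """Password-reset mail always goes to the live address, never to a pending one."""
    return acct.email
```

In the flow Krebs describes, the equivalent of `confirm_new_email` ran without any token from the new address and the old address got only a notification rather than a `revert_token`.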
Craig Lurey, co-founder and CTO of zero-trust software maker Keeper Security, told The Register organizations with account services need to enforce the use of multi-factor authentication (MFA) or strongly suggest activating it for every user. It will protect not only the user but also the software vendor or service provider from account takeovers, customer churn, and revenue loss.
"Oftentimes, the activation of MFA is buried within application settings screens and most users don't take the time to educate themselves on the value," Lurey said. "Password managers make it easier for users by managing MFA codes along with generating strong passwords for full protection against account takeover attacks."
MFA has become "table stakes" for protecting authentication, but companies need to select features that can be used by the most technologically challenged customers, according to Andrew Hay, COO at information security firm LARES Consulting.
"An overnight rollout of MFA might address the security problem, but it may also result in a negative user experience or an unmanageable amount of customer service calls for those that do not understand how to configure the new feature," Hay told The Register.
He also noted that "Experian, like most companies the security industry anoints as 'repeat offenders,' has little incentive – or rather, lacks meaningful penalties – to increase its security. The company is one of three major credit bureaus and, as such, lacks sufficient incentive to have more security than its two competitors. It simply has to be as good as the others, not better." ®