Experian makes it easy for someone to undo your credit freeze (updated)

Its procedure for obtaining credit file PINs asks for easily accessible information.
Mallory Locklear, @mallorylocklear
September 21, 2017

Turns out Equifax isn't the only credit reporting agency with garbage security, which probably shouldn't come as a surprise at this point. As Brian Krebs reports on his security news website, Experian has a few issues too, namely some incredibly lax barriers to obtaining a PIN used to unlock a credit freeze.

The first step to getting a PIN through Experian requires a name, address, date of birth and Social Security number, all of which have been exposed in a number of past security breaches, including Equifax's. Chances are anyone can find that information quite easily. After that, the website asks for an email address -- and it can be any email address, not just the one associated with the account. Finally, Experian has you answer four questions such as where you previously lived and who lived there with you. And again, that information is readily accessible with just a little bit of effort. With those steps completed successfully, Experian will send the PIN to the email address entered in the form. It's that simple.

Experian has had some problems in the past as well. In 2015, it exposed personal information from 15 million people who applied for T-Mobile accounts. The data snagged during the breach included names, addresses and birth dates as well as encrypted data containing Social Security and driver's license numbers.

So, the takeaway lesson here is that even if you've frozen your credit files, you should pay attention to your credit reports because Experian has made it remarkably easy for someone to snag your PIN and unfreeze them.

Update 9/22: Experian sent us the following comment:

Experian is aware of media reports concerning the authentication processes we use in the consumer credit freeze PIN retrieval process. These reports portrayed those processes in an incomplete way. To be clear, our authentication processes go beyond requiring users to provide personally-identifiable information (PII) and answering a variety of knowledge-based authentication (KBA) questions. While we do not disclose those additional processes for obvious security reasons, they include a broad array of checks that are not visible to the consumer. Experian regularly reviews its security practices and adjusts as needed. We continue to see the effectiveness of KBA as part of a layered authentication approach.
