Meanwhile, regulators continue to completely not care about regulating the credit bureaus. Specifically, Experian.

Last summer I wrote about how a ton of Experian accounts were getting hacked when ID thieves would simply create a new account using the target's personal info but with a new phone # and email, and Experian's website would be like, okay, sure, so you're the new owner. No problem. We'll just lock out the old user and give them no way to get back in. Except to, yeah, create another profile. And on it goes.

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

Well, it looks like Experian is still sitting on its thumbs because someone has hijacked my Experian credit file now.

Still the same. Absolutely nothing has changed. Anyone can create an account as you with your info but different phone and email, and as long as they can answer the 5 multiple guess questions, right, they're you! And you're, well, left scratching your head and Experian's support will just say it's okay, just create another account.

When I reclaimed my account just now, it said, welcome back Brian. WTF!

Boy, it's a good thing Experian's account sign up process makes you pick a security PIN and security question! Those are completely useless against someone just creating a new account as you.

Both Equifax and Trans Union note on their credit files for me that I have a freeze on my file. This word freeze does not appear in any account information offered by Experian, either in my credit report or on their website after "logging in." My Experian credit file makes no mention that I have a freeze in place (I think), but it does mention about 20 times that my file is "unlocked," which is their terminology that has nothing to do with a freeze but is about selling you on their identity protection services.

BTW, if you want to reproduce this, go to Experian.com and say you want to create a new account. Then enter all your personal info, but use a different email. Experian will make the change without even asking the original email address if the change was authorized.

I hope this is obvious, but you have to already have an account at Experian.

Would love to hear from anyone who has an existing Experian account and wants to try and recreate it, and document the required info at each step. Very curious to see how many people have the same experience I did.
@briankrebs they now offer banking through them as well. I wonder if someone could still easily get people's money this way as well.
@Jo3 @briankrebs I know someone whose bank account is connected to their Experian account and will be trying this with them tonight.
@ThreeCatsInATrenchCoat @Jo3 @briankrebs very interested in the outcome. They're a "boost" user? Or something else?
@Aranjedeath @Jo3 @briankrebs Yep, strong-armed into Boost during a home purchase due to a lack of reported trade lines on their history. Afaik they haven't un-linked the accounts or data. The process felt a little sketchy getting it all set up too.

@briankrebs yea, I've known this for years, I have like 4 profiles with them. And why I have a perfect credit score.

but so long as they still don't have the email I used with my bank, idgaf.

@briankrebs I created an Experian account in 2015 and have logged in within the last 12-months. I just completed the following actions, starting from the Experian Login page:
1. “Don’t have an account?” – I selected “Sign up for free” option
2. “Welcome! Let’s get you set up” – I entered last four of SSN & mobile number
3. I received an SMS from “Experian Verify” with a URL and instruction to “Click this link only if you made a request.” – I did not click the SMS link
4. “Check your text messages” – I selected “continue another way”
5. “Tell us about yourself” – I entered full name, address, DOB, SSN, new email address, and chose a password
6. “Confirm your identity” – I answered three questions based on info available in any basic Credit Report (e.g. what year did you open credit card X?)
7. Account created; website redirected me to my Experian dashboard with full access/permissions

The email address to which my old Experian account was linked has not received any notifications/alerts, nor have I received further SMS communication.

Lightly redacted screenshots available upon request.
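To make the failure mode in the posts above concrete, here is a toy model of a signup flow keyed on identity data. It is an added illustration, not Experian's code and not from any poster: `signup_silent_rebind` behaves the way the thread describes (a second signup with matching identity and correct knowledge-based answers takes over the profile with no notice), while `signup_confirm_existing` parks the change and applies it only after the existing email confirms. Identity fingerprints, addresses and messages are constructed.

```python
# Toy model of a signup flow keyed on identity data (constructed example, not
# Experian's code; identity fingerprints and addresses below are made up).
import secrets
from dataclasses import dataclass, field

@dataclass
class Profile:
    email: str                                    # contact the site trusts
    pending: dict = field(default_factory=dict)   # token -> proposed email

class Registry:
    def __init__(self):
        self.profiles = {}   # identity fingerprint (name/SSN/DOB) -> Profile
        self.outbox = []     # (recipient email, message) the site would send

    # Flow as the thread describes it: matching identity plus correct KBA answers
    # rebinds the profile to the new email; the old owner is locked out unnotified.
    def signup_silent_rebind(self, identity, email, kba_ok):
        if not kba_ok:
            return "denied"
        p = self.profiles.get(identity)
        if p is None:
            self.profiles[identity] = Profile(email)
            return "created"
        p.email = email
        return "welcome back"

    # Hardened flow: a second signup for a known identity parks the change and
    # alerts the current email; the reply is the same either way, so it does not
    # reveal whether a profile already exists.
    def signup_confirm_existing(self, identity, email, kba_ok):
        if not kba_ok:
            return "denied"
        p = self.profiles.get(identity)
        if p is None:
            self.profiles[identity] = Profile(email)
            self.outbox.append((email, "Welcome: verify this address"))
        else:
            token = secrets.token_urlsafe(16)
            p.pending[token] = email
            self.outbox.append((p.email, f"Approve contact change? {token}"))
        return "check your email"

    # A parked change applies only with the token that went to the old email.
    def confirm(self, identity, token):
        p = self.profiles[identity]
        new = p.pending.pop(token, None)
        if new is None:
            return False
        p.email = new
        return True
```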

@PeteMayo Thank you for doing this! Here's the thing. I think you can give them a new phone number also, and I'm not sure it does much at that point to verify if it's you. If you actually own that number, sure, Exp can do some lookups to see if you have had that number for a long time. What I'm saying is you may be able to use any mobile phone number at step 2. That worked last time, but I'm not sure about this time.
@PeteMayo Either way, looks like you found what I found. Which was that the phone number is irrelevant anyway.

@briankrebs good distinction... I just ran through the same steps again using a random landline number. The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming "Welcome back, Pete!" and granting full access.

I feel silly saving my password for Experian; may as well just make a new account every time 🤣

@PeteMayo @briankrebs Reminds me of the old MasterCard 3D "Secure" verification – it had some asinine password requirements (very short, very limited allowed characters), so I always forgot what I set it to, not that it mattered, since I could reset the password with my birthdate and tax ID number.

@jernej__s @PeteMayo @briankrebs

This thread is so depressing. I sure wish Ron Wyden would investigate (or that he and @csoghoian had a presence here in the fediverse).

@dangoodin @jernej__s @PeteMayo @briankrebs @csoghoian

I’m sorta feeling like it would not be much better to lock out an account because then the baddies could be the only ones with access if they get there first. The real problem is verifying that it is really you or not, and if they were able to do that reliably, it would be fine to allow new account creation. Not notifying via the existing email is pretty lame, though.

@PeteMayo @briankrebs

Funny thing about these credit bureaus. I don't recall ever giving my permission to them to track my data.

@PeteMayo @briankrebs, It really is simple economics. They have no incentive to serve or protect any data subjects. It is the extreme version of “being the product”. We don’t even have a choice to participate or not. So they don’t even face the minor cost of a data subject walking away.

But we can be sure that a customer, such as a bank, will have a very different experience if they attempt to create a duplicate account.

@briankrebs Seemed to work for me.
I'm based in the UK and I now have TWO accounts that can log in to Experian.
However, my original account shows me my credit card balances (hoping I'll use them to take out new cards) and the new one does not.
I only have the 'free' account, so neither shows the details of my loans, cards, etc.
@briankrebs
I checked my original account before I started this and I was pleased to see I could set up 2FA
Then I discovered it's only a SMS text code. 😩
And then, even worse, it claimed my actual mobile number is being used by another account (??)
@briankrebs can confirm it worked exactly as you described. I received a single email in my original account inbox that said they've updated my information after I "signed up". No verification required from the original email address at any point.

@briankrebs I had created an Experian account back in Jan 2020 when I froze my credit. The credentials in my password vault were not valid and using the "Forgot password" or "Forgot username" flows didn't work. For the "Forgot username" they said my DOB and SSN were not valid.

I used the new account flow entering in my personal info with a different email. I only had to answer the questions about my credit to successfully create my account.

No notification to the old email yet.

@briankrebs is this automatable? if you had your own email domain could you just continually create new accounts, swapping your email address to a new one on your domain, and confound would-be attackers as they are continually kicked out of any attempt to create an account? (while at the same time with the side benefit of filling up experian's database with garbage)

@krishean @briankrebs Hmm, I think we'd want to be careful with how often we do an email change via web-scraped means, lest we add lots of serverside load in our goal of making our account secure

Maybe 1 email change per 50ms? Dunno if that's too long.. /s

@MolarFox @briankrebs seems reasonable to me

and if experian has a problem with people taking measures to keep their accounts secure what's the worst they could do, prevent your personal info from being used to create new accounts?

@krishean @briankrebs There'll be at least one step that's not automatable, at least not fully. The identity verification questions are not the same ones every time, and recently they've been coming up with some extremely weird and unconventional ones...
@szhu25 @krishean The multiple-guess questions from Experian are always a joke. Every time, it's mostly none of the above answers and then one or two that are asking about previous addresses.
@briankrebs hypothetically speaking, if these companies were to just disappear off the face of the planet one day, I think that would be a day worth celebrating for the entire planet.
@grs @briankrebs I think there’s a widely misunderstood movie about that
@MattFerrel @briankrebs misunderstood or not, it would be real nice if they were the ones getting fucked for a change
@grs @briankrebs
Certainly nothing of value will have been lost.
@briankrebs so if you try to use a "credit freeze" to stop someone from using your identity, that person can simply transfer the account to their own email and remove the freeze? genius!

@briankrebs I think this is because they were trying to promote their membership. If you click on the part where it says unlocked, you should be able to see Credit File Unlocked and Credit File Frozen on that page.

Edit:
Checked mine and it says (on front page):
Protection:
Monitored items: x/x
Experian Creditlock: Unlocked
Security Freeze: Frozen

@szhu25 Try creating a brand new account at Experian, with all your info but different email address. As long as you have all your info, it should let you. If it does, thieves could do the same and just unfreeze your file.
@briankrebs ohhhh. Yeah I surely won't wish for that... I wonder if Experian would suggest "Buy our paid membership and we'll protect your account" lol
@briankrebs it should show up on the home page after you log in:
@billkelly Thanks. I'm seeing the freeze notice in my credit file now. Must have overlooked it before. Well, at least my freeze is still in place.
@briankrebs Experian seems like the dodgiest of the lot, though it's a close race. They definitely aggressively try to sell you stuff constantly
@briankrebs There is a special spot in Hades reserved for them.
@Bruin Scorzar is a desolation with sand and dust blowing everywhere. The humidity in the air is -80%--yes, that's *negative* humidity. If your credit score is 700, you can get 250 mL of water. At 850, you can get ice water.
@log Iced Tea with a sprig of mint?
@briankrebs These agencies need to cease existing. I think at this point they do more harm than good.

@BogDrakonov @briankrebs

They've always done more harm than good unless you're white. Credit scores were the work around when banks were no longer allowed to simply deny BIPOC folks loans because they weren't white.

@briankrebs As I recall, I had to create Equifax and Trans Union accounts in order to freeze my credit with them. I already had an Experian account, but the credit freeze process has nothing to do with that account. You freeze your Experian credit through some separate process outside of that account, using a separate PIN. I imagine they’d prefer people with an account to pay to “lock” their credit, whatever that means.

It’d be nice if, rather than continually freezing and unfreezing my credit at three separate agencies, leaving windows of opportunity for identity thieves every time I unfreeze it, they could just send me push notifications to approve or disapprove individual queries on my credit.

@captainslim
Those push systems would get compromised on their end as they’re grossly incompetent
@briankrebs This happens with Social Security representative payee status in the elder and disability law field: an exploiter (often using undue influence) can just say they are the new payee and the old one ends, without notice to the old payee until a payment doesn't show up.
@briankrebs
There is a quick and easy fix for this whole situation:
1. Create new Experian account for the Experian CEO.
2. Send log in credentials of said account to media outlets and anything they can, at a pinch, describe as "The Daaaaaark Web" (wooooo-ooooh! 👻)
3. Profit?

@briankrebs It enrages me and should enrage everyone that these companies basically have a legal mandate to do what they do for profit (which means they also sell your personal and financial information to data brokers, it’s their business model) and secure all our information so poorly.

In other countries things like credit ratings are handled by public sector organizations that actually have some accountability.

@briankrebs And they love it so they can run you through the dark patterns trying to get you to agree to a credit works account. They should be gone, the experience with them is so slimy compared to TransUnion and Equifax. Doesn’t even feel like a legit company let alone one that should be handling credit info
@briankrebs But many will take the proprietary “score” these companies generate as gospel as to how “worthy” you are to borrow money. 🙄 Meanwhile they can’t tell you from Joe Schmo.
@briankrebs And the answers to those questions can usually be gotten by going to a site like Spokeo, spending a bit of money on an account and looking up the person whose identity you want to hijack. Let's face it, most on-line identity verification methods are worse than useless. Can we start getting x.509 certificates signed by banks, the DMV and so on?
@briankrebs I get Experian updates for someone else who oopsied my email address in place of his, and I wonder if he ever noticed.