A Boston news station recently interviewed a local man who had his Experian account hijacked after he'd frozen his credit with the big three consumer reporting bureaus. It's unbelievable that Experian still hasn't done jack about this problem that I've written about ad nauseam for years now. (Try to ignore the many typos and grammar errors in this story.)

https://www.boston25news.com/news/local/25-investigates-sutton-man-turned-credit-bureau-credit-protection-it-led-identity-theft/4LQOGEXFTBE5DJUIROK23E32IU/

Experian's system will allow anyone to assume control over your credit file and freeze merely by re-registering as you using your name, SSN, DoB but a different email address than the one on file. Experian has no problem approving that request, and instead of seeking approval from the existing email address and/or phone number, they just say okay. Thieves can then unlock your credit, pull your file, apply for credit, etc. But they will send an automated email to the legitimate account holder's email, saying the account's email address has been changed. No "this wasn't me" option, no asking for approval. Nope. They just say hi, we changed your email. Have a nice day!

Experian's response to the Boston news outlet is particularly infuriating, because they're basically saying the system operated as designed. Never mind that the system is batshit crazy from a security in 2025 perspective.

"A spokesperson told us their protocols worked since Deyoe got that notification when his account was changed. In a written statement Experian said “Protecting consumers’ identities is among our highest priorities. We believe this is an incident of fraud using stolen consumer information.”"

Past coverage of this:

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/
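As an added illustration (not Experian's code and not from the story), the following toy Python model contrasts the rebind-on-reregister flow described above with one that parks the change until the address already on file approves it; the class names, identity tuple and token scheme are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    pending: dict = field(default_factory=dict)  # token -> proposed new email

class Bureau:
    # Constructed toy model of an account keyed on name/SSN/DOB, not Experian's code.
    def __init__(self, verify_existing_channel: bool):
        self.verify_existing_channel = verify_existing_channel
        self.accounts = {}  # identity key -> Account
        self.outbox = []    # (recipient, message); stands in for outbound email

    @staticmethod
    def key(name, ssn, dob):
        return (name.strip().lower(), ssn, dob)

    def register(self, name, ssn, dob, email):
        k = self.key(name, ssn, dob)
        acct = self.accounts.get(k)
        if acct is None:
            self.accounts[k] = Account(email)
            return "created"
        if not self.verify_existing_channel:
            # Weak flow: identity data alone rebinds the account to the new
            # address; the holder only gets an after-the-fact notice.
            old, acct.email = acct.email, email
            self.outbox.append((old, "Your account email address has been changed"))
            return "rebound"
        # Hardened flow: park the request and require approval through the
        # channel already on file; nothing changes until the token comes back.
        token = secrets.token_urlsafe(16)
        acct.pending[token] = email
        self.outbox.append((acct.email, f"Approve email change? token={token}"))
        return "pending"

    def approve(self, name, ssn, dob, token):
        # Only a token delivered to the address on file can finalize the change.
        acct = self.accounts[self.key(name, ssn, dob)]
        new_email = acct.pending.pop(token, None)
        if new_email is None:
            return False
        acct.email = new_email
        return True

    def current_email(self, name, ssn, dob):
        return self.accounts[self.key(name, ssn, dob)].email
```

In the weak mode the notice goes to the old address only after the account has already been handed over; in the hardened mode the old address is the gate, which is the missing "this wasn't me" step.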

What's even more crazy is when you call Experian (assuming you somehow manage to get someone on the phone) and tell them someone hijacked your account, they will walk you through how to do what the thieves did to you, so that you can regain access to your account. You know what their response is to people who have this happen to them multiple times? Naturally, they push you to pay them for more security, for basic stuff that should be available to everyone.
@briankrebs OMG We're freaking doomed. #Idiocracy invaders

@briankrebs

It's the 21st century (in some places), why are we (in the US anyway) tied to the ol' SSN, never intended for any of this, which cannot (per policy) be changed 99.9% of the time?

Report your credit card compromised/lost/stolen and you have a new one in a week.

Though, I suppose now we can just tweet Elon and have his interns make those changes…

@briankrebs I can't believe that #Experian doesn't have 2FA. I'd enable it in a minute on every one of those self-appointed "credit agencies". They really need to have some governmental scrutiny and screws tightly applied to them, but doesn't seem likely that will happen until at least Jan 21, 2029 unless #trump himself gets hacked 🤔
@briankrebs this is why I've been low-key red teaming myself from birth. It's a mindset: https://blog.codinghorror.com/designing-for-evil/
@codinghorror @briankrebs Jeff, how did the StackOverflow anti-spam architecture hold up over the years? I saw/see very little spam there, but wonder if this is because of huge moderation workload behind the scenes or not? (btw love your posts & essays!)
@briankrebs Looks like identity is really broken in the US...
@briankrebs That's crazy, I don't understand how anyone over there can look at this and think that it's okay. It simultaneously does and doesn't shock me at all.

@briankrebs

Given how all that information - name, DOB, SSN, etc. - is now presumed "in the wild" due to the massive ongoing breach of federal systems,

I would dearly like to see a class action suit start against Experian for those of us who are suffering the consequences of their negligence in system design and non-conformance with extant industry standards for IAM.

@briankrebs Pretty freaking insane: Never mind that someone's account was compromised, our system WORKED AS INTENDED. #WTF
@briankrebs there are zero comments on that story at the boston25news site. Maybe you should comment with your past coverage?
@briankrebs It's so long past time we burned the whole credit rating system to the ground. Salt the earth where it stood. Put up signs warning that what was here was dangerous and repulsive to us.
@briankrebs I'm sure a lawyer would enjoy suing about this. They have a lot of $$$ to make, particularly if in discovery they can find multiple instances of this and turn it into a class action.
@briankrebs I am dealing with a similar situation with experian. I wish I could opt out entirely considering their irresponsible management of my financial data, but alas, I cannot.
@briankrebs "Thieves can then unlock your credit, pull your file, apply for credit, etc. But they will send an automated email to the legitimate account holder's email, saying the account's email address has been changed. No "this wasn't me" option, no asking for approval. Nope. They just say hi we changed your email. Have a nice day!" The answer is snail mail. I've had this happen to me, and that's how I know. The banks will send you physical mail that you have to receive and acknowledge before they will proceed. It is a form of two-factor (twenty factor?) auth
@codinghorror @briankrebs
You can't do that, it would take too long and the store wouldn't be able to run your credit for an expensive impulse purchase!
@briankrebs Experian is a poster child for bringing back the corporate death penalty. End them.
@briankrebs Link to Boston 25 is broken. I'm just getting a 451 error.
It appears you are attempting to access this website from a country outside of the United States, therefore access cannot be granted at this time.

I get the 451 too, I'm in Portugal at the moment. It's somewhat typical for news sites for some reason.
@briankrebs why would they learn something, they basically just settle for a year of monitoring per victim, since those victims won't be able to qualify any potential damage that may come decades later.
@briankrebs
So, sounds like the business model is “if you don't want your information hijacked you need to pay us ransom in advance?”
#Experian
#CreditReport
#Ransomware ?

@briankrebs

I notice that the preview is blocked for my instance.

Not that I need to go there anyway, because I know the story. The credit reporting agencies are all a scam to collect updated PII from people that magically get awarded 2 free years of credit monitoring via some class action lawsuit you were not aware of in the first place.

If you get an offer for this free credit monitoring, throw it in the trash.

It is not free. They will sell your PII.

#infosec

@briankrebs that's amazing. I should totally do that 10 times a day to Brian Cassin
@briankrebs - interesting that a news outlet chooses to restrict access to clients from within the US.
@briankrebs Experian is utterly incompetent. They refused for months to allow me to freeze my credit. I froze it with the other two credit bureaus, no problem. Experian's website just gave me an error message and a number to call. The number is entirely automated and the only message you can get to regarding issues with credit freezes directs you to... visit the website!
I filed a complaint against them with the CFPB last December, but with Elon Musk and his frat boys running amok with our public dollars and data, that likely isn't going anywhere.
@briankrebs If the system is “working as designed” it is working to rob the client of their identity and their money.