UPDATE: Experian tells Consumerist that its authentication processes go farther than previously identified steps. The company regularly reviews its security practices and adjusts as needed.
Placing a credit freeze on your accounts following a hack or issue with identity theft is only effective if the credit reporting agency you’re working with doesn’t give ne’er-do-wells the ability to unfreeze the accounts by providing the same information that any good ID thief already knows about you. This is a lesson some victims of Equifax’s recent data breach are learning after freezing their accounts with fellow credit reporting agency Experian.
Krebs On Security reports that a possible security flaw in Experian’s credit freeze process could leave victims of Equifax’s breach open to further fraud.
What’s The Freeze?
Ever since Equifax’s breach came to light, consumers have been urged to take steps to protect their credit histories and their private information.
In addition to placing fraud alerts on their accounts and signing up for credit monitoring, many consumers have chosen to freeze their credit.
A credit freeze — generally free for identity theft victims — prevents lenders and others from accessing a consumer’s credit report in response to a new credit application. With a freeze in place, even the bona fide account holders will need to take special steps if they want to apply for any type of credit or unfreeze the account.
Companies like Experian — and many others that deal with customers’ personal information — provide a PIN that a consumer must provide in order to access or make changes to their accounts.
What’s My PIN?
Unfortunately, humans are fallible and sometimes they forget their PINs. To make sure these folks aren’t forever frozen out of their own accounts, many companies offer a work-around.
In the case of Experian, the company allows customers to request their PIN by providing their personal information, such as name, address, date of birth, and Social Security number.
But in the wake of Equifax’s breach — and any number of other hacks in recent years — this is a problem. Namely because we know that most hacks involve the leak of this very same personal information.
So, to that end, a fraudster who is able to get their hands on this data could theoretically input that information into Experian’s PIN request form to obtain the code to unfreeze one’s credit.
Isn’t There A Fail-Safe?
Krebs points out that Experian does in fact employ a second verification method in which customers requesting a PIN must answer four personal questions.
The problem is, the type of questions asked for these kinds of verification tests — “Which of these streets have you lived on?” “Which of the following phone numbers have you previously had?” — are often the sort of thing that a good ID thief would have.
Additionally, Krebs notes that many companies relying on these types of questions to authenticate a user have been hacked in the past, meaning that some customers’ answers are already out there.
In the case of Experian, Krebs asked readers who have placed freezes on their account with the CRA to test process.
Nearly a dozen readers told Krebs they were able to retrieve their PINs by submitting the information and answering the questions, which included “Please select the city that you have previously resided in,” and “according to our records, you previously lived on XXX street. Please choose the city from the following list where this street is located.”
Both of these questions could easily be answered by someone who has previously stolen your identity or can look you up on any number of social media networks.
Krebs’ discovery is reminiscent of an issue Consumerist covered last year when reader Chuck discovered that credit reporting agency TransUnion had allowed the fraudster who stole his mother’s identity to lift the credit freeze on her account over the phone, even though she’d taken the precaution of setting up a unique PIN to protect the account.
“What is the point of issuing a PIN if you’re not going to require it for a lift of credit freeze? Especially on an account with an existing fraud alert?” Chuck asked Consumerist.
In the case of TransUnion, a locked-out customer can get around the PIN requirement by answering a slew of personal questions. A rep for TransUnion told Consumerist at the time that “it’s possible that someone else could fraudulently complete this process if they already had significant personal financial information about a consumer.”
Unfortunately, for Chuck’s mother, she was one of those rare cases, where the fraudster did have a wealth of information about her and was able to lift the freeze, thereby gaining access to her accounts again.
A rep for TransUnion noted that the authentication process is “constantly evolving and the questions are created in a way that would make it difficult for a fraudster to answer.”
The TransUnion spokesperson said that the company does have another layer of security built-in when customers can’t remember their PIN: After unfreezing an account and providing a new PIN, TransUnion sends a written confirmation to the user by mail.
Because of this written confirmation, the company would expect to hear back from a consumer if a PIN change was not initiated by him or her.
However, not everyone is obsessed with checking their email, and many people have multiple accounts that they check at varying intervals, so it could be hours or even days before an affected account-holder is aware someone unfroze their account.
Experian provided Consumerist with the following statement related to its PIN retrieval process:
Experian is aware of media reports concerning the authentication processes we use in the consumer credit freeze PIN retrieval process. These reports portrayed those processes in an incomplete way.
To be clear, our authentication processes go beyond requiring users to provide personally-identifiable information (PII) and answering a variety of knowledge-based authentication (KBA) questions. While we do not disclose those additional processes for obvious security reasons, they include a broad array of checks that are not visible to the consumer.
Experian regularly reviews its security practices and adjusts as needed. We continue to see the effectiveness of KBA as part of a layered authentication approach.
Editor's Note: This article originally appeared on Consumerist.