Experian Privacy Vulnerability

Brian Krebs is reporting on a vulnerability in Experian’s website:

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

Tags: identification, identity theft, impersonation, privacy

Posted on January 12, 2023 at 7:18 AM • 15 Comments

Comments

Clive Robinson • January 12, 2023 9:34 AM

@ ALL,

Re : When Personal is Public.

“All that was needed was the person’s name, address, birthday and Social Security number.”

As far as I remember in the US all of those personal details are available online in one way or another already.

The fact that “all data brokers” not just the big three that includes Experian know this will not of course change the remediation from the stabdard nothing burger of,

“Use our product for a year so you can check your status”

But with that extra added poison pickle layers of,

“First enter required extra details including your mobile phone number, Email address, and all bank and financial account details.”

But also that effectively hidden small print of,

“Your account will be Auto converted to a premium paid service at the end of the year.”

Probably at 20/month… But also so that they can harangue you into paying $10/month this year so you will get sent “Text alerts” or “Email Alerts” of suspicious activity (or some other nonsense to get “new sales”)…

They then sell your info on for $50 or equivalent…

It surprises me that they are not also offering an online “Single Sign On” and “Password Manager”…

echo • January 12, 2023 9:48 AM

On balance Experian owe Jenya Kushnir a debt of gratitude for his outstanding work!

Aaaaaaye thank you. boom-tish

AlanS • January 12, 2023 3:14 PM

As best as I can tell, Krebs has managed at least one Experian data security screw-up story a year for over a decade. No one holds them to account so they don’t give a damn and nothing changes. Or worse, as Clive points out, lax security and losing your data is part of their business model.

Ted • January 12, 2023 4:33 PM

Welp, at least thieves can’t get other peoples’ reports anymore by changing the URL from “/acr/oow/” to “/acr/report” during the identity verification process.

What is Experian doing with $2.6 billion a quarter?

I just took a look at all three of my credit reports via annualcreditreport.com and they were all fairly accurate if not a little out-dated. To tell you the truth, the reports seemed fairly anemic infowise.

I put freezes on my credit files at Experian, Equifax, and TransUnion back in 2018 when Brian announced a law had been passed to make them free. Glad to see Brian providing links to that guidance again.

echo • January 12, 2023 7:22 PM

Most of the coming in so far proves the thoughts I’ve been having. They are a little candid and nobody is going to like them.

There’s chatter on Telegram.This is a known known hive of unlawful activity with the edgelord owner setting things up behind a claim of legal invincibility.
Random researcher picks up chatter and goes racing to a “personality”.
Said personality piles in to their ritual self promotion and grift to sell a story and make himself look like the man of the hour.
Chummocracy in full swing as other “security professionals” cut and past the headline.
Absolutely zero happens in the public policy domain which is the only thing that matters.

I’ve seen it all before. You need a policy position, politicians and regulators lined up, and NGO’s and lawyers to give them a prod. Best practice exists elsewhere i.e. EU and UK. Some of this may depend on a change of personality in the hierarchy or a change of government. Given the current political workload in the US this is not an easy task especially with various nutjobs and billionaire Christofascists always centering their egos in the discussion. As for the media they’re very little practical use at the moment. 24/7media has come with information overload and opinion masquerading as journalism and peddling gossip for clicks. The poor wounded dears nursing brittle masculinity, especially the younger ones, write of client journalism as “doing their best within the system they’re working in” which suggests a few problems at the editorial level. There are some, and I say some, good journalists (less so in the UK). None legacy media tends to be where the action is but is currently of limited reach.

From experience any hot button topic with buy in at the very top can see action within a year. If it’s a significant technical change with a large strategic impact it will take three years. A significant legislative change will take ten years. Structural change will take 20 years.

Anything else is just egos scratching itches.

And that’s why I get bored. When I see the same problem come around for the nth time I’m like yeah and?

Nobody has really commented on it but the most significant tweak so far uder the Biden administration has been to change the emphasis of business regulation. It’s not quote the same winner takes all monopolistic scheme (dating back to the writing of the US constitution) as it was. Not as far as Europe but a half step.

Privacy and other law isn’t as advanced as the EU or UK. As this issue is a US jurisdiction issue only it’s escaped the attention of GDPR and similar. But… Where a US citizen is abroad legal remedy is available in the EU and UK. I would go prodding around over there and seeing what levers can be pulled. An EU resident can write to the EU commission. They take it seriously. You’ll need an EU/UK lawyer. Mainland European media are better than the UK so use them.

That’s going to get more done than navel gazing the technology.

Wannab techguy • January 12, 2023 9:08 PM

@ Ted,etc
Brian, Bruce & Steve Gibson(and his pal Leo L) are the go to guys for all things security for this wannabe. Amazingly, I even understand a good portion of what they say! Not bad for a dummy.
“What is Experian doing with $2.6 billion a quarter?” Very good question!

Clive Robinson • January 12, 2023 11:24 PM

@ ALL,

You should read this,

https://instalker.org/3m4lrsd1c19Uaru

Especially the “spoiler alert” indicating it’s not just Experian where this laxness is going on and that there is more to come.

Which is after you give it a little thought, what you would expect…

As others have noted above the reason this problem actually exists is,

1, Regulatory compliance
2, Done on the cheap
3, With no oversight from regulatory authority.

This “rabbit hole” has existed in many ways in many forms and has been usually “explained away” by the guilty with the expression of “Unintended Consequences”…

When I was a lot younger and a lot less experienced, I used to think that sounded “reasonable” after all,

“People are human, mistakes happen”

We’ve all made a few in our time.

But then after seeing it play out repeatedly the thought occured to me could you “weaponise” such systems, so I asked myself,

“How could I weaponise it?”

And then started to look further, for the signs I’d identified and what I found confirmed my thoughts.

Not only was the answer “YES” it was already being done big time, big scale and could be seen at that time by the likes of Google sending “short skirts” into Europe to lobby against the EU Patent system (spoiler alert they got what they wanted).

As some of the long term readers here know, I’m not very keen on the “regulation” method of solving “ills in a faux market” and have warned it’s not a wise choice to make as at the very least it creates another “Faux Market”, but worse you should especially not do it when “The Fox’s cubs run the hen house”…

That is when “Regulatory capture” is the default as it appears to be being pushed to in the US by certain “payed for mouth pieces” that get called “Representatives”…

Well @ALL, regard this Experian instance as the,

“Second Sign Post to Disaster”

And pin it on the wall as a reminder. To,

“Always think twice before you make a wish for a ‘Fairy Godmother’ solution.”

As the old saying goes, “The third wish is to undo the previous two!”.

The representatives gave people what they were told the US people wanted… The result is a “Major Cl45ter F4ck” the start of which you are now just seeing unwrapped… Be warned that not only does it need to be sorted out, you also need to realise that it,

“Gave ammunition to the enemy”

Who will now use it as an excuse to fight not just new regulation but more importantly any “Privacy Legislation” that the US people might actually realy want…

echo • January 13, 2023 10:36 AM

By “others” that would mean one (I counted) and that one would be?…

The EU complaint was Google were hacking the law so it was less about Google manipulating the EU Commssion and more about playing cute with courts. as for the law itself there’s two angles to this. I know enough about the law to spot opportunities within my domains of interest. There are also bad actors i.e. what are euphemistically called “Philadelphia lawyers”. Google supplied the latter.

Both “white knights” and sexists can be a right pest. People who have domain expertise and inclination are the best to work with.

People who aren’t on the ball and who don’t have their head in the game tend to show it very fast. As for short skirts I find they tend to get an over-reaction so avoid them. Ditto a push up bra with boosts. I’ve already had to have more than one job rescheduled because some man wasn’t paying attention or, conversely, been able to gently extract their life history as one said recently to me. Throw short skirts and push up bras into the mix and I would get nothing done.

Now, there is a way to exploit this over-reaction. I’ve found the most useful skirt is a flared calf length a-line skirt. People naturally gauge their distance to the nearest perceived edge. As the hemline of the skirt creates a large edge to edge shape people adjust their distance accordingly. Even in a busy shopping centre where people are nearly shoulder to shoulder I find I could stretch my arms out and touch air. This isn’t unlike the kind of “road presence” a Rolls Royce or even a Mercedes can have. It is a really odd feeling though that a mere skirt has this “road widening” effect. Not that I’m complaining.

Clive Robinson • January 13, 2023 4:31 PM

@ echo,

“By “others” that would mean one (I counted) and that one would be?…”

Well when I’d counted, there were refering to one part or more of the model created by the regulatory process,

1, @Clive Robinson, January 12, 2023 9:34 AM
2, @AlanS, January 12, 2023 3:14 PM
3, @Ted, January 12, 2023 4:33 PM

So yes “others” plural not singular.

As for “Short Skirt” I don’t think you’ve heard it as an expression before…

Look up “Short Round” which originated in an Indian Jones Movie an got adopted by the military, and came to refer to someone who was a rougue/trouble in a likable way, and had pushy ways because they knew they had “big backup” (“Big Short Round” was his elephant and the two were symbiotic).

As I indicated it came to be used as a term about US lobbyists who were plaguing the EU halls of power who represented their own “elephant”, and the “short skirts” was used about the women “assistants” that misogynistic US negotiators feel gives them more presence. In Europe such behaviour is seen by others for what it is which “Greta Thunberg” ably demonstrated a little while back when an idiot for sake of machismo asked for her email address when boasting about his fleet of gas-guzzlers.

Have you noticed how the misogynists in the US press call it “The Greta Thunberg Fued” to some how make the lame idiot sound bigger than he realy is, just because he has 40-50 “short skirts” trying to run interferance for him…

name.withheld.for.obvious.reasons • January 20, 2023 2:40 PM

Experian IS the privacy vulnerability

When the Fair Credit Reporting Act was passed, a section that is never prosecuted or enforced is the duty by the agencies and reporters to these agencies to insure the accuracy and fidelity of the information reported. Go figure, why would there be little to no effort in this case–because–it can be weaponized. The Chinese social control system is more than loosely modeled on the reporting agencies BS. Even the scoring indexes are the same.

In my youth (11 and 12 years of age), I had the opportunity to understand some of the goings on at this organization, when it was called TRW. Also had the opportunity to dumpster at their facilities in El Segundo California (they also held swap meets of a sort). A target rich environment for anyone wanting to get their hands on interesting stuff. In one day, I acquired what in today’s dollars would constitute about $20,000.00 dollars in hardware. Some of the stuff could not be acquired commercial, if at all as they were internal build-outs such as prototypes and other non-scalar system platforms.

Today, you will be prosecuted for doing something of this nature and told the DMCA or some other non-sense prevented you from re-using your Kindle running linux as a Wikileaks bit-torrent server, getting up to twenty years in a maximum security facility.

Clive Robinson • January 20, 2023 6:23 PM

@ name.withheld…, ALL,

“Today, you will be prosecuted for doing something of this nature…”

That is only possible if there is the criminal legislation in place.

Which only happens when our supposed “Representatives” vote to do so.

Thus the question of,

“Who do the representatives actually represent?”

Arises, to which one certain answer based on observation is,

“Not you the votting citizen”

I will stop at this point because as you and I know from past experience, what comes next is regarded as “party politics” by some… And so it gets nasty as certain people try to shut the conversation they do not want being had starting. Usually by spreading false facts and nonsense in such large quantaties one can only assume they either have no jobs, or that their job is to be disruptive.

name.withheld.for.obvious.reasons • January 20, 2023 8:34 PM

@ Clive

Your last sentence, I choose the latter and suspect the former–they both apply. As if a watchmaker hired a coil spring unwinder chap, part time. Shortly after this, the watchmaker seeing many of the newly built watches failing, decided to bring the unwinder to full time status.

We know where this goes…

Clive Robinson • January 21, 2023 3:06 AM

@ name.withheld…, ALL,

“We know where this goes…”

To abject failure and worse.

That man kind can only survive by endeavor balanced with the environment around them. Should be one of those “self evident” facts, apparently though saying it in some places is worse than treason.

Those that have assumed their rights surpass those of society as a whole are a danger not only to us, but themselves. But they chose not to be denied, for them the Baronial Court and the iron control of the Church are their models of how society should serve them as leaders. It is not good and leads to such imbalance that destruction has almost always followed, that then gets followed by more destruction in ever faster turning circles of waste, and loss.

There are easy ways out though they will appear to be whole society efforts for long periods if not generations. The problem as always though will be keeping the leadership on task in an honest way, and keep peoples focus on the future not the waste of pyrrhic squables and power struggles of the present engendered to favour the few at the expense of the rest.

Mat • March 28, 2023 10:55 PM

It is time to punish their dumbo CISO and security team for the repeat offense that never stops.
I am sure the CISO is an MBA or JD with no security engineering background.

Unless the punishment follows raw Gulf style (stoning, ..), they will never learn. These executives just hire dinner buddies (not based on merit) and make them CISO/CIO who in turn hire big dumbos. Customers pay the price for ever.

Anonymous • December 3, 2023 3:23 PM

Note the third definition

https://duckduckgo.com/?q=define+idiot&va=d&t=hh&ia=web

Experian Privacy Vulnerability

Comments

Leave a comment Cancel reply