Experian credit-freeze PINs could be revealed by a simple trick

Last year was a rough time for consumers whose personal information was handled with, shall we say, less than due diligence by the credit bureaus.
In an aftershock following the epic Equifax data-quake last year, it was revealed that the PINs used to protect frozen credit files (frozen by victims to protect themselves from the effects of the breach) were woefully bad.
Now, the latest news shows that at least one other credit bureau – Experian – is also undermining its own PIN security. This time, knowledge-based authentication questions were set up in a way that gave away credit freeze PINs.

Equifax and Experian under fire last year

In September 2017, Equifax disclosed its massive breach – one that affected about half of the population of the US and a mess of Canadians and Brits. We recommended that people put a freeze on their credit files.
Equifax was more like a soap opera’s worth of security gaffes rather than a single-episode breach, what with the breach being caused by a widely reported Apache Struts framework flaw for which patches had already been available for two months; a XSS (cross-site scripting) vulnerability in the Equifax fraud alerts website; a pathetic PIN that was initially simply the date and time of your freeze and hence put even frozen credit files at risk; and Equifax sending customers to a fake phishing site for weeks, with a bafflingly convoluted domain set up that was supposed to help people handle breach fallout.
To put a rancid cherry on top of that unpleasant credit reporting company cupcake, shortly after the Equifax breach and subsequent fallout, fellow credit bureau Experian took its turn to screw up – this time offering a free online service that let pretty much anyone request the PIN that unlocks a previously frozen credit file.
As Brian Krebs reported in September 2017, Experian’s page for retrieving someone’s credit freeze PIN required “little more information than had already been leaked by big-three bureau Equifax and myriad other breaches.” Krebs wrote at the time:

One just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

For final authorization, the Experian site asked for the answer to four knowledge-based authentication questions.
As many privacy/security experts have pointed out, this is a lousy technique to use in authentication, for the simple fact that people tend to answer the questions truthfully. Unfortunately, the answers to many such questions – What’s your dog’s name? What’s your grandfather’s first name? Where did you go to high school? Where did you meet your partner? – are easy to find via social media or other publicly available information.

Experian’s latest leaky PINs

Now, a year later, Experian has again made it painfully easy to get credit-freeze PINs.
It was Nerd Wallet that first got a heads-up from a reader about the leaking PINs, which were exposed for at least several hours last Thursday, and heaven knows how long before that.
It seems that all you had to do to get somebody else’s PIN was answer all their “knowledge-based authentication” questions with a blanket “none of the above.”
Several staff at Nerd Wallet were able to replicate the issue. The publication says that some of its Facebook and Twitter followers also reported that they’d successfully replicated the flaw. Ditto for Mike Litt, campaign director for US PIRG, a public interest advocacy organization, who retrieved his own PIN by using the flaw. Litt:

There is absolutely no excuse for this. How do you just leave the keys to the door on top of the welcome mat?

As Nerd Wallet tells it, while the flaw was open, anybody could fill out a form on Experian’s PIN retrieval page with somebody’s name, address, taxpayer ID and date of birth – all information that was compromised in the Equifax breach and which can be found for sale on the Dark Web.
The form required an email address, but it didn’t have to match the one associated with the person’s Experian account. Answering “none of the above” to the security questions, even if the page offered up some correct answers, gave access to that person’s PIN.
Any attacker who got the PIN could then lift a victim’s credit freeze to commit identity theft, applying for credit lines in their name.
On 4 October, the same day the security hole was discovered, an Experian spokesman told Nerd Wallet to move along, please, there was nothing to see here. Though yes, we did in fact make the process “more” secure, he said:

While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.

What to do?

On Friday, US PIRG recommended that consumers change their credit freeze PINs. Experian appears to disagree, telling the Atlanta Journal Constitution that it’s unnecessary:

Taking into consideration the layers of security controls we have in place and that there is no risk to credit file data or (information that identifies consumers), we don’t feel it is necessary to replace PINs.