Experian Site Can Give Anyone Your Credit Freeze PIN

Megalith (24-bit/48kHz, Staff member) · Joined Aug 20, 2006 · Messages: 13,000
Krebs on Security warns that Experian has made it easy for anyone to request the PIN needed to unlock a previously frozen credit file: some of the “hurdles” merely involve knowing the person’s name, address, date of birth, and social security number, all of which have been jeopardized in countless breaches. There is additional authorization in the form of challenge questions, but the answers to these are now indexed or exposed by search engines, social networks, and third-party services online — both criminal and commercial.

Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.
 
Yeah.... they need to die now. It’s embarrassing.


I’m sure Mr. Robot never thought it would be this easy
 
I hate to sound crazy but... part of me, somewhere deep down, wonders if this will spur a new method of identification. Perhaps someone will offer to implant everyone with secure RFID chips or something (like some employers are already doing). Would that be the mark of the beast?
 


So far:

1. Hackers breached data of 50% of Americans.
2. Americans react by going to the Equifax site which tells them if they might be affected.
3. Find out the site has an agreement that you're never going to sue them.
4. Americans get the correct site to find out if they're affected.
5. Americans pay $30 to freeze their credit report on each agency (and the hoops to do it all) with a PIN that's supposed to be iron-clad.
6. Equifax links to a phishing site in their official tweet.
7. Hackers can hack the iron-clad PIN number for Experian easy peasy.
- I suppose the silver lining is, hopefully you used different PIN numbers. DON'T TAKE THIS FROM ME, MEGALITH.


Alright, TransUnion. We're batting 2 for 3. Want to make it a slam dunk so we can make it a double birdie and go home?
 
Is Equifax really going to keep their doors open... Oh wait, they will just play a shell game, drop liability along the way, and rename the company... JUST LIKE THE PEOPLE COMPANIES ARE!!!
 
No but really, this is out of hand; it's time we hold these kinds of companies to a higher standard. Every damn person of any kind of management needs to be held PERSONALLY accountable, no more letting companies take the heat and then the company vanishes to be reborn under a different name. There needs to be personal risk associated with working higher up in a company handling this kind of information. I want major prison time that will NOT be reduced, I want widespread death to those at the top. A strong message needs to be sent!
 
I hate to sound crazy but... part of me, somewhere deep down, wonders if this will spur a new method of identification. Perhaps someone will offer to implant everyone with secure RFID chips or something (like some employers are already doing). Would that be the mark of the beast?

I've been suggesting two-part (not 2-device, 2-part as in 2 steps) authentication. A PIN as long as 10 digits that is illegal to store. It creates an encrypted HASH which goes to the credit processor, which then sends this off to the government for verification to confirm your identity. Or the user submits the PIN via phone or a government website and they give a one-time-use hash code back that is submitted to the agency in question. The credit agency then feeds this hash info into a gov't computer which returns the user's information to confirm the identity. This will still include a 6-digit portion of your social on your credit file, but even if the social is compromised, it can't be used to open accounts or confirm identity or pull social security.
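The two-step scheme sketched in this post (the PIN is checked by a separate verifier, which hands back a one-time code that the agency redeems) can be made concrete. The following is an added example written for this page, not code from the post's author or from any credit agency or government system; the Verifier class, the pipe-separated code format, the 300-second code lifetime and the sample user IDs and PIN are assumptions chosen for the illustration. It shows the three properties the post asks for: the PIN itself is never stored (only a salted PBKDF2 hash of it), each code is accepted exactly once, and a code issued for one identity cannot be redeemed for another.

```python
"""One-time identity-confirmation codes issued by a trusted verifier.

Constructed illustration for this thread; not any agency's real system.
Flow: user proves the PIN to the verifier -> verifier returns a short-lived,
single-use code -> agency forwards code + claimed identity to the verifier ->
verifier confirms once, then refuses replays.
"""
import hashlib
import hmac
import secrets
import time


class Verifier:
    """Hypothetical verification authority. Holds only salted PIN hashes."""

    TTL_SECONDS = 300        # assumed code lifetime
    PBKDF2_ROUNDS = 100_000  # slow hash so a stolen record cannot be brute-forced cheaply

    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key, never leaves the verifier
        self._pins = {}                        # user_id -> (salt, pbkdf2(pin, salt))
        self._redeemed = set()                 # codes already accepted once

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, Verifier.PBKDF2_ROUNDS)

    def enroll(self, user_id, pin):
        """Store a salted hash of the PIN; the PIN itself is discarded."""
        salt = secrets.token_bytes(16)
        self._pins[user_id] = (salt, self._hash_pin(pin, salt))

    def _mac(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, user_id, pin, now=None):
        """Step 1: user authenticates with the PIN and receives a one-time code.

        Returns None when the user is unknown or the PIN is wrong.
        """
        record = self._pins.get(user_id)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash_pin(pin, salt)):
            return None
        now = int(time.time()) if now is None else now
        payload = f"{user_id}|{now}|{secrets.token_hex(8)}"
        return f"{payload}|{self._mac(payload)}"

    def redeem_code(self, code, claimed_user, now=None):
        """Step 2: the agency submits the code; True exactly once for a valid code.

        Rejects a bad MAC, a code issued to someone else, an expired code,
        and any code that was already redeemed.
        """
        parts = code.split("|")
        if len(parts) != 4:
            return False
        user_id, issued_at, nonce, tag = parts
        payload = f"{user_id}|{issued_at}|{nonce}"
        if not hmac.compare_digest(self._mac(payload), tag):
            return False                       # forged or tampered
        if user_id != claimed_user:
            return False                       # code belongs to a different identity
        now = int(time.time()) if now is None else now
        if not issued_at.isdigit() or now - int(issued_at) > self.TTL_SECONDS or int(issued_at) > now:
            return False                       # expired or dated in the future
        if code in self._redeemed:
            return False                       # replay
        self._redeemed.add(code)
        return True


def demo(now=1_700_000_000):
    """Walk through the protocol with constructed users; returns each check's outcome."""
    v = Verifier()
    v.enroll("user-A", "4829017365")          # constructed 10-digit PIN
    code = v.issue_code("user-A", "4829017365", now=now)
    tampered = code[:-1] + ("0" if code[-1] != "0" else "1")   # flip last MAC char
    return {
        "wrong_pin_rejected": v.issue_code("user-A", "0000000000", now=now) is None,
        "first_redeem": v.redeem_code(code, "user-A", now=now + 10),
        "replay_rejected": not v.redeem_code(code, "user-A", now=now + 20),
        "other_identity_rejected": not v.redeem_code(
            v.issue_code("user-A", "4829017365", now=now), "user-B", now=now + 10),
        "tampered_rejected": not v.redeem_code(tampered, "user-A", now=now + 10),
        "expired_rejected": not v.redeem_code(
            v.issue_code("user-A", "4829017365", now=now), "user-A",
            now=now + Verifier.TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point of the design is that the agency never sees the PIN and the verifier never stores it; the only thing the agency holds is a code that is worthless after one use or five minutes, which is exactly what a leaked static credential like the Experian PIN is not.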
 
What's even worse, if a hospital or any company in the medical field lost this same info (full names, Addr, SSN, DOB), they would be fined into oblivion for HIPAA violations. Yet, because it's a financial company that leaked the exact same data, they are not subject to the same regulations.... Such a giant heaping pile of horseshit.

On top of that, they are going to make a shit ton of money from the people paying $10+ to freeze their credit. Say even 1/3 of the 150M+ freeze it, that's only a measly 1/2 billion dollars in pure profit.... Probably enough to pay off most of the class actions, and the team of lawyers they'll use to fight them.
 
I hate to sound crazy but... part of me, somewhere deep down, wonders if this will spur a new method of identification. Perhaps someone will offer to implant everyone with secure RFID chips or something (like some employers are already doing). Would that be the mark of the beast?


This has been talked about for a while now. Not like 2 or 3 years; we are talking decades. Back in the 1990's I would get some literature from a company that would publish alternative view material. Some of the articles were off the wall stuff. However, some of the other stuff in the publication was pretty futuristic and is coming to reality. One of the regular contributors would occasionally talk about the push for a new ID system or some form of federal ID system. RF tags on boxes were just getting into regular use. The author suggested RFID for people for tracking purposes. This was in the early to mid 90s. There is a company that implanted the employees for door access, bathroom access, room access and even access to the vending machine. Personally that gets a bit creepy after a while, but the company is the producer of the RFID product. Their own people are the testers.
 
So far:

1. Hackers breached data of 50% of Americans.
2. Americans react by going to the Equifax site which tells them if they might be affected.
3. Find out the site has an agreement that you're never going to sue them.
4. Americans get the correct site to find out if they're affected.
5. Americans pay $30 to freeze their credit report on each agency (and the hoops to do it all) with a PIN that's supposed to be iron-clad.
6. Equifax links to a phishing site in their official tweet.
7. Hackers can hack the iron-clad PIN number for Experian easy peasy.
- I suppose the silver lining is, hopefully you used different PIN numbers. DON'T TAKE THIS FROM ME, MEGALITH.

So I haven't done anything to protect myself, which from this sounds like a good thing.

What should I be doing now?
 
So I haven't done anything to protect myself, which from this sounds like a good thing.

What should I be doing now?

I am with you. I just assumed we are fucked forever and can't do anything because with the info obtained there is no way to protect yourself other than getting a whole new identity. New name, new bank info, new cards, new SSN.
 
So I haven't done anything to protect myself, which from this sounds like a good thing.

What should I be doing now?
Yeah, I am in the same boat as you. Didn't put my SS into Equifax because it just seemed fishy to begin with, haven't paid $10 to anyone because that just feels like I'm rewarding a defective system.

I heard the three credit unions do free credit alerts for 3 months. Shrug, better than nothing; I'm gonna research that next and if it's free just do that every 3 months for the next... what, 10 years?
 
The greatest tool a hacker needs is Shelly down in the call center.

Fuck me.

You slap on a shirt that says "Something-tec" on it and talk to the boss' assistant.

The boss doesn't know his passwords and his assistant is way too busy to hang over your shoulder. The chances are you'll walk out of that office with every scrap of information you'll ever need to compromise their network or even rob the building.
 
I hate to sound crazy but... part of me, somewhere deep down, wonders if this will spur a new method of identification. Perhaps someone will offer to implant everyone with secure RFID chips or something (like some employers are already doing). Would that be the mark of the beast?

Not like modern countries haven't had better ID methods for years.. but you know, not the American way to prevent when you can cure.

PIN code? Nah, just a signature will fix it if something happens.
Chip reader? Nah, let's keep the cheap magnetic ones. We just fix it when it happens.
Global climate change? Naah, we will fix it once we are dead...
 
I am with you. I just assumed we are fucked forever and can't do anything because with the info obtained there is no way to protect yourself other than getting a whole new identity. New name, new bank info, new cards, new SSN.

At least those CAN be changed. Wait until the Apple database of facial ID image records gets stolen. Or some other database of biometric ID records. Good luck getting a new face, fingerprints or DNA.

But yeah, we are pretty much screwed for a long time. The smarter criminals will sit on this info for years before using it, waiting until the fury dies down and folks move on to the next great concern, and the credit monitoring runs out and folks unfreeze their accounts.
 
So I haven't done anything to protect myself, which from this sounds like a good thing.

What should I be doing now?
Checking your credit periodically to uncover any suspicious activity. The most likely use of someone's full credit profile would be to open new credit in their name. The most likely credit they'd try to open would be credit cards, probably online, low balances, etc. So someone might just go to AmericanExpress.com and apply for a 2k credit card, have it sent to a PO Box or something, pick it up, execute an immediate cash advance for $500 at an ATM and then throw it away. They could conceivably go as far as trying to apply for a full-blown loan, like for a car or something, but that would jeopardize their anonymity, having to show their face in person, sign documents, etc. But if they did do this they could steal a whole car, chop it up, etc.

So you'll just want to get some kind of credit alerting system that shows when any hard inquiries are performed on your account as this would signify a credit check likely used to open an account, and of course any alerts that actually show new credit established in your name (clothing store cards, etc). You can then immediately contact those agencies and dispute the new credit, and do the same with the credit agency to get it removed from your report.

This isn't the end of the world, people. The worst fallout from this is just people getting their credit scores damaged and thus impacting their ability to qualify for a loan of their choosing. Sure, it would suck if you were planning to buy a house and thought your score was 750 only to find out it's now 550, but even then you can usually backtrack your report and get a bunch of stuff disputed over the period of a few months.

If anything this could even be a blessing in disguise, as it will finally motivate people to become more involved in their credit. You could probably ask almost anyone you know if they know what's on their report or what their score is and they wouldn't have a clue.
 
Just you wait until Elizabeth Warren gives them a really good scolding. Everything will be fine after that and we can all forget about it until the next time it happens and Elizabeth Warren has to scold them again.
 
This @#$@# makes my head hurt.

Has Experian taken the page down yet?
 
When they first announced the hack I read this in a New York Times article
"Equifax also houses much of the data that is supposed to be a backstop against security breaches. The agency offers a service that provides companies with the questions and answers needed for their account recovery, in the event customers lose access to their accounts."

I wasn't able to figure out what companies are using them to store security questions.
I bet they will announce this information was also leaked, on a Friday afternoon Holiday weekend.
 
Apparently they didn't learn anything from the first security breach.....they created a brand new one?
 
This isn't the end of the world, people. The worst fallout from this is just people getting their credit scores damaged and thus impacting their ability to qualify for a loan of their choosing. Sure, it would suck if you were planning to buy a house and thought your score was 750 only to find out it's now 550, but even then you can usually backtrack your report and get a bunch of stuff disputed over the period of a few months.

I suggest you talk to some people who have had their identities stolen and ask them how easy it was to clean up the mess. Some have said it was the worst experience of their lives. Do some Google searches, it can really disrupt your life.

Anyone who knows anything about the credit reporting agencies knows how difficult it is to get them to correct mistakes. Our information is simply a product that they sell to their customers (banks, retailers, etc.). They don't care how accurate it is.
 
Well, first yeah we're all fucked -- but that is nothing new and this changes nothing. It simply makes it more apparent that the herd that walks about mooing and thinking about which new iPhone they really need remain in their decorticate state. Us "real men" are busy folding new tinfoil hats to replace the older thinner models.

The government as a solution -- if you selected that answer, first slap yourself then google CIA, NSA, Snowden, Manning, etc. and then slap yourself again. Unless you live in China your government is completely incompetent at IT -- and if you do live in China they are good at it but are going to kill you if you disagree with anything they say and/or do; they are busy hacking Experian. So back to rule 1: you're fucked.

Credit scores are total bullshit. I've compared many against the person's wealth/ability and willingness to pay, and there is *very* poor correlation.

At least we can take solace that the really screwed up nature of all these systems will be a huge challenge for AI to kill us all and take over. :eek:
 
I suggest you talk to some people who have had their identities stolen and ask them how easy it was to clean up the mess. Some have said it was the worst experience of their lives. Do some Google searches, it can really disrupt your life.

Anyone who knows anything about the credit reporting agencies knows how difficult it is to get them to correct mistakes. Our information is simply a product that they sell to their customers (banks, retailers, etc.). They don't care how accurate it is.

The run-of-the-mill stolen funds on a CC, new CC opened in your name, etc., most of the time are relatively easy to fix. The really insidious ones are fraudsters walking around using your actual identity to commit additional fraud and crime, and getting warrants or even arrests on your record. It appears cleaning that up is particularly hard.


The thing here is, this PIN request issue isn't really Equifax's fault. There is only so much data in a core identity - name, DOB, SSN, address, phone, e-mail, etc. Yes, you can create better methods once someone has identified themselves the first time - but the first time around, that's the data that is there. And everyone's data is compromised, and has been for a while.

So essentially, the whole system of identity is fucked right now. Has been for a while, hopefully this latest breach will push for something but...it will be so massive, so complex, so expensive, nothing will get done. And really, what is the suggestion? I definitely don't want a centralized biometric database like India is trying to do - fuck that.
 