
posted by Fnord666 on Thursday October 11 2018, @04:36PM
from the another-day-another-flaw dept.

Submitted via IRC for Bytram

PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters

Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims.

The credit-monitoring agency lets people freeze their account using a PIN that has to be submitted when applying for things like loans: it's a mechanism that's supposed to stop fraudsters from exploiting stolen personal information, such as names and social security numbers, to obtain credit using someone else's identity.

However, according to financial advice site Nerdwallet this month, the credit monitoring agency had a glitch in its online account recovery process that, when exploited, could leak a stranger's recovery PIN. A miscreant could then use that number to reverse an account freeze and free up funds for plundering.

The (since fixed) bug would allow anyone who knew a person's name, address, social security number, and date of birth to have a PIN cod[sic] sent to an email address of the attacker's choosing. Recovery questions designed to prevent account theft could be circumvented by setting all answers to "none of the above."

"The form required an email address, which didn't necessarily have to be the one associated with the person's Experian account," Nerdwallet explained.

"Answering 'none of the above' to the security questions — even if some of the proffered answers were correct — gave access to that person's PIN."

Armed with that PIN, the attacker would then be able to break the credit freeze and apply to open new accounts in the victim's name. This is particularly bad in the case of Experian, as one of the main reasons for setting up a credit freeze is to mitigate the leak of precisely the private information – social security number and date of birth – used to retrieve the PIN.
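As an added illustration (not code from the article, Nerdwallet or Experian), here is a toy PIN-recovery check with constructed sample data: the first function reproduces the two weaknesses described above (a "none of the above" answer is skipped rather than checked, and the PIN is sent to any address the requester supplies), and the second shows the checks a defender would want in its place.

```python
"""Toy knowledge-based-authentication (KBA) check for a credit-freeze PIN.
All account data, questions and answers below are constructed sample values."""
from dataclasses import dataclass

NONE_OF_THE_ABOVE = "none of the above"


@dataclass
class Account:
    email: str          # e-mail address on file for the account holder
    pin: str            # the credit-freeze PIN being protected (sample value)
    questions: dict     # question text -> the answer actually on record
    failures: int = 0   # consecutive failed recovery attempts


ACCOUNT = Account(
    email="owner@example.invalid",
    pin="1234567890",
    questions={
        "Which street have you lived on?": "Oak Street",
        "Which lender holds your car loan?": NONE_OF_THE_ABOVE,
        "Which bank issued your first card?": "Sample Bank",
    },
)


def vulnerable_recover(acct, answers, send_to):
    """Mirrors the reported flaw: 'none of the above' is treated as 'question
    does not apply' and skipped, and the PIN is mailed to any address given."""
    for question, correct in acct.questions.items():
        given = answers.get(question, "").casefold()
        if given == NONE_OF_THE_ABOVE:
            continue                      # BUG: skipped instead of compared
        if given != correct.casefold():
            return None
    return (send_to, acct.pin)            # BUG: send_to never checked


def hardened_recover(acct, answers, send_to, max_failures=3):
    """'none of the above' is just another answer that must match the record,
    the PIN only ever goes to the address on file, and attempts are limited.
    Every refusal returns None so the caller cannot tell which check failed."""
    if acct.failures >= max_failures or send_to.casefold() != acct.email.casefold():
        return None
    if not all(answers.get(q, "").casefold() == a.casefold()
               for q, a in acct.questions.items()):
        acct.failures += 1
        return None
    acct.failures = 0
    return (acct.email, acct.pin)
```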

[...] Though there is no indication that the flaw was ever actively abused, the findings will no doubt cause discomfort for the millions of people who have had to freeze their credit in recent years due to data breaches, including one at Experian in 2015 that involved the records of 15 million T-Mobile US customers.


    by Thexalon (636) on Thursday October 11 2018, @09:47PM (#747673)

    2 factors combine to make them basically immune from consequences for this stupidity:
    1. The data they're leaking isn't customer data. Instead, the data in question is their product.
    2. The victims of the leaked data either don't know enough to do anything about it, accept a crappy insurance plan, or wait years for a class action lawsuit to work through that might net them $20 apiece.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.