
posted by Fnord666 on Thursday October 11 2018, @04:36PM   Printer-friendly
from the another-day-another-flaw dept.

Submitted via IRC for Bytram

PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters

Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims.

The credit-monitor agency lets people freeze their account using a PIN that has to be submitted in when applying for stuff like loans: it's a mechanism that's supposed to stop fraudsters from exploiting stolen personal information, such as names and social security numbers, to obtain credit using someone else's identity.

However, according to financial advice site Nerdwallet this month, the credit monitoring agency had a glitch in its online account recovery process that, when exploited, could leak a stranger's recovery PIN. A miscreant could then use that number to reverse an account freeze and free up funds for plundering.

The (since fixed) bug would allow anyone who knew a person's name, address, social security number, and date of birth to have a PIN cod[sic] sent to an email address of the attacker's choosing. Recovery questions designed to prevent account theft could be circumvented by setting all answers to "none of the above."

"The form required an email address, which didn't necessarily have to be the one associated with the person's Experian account," Nerdwallet explained.

"Answering 'none of the above' to the security questions — even if some of the proffered answers were correct — gave access to that person's PIN."

Armed with that PIN, the attacker would then be able to break the credit freeze and apply to open new accounts in the victim's name. This is particularly bad in the case of Experian, as one of the main reasons for setting up a credit freeze is to mitigate the leak of precisely the private information – social security number, and date of birth – used to retrieve the PIN.

[...] Though there is no indication that the flaw was ever actively abused, the findings will no doubt cause discomfort for the millions of people who have had to freeze their credit in recent years due to data breaches, including one at Experian in 2015 that involved the records of 15 million T-Mobile US customers.
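The two defects the story describes (the PIN going to a requester-typed email address, and "none of the above" passing the security questions even when a real answer existed) are easy to see as code. The following is an added illustration written for this page; it is not Experian's code, nor anything published by Nerdwallet or The Register. It assumes a toy account record with fictitious sample values, a made-up question set, and a guess at the bug's internal cause (treating "none of the above" as a wildcard that passes any question); the article only states the observed effect. The hardened version mails the PIN only to the address on file, requires exact answers, locks after repeated failures, and gives the same response on every path so the form cannot be used to confirm whether a record exists.

```python
"""Toy model of a credit-freeze PIN recovery flow: flawed version next to a hardened one.

Added example for illustration; all account data below is constructed and fictitious.
"""
from dataclasses import dataclass
import hmac

NONE_OF_THE_ABOVE = "none of the above"
MAX_ATTEMPTS = 3


@dataclass
class Account:
    name: str
    ssn: str
    dob: str
    email_on_file: str
    freeze_pin: str
    kba_answers: dict  # question id -> correct answer; "none of the above" can be a real answer
    failed_attempts: int = 0


# Constructed sample account (fictitious values, not real identifiers).
ACCOUNTS = {
    "123-45-6789": Account(
        name="Pat Example", ssn="123-45-6789", dob="1980-01-01",
        email_on_file="pat@example.org", freeze_pin="4821-9937-01",
        kba_answers={
            "q_prior_street": "elm street",
            "q_prior_employer": "acme corp",
            "q_car_loan_lender": NONE_OF_THE_ABOVE,  # legitimately the right answer here
        },
    )
}

OUTBOX = []  # stands in for the mail system: list of (recipient, body)


def _lookup(name, ssn, dob):
    acct = ACCOUNTS.get(ssn)
    if acct is None or acct.name.lower() != name.lower() or acct.dob != dob:
        return None
    return acct


def recover_pin_vulnerable(name, ssn, dob, submitted_email, answers):
    """Flawed flow modelling the reported behaviour (assumed mechanism, see lead-in):
    the PIN is mailed to whatever address was typed in, and a question counts as
    passed if the answer matches OR is "none of the above"."""
    acct = _lookup(name, ssn, dob)
    if acct is None:
        return "not found"  # also leaks whether a record exists
    for qid, correct in acct.kba_answers.items():
        given = answers.get(qid, "").strip().lower()
        if given != correct and given != NONE_OF_THE_ABOVE:
            return "kba failed"
    OUTBOX.append((submitted_email, f"Your freeze PIN is {acct.freeze_pin}"))
    return "sent"


def recover_pin_hardened(name, ssn, dob, submitted_email, answers):
    """Hardened flow: exact answers only, PIN sent to the address on file only,
    lockout after MAX_ATTEMPTS failures, and one uniform response on every path."""
    acct = _lookup(name, ssn, dob)
    if acct is None or acct.failed_attempts >= MAX_ATTEMPTS:
        return "request received"
    ok = True
    for qid, correct in acct.kba_answers.items():
        given = answers.get(qid, "").strip().lower()
        # Check every question without early exit so timing does not reveal which failed.
        ok &= hmac.compare_digest(given.encode(), correct.encode())
    if not ok:
        acct.failed_attempts += 1
        return "request received"
    # submitted_email is deliberately ignored; the PIN only ever goes to the address on file.
    OUTBOX.append((acct.email_on_file, f"Your freeze PIN is {acct.freeze_pin}"))
    return "request received"


def demo():
    """Run both flows against the sample account and report where the PIN was delivered."""
    OUTBOX.clear()
    acct = ACCOUNTS["123-45-6789"]
    acct.failed_attempts = 0
    who = ("Pat Example", "123-45-6789", "1980-01-01")
    other_address = "requester-supplied@example.net"  # not the address on file
    all_none = {q: NONE_OF_THE_ABOVE for q in acct.kba_answers}
    real = dict(acct.kba_answers)
    return {
        "vulnerable": recover_pin_vulnerable(*who, other_address, all_none),
        "hardened_bogus": recover_pin_hardened(*who, other_address, all_none),
        "hardened_real": recover_pin_hardened(*who, other_address, real),
        "recipients": [to for to, _ in OUTBOX],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the flawed flow delivering the PIN to the requester-supplied address on an all-"none of the above" submission, while the hardened flow rejects that submission silently and, even when the real answers are supplied, delivers the PIN only to the address already on file.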

  • (Score: 1, Funny) by Anonymous Coward on Thursday October 11 2018, @04:55PM

    by Anonymous Coward on Thursday October 11 2018, @04:55PM (#747509)

    Experian, corporate America's poster child for "hold my beer".

  • (Score: 0) by Anonymous Coward on Thursday October 11 2018, @06:19PM

    by Anonymous Coward on Thursday October 11 2018, @06:19PM (#747558)

    If the banks would do their jobs and verify those to whom they give credit, we wouldn't need to freeze our credit.........Lake

  • (Score: 2) by dast on Thursday October 11 2018, @07:33PM (2 children)

    by dast (1633) on Thursday October 11 2018, @07:33PM (#747598)

    I mean seriously? SRSLY! How the fuck does Experian even still exist as a business? Do they do anything OTHER than leak our data?

    • (Score: 2) by Thexalon on Thursday October 11 2018, @09:47PM

      by Thexalon (636) on Thursday October 11 2018, @09:47PM (#747673)

      2 factors combine to make them basically immune from consequences for this stupidity:
      1. The data they're leaking isn't customer data. Instead, the data in question is their product.
      2. The victims of the leaked data either don't know enough to do anything about it, accept a crappy insurance plan, or wait years for a class action lawsuit to work through that might net them $20 apiece.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by legont on Friday October 12 2018, @12:47AM

      by legont (4179) on Friday October 12 2018, @12:47AM (#747731)

      Their business is to collect and then leak our data. It's just so happened they leak it to wrong folks every now and then, but so what?

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 5, Insightful) by sjames on Thursday October 11 2018, @08:35PM (4 children)

    by sjames (2882) on Thursday October 11 2018, @08:35PM (#747628) Journal

    There is no such thing as identity theft. There is only fraud. That is, someone claiming to be me convinces a bank to give them a load of money with little to no verification (certainly not effective verification). From a legal perspective, that's between the bank and the fraudster. I am not involved. In a reasonable legal system, the bank would have to prove that *I* actually took the money or shut up. Naturally, it can't do that because I didn't.

    That becomes my problem when sloppy judges just take bank's word for it while ignoring the overwhelming evidence that banks aren't actually all that good at making sure people are who they say they are.

    The next way it becomes a problem is when credit agencies just take the bank's word for it, ignoring not only the overwhelming evidence that banks aren't that good at making sure people are who they say they are, but also ignoring that they themselves have contributed substantially to the problem by leaking information like a sieve. In other words, they routinely commit libel and slander, that is saying and printing things that they know will harm me with a wanton disregard for the truth. That is, they do nothing to verify what they are told even knowing it is often untrue.

    If the courts would act on that, none of this would be a problem either.

    To add insult to injury, the credit agencies want us to pay them to protect us from the damage they do through negligence (although some of it is now court ordered or legislated after repeated warnings) and then they even fail to provide that protection.

    • (Score: 2, Disagree) by Thexalon on Thursday October 11 2018, @09:12PM (3 children)

      by Thexalon (636) on Thursday October 11 2018, @09:12PM (#747651)

      Identity theft is simply one kind of fraud. And it can be more than just obtaining a fraudulent loan - for instance, a convicted criminal could steal someone else's identity in order to get a job or avoid the consequences of being on the sex offender registry by pretending to be someone with a clean record.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 3, Touché) by sjames on Thursday October 11 2018, @10:02PM (2 children)

        by sjames (2882) on Thursday October 11 2018, @10:02PM (#747677) Journal

        The trickery is that by claiming that the simple fraud is somehow "identity theft" against the 3rd party that still has their identity and knew nothing about it, it pushes the losses their way instead of keeping them firmly between the fraudster and the negligent company that was defrauded.

        I used bank loans and/or credit cards because it makes the illustration easier. If someone uses your name to get a loan, you have no part in it. It is not ethically appropriate to put the onus on you to prove it was fraud or to clean up your credit history. The onus is on the bank that handed out the money without checking to show who they actually gave it to and to not libel or slander you in the process (by making the false claim that you didn't pay back a loan, for example).

        Just look at all the commercials for 'identity theft protection', as if the crime is against me or that I have some responsibility to stop it. Under any ethical system, it isn't and I don't. Any attempt to make it my problem is strictly unethical, and if the courts were even trying to serve justice, those attempts would be punished.

        • (Score: 2) by Thexalon on Friday October 12 2018, @01:21AM (1 child)

          by Thexalon (636) on Friday October 12 2018, @01:21AM (#747739)

          Identity theft is a crime against you, and also fraud against the bank/employer/landlord/whoever the thief is fooling by pretending to be you.

          The damage to you isn't done when they made use of your identity. The damage happens when they screw it up. And I said "when", not "if", because (a) they screwed up enough that they decided to leave their old identity behind, and (b) they know they can escape the consequences of screwing up by assuming some other poor sap's identity. And until you do some digging, all you know is that you got fired for no obvious reason, or you couldn't rent the apartment you wanted, or nobody is willing to give you a reasonable rate on a loan.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by sjames on Friday October 12 2018, @05:23AM

            by sjames (2882) on Friday October 12 2018, @05:23AM (#747784) Journal

            The screwed up credit is the result of libel and slander committed against me by the banks and the credit agencies. Nothing more and nothing less.

            If they would check their facts, there would be no adverse reports about me.

  • (Score: 2) by MichaelDavidCrawford on Thursday October 11 2018, @08:35PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday October 11 2018, @08:35PM (#747629) Homepage Journal

    518-92-8663

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 2) by MichaelDavidCrawford on Thursday October 11 2018, @08:38PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday October 11 2018, @08:38PM (#747630) Homepage Journal

    I figured it would be good for a few laughs but they never sent it

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 2) by mcgrew on Friday October 12 2018, @03:22PM

    by mcgrew (701) <publish@mcgrewbooks.com> on Friday October 12 2018, @03:22PM (#747927) Homepage Journal

    The Register is notorious for leaving out facts to make a story more sensational. Here's [sophos.com] a site run by grownups who actually know what they're talking about.

    The Register is a joke.

    --
    mcgrewbooks.com mcgrew.info nooze.org