Experian Flaw Lets Attacker Obtain Credit Freeze PIN and Access Account

Plenty of consumers opted for a credit freeze to prevent identity theft and credit fraud after the massive data breach at Equifax, a renowned credit reporting company. However, their worries are far from over: according to the findings of cybersecurity journo Brian Krebs, there is a vulnerability in Experian that allows anyone’s credit freeze PIN (personal identification number) to be leaked. Experian is a big-three credit bureau that offers a free online service through which consumers can ask for their PIN when they want to unlock a consumer credit file that is frozen at Experian.

On his blog, KrebsOnSecurity, Brian Krebs wrote that this particular vulnerability could let cybercriminals exploit publicly available records and data to access an individual’s credit file on Experian if that person has placed a lock on their credit account. The flaw relies on social engineering tactics and needs advanced skills, but it is exploitable, says Krebs.

The exploitation involves submitting personal verification information on Experian, which is a multiple-step process. In the first stage, the attacker must provide the victim’s personal information, including the person’s name, address, Social Security number and date of birth.

You might think that acquiring a Social Security number would be difficult, but given that the Equifax data breach exposed identifiable information of about 143 million US citizens, including Social Security numbers, it is most likely that attackers would be able to obtain it in Experian’s case as well.

In the next stage, the attacker needs to provide an email address along with confirmation that the submitter is providing verified information about himself. Lastly, Experian requires people to answer four “knowledge-based authentication” questions to prove their identity. This can be understood as the last layer of defense against unauthorized access to credit accounts. However, the downside of this method is that a seasoned hacker can easily pass it, as it requires just a bit of research on the internet to gain the necessary information about the targeted individual.

These questions are presented in multiple-choice format, where the submitter has to select an answer from four different options. For instance, there could be a question about a city you have previously resided in, with four options, so a quick search about the person on social media or elsewhere would most definitely reveal this detail.

It is true that the PIN could be compromised, but it is also true that, despite these shortcomings, consumers need to freeze their credit accounts, as a freeze serves as an additional layer of security to prevent fraud and identity exposure. The exploit can only be pulled off if the attacker has all the personal information required to access the credit account on Experian, which will not always be the case for hackers.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and the tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.