It’s Experian’s turn to be in the hot seat.
The credit bureau’s process to retrieve a PIN that safeguards a frozen Experian credit report had a security defect, making it easier for a fraudster to potentially get the PIN, unfreeze the report and open new accounts in someone else’s name. NerdWallet first reported on the flaw after one of its readers alerted the personal finance website.
Experian has since addressed the issue, the company said. But the company has not said how long the defect was in place or whether it will issue new PINs.
“While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure,” the company said in a statement. “We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”
The flaw’s discovery comes just over a year after Equifax disclosed a massive data breach that compromised the personal data of 148 million Americans. It also follows the enactment of a new federal law on Sept. 21 mandating free credit freezes for everyone.
What was the flaw?
A credit freeze prevents lenders from pulling a person’s credit report, an essential part of the approval process for a credit card or loan. Freezing your credit reports at Experian, Equifax and TransUnion – the national credit bureaus – helps thwart criminals from opening fraudulent accounts in your name.
When you put a credit freeze in place, you’re either issued or you choose a PIN. At Experian, you need this PIN to unfreeze your credit if you want to apply for new credit such as a mortgage. If you’ve forgotten your PIN, Experian allows you to retrieve it by answering four security questions based on information the company has on file for you, such as:
• What year is the model of the car you purchased or leased before March 2018?
• Which one of the following streets have you lived on?
• How much do you pay each month for your mortgage?
Each question has four possible answers including “None of the above.”
Because of the flaw, if you – or say, a fraudster – answered all four questions with “None of the above,” Experian spit out the PIN, said Mike Litt, consumer campaign director at U.S. PIRG, a consumer advocacy organization.
“At first I thought: ‘You’ve got to be kidding me,’ and then I tried it myself,” Litt said. “What’s concerning about this is that one of our best lines of defense (against identity theft) has a flaw.”
Source: USA Today