Experian will give away your credit Freeze pin?

Chuckanut

According to Krebs it does not take much to get your credit freeze pin from Experian.

https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).
After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!
The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.
YCMTSU!
 
You do have to answer some additional questions, which takes a little more work, but they can be spoofed by researching past addresses and figuring out what car is registered to a person and other public records. A lot of it is silly stuff like current county of residence, which is super easy once you have an address.

But to just let any email entered have it emailed? That boggles the mind!!!! They should be treated just like debit card PINs and mailed to the address of record. Unbelievable!
 
As Krebs has pointed out, some of the companies that provide the questions and answers for the so-called Knowledge Based Authorization have been hacked by criminals:

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Another entry in the YCMTSU file.

YCMTSU = You Can't Make This Stuff Up.
 

Yeah - companies are addicted to this knowledge-based questions stuff, and it's so stupid and easy to guess or find with quick Googling that it was the cause of huge IRS fraudulent access to personal tax records in 2015, I think, which was then used to e-file a huge number of fraudulent returns. The IRS had to shut down online access to tax records for a while, 2015 to 2016, to deal with the fallout.

So Experian should know better!

You'd think they would at least take some of the precautions banks do with PINs.

And someone complained that their Equifax security freeze info came in a big envelope with their name, address, and "Security Freeze" in big letters on the envelope. Way to go!
 