Experian FAILs yet Again — Hackers can Change Your Email Address

Credit reporting agency Experian has a nasty vulnerability: Bad actors can hijack your account simply by creating a new one with your stolen information.

When the bug was reported to Experian, the reply basically dismissed the problem—with a side order of, “We take consumer privacy and security seriously.” Given that Experian doesn’t even support two-factor authentication, this is proper piss-poor performance.

Why do we put up with this? In today’s SB Blogwatch, we are the product.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Soviet crypto.

Useless Idiots

All aboard the Brian Krebs cycle—“Experian, You Have Some Explaining to Do”:

This email address is no longer monitored
Twice in the past month [I’ve] heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used … strong, unique passwords for their Experian accounts. [But] identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information.

Experian’s password reset process [is] useless at that point because any password reset links would be sent to the … impostor’s email address. … Experian does not offer any type of multi-factor authentication options on consumer accounts. … Even using the paid Experian service, there [are] no additional multi-factor authentication options.

Experian suggested that what happened … was not a normal occurrence. [But] after providing my Social Security Number … date of birth, and answering several multiple choice questions whose answers are [in] public records, Experian promptly changed [my] email address … without first confirming … that the previous email address approved the change. [It] then sent an automated message to the original email address. … The only recourse Experian offered … was to sign in, or send an email to an Experian inbox that replies with … “This email address is no longer monitored.”

WTH? Rob Rich gives to the poor—“Security Expert Sounds The Alarm”:

Keep an eye on your account
Experian … has found itself at the center of yet another security kerfuffle — something you’d think one of the three biggest credit monitoring companies in the world would want to maybe try and avoid. Between a database hack that compromised the information of 15 million T-Mobile customers and being accused of making it too easy for the wrong person to get ahold of a credit freeze PIN, Experian hasn’t had the best track record.

Experian claims these were likely isolated incidents and that there’s more verification happening behind the scenes, though that doesn’t address the issue. … So unless and until Experian changes its account security management to allow for multi-factor authentication across the board, your best bet is probably to just keep an eye on your account manually.

Yeah, the lack of 2FA/MFA is unforgivable. jandrese agrees, but with a caveat:

An impressive level of negligence
While I agree with the article that it is embarrassing that Experian doesn’t support 2 factor authentication, I’m not sure it would have helped in this case, since the account was migrated without ever authenticating.

Normally a security breach this egregious would require the attacker to call the help desk, but for some reason Experian has it baked right into the signup process.

That is an impressive level of negligence. Someone had to put some serious effort into opening up that security hole.

What should Experian have done? Todd Knarr has some pointers:

You’d think Experian would do a basic check: If the information used to sign up matches an existing account, refuse to create the new account and direct the user to recover the password (and if necessary, email address).

If the email address is used as an account identifier, then it must not be used as part of the information determining whether a match occurred. Won’t stop a hacker from setting up an account in someone else’s name, but does at least ensure that they can’t hijack an existing account—and that once the actual user gains control over a falsely-created account the hacker can’t re-hijack it.
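The check Todd Knarr describes, as an added Python sketch that is not from the post or from Experian (the in-memory store, the identity attributes used for matching, and the return values are assumptions); it places the signup behaviour the post describes beside a version that refuses a duplicate identity and routes the caller to recovery via the email already on file:

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Account:
    identity_key: str   # hash of identity attributes, never the email
    email: str          # login identifier; changes only via recovery


class AccountStore:
    """Minimal in-memory account store (constructed for this example)."""

    def __init__(self):
        self.by_identity = {}  # identity_key -> Account
        self.audit = []        # notices that would be emailed out

    @staticmethod
    def identity_key(ssn: str, dob: str, last_name: str) -> str:
        # Match on identity attributes only; the email address is the
        # account identifier and is deliberately left out of the key.
        raw = f"{ssn.strip()}|{dob.strip()}|{last_name.strip().lower()}"
        return hashlib.sha256(raw.encode()).hexdigest()

    def signup_vulnerable(self, ssn, dob, last_name, email):
        # Behaviour the post describes: a matching identity silently
        # re-points the existing account at the new email, then notifies
        # the old address after the fact.
        key = self.identity_key(ssn, dob, last_name)
        acct = self.by_identity.get(key)
        if acct:
            self.audit.append(f"notice to {acct.email}: email changed")
            acct.email = email
            return "hijacked"
        self.by_identity[key] = Account(key, email)
        return "created"

    def signup_hardened(self, ssn, dob, last_name, email):
        # Knarr's check: refuse a second account for the same identity and
        # send a recovery link to the email already on file, not the new one.
        key = self.identity_key(ssn, dob, last_name)
        acct = self.by_identity.get(key)
        if acct:
            self.audit.append(f"recovery link to {acct.email}")
            return "refused_use_recovery"
        self.by_identity[key] = Account(key, email)
        return "created"
```

The email on file is never echoed back to the caller of the hardened signup, so a stranger learns only that recovery is the route, not which address holds the account.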

It’s all about perverse incentives, thinks Mayday:

This drives me up the wall. [We] are held by the short and curlies by these companies (Experian, D&B, Equifax, etc.) … and when they cock it up, it is … all over.

It’s not like you can say, “Oh we won’t use them again,” or “I won’t buy a XX again from them,” because we have no choice. We aren’t the customer, just the product. And of course, they all “take security very seriously” … when there’s a breach.

Are you pissed yet? Venting their eternal infuriation, it’s xoa:

It’s eternally infuriating
The entire concept of “identity theft” … as it exists now is 100% pure industry propaganda. Nobody is cloning bodies and transplanting brains or something. It’s not that anyone is “stealing my identity”—it’s the financial institutions don’t bother to verify it and then somehow have managed to make a system where this is my problem.

If Person M lies to a Bank … about their info claiming to be Person A and tries to escape their commitments, [then] sure they’ve committed fraud, but if the Bank … tries to go after Person A then the bank are literally accessories to fraud and should face criminal prosecution. [Also] credit bureaus should have no role in identity verification, and if they are lying about people … that again should be on them.

All the burdens are completely backwards, in turn massively perverting the incentives. And it’s eternally infuriating.

tl;dr? Go to GoTeam:

If [the] general public were as unaccountable as the credit bureaus, we’d be deemed unworthy credit risks. The burden of proof always falls on the people, not the rich corporations.

It’s ridiculous, says George Coates:

So let me get this straight. Equifax was breached in 2017 and essentially the database for 147 million was stolen. As a result of this breach settlement, Equifax gave essentially everyone four years of credit monitoring from Experian.

Now you are telling me that anyone with that hacked Equifax data can easily take over the account on Experian that was set up as a result of the breach. Am I the only one who sees the ridiculousness of this?

Meanwhile, argStyopa sounds slightly sarcastic:

Well, that’s OK. It’s not like people’s financial information or credit scores are important or anything.

And Finally:

KGB OTP FTW LOL

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Towfiqu barbhuiya (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
