Experian's online PIN-recovery system could let attackers undo a credit freeze just by figuring out a few easy facts. In the weeks following the Equifax breach, consumers have been told to freeze their credit, thereby blocking possible attackers from opening new lines of credit under their names. It makes sense as a defense strategy, but as cybersecurity reporter Brian Krebs reports today, the protections around those freezes are easy to subvert.
Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person’s name, address, date of birth, and Social Security number when someone wants to retrieve their credit freeze PIN. All that data was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information.
After entering that data, attackers then just have to enter an email address — any email — and answer a few security questions. That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people who resided with them.
Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow. We can assume a hacker would understand the internet pretty well and could do some quick Googling to gain your security freeze PIN.
In response to Krebs’ report, Experian claims that it goes beyond the measures identified to authenticate users. “While we do not disclose those additional processes,” said the company in a statement, “they include a broad array of checks that are not visible to the consumer.” Nevertheless, Krebs claims that several of his Twitter followers “reported success at retrieving their PINs on the site and via email” after answering Experian’s knowledge-based authentication questions.
Putting a security freeze on your account doesn't mean you never want a new credit card or a mortgage again, but it does add an extra step when you do. Every time you want a new line of credit or to provide someone access to your credit report, you'll have to lift the freeze temporarily (or permanently) using a PIN code either chosen by you or provided by each credit reporting agency. Of course, people tend to forget passwords and PINs, so these companies have developed recovery systems. The problem is that these systems aren't necessarily secure, either.
To be fair, other credit firms' recovery strategies don't seem as vulnerable as Experian's. TransUnion requires users to create an account before initiating a freeze, so they'll have to log in to get their PIN, too. Presumably their username and password aren't out on the internet (so long as they haven't reused a password). Equifax requires people to write to the company to request their PIN and provide proof of identity, like a copy of their driver's license, passport, or birth certificate. It might be more work for you, but it's also harder to fake a driver's license.
Although Experian's recovery system isn't great, it's still a good idea to put a credit freeze on your accounts. Identity thieves are going to go for the easiest target, and forcing them to take extra steps might deter them from using your name. Just stay on top of your credit reports, even when you have a freeze in place, to make sure nothing fishy is happening.
Update Sep 22nd, 1:12 AM ET: Updated with statement from Experian.