Consumers who decided to place a credit freeze on their accounts in the wake of the massive hack of credit reporting firm Equifax may have a new issue to worry about, as security researchers are pointing out a vulnerability at Experian that could allow anyone to gain access to an individual’s credit freeze personal identification number (PIN).
The potential exploit, brought to light by cybersecurity journalist Brian Krebs, makes use of publicly available records and information to gain access to a person’s credit file, even when the person has placed a lock on the account to prevent fraud or identity theft.
The vulnerability relies primarily on social engineering tactics and would require some legwork, but is eminently exploitable and presents a level of concern for consumers who thought they were taking necessary security measures to protect themselves.
The first step of the vulnerability requires the attacker to provide personal information about the victim, including their name, address and date of birth. The most difficult datapoint required as a security measure by Experian is the person’s Social Security number, but seeing as the Equifax hack my have revealed that and other identifiable information for as many as 143 million Americans, it’s likely the number could be acquired.
From there, the hacker simply has to provide an email address and check a box asking to confirm the submitter is providing their own information—not much of a security check against an attacker who is aiming to hijack a person’s credit.
Experian does have one last line of defense against unauthorized access to a person’s credit account: the credit reporting company asks the submitter to answer four “knowledge-based authentication” questions designed to provide the identity of the submitter.
Unfortunately, the method of authentication is relatively easy for a hacker to ace, requiring little more than a cursory internet search to find some personal information about the target.
The questions are presented as multiple choice, with four answers to choose from. Examples of some of the questions include: :Please select the city that you have previously resided in,” “Which of the following people live or previously lived with you at the address you provided” and “Please select the model year of the vehicle you purchased or leased.”
All of this information is readily available online, be it on social media sites where users share information without giving thought to the potential malicious uses those life details could be used for or through sites like Zillow or Spokeo that have collected massive amounts of publicly accessible data from millions of people.
The details of the potential exploit in one of the major three credit reporting firm’s system is likely disheartening to consumers, especially those who attempted to protect themselves by placing a credit freeze on their accounts.
Despite the security shortcoming, consumers are still advised to place a credit freeze on their accounts if they believe they may be at risk. Even though their PIN could be compromised, the additional protection could still deter less ambitious hackers and prevent against attempts to open new accounts under a person’s name.