Utility and service providers can see your credit file.”Įxperian says my security is low because while I have a freeze in place, I haven’t bought into their questionable “lock service.” Banks can check your file if you apply for credit or loans. “You won’t see alerts if someone tries to access your file. “When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked. When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. And this has been going on for at least four years.”Įxperian has not yet responded to requests for comment. “They’re allowing this huge security gap so they can make a profit. “Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. Thomas said he’s furious that Experian only provides added account security for consumers who pay for monthly plans. Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “ CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.įinally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes. The best part about this lax authentication process is that one can enter any email address to retrieve the PIN - it doesn’t need to be tied to an existing account at Experian. The next two questions were useless for authentication purposes because they’d already been asked and answered one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number). The answer to the second question also was none of the above. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. KrebsOnSecurity stepped through the same process and found similar results. Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know. Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.īut the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.ĭune Thomas is a software engineer from Sacramento, Calif.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |