The 2017 breach of the Equifax credit bureau exposed the personal information of 147 million consumers. Although that may be the best-known credit bureau security breach, it is certainly not the only one – or even the latest one. In fact, the credit bureaus still have a surprising number of holes in their security.
Credit freezes are supposed to provide extra security for consumers’ credit files; however, recent experiences show that this idea of security may only be an illusion. KrebsOnSecurity reports that thieves have used the “request your PIN” feature on the Experian site to obtain customers’ PINs and unfreeze their accounts.
Dune Thomas discovered that someone had unfrozen his Experian account and applied for credit in his name. Experian confirmed that someone had used “request your PIN” to obtain his PIN and unfreeze his credit file. Thomas then went through the process of requesting his PIN to see what was involved and was shocked by how easy it was to do with just a few pieces of information.
To request your PIN, you enter your address, Social Security Number and date of birth. Then you are asked five multiple-guess questions to verify your identity. According to Krebs, of the five questions he was asked when he went through the process, two did not apply and would be answered “none of the above.” Two involved information that had already been supplied about his Social Security Number and year of birth. And only one (a question about his checking account number) would actually serve to confirm his identity.
Further, when the PIN is retrieved, Experian will send it to any email address you enter. It doesn’t have to be an email address tied to an Experian account, and Experian does not notify the email address of record that the PIN has been requested.
One thing that would make this process more secure is enabling multi-factor authentication; however, that is only available when consumers pay $14.99 or $24.99 a month for Experian’s CreditLock service.
Experian is not alone in providing lax security for credit files. Other major bureaus also make it easy for crooks to access your information. Because consumers cannot effectively opt out of credit bureau reporting, Krebs recommends requesting a free copy of your credit reports from https://annualcreditreport.com/ to verify the information they contain. Consumers can request one free copy of their credit reports from each bureau once a year. They can all be requested at the same time or the requests can be spaced out over the year.
Ultimately, careful monitoring of your credit reports is your best bet when trying to ensure your credit remains secure.