Given the scores of leaks and hacks these days, attackers on the internet already see the world as their oyster. Recent findings suggest that Experian’s security freeze on a credit report can be breached if just a handful of pieces of user information are available.
All an attacker needs to access the credit report is the card holder’s name, address, date of birth, and social security number. Considering the increasing number of data breaches, these pieces of basic information aren’t hard to find in marketplaces on the dark web, as pointed out by Brian Krebs.
After these four pieces of information are entered, an email address has to be provided and all the information needs to be confirmed. After that, the PIN for the credit freeze will be requested.
The final authorization page on Experian asks the user to answer four knowledge-based authentication (KBA) questions.
“The problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks, and third-party services online — both criminal and commercial,” Brian Krebs writes.
Since the answers to these KBA questions are available online, and so are the other pieces of information required to breach the Experian credit freeze, such security measures are undoubtedly inadequate.
Experian is another large consumer credit reporting agency, similar to Equifax. The security issues at Equifax earlier this month have made it clear that these companies need to ramp up their security framework. Otherwise, they are simply putting their user data at risk of exposure and potential misuse.
How to Avert the Danger?
It would help if the PIN recovery information were sent to an email address that the user has predefined in their credit filings, and not to any random email address given during recovery.
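A sketch of the fix suggested above, as an added example that is not Experian's code or from the original article: the same recovery request handled by a flow that trusts the requester-supplied email and by one that delivers only to the address on file. The record layout, function names, message kinds and the mismatch alert are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CreditFile:
    name: str
    address: str
    dob: str
    ssn: str
    email_on_file: str  # address the consumer registered in their filings

# Constructed sample data; none of these values are real.
FILES = {"000-00-0000": CreditFile("Pat Example", "1 Sample St", "1980-01-01",
                                   "000-00-0000", "pat@example.org")}
IDENTITY_FIELDS = ("name", "address", "dob", "ssn")

def _identity_ok(file, claim):
    # Four identity fields plus a KBA result: all knowable by a third party.
    fields_ok = all(claim.get(f) == getattr(file, f) for f in IDENTITY_FIELDS)
    return fields_ok and claim.get("kba_passed") is True

def recover_pin_weak(claim):
    """Flow as described: recovery goes to whatever email the requester typed."""
    file = FILES.get(claim.get("ssn", ""))
    if file is None or not _identity_ok(file, claim):
        return []
    email = claim.get("email")
    return [(email, "pin_recovery")] if email else []

def recover_pin_hardened(claim):
    """Suggested fix: deliver only to the address already on file."""
    file = FILES.get(claim.get("ssn", ""))
    if file is None or not _identity_ok(file, claim):
        return []
    outbox = [(file.email_on_file, "pin_recovery")]
    supplied = str(claim.get("email", "")).strip().lower()
    if supplied and supplied != file.email_on_file.lower():
        # Assumption: a mismatched address also triggers an alert to the owner.
        outbox.append((file.email_on_file, "recovery_email_mismatch_alert"))
    return outbox

# Constructed request: correct identity data, requester-controlled email.
SAMPLE_CLAIM = {"name": "Pat Example", "address": "1 Sample St",
                "dob": "1980-01-01", "ssn": "000-00-0000",
                "email": "someone-else@example.net", "kba_passed": True}

if __name__ == "__main__":
    print("weak:    ", recover_pin_weak(SAMPLE_CLAIM))
    print("hardened:", recover_pin_hardened(SAMPLE_CLAIM))
```

In the hardened flow the email typed during recovery never becomes a delivery target, so knowing the identity fields and KBA answers is not enough to receive the recovery message.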
Since organizations such as Experian and Equifax, which was recently breached, are still ignorant of security online, it makes sense to place a freeze on your credit files.