Credit freezes are the best way to prevent new account fraud, where criminals open bogus accounts in your name. But one credit bureau's site made it distressingly easy to circumvent the security that's supposed to keep your credit reports safe. [...]
To get the PINs, people filled out the form on Experian's PIN retrieval page with a person's name, address, Social Security number and date of birth -- exactly the kind of information that was compromised in last year's Equifax breach, and that's readily available for sale on the dark web. The form required an email address, which didn't necessarily have to be the one associated with the person's Experian account. Answering "none of the above" to the security questions -- even if some of the proffered answers were correct -- gave access to that person's PIN.
With the PIN, anyone can thaw that person's credit freeze and apply for credit in their name.
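The two failures described above (a "none of the above" answer accepted when a correct choice was on offer, and a PIN sent to an address not tied to the account) can be modelled as a small verification routine beside a corrected one. This is an added illustration, not Experian's code; the record layout, function names and sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass

NOTA = "none of the above"

@dataclass(frozen=True)
class Question:
    choices: tuple  # answers offered on the form, NOTA excluded
    correct: str    # NOTA only when no offered choice is true

@dataclass(frozen=True)
class Account:
    email_on_file: str
    questions: tuple

# Constructed sample record; all values are made up.
ACCOUNT = Account(
    email_on_file="owner@example.com",
    questions=(
        Question(choices=("Elm St", "Oak Ave", "Pine Rd"), correct="Oak Ave"),
        Question(choices=("First Bank", "Acme Credit"), correct=NOTA),
    ),
)

def flawed_release(account, answers, requested_email):
    """Models the reported behaviour: NOTA passes every question and the
    PIN goes to whatever address the requester typed."""
    if len(answers) != len(account.questions):
        return None
    ok = all(a == NOTA or a == q.correct
             for q, a in zip(account.questions, answers))
    return requested_email if ok else None

def hardened_release(account, answers, requested_email):
    """NOTA passes only where it is the true answer, and delivery is
    pinned to the address on file; requested_email is ignored."""
    if len(answers) != len(account.questions):
        return None
    ok = all(a == q.correct for q, a in zip(account.questions, answers))
    return account.email_on_file if ok else None
```

Each function returns the address the PIN would be delivered to, or `None` when verification fails, so the difference between the two shows up directly in the return value.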
Experian Flaw Just Revealed PINs Protecting Credit Data