Data brokers always have your back. Door. Backdoor.

Experian Flaw Just Revealed PINs Protecting Credit Data

Credit freezes are the best way to prevent new account fraud, where criminals open bogus accounts in your name. But one credit bureau's site made it distressingly easy to circumvent the security that's supposed to keep your credit reports safe. [...]

To get the numbers, people filled out the form on Experian's PIN retrieval page with a person's name, address, Social Security number and date of birth -- exactly the kind of information that was compromised in last year's Equifax breach, and that's readily available for sale on the dark web. The form required an email address, which didn't necessarily have to be the one associated with the person's Experian account. Answering "none of the above" to the security questions -- even if some of the proffered answers were correct -- gave access to that person's PIN.

With the PIN, anyone can thaw that person's credit freeze and apply for credit in their name.
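To make the described defect concrete, here is an added example (not code from the article or from Experian) modelling a knowledge-based PIN-retrieval check in the flawed form the article describes next to a hardened one. The account, questions and PIN are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

NONE_OF_THE_ABOVE = "none of the above"


@dataclass
class Question:
    prompt: str
    options: List[str]   # choices shown to the user; the last is always "none of the above"
    correct: str         # answer on file; may itself be NONE_OF_THE_ABOVE


@dataclass
class Account:
    email: str
    pin: str
    questions: List[Question]


def flawed_pin_retrieval(account: Account, submitted_email: str, answers: List[str]) -> Optional[str]:
    """Vulnerable logic as the article describes it: the submitted email is never
    checked against the account, and "none of the above" passes any question
    even when one of the listed options was the true answer."""
    for q, a in zip(account.questions, answers):
        if a != NONE_OF_THE_ABOVE and a != q.correct:
            return None
    return account.pin


def hardened_pin_retrieval(account: Account, submitted_email: str, answers: List[str]) -> Optional[str]:
    """Corrected logic: the email must be the one on file, every question must
    be answered, and "none of the above" is just another answer that has to
    match what is on file. Failures return the same result so the caller
    learns nothing about which check failed."""
    if submitted_email.strip().lower() != account.email.lower():
        return None
    if len(answers) != len(account.questions):
        return None
    if not all(a == q.correct for q, a in zip(account.questions, answers)):
        return None
    return account.pin


# Constructed sample account (hypothetical data, not from the article).
SAMPLE_ACCOUNT = Account(
    email="alice@example.com",
    pin="1234567890",
    questions=[
        Question("Which of these streets have you lived on?", ["Elm St", "Oak Ave", NONE_OF_THE_ABOVE], "Elm St"),
        Question("Which of these lenders holds your auto loan?", ["Bank A", "Bank B", NONE_OF_THE_ABOVE], NONE_OF_THE_ABOVE),
    ],
)
```

Against the sample account, the flawed check hands out the PIN to any email address when every answer is "none of the above"; the hardened check does not.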

Previously, previously.


One Response:

  1. Nick Lamb says:

    "Credit freezes are the best way to prevent new account fraud, where criminals open bogus accounts in your name."

    Or, you know, make this the problem of whatever idiot lets some crooks open bogus accounts? If banks don't want to do enough checks to know who opened the account, let them eat the costs associated rather than asking consumers to constantly jump through hoops "freezing" and "unfreezing" credit?

    Are you getting Push Fraud yet? That's the new hotness here. You get an email "Hi, I'm from some-outfit-you-pay-large-sums-to sorry for the trouble but we've just changed bank accounts, please pay the money into account XYZ instead" and ordinary consumers figure well this sounds legitimate, and so they change where the money was going. Since the account holder changed the payment, not the fraudsters, when it turns out the email was from crooks the bank says well, that's not fraud, that's just you're an idiot, so if we can't reverse the transaction you're out of luck.

    Lots of people assume that an attempt to pay $40 000 to "Legitimate Car Loans Inc." at 123456 0102030405 will not work if in fact account 123456 0102030405 is owned by "Mr. A Crook" rather than "Legitimate Car Loans Inc.", but the computer just matches the numbers and ignores the text; that's just for humans to look at.
