Experian under fire for providing credit freeze PINs to unverified email addresses

The process of unfreezing or temporarily thawing a consumer credit file with Experian is riddled with flaws that could be exploited by an identity thief, one prominent security researcher has said.

In a blog post raising the alarm, Brian Krebs pointed out the numerous ways in which Experian’s method for issuing a personal identification number, or PIN, to unlock a credit file is problematic.

A PIN to unfreeze a person’s credit can be obtained with a name, address, date of birth, and Social Security number — personally identifiable information that was all exposed in the Equifax breach affecting up to 143 million Americans.

Once the correct information has been entered, Experian requests an email address to provide the PIN — any email address at all.

Finally, Experian performs “knowledge-based authentication” (KBA), asking questions about cities the consumer previously lived in, people they lived with, or vehicles they may have owned. All of that information, Krebs noted, can often be gleaned from a simple Google or social media search, let alone from more detailed third-party tools.

“Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers,” Krebs wrote. “That is why this offering from Experian completely undermines the entire point of placing a freeze.”

In his view, the remedy would be to send a requested PIN by traditional mail to the address on record. To him, the fatal, final flaw is delivering the PIN to an email address, which lets a malicious requester who has passed the earlier checks have the PIN sent to a throwaway address, entirely unbeknownst to the victim of identity theft.
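The following toy model, added here as an illustration and not Experian’s code or Krebs’s, contrasts the flow the article describes with the remedy Krebs proposes. The flawed path accepts identity fields plus KBA and then emails the PIN to whatever address the requester supplies; the hardened path binds delivery to the postal address already on record and also alerts the contact on record, so an account holder learns that a reissue was attempted even when it fails. Every record, answer and address below is constructed sample data; the class and function names are assumptions made for this example.

```python
"""Toy model of a credit-freeze PIN reissue flow (added illustration, not Experian's code).

All records, KBA answers and addresses are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConsumerRecord:
    name: str
    dob: str
    ssn: str                        # constructed placeholder, not a real SSN
    postal_address: str             # address on record: the only delivery channel in the hardened flow
    email_on_record: Optional[str]  # contact on record, used for alerts
    kba_answers: dict               # question -> answer on file


@dataclass
class Outcome:
    pin_delivered_to: Optional[str]            # where the PIN went; None if refused
    channel: Optional[str]                     # "email" or "postal_mail"
    alerts: list = field(default_factory=list)  # notices sent to on-record contacts
    reason: str = ""


def identity_fields_match(record, name, dob, ssn):
    """Step one in the article: static identifiers that breach data can supply."""
    return (record.name, record.dob, record.ssn) == (name, dob, ssn)


def kba_passes(record, answers):
    """KBA step: every question on file must be answered as recorded."""
    return all(answers.get(q) == a for q, a in record.kba_answers.items())


def reissue_pin_flawed(record, name, dob, ssn, answers, requested_email):
    """Flow as described: identity fields, KBA, then PIN to a requester-chosen email."""
    if not identity_fields_match(record, name, dob, ssn):
        return Outcome(None, None, reason="identity fields did not match")
    if not kba_passes(record, answers):
        return Outcome(None, None, reason="KBA failed")
    # Flaw: the delivery address comes from the requester, not from the record,
    # and the account holder is never told a reissue happened.
    return Outcome(requested_email, "email", reason="PIN emailed to requester-supplied address")


def reissue_pin_hardened(record, name, dob, ssn, answers, requested_email=None):
    """Krebs's remedy plus an alert: PIN only to the address on record, holder notified."""
    alerts = []
    if record.email_on_record:
        # Sent regardless of outcome so failed attempts are visible to the holder.
        alerts.append(f"reissue attempt notice -> {record.email_on_record}")
    if not identity_fields_match(record, name, dob, ssn):
        return Outcome(None, None, alerts, "identity fields did not match")
    if not kba_passes(record, answers):
        return Outcome(None, None, alerts, "KBA failed")
    # requested_email is deliberately ignored; delivery is bound to the record.
    return Outcome(record.postal_address, "postal_mail", alerts, "PIN mailed to address on record")


# Constructed sample record.
VICTIM = ConsumerRecord(
    name="Jane Q. Sample",
    dob="1980-01-01",
    ssn="000-00-0000",
    postal_address="1 Example Street, Springfield",
    email_on_record="jane@example.com",
    kba_answers={"previous_city": "Shelbyville", "vehicle": "sedan"},
)


def demo():
    """Same requester input run through both flows: correct PII and KBA answers,
    but a mailbox the account holder does not control."""
    args = (VICTIM, "Jane Q. Sample", "1980-01-01", "000-00-0000",
            {"previous_city": "Shelbyville", "vehicle": "sedan"})
    throwaway = "throwaway@example.net"
    return reissue_pin_flawed(*args, throwaway), reissue_pin_hardened(*args, throwaway)


if __name__ == "__main__":
    flawed, hardened = demo()
    print("flawed:  ", flawed)
    print("hardened:", hardened)
```

The point the comparison makes is that KBA and static identifiers only establish that the requester knows facts about the consumer; what protects the freeze is tying the PIN’s delivery channel to something already on record and making every reissue attempt visible to the account holder.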

Still, Krebs and other security experts recommend that consumers place a credit freeze with all three bureaus — Equifax, Experian and TransUnion. OWI has detailed the credit freeze process in a tutorial complete with links to the necessary pages at each bureau.

Once a credit freeze is in place, consumers will need to request a “temporary thaw” or a full unfreeze of their credit file in order to accomplish tasks like opening a bank account or applying for a loan. It is during that unfreeze process that Experian failed to meet Krebs’s security expectations.

For more on credit scores and identity, see the OWI Labs intelligence report Bad Credit? No Credit? Big Identity Problem, which includes a proprietary framework for understanding the credit and trust scoring ecosystem based around one fundamental organizing principle: identity data. The report enables investors and entrepreneurs to gauge market opportunities and potential challenges emerging in the broad and dynamic credit scoring and trust assessment landscape.