It’s Experian’s turn to be in the hot seat.
The credit bureau’s process to retrieve a PIN that safeguards a frozen Experian credit report had a security defect, making it easier for a fraudster to potentially get the PIN, unfreeze the report and open new accounts in someone else’s name. NerdWallet first reported on the flaw after one of its readers alerted the personal finance website.
Experian has since addressed the issue, the company said. But the company has not said how long the defect was in place or whether it will issue new PINs.
“While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure,” the company said in a statement. “We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”
The flaw’s discovery comes just over year after Equifax disclosed a massive data breach that compromised personal data of 148 million Americans. It also follows the enactment of a new federal law on Sept. 21 mandating free credit freezes for everyone.
What was the flaw?
A credit freeze prevents lenders from pulling a person’s credit report, an essential part of the approval process for a credit card or loan. Freezing your credit reports at Experian, Equifax and TransUnion – the national credit bureaus – helps thwart criminals from opening fraudulent accounts in your name.
When you put a credit freeze in place, you’re either issued or you choose a PIN. At Experian, you need this PIN to unfreeze your credit if you want to apply for new credit such as a mortgage. If you’ve forgotten your PIN, Experian allows you to retrieve it by answering four security questions based on information the company has on file for you, such as:
• What year is the model of the car you purchased or leased before March 2018?
• Which one of the following streets have you lived on?
• How much do you pay each month for your mortgage?
Each question has four possible answers including “None of the above.”
Because of the flaw, if you – or say, a fraudster – answered all four questions with “None of the above,” Experian spit out the PIN, said Mike Litt, consumer campaign director at U.S. PIRG, a consumer advocacy organization.
“At first I thought: ‘You’ve got to be kidding me,’ and then I tried it myself,” Litt said. “What’s concerning about this is that one of our best lines of defense (against identity theft) has a flaw.”
A fix, and fallout
Now that the flaw’s been addressed, if you answer “None of the above” to all the security questions, Experian generates a message that it can’t process the request. The company instead instructs you to mail copies of identifying documents such as your driver’s license, utility bills or bank statement, and social security card to get your PIN.
TransUnion and Equifax recently did away with PINs. While they both give a PIN after you freeze your credit report, you just need an account username and password to unfreeze their reports online.
Even though Experian quickly responded to the PIN issue once it was raised, Litt worries the defect could have been around for quite some time.
There’s also no indication Experian will issue new PINs. Experian has not responded to USA TODAY’s request for further comment.
“If you can’t request a new PIN, that means consumers continue to be at risk,” Litt said. “We don’t know how long thieves had been harvesting these PINs and sitting on them.”