Identity thieves bypass security questions to access Experian credit reports

After a tip from a Telegram user who frequented identity theft channels, Brian Krebs tested and confirmed that anyone who knew your name, address, social security number (SSN), and birthday could view your full credit report at Experian.

Skipping security questions

The method to get access did not require any hacking talents at all. It was a simple matter of replacing a part of the URL, which then allowed anyone with bad intentions to skip security questions.

After entering the initial information on annualcreditreport.com and asking for the Experian report, a visitor will be redirected to Experian.com and then asked several random questions to confirm their identity. At this point anyone could replace the part of the URL that says “/acr/oow/” with “/acr/report” and they’d be taken straight to the full credit report without having to answer any questions at all.
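The following is an added example, not code from the article or from Experian, showing the class of flaw described above: a report handler that assumes the visitor arrived through the questions step, next to one that checks server-side state on every request. The session store, function names and routing table are hypothetical; the article does not describe Experian's internals.

```python
# Constructed model of a multi-step verification flow (assumed design).
import secrets

SESSIONS = {}  # session id -> server-side state (hypothetical in-memory store)

def start_session(applicant):
    """Step 1: visitor submitted name, address, SSN and birthday."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"applicant": applicant, "oow_passed": False}
    return sid

def submit_oow_answers(sid, answers, expected):
    """Step 2 (/acr/oow/): record success only when the answers match."""
    state = SESSIONS[sid]
    state["oow_passed"] = answers == expected
    return state["oow_passed"]

def report_vulnerable(sid):
    """/acr/report that trusts page order: any session gets the report,
    so editing the URL skips the questions entirely."""
    if sid not in SESSIONS:
        return 401, "no session"
    return 200, f"full report for {SESSIONS[sid]['applicant']}"

def report_hardened(sid):
    """/acr/report that re-checks the verification flag on the server."""
    state = SESSIONS.get(sid)
    if state is None:
        return 401, "no session"
    if not state["oow_passed"]:
        return 403, "identity questions not completed"
    return 200, f"full report for {state['applicant']}"

def handle(path, sid, report_handler=report_hardened):
    """Tiny router: the report path is gated by whichever handler is wired in."""
    routes = {"/acr/report": report_handler}
    handler = routes.get(path)
    return handler(sid) if handler else (404, "not found")

if __name__ == "__main__":
    sid = start_session("constructed applicant")
    print(handle("/acr/report", sid, report_vulnerable))  # served without step 2
    print(handle("/acr/report", sid))                     # refused until step 2 passes
```

The point for reviewers of any multi-page flow: the order of pages in the browser is not an access control, so each sensitive endpoint has to verify the prerequisite itself.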

Incorrect information

Interestingly, when testing this with his own credit report, Brian Krebs found:

“The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.”

Unfortunately, this is one of the reasons why we recommend checking these reports on a regular basis. By law, you are entitled to a free copy of your credit report from the three major bureaus: Equifax, Experian, and TransUnion. In addition, there’s a fourth bureau called Innovis that you should check in on. Review your reports annually and look for any suspicious activity and false information.

A lot of decisions about you are based on the information they find here. Will you get a loan, an apartment, or even a job? So, you should at least be aware of what information they have about you. Please note that this may require you to send copies of your identity documents through the mail or upload them to a website.

Not the first time

This is not the first time Experian has shown that its methods of keeping your information secure are below all reasonable expectations. Only half a year ago, Brian Krebs also reported how identity thieves were able to hijack accounts. They did this by signing up for new accounts at Experian, while using the victim’s personal information but with a different email address.

Data breaches happen, but that doesn’t mean that credit bureaus shouldn’t be held to a higher standard when it comes to protecting such personal information.

Fixed now

Even though this method of accessing credit reports no longer works, it is unclear how long it did work and how often it’s been used. It’s also been pointed out at length that the “security questions” themselves are not a substantial obstacle in the way of a determined identity thief that wants to exploit your credit score. Most answers can be found in public records or on social media.

Under the radar

After reading all that, you may have decided that you don’t want Experian, or maybe any other credit bureau, to have any information about you at all. Unfortunately, that’s not going to happen.

One thing you can do is to freeze your credit files at the three major reporting bureaus. Essentially, this blocks any potential creditors from being able to view or pull your credit file, unless you affirmatively unfreeze or thaw your file beforehand. This will effectively also stop any identity thieves from getting loans in your name, because they are very unlikely to get credit when the creditor is unable to check your file.

And since 2018, it is free in every US state to freeze and unfreeze your credit file and that of your dependents. And as a happy side effect, it also protects your credit score since every credit inquiry caused by a creditor can potentially lower your credit score.

