Identity thieves have been using a weakness in Experian’s website to obtain credit reports of US citizens for fraud.
Jenya Kushnir, a security researcher living in Ukraine, recently contacted cyber journalist Brian Krebs with a worrying find: credit reporting bureau Experian’s website allowed anyone to bypass security questions and go straight to a consumer’s credit report.
“All that was needed was the person’s name, address, birthday and Social Security number,” according to KrebsOnSecurity.
These pieces of information are easily captured in data breaches and then sold on the underground web, including on dark web forums and anonymized channels dedicated to cybercrime.
Kushnir reportedly discovered the method after spending time on Telegram chat channels used by criminals to defraud citizens whose digital identities were compromised in data breaches.
“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing [expletive] and regular people struggle,” Kushnir wrote in an email to Krebs. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”
Kushnir revealed that the crooks could get Experian to display anyone’s credit report simply by editing the URL at a specific point in the identity-verification process, skipping the security questions entirely.
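The bug class at work here is a multi-step verification flow whose final step trusts that the earlier steps were completed instead of checking. The model below is an added, hypothetical example, not Experian’s code and not a description of how its site actually worked; the routes, session layout, consumer record and security answer are all constructed. It puts a report handler that checks only that step 1 (matching name, address, birthday and SSN) succeeded beside one that requires the server-side state machine to have reached “verified”.

```python
"""Model of a multi-step identity-verification flow with a step-skipping bug.

Added, hypothetical example: it is not Experian's code and does not describe
how Experian's site actually worked. It shows the bug class the article
describes (reaching a later URL in the flow without completing the security
questions) next to a server-side fix. Consumer data and routes are constructed.
"""
import hmac

MAX_WRONG_ANSWERS = 3

# Constructed sample record, keyed by SSN. Name, address, DOB and SSN are the
# four items the article says were enough to trigger the bypass.
CONSUMERS = {
    "123-45-6789": {
        "name": "Jane Doe",
        "address": "1 Main St, Springfield",
        "dob": "1980-01-01",
        "security_answer": "Fluffy",           # knowledge-based question answer
        "report": "CREDIT REPORT for Jane Doe (constructed sample)",
    }
}


def start_verification(session, name, address, dob, ssn):
    """POST /verify/identity: step 1, match the supplied PII to a record."""
    rec = CONSUMERS.get(ssn)
    if rec is None or (rec["name"], rec["address"], rec["dob"]) != (name, address, dob):
        return 403, "identity not found"
    session.clear()
    session["ssn"] = ssn
    session["step"] = "questions"        # the only step the user may do next
    session["wrong_answers"] = 0
    return 302, "/verify/questions"


def answer_questions(session, answer):
    """POST /verify/questions: step 2, the knowledge-based security question."""
    if session.get("step") != "questions":
        return 403, "not at the questions step"
    expected = CONSUMERS[session["ssn"]]["security_answer"]
    # Constant-time compare so timing does not leak how much of the answer matched.
    if not hmac.compare_digest(expected.encode(), answer.encode()):
        session["wrong_answers"] += 1
        if session["wrong_answers"] >= MAX_WRONG_ANSWERS:
            session["step"] = "locked"
            return 403, "too many wrong answers; verification locked"
        return 403, "wrong answer"
    session["step"] = "verified"
    return 302, "/report"


def get_report_vulnerable(session):
    """GET /report, buggy: only checks that step 1 identified a consumer.

    Nothing here proves the questions were answered, so a client that edits
    the URL to /report right after step 1 is served the report.
    """
    if "ssn" not in session:
        return 401, "start verification first"
    return 200, CONSUMERS[session["ssn"]]["report"]


def get_report_hardened(session):
    """GET /report, fixed: the server-side state machine must say 'verified'."""
    if session.get("step") != "verified":
        return 403, "identity verification not completed"
    session["step"] = "done"             # one report per completed verification
    return 200, CONSUMERS[session["ssn"]]["report"]


def simulate_url_skip(report_handler):
    """Attacker with breached PII completes step 1, then requests /report directly."""
    session = {}
    status, _ = start_verification(session, "Jane Doe", "1 Main St, Springfield",
                                   "1980-01-01", "123-45-6789")
    assert status == 302
    return report_handler(session)[0]    # 200 = bypass worked, 403 = blocked


if __name__ == "__main__":
    print("vulnerable handler:", simulate_url_skip(get_report_vulnerable))   # 200
    print("hardened handler:  ", simulate_url_skip(get_report_hardened))     # 403
```

The point of the fix is that the state lives on the server and only advances when the server itself verifies the answer; a client can request any URL it likes, but the report handler refuses unless the session has actually passed through the questions step. The lockout after repeated wrong answers matters as well, since the PII needed for step 1 is cheap and the question step is otherwise open to guessing.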
Krebs confirmed the weakness and reported it to Experian. The company quietly fixed the flaw in December but declined to answer requests for comment or clarification.
It is unclear how long a window criminals had to exploit the weakness and use the free credit reports to defraud unsuspecting victims.
US Senator Ron Wyden was more than willing to comment on the issue, telling Krebs that, while he was disappointed to learn of this grave security lapse, he was not surprised.
“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said.
Equifax, another major credit reporting bureau serving US citizens, has had similar issues with security.
Readers might remember the 2017 Equifax breach, in which attackers made off with the personal records of some 146 million consumers.
Nearly two years after the incident, Equifax was reported to have lost $1.4 billion on settlements, legal fees, new technology investments, professional services, staffing, regulatory sanctions and more, including the free credit monitoring offered to those affected.
Bitdefender Digital Identity Protection scans the web for unauthorized leaks of your personal data, monitoring whether your accounts are exposed and making it easy to take action before disaster strikes.
US citizens can opt for Bitdefender Identity Theft Protection which not only offers continuous monitoring of your identity, privacy and credit status, but also identity theft insurance of up to $2 million.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.