Stealing Experian credit freeze PINs was as easy as 'none of the above'
A security hurdle meant to block criminals from stealing PIN codes that secure credit freezes at Experian was easily overcome simply by answering "None of the above" to a series of security questions, according to a report by NerdWallet.com.
"Our colleague Liz Weston and several others at NerdWallet this morning were able to get Experian's site to cough up their PINs -- the personal identification numbers needed to thaw our credit freezes -- by answering the so-called 'security questions' with a blanket answer: None of the Above."
In a statement to me Thursday night, Experian did not exactly confirm NerdWallet's findings, but said it did react to the news -- suggesting the security shortfall had been fixed.
"While we are confident that our authentication is secure and no credit files are at risk, we have taken additional steps to make the process more secure," a spokesperson wrote in an email. "We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security."
To obtain a target's PIN, a would-be ID thief would first need a set of other personal information belonging to the victim, such as a Social Security number. That information, however, is routinely exposed in breaches and sold on the dark web, so it cannot be treated as a secret. The PIN is the one secret that makes a credit freeze work: whoever can retrieve it can thaw the file, so a weak knowledge-based check guarding it undermines the entire freeze system.
NerdWallet's Brad Wolverton called it a "huge loophole."
Mike Litt, a spokesperson for the Public Interest Research Group, used even stronger language.
"There is absolutely no excuse for this. How do you just leave the keys to the door on top of the welcome mat?" he said. "I tried it out for myself around 4:40 pm ET. I, too, was able to retrieve my PIN by selecting 'none of the above' for security questions even though the answer was in the list of options. This means that even if you had taken the step to freeze your Experian credit report, an identity thief could have unfrozen it and still tried to open a credit account in your name."
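To make the reported behaviour concrete, the following is an added illustrative Python example, written for this page; it is not Experian's code and does not come from NerdWallet's report. The question bank is constructed, and the root cause modeled in `flawed_check` (rejecting known decoy options instead of requiring the one correct answer) is an assumption: the article does not say how Experian's check was actually implemented, only that "None of the above" was accepted even when the real answer was among the options. The hardened version requires an exact match against the expected answer and locks the account after repeated failures.

```python
"""Knowledge-based-authentication (KBA) PIN-retrieval check: a flawed
evaluator that accepts "None of the above" unconditionally, beside a
hardened one. Added example; the question bank is constructed."""
import hmac
from dataclasses import dataclass
from typing import Callable

NONE_OF_THE_ABOVE = "None of the above"


@dataclass(frozen=True)
class Question:
    prompt: str
    options: tuple  # multiple choice, always ends with NONE_OF_THE_ABOVE
    correct: str    # true answer from the credit file, or NONE_OF_THE_ABOVE


# Constructed sample bank (fictional data), not from any real credit file.
QUESTIONS = (
    Question("Which of these streets have you lived on?",
             ("Elm St", "Oak Ave", "Pine Rd", NONE_OF_THE_ABOVE), "Oak Ave"),
    Question("Which lender holds your auto loan?",
             ("Acme Bank", "Delta Credit", "Zeta Finance", NONE_OF_THE_ABOVE),
             NONE_OF_THE_ABOVE),
    Question("In what year did you open your first mortgage?",
             ("2009", "2014", "2017", NONE_OF_THE_ABOVE), "2014"),
)


def flawed_check(q: Question, answer: str) -> bool:
    """Hypothetical root cause, assumed for illustration: the code rejects
    known decoy options instead of requiring the one correct answer, so
    NONE_OF_THE_ABOVE (never a decoy) passes even when the real answer is
    listed, which is the behaviour reported above."""
    decoys = {o for o in q.options if o not in (q.correct, NONE_OF_THE_ABOVE)}
    return answer in q.options and answer not in decoys


def hardened_check(q: Question, answer: str) -> bool:
    """Require exact equality with the expected answer. NONE_OF_THE_ABOVE is
    only correct when the true answer is genuinely absent from the options."""
    return hmac.compare_digest(answer.encode(), q.correct.encode())


@dataclass
class KbaVerifier:
    check: Callable[[Question, str], bool]
    questions: tuple = QUESTIONS
    max_failures: int = 3
    failures: int = 0
    locked: bool = False

    def verify(self, answers) -> bool:
        """Return True only if every question is answered correctly.
        Evaluates all questions (no short-circuit) so the response does not
        reveal which one failed, and locks out after max_failures attempts."""
        if self.locked or len(answers) != len(self.questions):
            return False
        results = [self.check(q, a) for q, a in zip(self.questions, answers)]
        if all(results):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


# The blanket answer described in the article, and a legitimate answer set.
BLANKET = tuple(NONE_OF_THE_ABOVE for _ in QUESTIONS)
LEGIT = ("Oak Ave", NONE_OF_THE_ABOVE, "2014")


def demo() -> dict:
    """Run the blanket 'None of the above' attack against both checks."""
    flawed = KbaVerifier(flawed_check)
    hardened = KbaVerifier(hardened_check)
    return {
        "flawed_accepts_blanket": flawed.verify(BLANKET),
        "hardened_accepts_blanket": hardened.verify(BLANKET),
        "hardened_accepts_legit": hardened.verify(LEGIT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the hardened version is that "None of the above" is just another option, correct only for the questions where the generator deliberately left the true answer out; it must never be treated as a wildcard. The lockout matters too: with free retries, even a correctly implemented multiple-choice quiz is a small search space for an attacker who already holds the victim's personal data.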
Two weeks ago, a federal law kicked in that made credit report freezes free for all consumers. Freezes are held out as the gold standard for preventing identity theft, and most everyone recommends them. I do, too, but they aren't the silver bullet they've been made out to be. Plenty of folks have reported difficulty unfreezing their reports. There's also the potential for user error -- misplaced PIN codes. No doubt, Experian has been dealing with a lot of those issues as consumers flock to take advantage of free freezes, and that might have led to the less-than-secure process for retrieving PINs.
Last year, security reporter Brian Krebs noted another way that a criminal might retrieve a target's PIN code.
Any time a new security process is introduced, new vulnerabilities can be introduced along with it. This doesn't mean consumers shouldn't take advantage of freezes. But don't expect everything to go smoothly, and don't believe a freeze is a silver bullet.