An online caper that allegedly targeted famous Americans raises security concerns about how easy it is to dupe a legit website that provides free credit reports to everyday consumers.
On Tuesday, Equifax, one of the three national credit reporting bureaus, confirmed that criminals gained unauthorized access to four credit reports through AnnualCreditReport.com. Media outlets have reported that the compromised data belonged to at least 17 well-known people, including reality star Kim Kardashian and actor Ashton Kutcher, as well as political figures Vice President Joe Biden and first lady Michelle Obama. Equifax did not confirm the identities of the individuals who were victimized.
The credit bureau said it is working with the Federal Bureau of Investigation and the Secret Service on the investigation. The Secret Service declined to comment on the status of the investigation.
Experian, one of the two other main credit agencies, said it froze the credit reports of those affected by the attack and is conducting its own investigation to see if any of its information was accessed. TransUnion also is assisting those affected by the incident and is doing an internal investigation.
All three credit bureaus emphasized that their databases had not been hacked. The criminals got the credit reports after providing personal information and correctly answering the online questions, based on personally identifiable information, that are used to authenticate a request for a report.
"I'm surprised that this doesn't happen more often," says John Ulzheimer, president of consumer education at SmartCredit.com. "The authentication process is not terribly sophisticated. It's nothing more than a multiple-choice test."
The biggest obstacle is getting to the authentication test. On AnnualCreditReport.com, a consumer must provide first and last name, date of birth, Social Security number and current address. If the consumer hasn't lived at their current address for at least two years, they must provide their previous address. The consumer then must choose which type of report they want -- Experian, Equifax or TransUnion -- and then is directed to the company's own website.
Experian's and Equifax's authentication tests each feature four questions with five choices, while TransUnion's test consists of three questions with five choices. "None of the above" is always one of the five choices.
The questions are derived from personal and credit information found on a consumer's credit report, such as counties where a consumer lived, past phone numbers, the amount of a specific loan or the name of a specific lender. On its website, Equifax says "only you should know the answers" to these questions.
However, some of these answers are known by friends, family and co-workers, while others could be found on social networking profiles. And some of these answers are public record. For example, Monmouth County in New Jersey provides a searchable database of mortgages, which include the name of the lender and the amount of the mortgage. Other counties across the U.S. offer similar services.
Even without specific personal information, there is a 1 in 625 chance (five choices on each of four questions) that someone could randomly answer the questions correctly on the Experian or Equifax test. On the TransUnion test, with three questions, the chances are even better: 1 in 125.
"Once someone gets one copy of your credit report, then the game is really over," says Ulzheimer.
For anyone worried about unauthorized access, Ulzheimer recommends placing a credit freeze on their credit reports. That denies everyone, including yourself and lenders, access to your credit report.
Follow me on Twitter: @JannaHerron