Freezing your credit report may be free now, but if you’re a customer of one major credit bureau, you may need to change your credit freeze PIN after the report of a possible security flaw.

Last week, some Experian customers could allegedly retrieve a forgotten or lost credit freeze PIN simply by selecting “none of the above” as the answer to each of a series of online security questions. By taking the same steps, a fraudster could’ve easily gained access to your PIN.

The situation has been resolved, but it’s unclear how long this was going on. If you’re an Experian customer, requesting a new PIN may be a good idea. While you’re at it, check your credit reports. And if you haven’t frozen your credit reports yet, this is a good time to consider whether doing so makes sense.

Another security incident

Mike Litt, a director for the consumer group U.S. PIRG, was initially able to retrieve his own PIN by selecting “none of the above” as responses on Experian’s online form. He was shocked.

“The credit bureaus make money off of our information but can’t even protect access to it? Not even after the worst data breach in history? It’s like they didn’t learn anything,” Litt says. “And they will continue to not learn anything or take our data security seriously unless there are financial penalties for such carelessness.”

Some data security experts weren’t so surprised.

“Unfortunately, we see glitches like this, programming errors like this, taking place all the time. In fact, we’ve tracked over 30,000 breaches over the past 10 years,” says Inga Goddijn, executive vice president of Risk Based Security in Richmond, Virginia. “Certainly there’s a good number of them that are attributable to zero-day vulnerabilities or really sophisticated hacking attacks, but there’s also quite a few of them that are attributable just to mistakes and the errors that are made and how systems and applications are maintained over time.”

Dean Nicolls, head of global marketing at an identity verification company called Jumio, says that it’s a “virtual certainty” that there will be additional data breaches. He notes that the incident involving Experian was “significant.”

At this point, no one can trust that information shared and stored online is secure.

“When you think about security practices and in preparing for the worst, one of the standard lines you hear in the security industry today is just assume that you will be hacked,” Goddijn says. “It’s just a matter of when and then the measures that you take are, you do everything to close as many holes as possible.”

Not Experian’s first rodeo

Last week’s incident wasn’t the first time Experian has been called out for its approach to security.

Last fall, security expert Brian Krebs brought attention to a separate issue with Experian’s PIN retrieval portal: the knowledge-based authentication questions customers needed to answer were easy considering how much personal information is already accessible to fraudsters.

According to a spokesperson for Experian, Krebs’ post didn’t accurately characterize the credit bureau’s authentication protocols.

“Experian regularly reviews its security practices and adjusts as needed,” a spokesperson says. “We continue to see the effectiveness of KBA [knowledge-based authentication questions] as part of a layered authentication approach.”

Getting a new PIN

This time around, Experian addressed the alleged security flaw fairly quickly. But it doesn’t plan to reissue any PINs.

“Taking into consideration the layers of security controls we have in place and that there is no risk to credit file data or consumer PII, we don’t feel it is necessary to replace PINs,” an Experian spokesperson says.

Replacing your PIN is something consumers should do on their own, Litt says. Just remember that you won’t need a PIN to unfreeze your Equifax or TransUnion credit reports online.

Experian customers may also want to consider complaining to two agencies: the Federal Trade Commission and the Consumer Financial Protection Bureau. That could be one way to ensure that the credit bureau is held accountable, and it may prompt Experian to reissue PINs, Litt says.

Currently, selecting “none of the above” on Experian’s online PIN retrieval form reportedly leaves you with a message saying you can mail in copies of your Social Security card and other personal documents. But it’s an open question whether that’s a secure way to change your PIN.

“I don’t know that I would ever feel good about just making copies of that information and blindly putting it in the mail in the hopes that it’ll be handled correctly on the receiving end,” Goddijn says. “So I would think going through customer service — whether it’s the online customer service or by calling them up — I think I might feel a little more comfortable doing that.”

Freeze is not a catch-all solution

Despite what happened with Experian, Litt says freezing your credit reports is still your best bet to avoid becoming an identity theft victim. But it’s not a foolproof solution. Credit freezes only protect consumers from fraud associated with the opening of new accounts, not tax refund fraud and other forms of criminal activity.

“It’s always been important that in addition to the freeze, you’re remaining vigilant and still checking your credit reports,” Litt says.

If you haven’t frozen your credit reports yet, make sure you take timing into account. You may need to hold off freezing credit files until after you’ve applied for a mortgage or gotten a new car.