Experian credit freezing service easily unlocked by third parties


In 2017 a free online service offered by Experian was found to be allowing anyone to request the PIN needed to unlock a previously-frozen consumer credit file. Freezing the file is intended to secure such accounts against tampering and fraud. To get an unlocking number, visitors needed to provide the target individual's name, address, date of birth, and Social Security number - information that has been repeatedly stolen in data breaches, including the massive 2017 Experian breach. The fraudster then only needed to supply a valid email address to receive the PIN and tick a box to say the information belongs to the applicant. Finally, the service asked four knowledge-based authentication questions that can often be answered from hacked databases or searches of public information.


tags: Experian, credit scoring, security, design

Writer: Brian Krebs

Publication: Krebs on Security

See more examples
Related learning resources