The Problem With Giving Your Data to … Experian
Okay, so you don’t really have a choice in this one. This is a little different from, say, giving your data to Facebook or Twitter. With social media, you can choose not to play. With the credit bureaus, you are not the customer, you are the pawn in the game.
Okay, so what did Experian do this time?
The big three bureaus run a website that allows you to request a copy of your credit report. You enter some basic data, including your Social Security number, and select which of the bureaus you want your report from.
The government-mandated website then transfers you to the individual bureau’s website, where they are supposed to validate your ID.
Generally they ask a bunch of low-security questions, the answers to which have already been exposed in the thousands of data breaches. But they give naïve consumers an illusion of security.
But even that is an illusion.
According to Brian Krebs, a security researcher in Ukraine (don’t they have more important things to do? Maybe not.) reached out to him and told him how to bypass these weak security measures.
And the bypass is not complex. All you need to do is make some changes to the path in the URL. Either this was an attempt by Experian to use security by obscurity, or maybe they just didn’t test their software.
In either case, you change a little bit of the address line and Experian coughs up your full credit report.
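The root cause here is a multi-step flow where the last step trusts that the earlier step happened because the browser "should" have visited it. Below is an added example (not Experian’s code) modelling the request flow above with constructed sample data: an insecure report endpoint that releases the report once identifying data is on file, beside a hardened one that releases it only after the bureau’s own verification step has marked the session verified for that same subject.

```python
# Added example, not code from Experian or the credit-report site. It models the
# three-step flow (enter data -> answer verification questions -> view report) so
# that the gate is enforced by server-side session state, not by the URL reached.
from dataclasses import dataclass
from typing import Optional

# Constructed sample record: one consumer, the answer on file, and the report.
RECORDS = {
    "123-45-6789": {"kba_answer": "elm st", "report": "REPORT-123"},
}
MAX_KBA_ATTEMPTS = 3

@dataclass
class Session:
    ssn: Optional[str] = None
    verified_ssn: Optional[str] = None   # set only by answer_kba, never by the client
    kba_attempts: int = 0

def start_request(session: Session, ssn: str) -> str:
    """Step 1: consumer enters identifying data on the shared request site."""
    if ssn not in RECORDS:
        return "no_such_record"
    session.ssn = ssn
    session.verified_ssn = None          # any earlier verification no longer applies
    session.kba_attempts = 0
    return "kba_required"

def answer_kba(session: Session, answer: str) -> str:
    """Step 2: bureau's verification page; only a correct answer marks the session."""
    if session.ssn is None:
        return "start_first"
    session.kba_attempts += 1
    if session.kba_attempts > MAX_KBA_ATTEMPTS:
        return "locked"                   # limit guessing of the low-security questions
    if answer.strip().lower() == RECORDS[session.ssn]["kba_answer"]:
        session.verified_ssn = session.ssn
        return "verified"
    return "wrong"

def get_report_insecure(session: Session) -> Optional[str]:
    """Vulnerable pattern: assumes reaching this URL means step 2 already happened."""
    if session.ssn is None:
        return None
    return RECORDS[session.ssn]["report"]

def get_report(session: Session) -> Optional[str]:
    """Hardened: release the report only when the verified subject is the requested one."""
    if session.ssn is None or session.verified_ssn != session.ssn:
        return None
    return RECORDS[session.ssn]["report"]
```

Jumping straight from step 1 to the report URL yields the report from `get_report_insecure` but nothing from `get_report`; the same check also refuses a report when the subject is changed after verification.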
Brian said that when he looked at his report it was a total disaster. That is another story.
I decided to try it myself and I got a message that they couldn’t process my request.
I assume that they took the site offline after this most recent debacle.
And, of course, Congress isn’t doing their job at regulating these guys. I bet that is a surprise.
Maybe with the Republicans in charge of the House they will rein these guys in.
Credit: Brian Krebs