Security researcher Brian Krebs complains that Experian’s identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge:
Experian makes it easy to undo a credit freeze, resetting a subject’s PIN through an easily accessible account recovery page. That page only asks for a person’s name, address, date of birth, and Social Security number…data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address — any email — and answer a few security questions.
That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they’ve previously lived and the people that resided with them. Much of that information is available through a person’s own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow… In response to Krebs’ report, Experian claims that it goes beyond the measures identified to authenticate users. “While we do not disclose those additional processes,” said the company in a statement, “they include a broad array of checks that are not visible to the consumer.”
Meanwhile, the Los Angeles Times reports that Experian is also advertising a “free scan of the dark Web” which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of “advertisements or offers” from financial products companies — plus “an arbitration clause preventing you from suing the company” which a spokesperson acknowledges could remain in effect for several years.

Read more of this story at Slashdot.

Source: Slashdot – Experian Criticized Over Credit-Freeze PIN Security and ‘Dark Web’ Scans