Tuesday, January 31, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cyber Threats

Experian Glitch Exposing Credit Files Lasted 47 Days – Krebs on Security

Researcher by Researcher
January 25, 2023
in Cyber Threats
0
Experian Glitch Exposing Credit Files Lasted 47 Days – Krebs on Security
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.

Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.

Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).

Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.

“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.

It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.

It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.

After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?

Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.

As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.

If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.

For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.



Source link

Related articles

Tech support scammers are still at it: Here’s what to look out for in 2023

Tech support scammers are still at it: Here’s what to look out for in 2023

January 20, 2023
New T-Mobile Breach Affects 37 Million Accounts – Krebs on Security

New T-Mobile Breach Affects 37 Million Accounts – Krebs on Security

January 20, 2023
Tags: CreditdaysExperianExposingfilesGlitchKrebsLastedsecurity
Share76Tweet47

Related Posts

Tech support scammers are still at it: Here’s what to look out for in 2023

Tech support scammers are still at it: Here’s what to look out for in 2023

January 20, 2023
0

Hello, is it me you’re looking for? Fraudsters still want to help you fix a computer problem you never had...

New T-Mobile Breach Affects 37 Million Accounts – Krebs on Security

New T-Mobile Breach Affects 37 Million Accounts – Krebs on Security

January 20, 2023
0

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as...

Top 10 Venmo scams – and how to stay safe

Top 10 Venmo scams – and how to stay safe

January 18, 2023
0

Don’t be the next victim – here’s what to know about some of the most common tricks that scammers use...

Identity Thieves Bypassed Experian Security to View Credit Reports – Krebs on Security

Identity Thieves Bypassed Experian Security to View Credit Reports – Krebs on Security

January 9, 2023
0

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer...

The Equifax Breach Settlement Offer is Real, For Now – Krebs on Security

The Equifax Breach Settlement Offer is Real, For Now – Krebs on Security

December 21, 2022
0

Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
A first look at threat intelligence and threat hunting tools

A first look at threat intelligence and threat hunting tools

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
Novel Malware Installed in VMware ESXi Attacks

VMware Fixes vRealize Log Insight RCE Bugs

January 31, 2023
KITMEK Launches $1 Digital Only School for Children Across MENA

KITMEK Launches $1 Digital Only School for Children Across MENA

January 31, 2023
Whole-Network Visualization With Meraki Dashboard

Whole-Network Visualization With Meraki Dashboard

January 31, 2023
Securing CI/CD. There are many organizations moving to… | by Binu Panicker | Jan, 2023

Securing CI/CD. There are many organizations moving to… | by Binu Panicker | Jan, 2023

January 30, 2023

Recent Posts

Novel Malware Installed in VMware ESXi Attacks

VMware Fixes vRealize Log Insight RCE Bugs

January 31, 2023
KITMEK Launches $1 Digital Only School for Children Across MENA

KITMEK Launches $1 Digital Only School for Children Across MENA

January 31, 2023
Whole-Network Visualization With Meraki Dashboard

Whole-Network Visualization With Meraki Dashboard

January 31, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cybersecurity Data Digital exploited financial Finds Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches Payments platform Ransomware RoundUp security Software TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved