Turns out Equifax isn't the only credit reporting agency with garbage security, which probably shouldn't come as a surprise at this point. As Brian Krebs reports on his security news website, Experian has a few issues too, namely some incredibly lax barriers to obtaining a PIN used to unlock a credit freeze.
The first step to getting a PIN through Experian requires a name, address, date of birth and Social Security number, all of which have been exposed in a number of past security breaches, including Equifax's. Chances are anyone can find that information quite easily. After that, the website asks for an email address -- and it can be any email address, not just the one associated with the account. Finally, Experian has you answer four questions such as where you previously lived and who lived there with you. And again, that information is readily accessible with just a little bit of effort. With those steps completed successfully, Experian will send the PIN to the email address entered in the form. It's that simple.
Experian has had some problems in the past as well. In 2015, it exposed personal information from 15 million people who applied for T-Mobile accounts. The data snagged during the breach included names, addresses and birth dates as well as encrypted data containing Social Security and driver's license numbers.
So, the takeaway lesson here is that even if you've frozen your credit files, you should pay attention to your credit reports because Experian has made it remarkably easy for someone to snag your PIN and unfreeze them.
Update 9/22: Experian sent us the following comment:
Experian is aware of media reports concerning the authentication processes we use in the consumer credit freeze PIN retrieval process. These reports portrayed those processes in an incomplete way. To be clear, our authentication processes go beyond requiring users to provide personally-identifiable information (PII) and answering a variety of knowledge-based authentication (KBA) questions. While we do not disclose those additional processes for obvious security reasons, they include a broad array of checks that are not visible to the consumer. Experian regularly reviews its security practices and adjusts as needed. We continue to see the effectiveness of KBA as part of a layered authentication approach.