Is your Experian PIN in danger?

On Sept. 21, news broke that a tool Experian, one of the three major credit bureaus, offers on its site to retrieve the PIN needed to lift a credit freeze had a major security flaw. A PIN-recovery tool is useful in itself, but the problem is that this one is fairly simple to get through: it only requires the requester to enter information that was likely exposed in the recent Equifax breach (if not in an earlier one), which allows almost anyone holding that data to unfreeze someone else's credit. Continue reading below as we go into detail about this tool, its security implications and the broader issues surrounding the security of the credit reporting industry.

What exactly is the Experian PIN verification tool?

Although the tool formally has no name (the page on Experian's site is titled "Experian – PIN Reminder"), it is a form that lets consumers request the PIN Experian issued to them when they placed a credit freeze on their file. The form asks for identifying details such as name, address, Social Security number and email address. The problem with this process, as many have pointed out, is that much of this information has likely been compromised in the recent Equifax breach, or may already be for sale in some corner of the dark web. Anyone who holds it and can get past the identity-verification questions can retrieve the victim's PIN and thaw the frozen file. Even for someone whose details were not exposed in a breach, public records and social media make finding most of them fairly trivial.

While the above aspects make the tool's security lax (despite the page using HTTPS with an Extended Validation certificate, which are good practices in themselves but only protect the data in transit), what's particularly egregious is that Experian encourages users to provide an email address "for faster delivery of your results." Given large email breaches, such as the Yahoo breach, and the fact that email phishing is rampant, delivering highly sensitive information to an inbox sets the stage for nasty follow-on attacks and social engineering campaigns. Furthermore, the form does not appear to confirm that the requester actually controls the email address or that it matches one already on file, so it is unclear whether any address (or several addresses, for that matter) could be used to request a PIN.

Experian, in its own defense, points out that it has additional verification methods that it does not disclose. However, it is unclear whether those checks rely on information that is any harder to obtain. If randomized knowledge-based authentication questions are the only means by which PIN retrieval requests are validated, then, as security expert Brian Krebs pointed out in his article, the tool is undeniably completely insecure. As we have discussed before, knowledge-based authentication, often used for online account security questions, is an easily defeated measure because the answers are static: once leaked or looked up, they are valid forever, and the system cannot tell the rightful consumer from anyone else who knows them. Furthermore, when the questions are as straightforward as the information requested in Experian's PIN form, basic research on social media and in public records will often let anyone answer them.
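To make the static-answer problem concrete, here is an added illustration (our own model, not Experian's code, whose internals are not public): a PIN-reminder flow gated only by knowledge-based checks, with the PIN sent to whatever email address the requester typed, beside a hardened version that uses the same questions only to start a challenge, sends a short-lived one-time code to the address bound when the freeze was placed, and rotates the PIN rather than echoing the old one. The consumer record, the "leaked" data and the outbox are constructed sample values.

```python
"""Hypothetical model of a credit-freeze PIN reminder: weak versus hardened.
This is illustrative code written for this article, not a bureau's system."""
import hmac
import secrets
import time

# Constructed sample data: what the bureau holds for one consumer, and what an
# attacker could plausibly assemble from breach dumps and public records.
ON_FILE = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "90210",
           "email": "jane@example.com", "pin": "4821"}
LEAKED = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "90210"}
KBA_FIELDS = ("name", "ssn", "zip")


class Outbox:
    """Stand-in for the mail system: records which address received what."""
    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


def kba_matches(request):
    """Static knowledge-based check: true for anyone holding the leaked data."""
    return all(request.get(f) == ON_FILE[f] for f in KBA_FIELDS)


def weak_pin_reminder(request, outbox):
    """Weak flow: KBA is the only gate and the PIN goes to a requester-chosen
    address, so leaked data alone is enough to receive it."""
    if not kba_matches(request):
        return False
    outbox.send(request["email"], f"Your PIN is {ON_FILE['pin']}")
    return True


class HardenedPinReminder:
    """Hardened flow: KBA only starts a challenge. A one-time code is sent to
    the address bound at freeze time (the request's email is ignored), codes
    expire and lock out after a few wrong guesses, and a successful challenge
    issues a fresh PIN instead of revealing the existing one."""
    CODE_TTL = 600        # seconds a challenge code stays valid
    MAX_ATTEMPTS = 3

    def __init__(self, outbox, clock=time.time):
        self.outbox = outbox
        self.clock = clock            # injectable for testing expiry
        self.pending = {}             # ssn -> [code, expiry, attempts_left]

    def start(self, request):
        if not kba_matches(request):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[request["ssn"]] = [code, self.clock() + self.CODE_TTL,
                                        self.MAX_ATTEMPTS]
        self.outbox.send(ON_FILE["email"], f"Verification code: {code}")
        return True

    def finish(self, ssn, code):
        """Return the newly issued PIN on success, None otherwise."""
        entry = self.pending.get(ssn)
        if entry is None:
            return None
        stored, expiry, attempts = entry
        if self.clock() > expiry or attempts <= 0:
            del self.pending[ssn]     # expired or locked out: start over
            return None
        if not hmac.compare_digest(stored, code):
            entry[2] -= 1             # burn an attempt on a wrong guess
            return None
        del self.pending[ssn]
        ON_FILE["pin"] = f"{secrets.randbelow(10**4):04d}"   # rotate the PIN
        self.outbox.send(ON_FILE["email"], f"Your new PIN is {ON_FILE['pin']}")
        return ON_FILE["pin"]


if __name__ == "__main__":
    attacker = {**LEAKED, "email": "attacker@evil.example"}
    out = Outbox()
    print("weak flow accepted attacker:", weak_pin_reminder(attacker, out), out.sent)
    out = Outbox()
    h = HardenedPinReminder(out)
    h.start(attacker)
    print("hardened flow mailed:", out.sent[0][0])      # the on-file address
    print("attacker guess:", h.finish(LEAKED["ssn"], "xxxxxx"))   # None
```

The difference between the two flows is not the questions asked but what answering them buys: in the weak flow the static answers are the whole secret, while in the hardened flow they only earn a challenge that still requires control of an inbox the bureau already knows about. Rotating the PIN on success also means a lost or intercepted code never exposes the original value.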

Should you still get a credit freeze with Experian?

Regardless of how insecure this tool is, it is still advisable to place credit freezes with each of the credit bureaus. First, this security "oversight" is believed to affect only Experian and, to be fair, no abuse of the tool has been reported so far. That said, the simplicity of the tool means you will need to watch your Experian credit report closely and check the status of your freeze regularly. At the very least, this incident shows that it is no longer enough to set a freeze on your reports and forget about it. Even if Experian removes the tool or makes it more secure, it is better in the long run to check on your freeze status frequently. Remember that the bureau mails a notice whenever a freeze is placed or lifted, so be on the lookout for those letters: an unexpected thaw notice is your earliest warning that someone else has used the tool.

Why do these issues keep happening?

Sadly, this story comes right on the heels of the Equifax gaffes earlier this week. Incidents like these seem to be part of a long line of failures that would be a comedy of errors were they not directly affecting Americans' lives. The persistence of these mishaps across companies suggests fundamental problems not just at Equifax, but across the entire credit reporting industry. Addressing those problems is beyond our abilities as consumers, but we should be aware that they exist and that they could lead to substantial change should the government, and perhaps lenders and banks, decide to change how credit reporting is managed. In the meantime, we not only have to monitor our reports and other sensitive accounts as frequently as possible, but we also have to play an active role in managing our own security. Reading about all these breaches and flaws is exhausting, but on the bright side for this particular issue, nothing so far indicates that the other bureaus' PIN verification methods are as insecure as Experian's, although another day will likely reveal yet another problem.

To stay up to speed regarding the fallout of the Equifax breach, keep reading our dedicated Equifax breach blog. And to know the latest about emerging breaches and hacks, keep reading our security breach blog.