Odds are high that you’re part of the massive Equifax data breach. Nearly 143 million Americans had critical data exposed, including Social Security numbers, home addresses, dates of birth, and some driver’s license numbers.
Now, there’s more bad news. Another consumer credit reporting agency, Experian, has a major security problem of its own.
How cybercriminals can easily steal your critical data
One of the first security steps to take following the Equifax breach is to place a freeze on all of your credit reports. Freezing your credit means that creditors can’t access any of your credit files unless the freeze is lifted, stopping criminals from opening new accounts under your name.
Right now, Experian is making it too easy for criminals to unlock your credit accounts. When you set up a credit freeze with Experian, you need to select a PIN code. The PIN allows you to lift the credit freeze whenever you want.
Unfortunately, Experian has implemented a PIN recovery system that cybercriminals can easily bypass. If you have a security freeze on your credit report and have forgotten or misplaced your PIN, you simply need to fill out an online form on its site to recover it.
The problem is, criminals who have your stolen data from the Equifax breach, or any other breach for that matter, can also recover your PIN. That’s because they simply need to enter the stolen information, along with any email address of their own, to have the PIN sent to that email address. After answering a few security questions, which can most likely be found on the Dark Web, the criminal has your PIN and can unfreeze your credit.
Here is what the Experian PIN recovery form looks like:
Image: Experian’s PIN recovery form. (Source: Experian)
Experian really needs to close this loophole so criminals can’t steal victims’ PIN codes. A better system would be to have the PIN sent to the victims’ home through snail mail.
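The weakness described above, next to the mail-to-the-address-on-file fix suggested here, as an added example that is not Experian's code or part of the original article. It is a hypothetical Python model: the record fields, function names and sample values are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FreezeRecord:            # constructed sample record, not real data
    ssn: str
    dob: str
    kba_answers: tuple
    mailing_address: str       # address on file when the freeze was placed
    pin: str

RECORDS = {
    "000-00-0000": FreezeRecord("000-00-0000", "1980-01-01",
                                ("maple st", "blue sedan"),
                                "1 Example Rd, Anytown", "4821"),
}

def _knowledge_check(ssn, dob, answers):
    """Return the record only if the static identity data and KBA answers match."""
    rec = RECORDS.get(ssn)
    if rec and rec.dob == dob and tuple(answers) == rec.kba_answers:
        return rec
    return None

def recover_pin_weak(ssn, dob, answers, email):
    """Flow as the article describes it: the PIN goes wherever the requester asks."""
    rec = _knowledge_check(ssn, dob, answers)
    if rec is None:
        return None
    # Delivery channel is requester-supplied, so knowing the data is sufficient.
    return ("email", email, rec.pin)

def recover_pin_hardened(ssn, dob, answers, email=None):
    """PIN goes only to the address on file; requester input cannot redirect it."""
    rec = _knowledge_check(ssn, dob, answers)
    if rec is None:
        return None
    # The email argument is deliberately ignored: delivery is bound to the record.
    return ("postal_mail", rec.mailing_address, rec.pin)

if __name__ == "__main__":
    known = ("000-00-0000", "1980-01-01", ("maple st", "blue sedan"))
    print(recover_pin_weak(*known, "someone-else@example.net"))
    print(recover_pin_hardened(*known, "someone-else@example.net"))
```

In the hardened flow, passing the knowledge checks still triggers delivery, but only to a channel the account holder already controls.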
It’s still a good idea to set up a credit freeze following the Equifax debacle. You just need to stay vigilant and keep an eye on your credit reports and bank accounts to watch for suspicious activity.
Also, be aware that scams associated with Equifax are spreading. Phone scams, phishing emails and fraudulent Facebook posts are becoming more common.
Update: Experian sent us the following comment:
“Experian is aware of media reports concerning the authentication processes we use in the consumer credit freeze PIN retrieval process. These reports portrayed those processes in an incomplete way. To be clear, our authentication processes go beyond requiring users to provide personally-identifiable information (PII) and answering a variety of knowledge-based authentication (KBA) questions. While we do not disclose those additional processes for obvious security reasons, they include a broad array of checks that are not visible to the consumer. Experian regularly reviews its security practices and adjusts as needed. We continue to see the effectiveness of KBA as part of a layered authentication approach.”