"Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

need403bhelp
Posts: 586
Joined: Thu May 28, 2015 6:25 pm

"Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by need403bhelp » Sun Oct 07, 2018 7:07 pm

https://www.nerdwallet.com/blog/finance ... it-freeze/

Haven't yet seen this posted here.

Apparently, although Experian asked knowledge-based authentication questions to recover your PIN ("what year honda accord do you own?") answering "None of the above" to all the questions allowed you to retrieve your PIN. It is now fixed, but it is not clear how long this has been possible, and whether it has been exploited by anyone...

Any ideas for remedies if one has had one's Experian frozen?

2015
Posts: 1985
Joined: Mon Feb 10, 2014 2:32 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by 2015 » Sun Oct 07, 2018 7:45 pm

Join the class action lawsuit when it starts.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Sun Oct 07, 2018 7:48 pm

2015 wrote:
Sun Oct 07, 2018 7:45 pm
Join the class action lawsuit when it starts.
What would that achieve?

2015
Posts: 1985
Joined: Mon Feb 10, 2014 2:32 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by 2015 » Sun Oct 07, 2018 7:57 pm

AlphaLess wrote:
Sun Oct 07, 2018 7:48 pm
2015 wrote:
Sun Oct 07, 2018 7:45 pm
Join the class action lawsuit when it starts.
What would that achieve?
I don't know, about the only thing these organizations respond to is what hits them in the pocketbook. Otherwise, it's pretty much a lost cause (as you can see by this debacle coming on the heels of the Equifax breach). Isn't it obvious? They really don't care.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Sun Oct 07, 2018 8:15 pm

2015 wrote:
Sun Oct 07, 2018 7:57 pm
AlphaLess wrote:
Sun Oct 07, 2018 7:48 pm
2015 wrote:
Sun Oct 07, 2018 7:45 pm
Join the class action lawsuit when it starts.
What would that achieve?
I don't know, about the only thing these organizations respond to is what hits them in the pocketbook. Otherwise, it's pretty much a lost cause (as you can see by this debacle coming on the heels of the Equifax breach). Isn't it obvious? They really don't care.
Punishing them is an excellent idea.

However, a class action is not the answer.

We need to fundamentally rethink the data warehousing as well as data custodianship issue.

Essentially, Experian and Friends make money using our data.
There is no business model for these companies that will allow them to make money without OUR DATA.
Sure, they need databases, networks, business applications, and an army of employees and customers to actually make money. But the key ingredient is our data.

If there was a legal framework that allowed individuals to restrict their data based on security breaches, then I think Experian and their friendly competitors would rapidly lose their ability to perform as businesses.

Of course, you need competing companies to come in and offer the same services.

2015
Posts: 1985
Joined: Mon Feb 10, 2014 2:32 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by 2015 » Sun Oct 07, 2018 8:29 pm

Well I'd like to blow them all up personally, but then I'd not be happy with the consequences. OP, thanks for the heads up.

cheese_breath
Posts: 7928
Joined: Wed Sep 14, 2011 7:08 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by cheese_breath » Sun Oct 07, 2018 8:49 pm

Wonder if I'll get an Email from Experian pushing one of their products to protect me from this breach?
The surest way to know the future is when it becomes the past.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Sun Oct 07, 2018 8:54 pm

cheese_breath wrote:
Sun Oct 07, 2018 8:49 pm
Wonder if I'll get an Email from Experian pushing one of their products to protect me from this breach?
Exactly.
You call it a breach, we call it a marketing opportunity.

Just like Microsoft: is it a bug or a feature?

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Sun Oct 07, 2018 8:55 pm

2015 wrote:
Sun Oct 07, 2018 8:29 pm
Well I'd like to blow them all up personally, but then I'd not be happy with the consequences. OP, thanks for the heads up.
You can.
Sign up to exclude your record from any marketing opportunities.
Lock up (freeze) your credit reports.
Vote for responsible politicians.

catalina355
Posts: 60
Joined: Sun Jun 10, 2018 6:46 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by catalina355 » Sun Oct 07, 2018 8:57 pm

AlphaLess wrote:
Sun Oct 07, 2018 8:15 pm
2015 wrote:
Sun Oct 07, 2018 7:57 pm
AlphaLess wrote:
Sun Oct 07, 2018 7:48 pm
2015 wrote:
Sun Oct 07, 2018 7:45 pm
Join the class action lawsuit when it starts.
What would that achieve?
I don't know, about the only thing these organizations respond to is what hits them in the pocketbook. Otherwise, it's pretty much a lost cause (as you can see by this debacle coming on the heels of the Equifax breach). Isn't it obvious? They really don't care.
Punishing them is an excellent idea.

However, a class action is not the answer.

We need to fundamentally rethink the data warehousing as well as data custodianship issue.

Essentially, Experian and Friends make money using our data.
There is no business model for these companies that will allow them to make money without OUR DATA.
Sure, they need databases, networks, business applications, and an army of employees and customers to actually make money. But the key ingredient is our data.

If there was a legal framework that allowed individuals to restrict their data based on security breaches, then I think Experian and their friendly competitors would rapidly lose their ability to perform as businesses.

Of course, you need competing companies to come in and offer the same services. :twisted:
Given Experian's history the answer might be for the USG to shut the company down. :twisted:

CollegePrudens
Posts: 164
Joined: Mon Oct 16, 2017 10:43 pm
Location: SF Bay Area

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by CollegePrudens » Sun Oct 07, 2018 9:06 pm

Ughh. Even by the ultra low standards of the three credit bureaus, this is just absurd. What a disgrace.
Live as if you were to die tomorrow; learn as if you were to live forever - Gandhi

UpperNwGuy
Posts: 987
Joined: Sun Oct 08, 2017 7:16 pm
Location: Washington DC

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by UpperNwGuy » Sun Oct 07, 2018 9:11 pm

AlphaLess wrote:
Sun Oct 07, 2018 8:55 pm
2015 wrote:
Sun Oct 07, 2018 8:29 pm
Well I'd like to blow them all up personally, but then I'd not be happy with the consequences. OP, thanks for the heads up.
You can.
Sign up to exclude your record from any marketing opportunities.
Lock up (freeze) your credit reports.
Vote for responsible politicians.
Wait! Wasn't that what the PIN was for?
Retiree with a pension and a 60/40 taxable portfolio: Total Stock + Total Int'l + Total Bond + Interm Term Tax Exempt.

willthrill81
Posts: 5765
Joined: Thu Jan 26, 2017 3:17 pm
Location: USA

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by willthrill81 » Sun Oct 07, 2018 9:18 pm

UpperNwGuy wrote:
Sun Oct 07, 2018 9:11 pm
AlphaLess wrote:
Sun Oct 07, 2018 8:55 pm
2015 wrote:
Sun Oct 07, 2018 8:29 pm
Well I'd like to blow them all up personally, but then I'd not be happy with the consequences. OP, thanks for the heads up.
You can.
Sign up to exclude your record from any marketing opportunities.
Lock up (freeze) your credit reports.
Vote for responsible politicians.
Wait! Wasn't that what the PIN was for?
Yes. So people who had frozen their credit could have had their credit unfrozen so that new accounts could be opened in their name. However, I thought that they emailed you immediately (i.e. before hackers could change the email address on record) when you had your credit unfrozen.
“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” J.R.R. Tolkien, The Lord of the Rings

annielouise
Posts: 331
Joined: Wed May 14, 2008 4:11 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by annielouise » Sun Oct 07, 2018 9:22 pm

If I understand their business model ( and I might not), they get paid when a company requests my credit report/score. Is that the basic idea?

In that case, they have no reason to care if it is me or a fraudster opening an account, they get paid for either. So, it actually benefits them if my credit freeze has been compromised, right?

That would explain why they aren't offering us the chance to get new PINs, and why they make it so easy to recover a lost PIN - just providing answers to questions that are available through our already compromised Equifax credit reports (which is a bad system even without this reported software bug).

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Sun Oct 07, 2018 9:36 pm

UpperNwGuy wrote:
Sun Oct 07, 2018 9:11 pm
AlphaLess wrote:
Sun Oct 07, 2018 8:55 pm
2015 wrote:
Sun Oct 07, 2018 8:29 pm
Well I'd like to blow them all up personally, but then I'd not be happy with the consequences. OP, thanks for the heads up.
You can.
Sign up to exclude your record from any marketing opportunities.
Lock up (freeze) your credit reports.
Vote for responsible politicians.
Wait! Wasn't that what the PIN was for?
In this case, the advice to lock is merely to disallow Experian to monetize user's data.

No lock can prevent a good hacker from getting the info.
The pin system is a pony and dog show.
The back-end of the database is subject to a hack, no matter what PIN you pick.
Unless they employ proper cryptographic mechanisms (whereby the PIN is a type of a private key), then it is pretty useless.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Sun Oct 07, 2018 9:37 pm

catalina355 wrote:
Sun Oct 07, 2018 8:57 pm


Given Experian's history the answer might be for the USG to shut the company down. :twisted:
Well, the major CRAs have a poor record of being data custodians.
So your argument would extend to the other two as well.

But then, there will be no credit data providers left.

MJS
Posts: 172
Joined: Sat Aug 05, 2017 10:55 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by MJS » Mon Oct 08, 2018 12:08 am

need403bhelp wrote:
Sun Oct 07, 2018 7:07 pm
https://www.nerdwallet.com/blog/finance ... it-freeze/

Any ideas for remedies if one has had one's Experian frozen?
According to USPIRG, https://uspirg.org/news/usp/you-should- ... freeze-pin , you should spend 30-40 minutes resetting your PIN via phone. USPIRG provides the phone number & procedures.

Experian's North American office is at
475 Anton Blvd.
Costa Mesa, CA 92626
1 714 830 7000

Costa Mesa is in Orange County. OC's District Attorney Consumer Fraud Unit is at (714) 834-6553.
http://orangecountyda.org/howdoi/reportfraud.asp

cheese_breath
Posts: 7928
Joined: Wed Sep 14, 2011 7:08 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by cheese_breath » Mon Oct 08, 2018 8:06 am

MJS wrote:
Mon Oct 08, 2018 12:08 am
need403bhelp wrote:
Sun Oct 07, 2018 7:07 pm
https://www.nerdwallet.com/blog/finance ... it-freeze/

Any ideas for remedies if one has had one's Experian frozen?
According to USPIRG, https://uspirg.org/news/usp/you-should- ... freeze-pin , you should spend 30-40 minutes resetting your PIN via phone....
It took me two phone calls at about 40 minutes each to get my Transunion pin reset. But most of the time on each was sitting on hold while they switched me between different people. Eventually I was switched to someone who asked me some simple questions to verify I was who I said I was. When she was satisfied she entered a request into the computer to authorize me to talk to the person who could actually give me a pin. I had to wait overnight for the request to be processed and phone back the next day. More time on hold switched between various folks until I finally reached the right person. He then asked me some questions, most of them the same questions you answer when you request a TU credit report and finally generated the pin for me.
The surest way to know the future is when it becomes the past.

wootwoot
Posts: 165
Joined: Tue Jan 27, 2009 7:37 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by wootwoot » Mon Oct 08, 2018 9:06 am

AlphaLess wrote:
Sun Oct 07, 2018 7:48 pm
2015 wrote:
Sun Oct 07, 2018 7:45 pm
Join the class action lawsuit when it starts.
What would that achieve?
Free credit monitoring for a year.

oldcomputerguy
Posts: 3311
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by oldcomputerguy » Mon Oct 08, 2018 10:23 am

willthrill81 wrote:
Sun Oct 07, 2018 9:18 pm
Yes. So people who had frozen their credit could have had their credit unfrozen so that new accounts could be opened in their name. However, I thought that they emailed you immediately (i.e. before hackers could change the email address on record) when you had your credit unfrozen.
That was not my experience. I just unfroze my accounts with the Big Three temporarily in order to take out an Amazon card, I did not receive email notification from any of the Three.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

need403bhelp
Posts: 586
Joined: Thu May 28, 2015 6:25 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by need403bhelp » Mon Oct 08, 2018 10:28 am

MJS wrote:
Mon Oct 08, 2018 12:08 am
need403bhelp wrote:
Sun Oct 07, 2018 7:07 pm
https://www.nerdwallet.com/blog/finance ... it-freeze/

Any ideas for remedies if one has had one's Experian frozen?
According to USPIRG, https://uspirg.org/news/usp/you-should- ... freeze-pin , you should spend 30-40 minutes resetting your PIN via phone. USPIRG provides the phone number & procedures.

Experian's North American office is at
475 Anton Blvd.
Costa Mesa, CA 92626
1 714 830 7000

Costa Mesa is in Orange County. OC's District Attorney Consumer Fraud Unit is at (714) 834-6553.
http://orangecountyda.org/howdoi/reportfraud.asp
Thanks, this is actually quite helpful.

Reading the article, they recommend permanently thawing your Experian report and then freezing it again. They specifically state you can do this ONLINE OR BY PHONE.

I did this for my Experian credit report online and was able to set a new PIN when I froze it again after permanently thawing it.

For my wife, for whatever reason, they are not able to verify her identity online (they were not able to previously either, although from what I can tell from her Experian report everything there is correct). However, she was able to re-freeze her report by phone (not sure why they don't ask any knowledge-based authentication questions over phone - hopefully, it is because they check the caller ID and are somehow able to rule out caller ID spoofing).

Thanks again everyone for your thoughts!

2015
Posts: 1985
Joined: Mon Feb 10, 2014 2:32 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by 2015 » Mon Oct 08, 2018 1:14 pm

cheese_breath wrote:
Mon Oct 08, 2018 8:06 am
MJS wrote:
Mon Oct 08, 2018 12:08 am
need403bhelp wrote:
Sun Oct 07, 2018 7:07 pm
https://www.nerdwallet.com/blog/finance ... it-freeze/

Any ideas for remedies if one has had one's Experian frozen?
According to USPIRG, https://uspirg.org/news/usp/you-should- ... freeze-pin , you should spend 30-40 minutes resetting your PIN via phone....
It took me two phone calls at about 40 minutes each to get my Transunion pin reset. But most of the time on each was sitting on hold while they switched me between different people. Eventually I was switched to someone who asked me some simple questions to verify I was who I said I was. When she was satisfied she entered a request into the computer to authorize me to talk to the person who could actually give me a pin. I had to wait overnight for the request to be processed and phone back the next day. More time on hold switched between various folks until I finally reached the right person. He then asked me some questions, most of them the same questions you answer when you request a TU credit report and finally generated the pin for me.
Oh great. Like this is all I have time to do, spend 40 minutes on the phone with these people cleaning up their mess. Why don't I just blow off the rest of my day go to their offices and clean their toilets, too? All of these "service" companies who swear "your call is important to us" eat away precious minutes of our lives by continually making us have to fix their screw ups. Windoze 10 latest update, anyone? It becomes death by a thousand cuts for anyone not watching.

ikowik
Posts: 123
Joined: Tue Dec 23, 2014 6:52 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by ikowik » Mon Oct 08, 2018 2:07 pm

need403bhelp wrote:
Mon Oct 08, 2018 10:28 am
MJS wrote:
Mon Oct 08, 2018 12:08 am
need403bhelp wrote:
Sun Oct 07, 2018 7:07 pm
https://www.nerdwallet.com/blog/finance ... it-freeze/

Any ideas for remedies if one has had one's Experian frozen?
According to USPIRG, https://uspirg.org/news/usp/you-should- ... freeze-pin , you should spend 30-40 minutes resetting your PIN via phone. USPIRG provides the phone number & procedures.

Experian's North American office is at
475 Anton Blvd.
Costa Mesa, CA 92626
1 714 830 7000

Costa Mesa is in Orange County. OC's District Attorney Consumer Fraud Unit is at (714) 834-6553.
http://orangecountyda.org/howdoi/reportfraud.asp
Thanks, this is actually quite helpful.

Reading the article, they recommend permanently thawing your Experian report and then freezing it again. They specifically state you can do this ONLINE OR BY PHONE.

I did this for my Experian credit report online and was able to set a new PIN when I froze it again after permanently thawing it.

For my wife, for whatever reason, they are not able to verify her identity online (they were not able to previously either, although from what I can tell from her Experian report everything there is correct). However, she was able to re-freeze her report by phone (not sure why they don't ask any knowledge-based authentication questions over phone - hopefully, it is because they check the caller ID and are somehow able to rule out caller ID spoofing).

Thanks again everyone for your thoughts!
Thank you for this post. Reading through the thread I was dreading having to call Experian. I went online and did what you described for myself and wife. Was given the option to choose our new PINs.

changingtimes
Posts: 32
Joined: Mon Jul 24, 2017 9:28 am

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by changingtimes » Mon Oct 08, 2018 2:44 pm

I just tried and got an error saying they couldn't unfreeze mine online.

Then just for the heck of it I decided to pretend I forgot I had a freeze, and filled out the form to set one, and it told me I already have one, and showed me the previous PIN.
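The two behaviours reported in this thread (a recovery quiz that passed when every answer was "None of the above", and a freeze form that displayed the existing PIN), modelled next to a fail-closed design, as an added example that is not part of the thread and not Experian's code. The quiz data, function names and `FreezePinStore` class are hypothetical; the permissive grader is only an assumption about how such a flaw could arise.

```python
import hashlib
import hmac
import secrets

NOTA = "None of the above"

# Constructed sample quiz (not real consumer data). The third question is a
# decoy whose expected answer really is NOTA.
SAMPLE_QUIZ = [
    {"text": "What year Honda Accord do you own?",
     "options": ["2009", "2012", "2015", NOTA], "expected": "2012"},
    {"text": "Which street have you lived on?",
     "options": ["Maple Ave", "Oak St", "Pine Rd", NOTA], "expected": "Maple Ave"},
    {"text": "Which lender holds your mortgage?",
     "options": ["Lender A", "Lender B", "Lender C", NOTA], "expected": NOTA},
]


def grade_permissive(quiz, answers):
    """Hypothetical flawed grader: NOTA is never scored as a wrong answer."""
    return all(a == NOTA or a == q["expected"] for q, a in zip(quiz, answers))


def grade_strict(quiz, answers, min_positive=2):
    """Fail closed: every answer must match, and the quiz must contain at
    least `min_positive` questions whose expected answer is not NOTA."""
    if len(answers) != len(quiz):
        return False
    positive = 0
    for question, answer in zip(quiz, answers):
        if answer not in question["options"] or answer != question["expected"]:
            return False
        if question["expected"] != NOTA:
            positive += 1
    return positive >= min_positive


class FreezePinStore:
    """Keeps only a salted hash of each freeze PIN, so no form can show it.

    A short numeric PIN has little entropy, so the hash is here to prevent
    read-back, not to resist offline guessing; attempts still need limiting.
    """

    def __init__(self):
        self._records = {}  # consumer_id -> (salt, digest)

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

    def set_pin(self, consumer_id, pin):
        salt = secrets.token_bytes(16)
        self._records[consumer_id] = (salt, self._hash(pin, salt))

    def verify(self, consumer_id, pin):
        record = self._records.get(consumer_id)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._hash(pin, salt))

    def request_freeze(self, consumer_id, new_pin):
        """A repeat freeze request reports status only and echoes no PIN."""
        if consumer_id in self._records:
            return {"status": "already_frozen"}
        self.set_pin(consumer_id, new_pin)
        return {"status": "frozen"}

    def recover(self, consumer_id, quiz, answers):
        """Recovery replaces the PIN after strict grading; the old PIN cannot
        be read back and stops working. Returns None on any failure."""
        if consumer_id not in self._records or not grade_strict(quiz, answers):
            return None
        new_pin = f"{secrets.randbelow(10**10):010d}"
        self.set_pin(consumer_id, new_pin)
        return new_pin


if __name__ == "__main__":
    all_nota = [NOTA] * len(SAMPLE_QUIZ)
    print("permissive grader, all NOTA:", grade_permissive(SAMPLE_QUIZ, all_nota))
    print("strict grader, all NOTA:    ", grade_strict(SAMPLE_QUIZ, all_nota))
    store = FreezePinStore()
    print(store.request_freeze("consumer-1", "4821973650"))
    print(store.request_freeze("consumer-1", "0000000000"))
```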

ikowik
Posts: 123
Joined: Tue Dec 23, 2014 6:52 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by ikowik » Mon Oct 08, 2018 2:58 pm

changingtimes wrote:
Mon Oct 08, 2018 2:44 pm
I just tried and got an error saying they couldn't unfreeze mine online.

Then just for the heck of it I decided to pretend I forgot I had a freeze, and filled out the form to set one, and it told me I already have one, and showed me the previous PIN.
That is not good!! Defeats the whole purpose of the PIN which is to stop someone who knows a lot about me and is pretending to be me. I wish there was a way to stop Experian tracking me.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Mon Oct 08, 2018 9:14 pm

wootwoot wrote:
Mon Oct 08, 2018 9:06 am
AlphaLess wrote:
Sun Oct 07, 2018 7:48 pm
2015 wrote:
Sun Oct 07, 2018 7:45 pm
Join the class action lawsuit when it starts.
What would that achieve?
Free credit monitoring for a year.
Well, considering how many hacks our data has been subject to, we are probably entitled to gazillion free credit monitorings (sic). Unfortunately, after the first one, the remaining add zero value.

NoHeat
Posts: 190
Joined: Sun Sep 18, 2016 10:13 am

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by NoHeat » Mon Oct 08, 2018 10:30 pm

changingtimes wrote:
Mon Oct 08, 2018 2:44 pm
I just tried and got an error saying they couldn't unfreeze mine online.

Then just for the heck of it I decided to pretend I forgot I had a freeze, and filled out the form to set one, and it told me I already have one, and showed me the previous PIN.
Wow, this is yet another huge security hole.

I agree with ikowik, I wish I could prevent Experian from possessing any data on me. Same for the other credit reporting agencies.

WageSlave
Posts: 92
Joined: Tue Jan 08, 2013 3:20 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by WageSlave » Tue Oct 09, 2018 12:48 pm

willthrill81 wrote:
Sun Oct 07, 2018 9:18 pm
However, I thought that they emailed you immediately (i.e. before hackers could change the email address on record) when you had your credit unfrozen.
I'd call send email when unfrozen a technical solution. And these credit reporting agencies have already proven they fail at their most important technical task: protecting our data. And they continue to demonstrate their technical ineptness:
oldcomputerguy wrote:
Mon Oct 08, 2018 10:23 am
That was not my experience. I just unfroze my accounts with the Big Three temporarily in order to take out an Amazon card, I did not receive email notification from any of the Three.
changingtimes wrote:
Mon Oct 08, 2018 2:44 pm
Then just for the heck of it I decided to pretend I forgot I had a freeze, and filled out the form to set one, and it told me I already have one, and showed me the previous PIN.
...and the whole topic of this thread demonstrates yet another glaring technical failure in their systems.

annielouise wrote:
Sun Oct 07, 2018 9:22 pm
In that case, they have no reason to care if it is me or a fraudster opening an account, they get paid for either. So, it actually benefits them if my credit freeze has been compromised, right?
It certainly doesn't hurt them. The Equifax situation demonstrated that they can lose data, not tell anyone about the breach for months, then get immunity from lawsuits. What incentive do they possibly have to care? And you can't even opt-out!

AlphaLess wrote:
Sun Oct 07, 2018 9:36 pm
In this case, the advice to lock is merely to disallow Experian to monetize user's data.
Unfortunately, none of them have an "opt out" feature. And even if they did, do you trust them to really remove your data? Is it possible to get a report from them that shows not only who is querying your data, but how they got your data in the first place? To me it's self-evident that if someone is going to keep such detailed info on me, I have a right to know how they are collecting it, how they are storing it, and how they are using it. And why can I only see my report once a year? (Looks an awful lot like an artificial constraint to support credit monitoring services.)

AlphaLess wrote:
Sun Oct 07, 2018 9:36 pm
No lock can prevent a good hacker from getting the info.
The pin system is a pony and dog show.
The back-end of the database is subject to a hack, no matter what PIN you pick.
Unless they employ proper cryptographic mechanisms (whereby the PIN is a type of a private key), then it is pretty useless.
I agree no system is 100% secure. But people who know what they are doing can make a system very secure. First step is, don't make the database accessible in any way, except by authorized, internal systems. Even those systems go through a series of authenticating firewalls. The authorized systems only retrieve a subset of the raw data, through a constrained interface. Any public-facing systems need to be routinely audited by an independent third party. Every transaction at every level of the system gets logged. All logs are stored permanently. Logs themselves are analyzed for suspicious activity. None of this is really high-tech, it's just data security best practices. But it's real work, and definitely has a non-trivial amount of overhead. But those costs are borne out somewhere...

AlphaLess wrote:
Mon Oct 08, 2018 9:14 pm
Well, considering how many hacks our data has been subject to, we are probably entitled to gazillion free credit monitorings (sic). Unfortunately, after the first one, the remaining add zero value.
...I would argue even the first has dubious value. Bad people use this data not just for opening lines of credit, but a litany of nefarious purposes. Case in point: not too long ago, on Sunday morning, I got a call from my credit card company reporting suspicious activity. Numerous fraudulent charges were made between me going to bed and getting the call in the morning. Now this isn't the first time I've had a credit card number compromised, so initially I didn't think too much of it---until we started receiving packages from those fraudulent charges. Not only did the perp have my credit card number, they had my phone number and mailing address as well. My wife was scared, asking, how could they get this information? I said, look at all the data breaches that have become routine: Equifax, Target, Home Depot, etc etc.

I just don't see why there isn't more outrage about data breaches. I can't opt-out, and these CRAs have zero accountability.

3-20Characters
Posts: 72
Joined: Tue Jun 19, 2018 2:20 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by 3-20Characters » Tue Oct 09, 2018 12:55 pm

2015 wrote:
Mon Oct 08, 2018 1:14 pm
cheese_breath wrote:
Mon Oct 08, 2018 8:06 am
MJS wrote:
Mon Oct 08, 2018 12:08 am
need403bhelp wrote:
Sun Oct 07, 2018 7:07 pm
https://www.nerdwallet.com/blog/finance ... it-freeze/

Any ideas for remedies if one has had one's Experian frozen?
According to USPIRG, https://uspirg.org/news/usp/you-should- ... freeze-pin , you should spend 30-40 minutes resetting your PIN via phone....
It took me two phone calls at about 40 minutes each to get my Transunion pin reset. But most of the time on each was sitting on hold while they switched me between different people. Eventually I was switched to someone who asked me some simple questions to verify I was who I said I was. When she was satisfied she entered a request into the computer to authorize me to talk to the person who could actually give me a pin. I had to wait overnight for the request to be processed and phone back the next day. More time on hold switched between various folks until I finally reached the right person. He then asked me some questions, most of them the same questions you answer when you request a TU credit report and finally generated the pin for me.
Oh great. Like this is all I have time to do, spend 40 minutes on the phone with these people cleaning up their mess. Why don't I just blow off the rest of my day go to their offices and clean their toilets, too? All of these "service" companies who swear "your call is important to us" eat away precious minutes of our lives by continually making us have to fix their screw ups. Windoze 10 latest update, anyone? It becomes death by a thousand cuts for anyone not watching.
This times 1 gazillion.

whodidntante
Posts: 4047
Joined: Thu Jan 21, 2016 11:11 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by whodidntante » Tue Oct 09, 2018 12:57 pm

You should freeze your credit. Lol. I hope they get a gozillion dollar EU style fine. Then they'll take security seriously.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Tue Oct 09, 2018 11:04 pm

WageSlave wrote:
Tue Oct 09, 2018 12:48 pm
AlphaLess wrote:
Sun Oct 07, 2018 9:36 pm
In this case, the advice to lock is merely to disallow Experian to monetize user's data.
Unfortunately, none of them have an "opt out" feature. And even if they did, do you trust them to really remove your data? Is it possible to get a report from them that shows not only who is querying your data, but how they got your data in the first place? To me it's self-evident that if someone is going to keep such detailed info on me, I have a right to know how they are collecting it, how they are storing it, and how they are using it. And why can I only see my report once a year? (Looks an awful lot like an artificial constraint to support credit monitoring services.)

AlphaLess wrote:
Sun Oct 07, 2018 9:36 pm
No lock can prevent a good hacker from getting the info.
The pin system is a pony and dog show.
The back-end of the database is subject to a hack, no matter what PIN you pick.
Unless they employ proper cryptographic mechanisms (whereby the PIN is a type of a private key), then it is pretty useless.
I agree no system is 100% secure. But people who know what they are doing can make a system very secure. First step is, don't make the database accessible in any way, except by authorized, internal systems. Even those systems go through a series of authenticating firewalls. The authorized systems only retrieve a subset of the raw data, through a constrained interface. Any public-facing systems need to be routinely audited by an independent third party. Every transaction at every level of the system gets logged. All logs are stored permanently. Logs themselves are analyzed for suspicious activity. None of this is really high-tech, it's just data security best practices. But it's real work, and definitely has a non-trivial amount of overhead. But those costs are borne out somewhere...

AlphaLess wrote:
Mon Oct 08, 2018 9:14 pm
Well, considering how many hacks our data has been subject to, we are probably entitled to gazillion free credit monitorings (sic). Unfortunately, after the first one, the remaining add zero value.
...I would argue even the first has dubious value. Bad people use this data not just for opening lines of credit, but a litany of nefarious purposes. Case in point: not too long ago, on Sunday morning, I got a call from my credit card company reporting suspicious activity. Numerous fraudulent charges were made between me going to bed and getting the call in the morning. Now this isn't the first time I've had a credit card number compromised, so initially I didn't think too much of it---until we started receiving packages from those fraudulent charges. Not only did the perp have my credit card number, they had my phone number and mailing address as well. My wife was scared, asking, how could they get this information? I said, look at all the data breaches that have become routine: Equifax, Target, Home Depot, etc etc.

I just don't see why there isn't more outrage about data breaches. I can't opt-out, and these CRAs have zero accountability.
Too many concepts are confused by your post:
- freezing a report does not remove the data (there is no legal mechanism yet for removing your data),
- is it possible to see who is viewing your data. Yes. Every inquiry has a permissible purpose stated, together with name, address, and phone number of the party viewing it. Typical purposes are: (a) AR or account review, (b) credit inquiry (so-called hard inquiry), (c) consumer inquiry, i.e., you requested it,
- why can I only see my report once. You can see your report once, for free, under the law passed a few years ago. There is a way to see your report daily, weekly, or any time you want. Some companies offer this as a service (e.g., for $x/M), and yet others offer this for free. Of course, they present the data in a nice web interface, which often times removes some good details. And lastly, you can always play the dispute game,
- yes, a lot of people pretend like they know what they are doing. I have not yet met a single company, organization, or a sovereign government that has learned how to secure data. Not one. And I am 100% sure that I will never meet one in my lifetime (or the next 200 years). Given enough resources, you can hack anything, even someone's private e-mail server e-mails. It is so easy, even a --deleted-- caveman can do it,
- well, the credit card unauthorized transactions have nothing to do with CRA breaches. Those come from two sources: some large retailer gets hacked, and a large number of credit cards get compromised, or something happened between you and the issuing bank.
- I don't see why there isn't such outrage about data breaches. There is. But we live in the United States of America, where corporations have powerful lobbies. Research shows that the single largest type of investment, one with the highest ROI, is corporate lobbying.

WageSlave
Posts: 92
Joined: Tue Jan 08, 2013 3:20 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by WageSlave » Wed Oct 10, 2018 1:29 pm

AlphaLess wrote:
Tue Oct 09, 2018 11:04 pm
- freezing a report does not remove the data (there is no legal mechanism yet for removing your data),
Agreed, I didn't mean to suggest otherwise.

What I was trying to say: there should be a way to remove the data or opt-out of the service entirely. It's detailed, identifying information about me, so I should be the one who gets to say how it's used, who sees it, etc.

AlphaLess wrote:
Tue Oct 09, 2018 11:04 pm
- is it possible to see who is viewing your data. Yes. Every inquiry has a permissible purpose stated, together with name, address, and phone number of the party viewing it. Typical purposes are: (a) AR or account review, (b) credit inquiry (so-called hard inquiry), (c) consumer inquiry, i.e., you requested it,
Given all the technical issues the CRAs have had, how can we trust that what we are seeing is accurate? What's to stop them from offering a "premium inquiry service" where inquiries are made but not shown in the report?

Also, do we know what data is shown in these inquiries? Is it just data related to my credit history (lines of credit, payment info, etc)? Or do they also get to see personally identifying information? And does the party who sees the data (via the inquiry), are they limited (contractually or by law) in how they can use that data?

And where can I see the source of this data? And when it was collected? And how it was collected?

AlphaLess wrote:
Tue Oct 09, 2018 11:04 pm
- why can I only see my report once. You can see your report once, for free, under the law passed a few years ago. There is a way to see your report daily, weekly, or any time you want. Some companies offer this as a service (e.g., for $x/M), and yet others offer this for free. Of course, they present the data in a nice web interface, which often times removes some good details. And lastly, you can always play the dispute game,
Again, why is this restriction in place? Why can't I see directly from the CRAs all of this detailed information as often as I want? It is, after all, detailed information about me, and a system in which I have no means from which I can opt-out. To me, it looks like an awful lot of people profit from my data, and I have virtually zero say in how it's used (and no legal recourse when it's mis-used).

AlphaLess wrote:
Tue Oct 09, 2018 11:04 pm
- yes, a lot of people pretend like they know what they are doing. I have not yet met a single company, organization, or a sovereign government that has learned how to secure data. Not one. And I am 100% sure that I will never meet one in my lifetime (or the next 200 years). Given enough resources, you can hack anything, even someone's private e-mail server e-mails. It is so easy, even a --deleted-- caveman can do it,
No disagreement. But security is a continuum or spectrum, right? Zero security on one end (white), perfect security on the other (black), and many shades of grey in between. I will concede that perfect security ("true black") is not obtainable, but does that mean we shouldn't try? My point is, to me it looks like the CRAs are about the lightest shade of grey possible without being white. They should strive to do better, much better. They can do better. There are established best practices that raise the bar from "I can crack this system with a rootkit I downloaded" to "requires eight-figure funding to crack".

That's the fundamental principle of security: the cost to defeat it should be greater than the value of what it secures. Given the CRAs' current security effort, they are implying our information is basically worthless.

AlphaLess wrote:
Tue Oct 09, 2018 11:04 pm
- well, the credit card unauthorized transactions have nothing to do with CRA breaches. Those come from two sources: some large retailer gets hacked, and a large number of credit cards get compromised, or something happened between you and the issuing bank.
Is that always true in 100% of cases? What if the person working at the restaurant where I last used that credit card wrote down the number and my name. Then went to the "dark web" and bought the rest of my personally identifying information so they could execute their scam? Every data breach (be it CRA or whatever) makes the bad guys' jobs that much easier.

The main point is, CRA data security may never be perfect, but it can certainly be a lot better. It's a poorly designed system that makes money off my info, and I have practically no say in how it's used. That feels like an injustice to me.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Wed Oct 10, 2018 9:44 pm

WageSlave wrote:
Wed Oct 10, 2018 1:29 pm
Given all the technical issues the CRAs have had, how can we trust that what we are seeing is accurate? What's to stop them from offering a "premium inquiry service" where inquiries are made but not shown in the report?
The law.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Wed Oct 10, 2018 9:45 pm

WageSlave wrote:
Wed Oct 10, 2018 1:29 pm
Is that always true in 100% of cases? What if the person working at the restaurant where I last used that credit card wrote down the number and my name. Then went to the "dark web" and bought the rest of my personally identifying information so they could execute their scam? Every data breach (be it CRA or whatever) makes the bad guys' jobs that much easier.
I can't tell 100%, but I think CRAs lack the full information needed to charge a credit card:
- no expiration dates are stored at the CRA,
- no CVV (the little 3 digits) are stored at the CRA,
- it is also possible that the full credit card number is not stored at the CRA.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Wed Oct 10, 2018 9:49 pm

WageSlave wrote:
Wed Oct 10, 2018 1:29 pm
Again, why is this restriction in place? Why can't I see directly from the CRAs all of this detailed information as often as I want? It is, after all, detailed information about me, and a system in which I have no means from which I can opt-out. To me, it looks like an awful lot of people profit from my data, and I have virtually zero say in how it's used (and no legal recourse when it's mis-used).
It's not so much a restriction, as a valuable service made available to consumers under a law passed by Congress.
Imagine that prior to that law, you could not do that.

As for why once? Technically, it would be trivial for the CRAs to allow you to "pull" your report daily.
It would probably incur a very small fee (like $0.01).

But CRAs would rather monetize that information, just like any other business.

AlphaLess
Posts: 714
Joined: Fri Sep 29, 2017 11:38 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by AlphaLess » Wed Oct 10, 2018 9:52 pm

WageSlave wrote:
Wed Oct 10, 2018 1:29 pm
No disagreement. But security is a continuum or spectrum, right? Zero security on one end (white), perfect security on the other (black), and many shades of grey in between. I will concede that perfect security ("true black") is not obtainable, but does that mean we shouldn't try? My point is, to me it looks like the CRAs are about the lightest shade of grey possible without being white. They should strive to do better, much better. They can do better. There are established best practices that raise the bar from "I can crack this system with a rootkit I downloaded" to "requires eight-figure funding to crack".

That's the fundamental principle of security: the cost to defeat it should be greater than the value of what it secures. Given the CRAs' current security effort, they are implying our information is basically worthless.
Can't comment on the degree of security at various businesses. I don't have the data to make that judgement.

If you are an individual targeted by a sovereign entity or a large black-hat hacking organization, then you are screwed.
On the other hand, if you are just an anonymous Joe out of millions, does it really matter if your data got hacked?

My assumption with respect to warehoused data: eventually, every record is going to get hacked.

I think we need some type of a solution to purge existing data, and replace it with new data, somehow.
Can't do that with all the data, but can do that with specific records.

megabad
Posts: 576
Joined: Fri Jun 01, 2018 4:00 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by megabad » Thu Oct 11, 2018 2:15 pm

This is a bit off topic since it concerns another credit reporting agency but to my knowledge Equifax no longer requires a PIN for unfreezing credit. I have not tested yet, but if true, this effectively nullifies the security benefits of credit freeze for everyone's Equifax report. There is no fix that I know of. There has been no press about this to my knowledge either. Can anyone verify this?

McDougal
Posts: 25
Joined: Tue Feb 27, 2018 3:42 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by McDougal » Thu Oct 11, 2018 2:35 pm

megabad wrote:
Thu Oct 11, 2018 2:15 pm
This is a bit off topic since it concerns another credit reporting agency but to my knowledge Equifax no longer requires a PIN for unfreezing credit. I have not tested yet, but if true, this effectively nullifies the security benefits of credit freeze for everyone's Equifax report. There is no fix that I know of. There has been no press about this to my knowledge either. Can anyone verify this?
I can confirm, no PIN is required to temporarily lift an existing freeze at Equifax online. Just need to log into your account and bingo. Username and password is all that is needed.

NoHeat
Posts: 190
Joined: Sun Sep 18, 2016 10:13 am

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by NoHeat » Thu Oct 11, 2018 8:22 pm

My Experian PIN, which worked fine a few months ago, was no longer recognized today when I tried to do a temporary freeze removal. So I tried with the forgotten PIN approach, and that failed also, resulting in this message: "to temporarily remove your freeze, please email us this letter, along with .. driver's license, ... copy of a utility bill ... and copy of your Social Security card ...." All that, to prove my identity, apparently.

This is different from what others are reporting, for Experian.

TransUnion and Equifax, on the other hand, were actually very easy to unfreeze temporarily, today. The only slight nuisance was creating a password for Equifax, since they now require a password for online unfreezing (the Equifax PIN might still be needed for the phone, I'm not sure).

Sandi_k
Posts: 778
Joined: Sat May 16, 2015 11:55 am
Location: SF Bay Area

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by Sandi_k » Fri Oct 12, 2018 3:27 pm

Following....

Nate79
Posts: 3479
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by Nate79 » Fri Oct 12, 2018 11:32 pm

Kind of funny that I get Experian email alerts for data breaches, such as the recent Google or Facebook ones but never heard anything about their own breach.....
Last edited by Nate79 on Sat Oct 13, 2018 8:23 am, edited 1 time in total.

lazydavid
Posts: 1815
Joined: Wed Apr 06, 2016 1:37 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by lazydavid » Sat Oct 13, 2018 6:10 am

WageSlave wrote:
Tue Oct 09, 2018 12:48 pm
Bad people use this data not just for opening lines of credit, but a litany of nefarious purposes. Case in point: not too long ago, on Sunday morning, I got a call from my credit card company reporting suspicious activity. Numerous fraudulent charges were made between me going to bed and getting the call in the morning. Now this isn't the first time I've had a credit card number compromised, so initially I didn't think too much of it---until we started receiving packages from those fraudulent charges. Not only did the perp have my credit card number, they had my phone number and mailing address as well. My wife was scared, asking, how could they get this information? I said, look at all the data breaches that have become routine: Equifax, Target, Home Depot, etc etc.
I'm not sure why it would shock you that someone who was using your card fraudulently had your address. After all, it's required to validate online card-not-present transactions, so there would be no fraud without the address. Have you ever bought anything with a CC online and not been prompted for your billing address?

Additionally, it's not hard to get an address even absent a breach. Go to www.whitepages.com and put in your name. I bet your full address comes back.

lazydavid
Posts: 1815
Joined: Wed Apr 06, 2016 1:37 pm

Re: "Experian Flaw Just Revealed PINs Protecting Credit Data"; What to do?

Post by lazydavid » Sat Oct 13, 2018 6:12 am

Nate79 wrote:
Fri Oct 12, 2018 11:32 pm
Kind of funny that I get Experian email alerts for data breaches, such as the recent Google or Facebook ones but never heard anything about their own breach.....
They sent the notice, but their DLP (Data Loss Prevention) tools dropped it on the way out to prevent divulging company-sensitive information. Yeah, that's the story.... :twisted:
