Experian Was Barely Trying to Protect Individuals’ Credit Reports ⇥ krebsonsecurity.com
Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.
Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”
[Jenya] Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.
Oh come on. This is an elementary error for any gated service to make, let alone one with as much information as is held by a credit reporting agency like Experian. In the wake of the Equifax breach, Experian was running ads promoting its identity theft protection services — promises that are laughable in the wake of this vulnerability.