[HN Gopher] Experian's credit freeze security is still a joke

Experian's credit freeze security is still a joke
Author : parsecs
Score : 76 points
Date : 2021-04-26 22:01 UTC (58 minutes ago)
Link : krebsonsecurity.com

dawnerd wrote:
| Meanwhile, I can't get Equifax to unfreeze my credit. Whatever
| answers they have on file are wrong and tell me to call, except
| you can't reach a human without answering those same questions.
| They've yet to respond to actual mail I've sent them too.
|
| Oh well, the other agencies unlock, so it just takes a little
| talking whenever I need to run a credit check, explaining Equifax
| is jacked up.

dylan604 wrote:
| To me, the title is overly wordy: "Experian is still a joke"

dredmorbius wrote:
| The punch line is the public, unfortunately.

Buttons840 wrote:
| It's important to realize that the credit monitoring services you
| can buy are provided by the credit companies.
|
| The same company, which may at times make false claims about you,
| is in possession of a service / technology they claim can detect
| those false claims.
|
| Why is it not libel when these companies make false claims about
| me? Especially when they advertise that they have the ability to
| detect such false claims? "Pay us and we will not make false
| claims about you," they say. "Pay us and we'll double check with
| you before making claims about you."

economusty wrote:
| They don't make the claims; they provide a database where
| others can record claims. The difference is important.

toomuchtodo wrote:
| The answer is, of course, regulation. To fix this will require
| more regulation. Contact your Congressional representatives.
| [1] The CFPB can enforce upgraded financial services policy in
| this regard once the legislation is enacted. Complaining to
| them today about this specific security failing is also likely
| helpful [2].
|
| Freezes and thaws are free. Your credit report, and any scoring
| mechanisms (FICO), should be available to consumers at any time
| free of charge. Credit monitoring products should be outlawed.
| Failures to safeguard citizen data (Equifax) or to promptly
| remove inaccurate data should incur steep financial penalties.
|
| [1] https://www.govtrack.us/congress/members ("Use GovTrack to
| find out who represents you in Congress, what bills they have
| sponsored, and how they voted.")
|
| [2] https://www.consumerfinance.gov/complaint/

mdm12 wrote:
| Speaking of regulation, Biden apparently expressed interest
| in a federal credit bureau under the CFPB
| https://finance.yahoo.com/news/biden-wants-shut-down-credit-...

toomuchtodo wrote:
| Cautiously optimistic. Having had to advocate for folks who
| were flagged by CAIVRS [1] (from an FHA mortgage
| foreclosure), I would support such a mechanism if it had
| robust transparency around metrics and exception handling
| mechanisms for those caught at the edges of the gears
| (which CAIVRS, an existing federal credit and debt default
| data system, does not).
|
| [1] https://www.hud.gov/program_offices/housing/sfh/caivrs
| ("The Credit Alert Verification Reporting System (CAIVRS)
| is a Federal interagency database that contains the
| following: Delinquent debt information from the Departments
| of Housing and Urban Development, Agriculture, Education,
| and Veterans Affairs and the Small Business
| Administration.")
|
| Sidenote: The above system is ripe for overhaul by the US
| Digital Service. It is a pathetically old mainframe system
| with limited operational hours, when it could be a
| PostgreSQL database (or similar relational db) with an API.

mulmen wrote:
| IANAL, so maybe this is hyperbolic, but it smells like extortion
| to me.

EGreg wrote:
| Funny, I just called to put a Fraud Alert on my credit report. I
| encourage everyone to do it, so this way reputable lenders are
| supposed to call you when they're trying to open an account in
| your name. An attacker would have to port your SIM card as
| well...
|
| However, all the information I was providing to set the alert, or
| remove it, is the exact information that any lender would receive
| on their application. The system is so horribly broken security-
| wise, I am shocked there aren't more accounts being opened left
| and right by people who got them from applications emailed to
| thousands of lenders over the years.

RcouF1uZ4gsC wrote:
| > and were surprised to find that just one of the five multiple-
| > guess questions they were asked after entering their address,
| > Social Security Number and date of birth had anything to do with
| > information only the credit bureau might know.
|
| And a lot more than the credit bureau know those two pieces of
| information.
|
| Honestly, the US really needs a government-run public key ID
| service. The government, in providing passports and drivers'
| licenses, is already doing identity verification. If along with
| your passport they would allow you to register a public key that
| people could use to verify your identity, it would be a huge
| help.

dylan604 wrote:
| Passports are federal while driver licenses are issued through
| the state. If you're suggesting that the public key be linked
| to a passport, then I'm guessing quite a few states will oppose
| that on "state's rights" standing.

aneutron wrote:
| Not necessarily. The chain of trust doesn't require such a
| drastic deployment.
|
| In Europe, it's commonplace to be able to subscribe to loans,
| or similar contracts, online. However, the legislation is VERY
| strict about requiring very tough MFA authentication.
|
| Say for example you would want to subscribe to a new credit
| card. You would either have to go personally to do it (which
| means they can verify your identity), or you can do it from
| your online portal. HOWEVER, if you choose to do it entirely
| online, you HAVE to use your phone as a 2nd factor to authorize
| the operation.
|
| I'm not saying there's no identity theft. There absolutely is.
| But they are extremely strict about authenticating each and
| every (considerable) move.
|
| I guess what I'm trying to say is, a PKI for the US government
| is not necessary (in fact, given the time and resistance it
| took to deploy SECURE ID, I'd say it's dead in the water right
| now), and would only require legislators not in bed with
| credit card companies to set up and enforce strict rules for
| authenticating orders / proceedings.

lhnz wrote:
| > The best part about this lax authentication process is
| > that one can enter any email address to retrieve the PIN
| > -- it doesn't need to be tied to an existing account at
| > Equifax. Also, when the PIN is retrieved, Equifax
| > doesn't bother notifying any other email addresses
| > already on file for that consumer.
|
| Hang on, so the attacker doesn't even need to break into
| somebody's email account first? They can just guess the questions
| and put in their own email address?! This is insane.

Jaygles wrote:
| The days of confirming a person's identity by testing their
| knowledge of the person's metadata are long past (if they ever
| existed in the first place).
|
| I don't know what the best solution to this will look like, or
| if society will ever try to implement one. A lot of people are
| against having a Federal ID. A private solution will have its
| own set of problems.
|
| The good news is, it's the responsibility of the place that's
| issuing the credit to do due diligence in confirming an
| identity. If someone steals your private details and gets
| approved for a line of credit using them, life will suck for a
| bit while you sort it out, but you'll never actually owe that
| money (no matter what the debt collectors tell you).

toomuchtodo wrote:
| > I don't know what the best solution to this will look like,
| > or if society will ever try to implement one.
|
| https://billhunt.dev/blog/2020/12/18/federal-policy-recs/#4-...

kminehart wrote:
| Security questions in general are a farce. I've started
| generating random passwords for answers and storing them in my
| password manager. That at least helps me feel slightly more
| secure about how ridiculous security questions are.

(page generated 2021-04-26 23:00 UTC)