[HN Gopher] Experian's credit freeze security is still a joke
___________________________________________________________________
Experian's credit freeze security is still a joke
Author : parsecs
Score : 76 points
Date : 2021-04-26 22:01 UTC (58 minutes ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| dawnerd wrote:
| Meanwhile, I can't get Equifax to unfreeze my credit. Whatever
| answers they have on file are wrong and tell me to call - except
| you can't reach a human without answering those same questions.
| They've yet to respond to actual mail I've sent them too.
|
| Oh well, the other agencies unlock, so it just takes a little
| talking whenever I need to run a credit check, explaining Equifax
| is jacked up.
| dylan604 wrote:
| To me, the title is overly wordy: "Experian is still a joke"
| dredmorbius wrote:
| The punch line is the public, unfortunately.
| Buttons840 wrote:
| It's important to realize that the credit monitoring services you
| can buy are provided by the credit companies.
|
| The same company, which may at times make false claims about you,
| is in possession of a service / technology they claim can detect
| those false claims.
|
| Why is it not libel when these companies make false claims about
| me? Especially when they advertise that they have the ability to
| detect such false claims? "Pay us and we will not make false
| claims about you" they say. "Pay us and we'll double check with
| you before making claims about you."
| economusty wrote:
| They don't make the claims, they provide a database where
| others can record claims. The difference is important.
| toomuchtodo wrote:
| The answer is, of course, regulation. To fix this will require
| more regulation. Contact your Congressional representatives.
| [1] The CFPB can enforce upgraded financial services policy in
| this regard once the legislation is enacted. Complaining to
| them today about this specific security failing is also likely
| helpful [2].
|
| Freezes and thaws are free. Your credit report, and any scoring
| mechanisms (FICO), should be available to consumers at any time
| free of charge. Credit monitoring products should be outlawed.
| Failures to safeguard citizen data (Equifax) or to promptly
| remove inaccurate data should incur steep financial penalties.
|
| [1] https://www.govtrack.us/congress/members ("Use GovTrack to
| find out who represents you in Congress, what bills they have
| sponsored, and how they voted.")
|
| [2] https://www.consumerfinance.gov/complaint/
| mdm12 wrote:
| Speaking of regulation, Biden apparently expressed interest
| in a federal credit bureau under the CFPB
| https://finance.yahoo.com/news/biden-wants-shut-down-
| credit-...
| toomuchtodo wrote:
| Cautiously optimistic. Having had to advocate for folks who
| were flagged by CAIVRS [1] (from an FHA mortgage
| foreclosure), I would support such a mechanism if it had
| robust transparency around metrics and exception-handling
| mechanisms for those caught at the edges of the gears
| (which CAIVRS, an existing federal credit and debt default
| data system, does not).
|
| [1] https://www.hud.gov/program_offices/housing/sfh/caivrs
| ("The Credit Alert Verification Reporting System (CAIVRS)
| is a Federal interagency database that contains the
| following: Delinquent debt information from the Departments
| of Housing and Urban Development, Agriculture, Education,
| and Veterans Affairs and the Small Business
| Administration.")
|
| Sidenote: The above system is ripe for overhaul by the US
| Digital Service. It is a pathetically old mainframe system
| with limited operational hours, when it could be a
| PostgreSQL database (or similar relational db) with an API.
| mulmen wrote:
| IANAL so maybe this is hyperbolic but it smells like extortion
| to me.
| EGreg wrote:
| Funny, I just called to put a Fraud Alert on my credit report. I
| encourage everyone to do it - so this way reputable lenders are
| supposed to call you when they're trying to open an account in
| your name. An attacker would have to port your SIM card as
| well...
|
| However, all the information I was providing to set the alert, or
| remove it, is the exact information that any lender would receive
| on their application. The system is so horribly broken security-
| wise, I am shocked there aren't more accounts being opened left
| and right by people who got them from applications emailed to
| thousands of lenders over the years.
| RcouF1uZ4gsC wrote:
| > and were surprised to find that just one of the five multiple-
| guess questions they were asked after entering their address,
| Social Security Number and date of birth had anything to do with
| information only the credit bureau might know.
|
| And a lot more than the credit bureau know those two pieces of
| information.
|
| Honestly, the US really needs a government run public key ID
| service. The government in providing passports and drivers'
| licenses is already doing identity verification. If along with
| your passport they would allow you to register a public key that
| people could use to verify your identity, it would be a huge
| help.
| dylan604 wrote:
| Passports are federal while driver licenses are issued through
| the state. If you're suggesting that the public key be linked
| to a passport, then I'm guessing quite a few states will oppose
| that on "state's rights" standing.
| aneutron wrote:
| Not necessarily. The chain of trust doesn't require such a
| drastic deployment.
|
| In Europe, it's commonplace to be able to subscribe to loans,
| or similar contracts online. However, the legislation is VERY
| strict about requiring very tough MFA authentication.
|
| Say for example you would want to subscribe to a new credit
| card. You would either have to go personally to do it (which
| means they can verify your identity), or you can do it from
| your Online portal. HOWEVER, if you choose to do entirely
| online, you HAVE to use your phone as a 2nd factor to authorize
| the operation.
|
| I'm not saying there's no identity theft. There absolutely is.
| But they are extremely strict about authenticating each and
| every (considerable) move.
|
| I guess what I'm trying to say is, a PKI for the U.S. government
| is not necessary (in fact, given the time and resistance it
| took to deploy SECURE ID, I'd say it's dead in the water right
| now), and would only require legislators not in bed with
| credit card companies, to set up and enforce strict rules for
| authenticating orders / proceedings.
| lhnz wrote:
| > The best part about this lax authentication process is
| > that one can enter any email address to retrieve the PIN
| > -- it doesn't need to be tied to an existing account at
| > Equifax. Also, when the PIN is retrieved, Equifax doesn't
| > bother notifying any other email addresses already on file
| > for that consumer.
|
| Hang on, so the attacker doesn't even need to break into
| somebody's email account first, they can just guess the questions
| and put in their own email address?! This is insane.
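The two weaknesses quoted above (the PIN goes to any address the requester types, and nobody already on file hears about it) are closed on the server side by a few checks. The following is an added illustration, not code from Equifax, Experian or the linked article, using hypothetical names and constructed sample data: it refuses destinations not already on file, announces every attempt to the addresses on file, caps the number of guesses at the knowledge-based questions, and compares answers in constant time.

```python
import hmac
from dataclasses import dataclass, field

MAX_KBA_FAILURES = 3  # lock the flow after this many wrong answer sets


@dataclass
class Consumer:  # hypothetical record; constructed for this example
    consumer_id: str
    emails_on_file: set  # every address already associated with this consumer
    kba_answers: dict    # question -> expected answer (constructed sample data)
    kba_failures: int = 0
    notifications: list = field(default_factory=list)  # stand-in outbox: "addr: message"
    pin_sent_to: list = field(default_factory=list)


def _norm(s):
    return s.strip().lower().encode()


def retrieve_pin(consumer, requested_email, answers):
    """Return 'sent', 'rejected_email', 'locked' or 'rejected_kba'."""
    addr = requested_email.strip().lower()
    # 1. Destination must already be on file; an unknown address is refused
    #    and every known address is told that someone tried.
    if addr not in consumer.emails_on_file:
        for e in sorted(consumer.emails_on_file):
            consumer.notifications.append(f"{e}: PIN retrieval attempted for unknown address {addr}")
        return "rejected_email"
    # 2. Bound the number of guesses at the knowledge-based questions.
    if consumer.kba_failures >= MAX_KBA_FAILURES:
        return "locked"
    # 3. Check the whole answer set; one failure per attempt, constant-time compare,
    #    so the caller learns nothing about which individual question was wrong.
    ok = True
    for question, expected in consumer.kba_answers.items():
        ok &= hmac.compare_digest(_norm(answers.get(question, "")), _norm(expected))
    if not ok:
        consumer.kba_failures += 1
        for e in sorted(consumer.emails_on_file):
            consumer.notifications.append(f"{e}: failed PIN retrieval attempt ({consumer.kba_failures}/{MAX_KBA_FAILURES})")
        return "rejected_kba"
    # 4. Deliver to the requested known address and notify the other addresses on file.
    consumer.kba_failures = 0
    consumer.pin_sent_to.append(addr)
    for e in sorted(consumer.emails_on_file - {addr}):
        consumer.notifications.append(f"{e}: your freeze PIN was just sent to {addr}")
    return "sent"


def sample_consumer():
    """Constructed sample record; not real data."""
    return Consumer("c-0001", {"alice@example.com", "alice.work@example.org"},
                    {"prior street": "12 Elm St", "car loan lender": "Sample Bank"})
```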
| Jaygles wrote:
| The days of confirming a person's identity by testing their
| knowledge on the person's metadata are long past (if they ever
| existed in the first place).
|
| I don't know what the best solution to this will look like, or
| if society will ever try to implement one. A lot of people are
| against having a Federal ID. A private solution will have its
| own set of problems.
|
| The good news is, it's the responsibility of the place that's
| issuing the credit to do due diligence of confirming an
| identity. If someone steals your private details and gets
| approved for a line of credit using them, life will suck for a
| bit while you sort it out, but you'll never actually owe that
| money (no matter what the debt collectors tell you).
| toomuchtodo wrote:
| > I don't know what the best solution to this will look like,
| or if society will ever try to implement one.
|
| https://billhunt.dev/blog/2020/12/18/federal-policy-
| recs/#4-...
| kminehart wrote:
| Security questions in general are a farce. I've started
| generating random passwords for answers and storing them in my
| password manager. That at least helps me feel slightly more
| secure about how ridiculous security questions are.