If you freeze your credit, Experian will let crooks unfreeze it by ticking a box


#1

Originally published at: https://boingboing.net/2017/09/21/cross-my-heart.html


#2

well this is useful today


#3

As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online

Good luck with that. I’ve purposefully never posted pet names, streets i grew up in, hometown, etc since i first started using the internet. And depending on the service sometimes i put in false responses in case that info is leaked. I have yet to freeze my credit though, you apparently need to do it with all 3 companies and Equifax has been down every time i’ve checked sooooo…


#4

I make up answers, too. But these kba pull from databases, not the info you gave them. If they wanted my mother’s maiden name I’d have to try every fake answer I’ve given every website.


#5

We’re sorry

A condition exists that prevents Experian from being able to accept your request at this time.

Awesome. Still down. And from what i’ve read if you call them to freeze your call won’t go through or get looped through their menus over the phone. I haven’t tried yet, anyone here had any success?


#6

Experian doesn’t know the answers to those questions, so I don’t think it’s asking you about your pet’s name.

I think that these are the same questions you have to answer when you freeze your credit: questions they know from their credit database. “Which of these 5 streets did you live on?” “What’s your monthly student loan repayment?” Etc etc.

THOSE questions the scammers probably already have the answers to, so they are probably useless for security.

(But it’s a difficult problem, once we’re assuming the existence of these odious agencies ands this whole system: once you’ve frozen your credit, how can you open it again if you’ve lost your PIN?)


#7

You think that’s bad, go try and freeze your credit with Transunion. They will let you fill in all your info, even your credit card so they can get your $5. You hit submit and then it tells you they couldn’t do it for whatever reason. The put an authrization on your credit card account anyway. So then you have to go to their document upload site (which doesn’t have any options to say you are sending documents for a credit freeze) and you have to upload a copy of an ID, a recent bill showing your address, and a PDF that contains your SSN and other info. I did this 4 days ago and have yet to hear back from them. It did the same thing for both me and my wife. Experian was the simplest one to get to work and they charged me the $5 (because of my state laws). Equifax I had to retry 3 times then it finally worked and it was still free as of 4 days ago. And don’t forget about Innovis. Their site was very easy and it was free but they said they would send me a letter in the mail with my pin.


#8

I’ve been through this, and it gets hard as hell when you get to be my age and have lived in a dozen cities, some for less than a year. Honestly, the fact that I can’t remember the exact street address from somewhere I lived my second year of graduate school in 1979 shouldn’t mean I can’t protect my credit.

There is an obvious solution to all of this, namely close the credit reporting agencies and make it a high-penalty felony for any private entity to share any aspect of your financial history without your express, written permission. If someone wants to check my creditworthiness before renting me a flat, I will grant them permission to phone my bank and my employer.


#9

Agreed, I’m only 30 and I have this problem. There’s always at least one KBA question I have to guess on (or for which I was pretty sure the correct answer was not present).

And I highly doubt the databases they draw from are consistently accurate, anyway. Yesterday I went online on my laptop to report a downed power line. I had to log into my account with the power company, which due to having e-bills and auto-pay set up I haven’t done in years. They still had me down as living at my previous address and claimed I had no bills less than 3 years old (even though the bills they sent me every month were for my correct address). Then I logged in through their android app, and everything there was correct.


#10

The one time I actually succeeded in getting a report it was a complete shambles and they never responded to any of the dispute forms I sent. Fortunately my bank said they don’t put much weight on Transunion data because everybody knows it’s fucked up.


#11

I was able to freeze my credit at all three credit bureaus. I believe Equifax was an online form, the other two I called and spoke to a rep and they helped me freeze my credit. Still, as this story reveals, I’m not at all confident my financial and personal data is safe. Persons are also allowed three free credit reports per year. It is recommended to obtain these reports spaced over 3-4 months throughout the year to get an idea if anybody has pilfered your credit. ‘Late stage capitalism’. Seems to be the latest meme.


#12

The problem is, for example, the KBA questions come from publicly-available sources. For example, my credit card company authenticates by asking “which of the following 3 addresses have you been associated with” and they ask 3 residential addresses, one of which I used to live at. Problem is, that kind of information is EASILY tracked down on the internet.

They then ask a second question, three more addresses, and yup, they are former residential addresses AGAIN where they ask about the place I lived in BEFORE the address in the first question.

The problem with that is while they’ve asked two questions there is only one source for the data they asked for.

If they had asked for a place where I’d worked, or a hotel I’d stayed in, that would be different-- break into one database with my historical residences and you’ve hacked into my credit card company.

I swear, there must be SO MANY IDIOTS working in security these days…


#13

This topic was automatically closed after 5 days. New replies are no longer allowed.