'Small' Experian breach gave savvy fraudsters access to credit reports

Until the end of last year, a vulnerability at Experian allowed identity thieves to access victims' credit reports while bypassing security questions, removing a barrier to automatically web scraping for personally identifying information.

Experian said it was "reaching out to the small number of consumers potentially affected" by the vulnerability, including providing them information about how to further protect their identity.

The company did not specify the number of potential victims or how it determined that only a small number were potentially affected. The vulnerability required a step that would make it easily traceable by reviewing server logs.

Although thieves still needed to know the Social Security numbers of their victims to steal information about their credit history, the vulnerability allowed them to skip security questions about previous addresses and credit history by merely changing the URL in their browser.

The episode is an example of a technical glitch that provides bad actors a way to steal information, and a case in point of how such loopholes can work. Such glitches have kneecapped stronger security measures such as multifactor authentication, as well. These vulnerabilities can ultimately provide bad actors with fodder for account takeovers, fraudulent loan applications and other means of defrauding financial institutions and their customers

As first reported by the cybersecurity journalist Brian Krebs, identity thieves had discussed the Experian vulnerability on Telegram chat channels dedicated to cashing out compromised identities. Jenya Kushnir, a security researcher living in Ukraine, told Krebs he discovered the vulnerability while monitoring those channels.

Identity thieves exploited the vulnerability on AnnualCreditReport.com, which the Consumer Financial Protection Bureau designates as an official source that U.S. citizens can use on a weekly basis to access their credit reports.

To exploit the vulnerability, an identity thief could enter the name, address, Social Security number and date of birth for the victim on AnnualCreditReport.com. After submitting that information, the thief could elect to view a credit report from Experian, at which point Experian would challenge them with a few multiple-choice questions.

These questions ask the name of the city where the victim used to live, the name of the company that provided the victim a certain line of credit and other details based on the victim's credit report.

Rather than answer the questions, the identity thief could skip them entirely by changing the end of the page's URL to "/acr/report," which is the page to which Experian redirects users after successfully answering the security questions. Even in some cases where Experian told users they could not verify their identity, changing the URL could provide the full credit report.

According to Julien Bonnay, the U.S. head of technology and cybersecurity for the financial services consultant Capco, getting the kind of information the bureaus provide in credit reports can make it easier for fraudsters to defeat some of the security and anti-fraud measures banks put in place.

"Bypassing security questions would grant access to credit reports, which will include past addresses, issuers, account balances, etc., providing attackers information routinely used to apply for credit, or used to validate identity of account holders in case of fraud," Bonnay said. 

A spokesperson for Experian said the company already had certain mitigations in place before it learned about the vulnerability, reducing the potential impact of attacks. One example is partially redacting account numbers contained in the credit report, preventing attackers from gaining that additional information. This is a standard practice at the other two credit bureaus as well.

The Experian vulnerability highlights another key difference between its process for obtaining credit reports and that of the other two credit bureaus. While TransUnion and Equifax require a phone number from the person trying to access a credit report, Experian does not.

Requiring a phone number as an additional identity verification step is imperfect. Although this adds another hurdle for fraudsters to overcome, motivated hackers can still spoof victim phone numbers via SIM swapping or simply obtain a new phone number anonymously cheaply.

However, multiple-choice questions can provide opportunities to fraudsters. In automated attacks using a list of compromised credentials, a fraudster can correctly guess answers to multiple-choice questions a small percentage of the time. In targeted attacks, fraudsters can use public people searches and databases available on the dark web to infer answers.

Data breaches that expose victims' Social Security numbers, address, date of birth and name — the requisite pieces of data to request a credit report — take place regularly, including among banks and credit unions. Last year, at least 79 financial institutions experienced data breaches, according to data from the Maine attorney general, many of them exposing this information and more.