PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters

Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims. The credit-monitoring agency lets people freeze their account using a PIN that has to be submitted in when applying for stuff like loans: it's a mechanism …

  1. The Man Who Fell To Earth

    Nuke the entire Experian site from orbit

    It's the only way to be sure.

    1. Mark 85

      Re: Nuke the entire Experian site from orbit

      Also the other two big players. Might as well get rid of them all due to leaks, break-ins, etc.

  2. Mayday

    Can someone tell me why?

    I have to have pretty much my entire life, my ability to get a place to live, approval to get a credit card, to even get a mobile phone from shit cunts such as this?

    1. Anonymous Coward

      Re: Can someone tell me why?

      "I have to have pretty much my entire life, my ability to get a place to live, approval to get a credit card, to even get a mobile phone from shit cunts such as this?"

      Sure, here's your answer:

    2. Anonymous Coward

      Re: Can someone tell me why?

      Because you live in the USA? The mere concept of credit rating is so alien and scary to me. When I need credit, the bank asks me for my records, and I bring them personally. What Experian & friends do is so illegal here, it boggles the mind it can happen somewhere else.

    3. Anonymous Coward

      Re: Can someone tell me why?

      because they have wiggled their way into the national and international-scale position of trust (lol), and you haven't. And now they're too big to fail while you, little man...

      Sigh. You might think it's all "by design", rather than chance. Where's me tinfoil hat... :/

      1. GnuTzu

        Re: Can someone tell me why?

        "Sigh. You might think it's all "by design", rather than chance. Where's me tinfoil hat... :/"

        Yet, now that it exists--why would they give it up?

        It occurred to me (during just this morning's commute) that, while this situation may have been subject to a certain amount of intentional design, this situation has certainly undergone a fair amount of evolution. And, then it occurred to me that this observation could well fall under Daniel Dennett's concept of the "free floating rationale", which essentially claims (though much debated) that things can have purpose as if they were designed despite not actually being designed. And yes, I know this is a topic that is debated at high academic levels, but I'm more interested in the implications for those who let a precarious economic system be at risk because of poor security practices.

        So, what is the moral imperative for those who profit from a flawed system that is a threat to the well being of the market, most people, the nation, and possibly humanity as a whole? If they knowingly continue to profit from it, knowing it works against survival, then does the claim that it's natural because it evolved this way really count as a reasonable moral choice? Remember, there are species that went extinct simply because they failed to adapt to a change in environment. Yet, we supposedly evolved big brains to overcome such possibilities. Apparently, our big "uh-brains" aren't yet big enough.

    4. Lee D

      Re: Can someone tell me why?

      I'll give you the "ability to get a place to live", because credit checks are done on both renters and people taking a mortgage.

      However, EVERYTHING else you state is either a) optional in that process or b) you expecting people to give you free money to do so.

      To get a mobile phone? Nope. I have one. No credit check. I bought it.

      To get a phone connection? Nope. I have one. No credit check.

      To get a credit card? Yes. To get a card that functions like a credit card? No.

      What I'll add to your list is "bank account" but - again - you don't really need them unless you want them to give you free money - overdraft or loans.

      If you want people to give you free money, yes, that person will use a service like this to check who you are.

      If you don't want people to give you free money, you don't interact with them.

      And the only time the average person NEEDS (not chooses to) someone to give them free money is... when applying for a mortgage or possibly a rental agreement.

      I hate them with a vengeance, and credit ratings are the most backwards things I've ever seen in my life. But the way to stop them is to NOT borrow money, and then pay them the interest for having done so. Then they lose not only your applications to them, but also all the money they would have made from you.

      That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury that they use barely 1/10th of its capabilities... that's just a sign of the times. There are perfectly viable alternatives called "save up" / "buy outright" / "live within your means".

        1. Anonymous Coward

        Re: Can someone tell me why?

        That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury

        Not just luxuries. Don't forget that gas, electricity and water bills usually involve a credit check unless you're on a pre-payment meter. If you're paying by instalment, then even dull stuff like home and car insurance is credit. Most but not all big telcos will credit check you for telephones, mobile or broadband, and some shitty MVNOs will even credit check you for SIM only deals.

        Anywhere that a business is incurring costs before payment or runs a smoothed direct debit system, they are extending credit. If you were running one of those businesses, you'd want to check that new customers didn't have a dreadful history of credit defaults.

      2. JimboSmith

        Re: Can someone tell me why?

        My credit score from one of these numpty companies is 100% (999/999) from another it's not even 60%. When I enquired with my financial adviser as to why this might be he said they have different factors that they use. It might be because I don't have a mobile phone contract, a landline, regular broadband etc. This despite the fact that I've never missed a payment on anything in my life. Companies make their own minds up as to whether to lend you money based on the info they can see on your report. Your score means bugger all to them apparently but can be useful in massaging your ego.

        1. Lee D

          Re: Can someone tell me why?

          There's no such thing as a credit score.

          It's literally a number made up by a single entity, and has no standardisation or correlation to any other number. You can't compare them, you can't predict them, you can't even choose a threshold (GDPR says that a human must now evaluate if the customer demands, not a computer score). They are literally a fabrication and any website that claims to tell you your credit score is no different from one telling you how many you rate out of ten on the sexiness scale.

          As such, no credit decision is taken on the basis of "at least 900 on your credit score". It doesn't exist like that, and isn't processed like that, and when you do a minimal/statutory/DPA request from the credit agency, that number never appears.

          Because the data they hold (what you pay for, when you pay it, how much you owe to whom) is the data that decisions are based on and every single credit-giving entity has their own criteria based on that data that has nothing to do with the credit reference agencies or any made-up "score".

          The reason they won't lend to someone like you with 999/999 is precisely stated in your comment: You don't have any credit, and "You've never missed a payment". You're not profitable to them. And even no credit history at all is a red flag, so they won't lend to anyone who doesn't already have some form of credit history. It's a reputation score of "would he pay me back" - when someone who's never needed credit in their life suddenly asks for a loan, the risk is enormous - you have no idea if they're just gonna cut-and-run.

          I made my "score" on one website drop from 700 to 100 by asking for a Vodafone SIM three times, and never receiving / activating any of them. Literally, I did nothing else, owe nobody any money, never even got to give payment details but "multiple credit requests" is considered a sign of desperation, so they hurt you for it so they don't put themselves at risk.

          Credit scores are made-up nonsense. Credit references are basically subjective and there to profit companies giving credit. Actual credit for daily life shouldn't be required except for the major unaffordable items (housing is about the only thing). That someone asks for credit for home or car insurance - that's a red-flag. They can't afford to pay an annual lump sum, but they're keeping their car in good nick are they? Credit shouldn't be required for that. But we've taught our kids that that's okay (I blame Direct Debit a bit, but most essential DD's are actually zero-interest and cheaper than the annual payment). Telephones and mobile - I covered that. No. Buy.

          But in all these other places you're ASKING for credit, when you could operate without credit. You're asking the gas company to lend you £200 for gas and you'll "pay them back next month". That's what you're doing. It's perfectly justified but also not strictly necessary. Nowadays pre-pay with a smart meter means you are on a monthly recurring pre-pay "contract" that you can cancel at any time and never get into debt for. That's no worse than a DD of credit on your account, in effect.

          I'm not saying it's not the norm. I'm saying all those things - apart from housing - you do actually have a choice on, but instead choose to pay money to credit reference agencies and credit middle-men who are paying for your car / phone / etc. and then taking their percentage on top.

          100 years ago, you literally didn't have a choice. You had the money or not, and lenders were not to be used for minor things. Nowadays, every 18-year-old fights for a credit card, phone contract, monthly car insurance deal, car finance, etc. the second they are of age to do so. Sorry... no sympathy.

          (P.S. I have credit agreements. I'm no martyr here. But I do everything I can to ensure they're affordable, as well as ensure they are necessary and that I have a backup plan should something happen - lose my job, etc. And, no, that doesn't mean payment protection insurance! If you said to me tomorrow that you're cancelling all my credit agreements that I have in place... you'd take my car from me and have to give me back more than enough to buy several new cars, or I could dip into what I have and buy it from you - and even that is *literally* because I was forced to move out and live on my own, doubling my expenditure, and therefore spending the money I had put aside to pay off the rest of the car... halfway through the credit term).

      3. Doctor Syntax

        Re: Can someone tell me why?

        What I'll add to your list is "bank account" but - again - you don't really need them unless you want them to give you free money - overdraft or loans.

        And providing you're intending to work cash in hand. Does any permanent job still pay wages in cash?

      4. Mr. Flibble

        Re: Can someone tell me why?

        I agree with most of your points, however, once I swapped my bank (savings only), and they spent ages giving back my personal details, so I went into complain, and they said they were sorry, but they were waiting for a credit check to complete.

        When I asked them why that was needed as it was only a savings account, they said it was because they were also offering a non-savings account at the same time (which I didn't want, and didn't ask for), so there's no guarantee this won't happen when you open a normal account.

  3. Oliver Mayes

    "PIN cod"

    "apple to open new accounts"

    Was someone hungry while writing this?

    1. JimboSmith

      Pin cod

      Well there was obviously something fishy going on. Mine's the one with the scampi Nik Naks in.

  4. Pascal Monett

    The email address was not necessarily the one associated with the account?

    Are they TRYING to make things easier for hackers?

    Nobody thought this through at all. Nobody wondered what could happen if "none of the above" was selected across the board, and obviously nobody tested the final result beyond making sure it didn't crash on first try.

    There certainly are a few more niggles I could have, but the big one is allowing another email address. For frak's sake, nobody does that. There is no reason to, you already have the subscribers' address.

    1. Dan 55

      Re: The email address was not necessarily the one associated with the account?

      Welcome to software development in the 2010s. It's not even "compile it, ship it" any more, it's "if some PHP or Java-based monstrosity doesn't spaff too much crap to the logs then deploy it to production".

      Also, Experian don't necessarily have your e-mail address, they just collect details about you while you go about your life hence the difficulty of proving that you're you to them. Perhaps if everyone got a "welcome to Experian, these are your account details" letter on their 18th birthday it might concentrate a few minds as to what's happening.

      1. Sherrie Ludwig

        Re: The email address was not necessarily the one associated with the account?

        "Perhaps if everyone got a "welcome to Experian, these are your account details" letter on their 18th birthday it might concentrate a few minds as to what's happening."

        Actually, it would need to be issued upon birth, since people open bank accounts, etc. for their minor children, and have been known to open utilities accounts, etc., in their child's name because they blotted their own copybook. I agree with the poster above, nuke them from orbit, and salt the ground with the salt of the tears of their executives and investors.

      2. Down not across

        Re: The email address was not necessarily the one associated with the account?

        Also, Experian don't necessarily have your e-mail address, they just collect details about you while you go about your life hence the difficulty of proving that you're you to them.

        Considering this is about unlocking accounts that people have frozen with a pin, I would think it is reasonable to expect Experian in this situation to have email address and other information relating to that account for the people to be able to manage their account.
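The two defects picked out in this branch of the thread (a knowledge-based quiz that can be passed by choosing "none of the above" on every question, and a PIN delivered to an address the requester typed in rather than the one on file) are easy to model. The following is an added illustration, not Experian's code and not the article's: the account, the personal "facts", the question format, the attacker and all email addresses are constructed for the example, and the four-question multiple-choice shape is an assumption about how such a quiz works, not a description of Experian's actual flow.

```python
"""Toy model of a knowledge-based authentication (KBA) step that guards a
freeze-PIN reset. Constructed example: nothing here is Experian's code, and
the account, facts, questions and addresses are all made up."""
from dataclasses import dataclass, field
import random
import secrets

NONE = "None of the above"


@dataclass
class Account:
    name: str
    email_on_file: str
    facts: dict                       # hypothetical subject -> true answer
    freeze_pin: str = field(default_factory=lambda: f"{secrets.randbelow(10**10):010d}")


@dataclass
class Question:
    subject: str
    options: list
    answer: str                       # correct option; NONE for a decoy question


def build_questions(account, real_count, rng):
    """One question per fact. The first real_count questions list the true
    answer among the options; the rest are decoys whose only right choice is NONE."""
    subjects = list(account.facts)
    rng.shuffle(subjects)
    questions = []
    for i, subject in enumerate(subjects):
        fakes = [f"Option {rng.randint(100, 999)}" for _ in range(3)]   # never equal a real fact
        if i < real_count:
            options = fakes + [account.facts[subject]]
            rng.shuffle(options)
            questions.append(Question(subject, options + [NONE], account.facts[subject]))
        else:
            questions.append(Question(subject, fakes + [NONE], NONE))
    return questions


def kba_passes(questions, answers):
    return len(answers) == len(questions) and all(
        q.answer == a for q, a in zip(questions, answers))


def attacker_answers(questions):
    """A stranger who knows nothing about the victim: NONE across the board."""
    return [NONE for _ in questions]


def owner_answers(account, questions):
    """The real person: pick the truth when it is offered, otherwise NONE."""
    return [account.facts[q.subject] if account.facts[q.subject] in q.options else NONE
            for q in questions]


def vulnerable_release(account, questions, answers, requested_email):
    """The pattern the thread complains about: whoever answers the quiz gets the
    PIN sent to the address they typed in. If the quiz happened to be built from
    decoys only, answering NONE everywhere is accepted as proof of identity."""
    if not kba_passes(questions, answers):
        return None
    return {"sent_to": requested_email, "pin": account.freeze_pin}


def hardened_release(account, questions, answers, requested_email):
    """Refuse a challenge that does not test real knowledge (fewer than two
    questions with a genuine answer), and ignore requested_email entirely:
    the PIN only ever goes to the contact details already on file."""
    if sum(q.answer != NONE for q in questions) < 2:
        return None
    if not kba_passes(questions, answers):
        return None
    return {"sent_to": account.email_on_file, "pin": account.freeze_pin}


if __name__ == "__main__":
    rng = random.Random(1)
    victim = Account("Jo Bloggs", "jo@example.test", {      # constructed data
        "previous street": "12 Oak Street", "first car": "Ford Fiesta",
        "mortgage lender": "Example Building Society", "year of first loan": "2009"})
    decoys = build_questions(victim, real_count=0, rng=rng)
    print("vulnerable, attacker:", vulnerable_release(
        victim, decoys, attacker_answers(decoys), "crook@evil.test"))
    mixed = build_questions(victim, real_count=2, rng=rng)
    print("hardened, attacker:", hardened_release(
        victim, mixed, attacker_answers(mixed), "crook@evil.test"))
    print("hardened, owner:", hardened_release(
        victim, mixed, owner_answers(victim, mixed), "crook@evil.test"))
```

Running it shows the all-decoy quiz handing the PIN to crook@evil.test on a sheet of "None of the above", while the hardened path rejects that sheet and, even for the genuine owner, delivers only to the address already on record. The general lesson is the one Down not across makes: if the service can freeze and unfreeze an account it already has a contact channel for that account, and a reset flow should never let the requester supply a new one.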

  5. teebie

    "its customers were never in any danger of having their personal information stolen via the PIN hack"

    But they were in danger of having loans fraudulently taken out in their name, which is the main reason people are worried about having their personal information.

    Or do they mean that 15 million people don't have to worry about their personal information being stolen from Experian because it already happened in 2015?



Biting the hand that feeds IT © 1998–2022