
Experian Site Can Give Anyone Your Credit Freeze PIN - smokielad
https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/
======
vec
This isn't going to stop until we stop treating SSNs like they're secret.
Mine's not; it's been leaked at least once that I know of and I've given it
freely to dozens of clerks and HR staffers over the years, any of whom had
ample opportunity to jot it down for personal use.

I know this will never actually happen, but I sincerely wish the Social
Security Administration would publish a complete official database of real
name to SSN mappings. It wouldn't impede their use as _Social Security
Numbers_ , but it would make it extremely obvious how inappropriate they are
as a proof of identity. Maybe then we'd finally be forced to come up with
something a bit less insane.

~~~
scarface74
So as soon as you make SSN secret, companies are going to use another ID to
uniquely identify people and we are right back in the same boat.

~~~
lend000
They would probably pick something more secure than the government did,
considering they have a vested interest in not succumbing to fraud.

~~~
dragontamer
> not succumbing to fraud.

Erm... that's the entire fucking point of Experian. And yet they failed.

Experian is a free-market for-profit corporation.

~~~
lend000
If the government already chose a 9-digit 'secret' number that can be used to
pay taxes and get tax refunds and do pretty much any other sensitive
communication, is it the onus of private industry to supersede it?

Experian failed, but the system was designed to fail. You can already get all
of this important info with this number, so there was little incentive to
create a new system and ensure that every American participated in it. Their
operation was also entrenched by government credit reporting acts, pretty much
setting in stone how things are and preventing innovation. This was a pseudo-
government 'industry', not a free market system with new startups frequently
joining.

~~~
dragontamer
Last I checked, the US Government requires:

* Government Issued IDs -- Most situations. Police Tickets, Court issues, etc. etc. Usually your driver's license. This is effectively a security token, since it's illegal to make illegitimate copies of a Government issued ID (although cryptography should be used in future ID efforts IMO)

* Tax PIN number and Last year's tax refund -- Pay taxes and do tax refunds. There's a ton of OTHER information you need to submit with your taxes to get it processed. The SSN is purely the "username" for your taxes, it isn't the "password".

----

In the free market? People use SSN as a password, because free market doesn't
give a care about you or decent security practices. Or at least, Experian
doesn't (and they're a free market actor)

~~~
lend000
> Tax PIN number and Last year's tax refund -- Pay taxes and do tax refunds

For individuals, your TIN (Taxpayer Identification Number) defaults to your
SSN, and you do _not_ need the previous year's return to file taxes. Not sure
where you are coming up with these imaginative claims, and I find it somewhat
concerning how confident you feel in bureaucratic design decisions.

~~~
dragontamer
https://www.irs.gov/individuals/electronic-filing-pin-request

~~~
lend000
(Your link is only for e-filing.) Millions of returns are still processed via
mail.

------
k3oni
Quick tl;dr

"The first hurdle for instantly revealing anyone’s freeze PIN is to provide
the person’s name, address, date of birth and Social Security number (all data
that has been jeopardized in breaches 100 times over — including in the recent
Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and
swear that the information is true and belongs to the submitter. I’m certain
this warning would deter all but the bravest of identity thieves!"

~~~
the_evacuator
Considering that address and date of birth strongly predict most of the digits
of the SSN, this is pretty bad. Consider further that even name can predict
SSN (people named Stein more likely to have been born at the Jewish hospital,
and SSNs are sharded by hospital).

SSN is not a secret. End of story.

------
KGIII
This just keeps getting more and more outlandish. I'm pretty sure you have to
deliberately work at it, if you want to be this incompetent. Had they just had
the entire IT staff play minesweeper, they might actually be better off than
they are now.

I am not actually sure that I've seen a bigger display of ineptitude. I
suspect there's going to be academic research papers published about this and
studied for years to come. I'm not big on conspiracy theories, but I could
understand someone believing this is deliberate incompetence. I'm not even
sure I could fault them for believing that.

~~~
lowbloodsugar
There is _no_ solution to this problem of identity. So they invent the credit
freeze. Then they invent the credit freeze PIN. Then someone loses their PIN
and they want to buy a car _now_. So business adds "look up your PIN" feature.
It is face-palming. But that's what you get when your business requires a way
to securely identify people when no such method exists.

~~~
KGIII
There may be no perfect solution but I am really hoping something better can
exist. There isn't as much trouble in some other countries, maybe we can look
into what they are doing?

I don't have the answers. But, just because I'm not an MD doesn't mean I can't
point out an obviously broken arm. This is a problem and it does need fixing.

At this point, it's reached the level of absurd. Not even a great author could
have come up with a better storyline. This has reached the point of being
surreal. If I weren't witnessing this, I'd have trouble believing it - it's
that bad.

At this point, I'm having trouble thinking of something they haven't screwed
up. This has more twists than a soap opera.

~~~
irq11
Other countries don’t have the free/easy relationship to credit that we do.

In many places, if you want to get a small, revolving line of credit it’s
considered perfectly normal to spend _weeks_ validating your identity,
including one or more in-person visits by a financial official. Can you
imagine doing this in modern America? The economy would shrink by whole
percentage points overnight.

We’ve made a deal with the devil, and this is how we pay.

~~~
KGIII
That might just be the saddest post I'm going to read all day because you're
probably right. Individuals have access to lots of credit, it fuels our
American consumerism.

Maybe it's better, in the long term, to suffer that shrinkage? I'm absolutely
not an economist, so I don't really know. Maybe we are in a credit bubble and
it needs to pop?

Could we absorb the negative drop in the economy without there being riots in
the street? Would it be better in the long run?

------
skylark
It's a weird situation. Your credit information is so crucial that the
agencies need a workaround for everything - a user can't be allowed to get
stuck in a state that locks them out of their credit forever.

I'm still annoyed by this entire debacle but I'm not sure what the correct
solution for a lost PIN should be.

~~~
tyrust
> I'm not sure what the correct solution for a lost PIN should be

Krebs gives an answer in the article and I think I agree:

> I understand if people who place freezes on their credit files are prone to
> misplacing the PIN provided by the bureaus that is needed to unlock or thaw
> a freeze. This is human nature, and the bureaus should absolutely have a
> reliable process to recover this PIN. However, the information should be
> sent via snail mail to the address on the credit record, not via email to
> any old email address.

Until we have a way to guarantee our electronic identity to the government
(e.g. an RSA key registry so that I can sign a message like "I am $name and
$email is my email"), physical delivery is the best option.
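The signed-assertion registry sketched in the comment above, as an added example that is not part of the original thread: a hypothetical registry maps a name to a public key, the holder signs the literal message "I am $name and $email is my email", and a relying party verifies it against the registered key. Ed25519 is used here instead of RSA only because it is in Go's standard library; the registry, names and e-mail addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is a hypothetical stand-in for the government-run key registry
// the comment imagines: registered name -> public key.
type Registry map[string]ed25519.PublicKey

// Claim builds the exact message the holder signs.
func Claim(name, email string) []byte {
	return []byte(fmt.Sprintf("I am %s and %s is my email", name, email))
}

// SignClaim signs the claim with the holder's private key.
func SignClaim(priv ed25519.PrivateKey, name, email string) []byte {
	return ed25519.Sign(priv, Claim(name, email))
}

// VerifyClaim checks the signature against the key registered under name.
// Unregistered names fail closed; a claim with a different e-mail, or a
// claim presented under another registered name, fails verification.
func VerifyClaim(reg Registry, name, email string, sig []byte) bool {
	pub, ok := reg[name]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, Claim(name, email), sig)
}

// Outcome records what a relying party would conclude in each scenario.
type Outcome struct {
	Genuine       bool // correct name, correct e-mail, registered key
	TamperedEmail bool // attacker swaps the e-mail in the message
	WrongName     bool // attacker presents the signature under an unregistered name
	ForgedKey     bool // attacker signs with their own, unregistered key
}

// Demo runs the four scenarios with constructed identities and keys.
func Demo() (Outcome, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	reg := Registry{"Alice Example": alicePub} // constructed registry entry

	sig := SignClaim(alicePriv, "Alice Example", "alice@example.com")
	forged := SignClaim(malloryPriv, "Alice Example", "mallory@example.com")

	return Outcome{
		Genuine:       VerifyClaim(reg, "Alice Example", "alice@example.com", sig),
		TamperedEmail: VerifyClaim(reg, "Alice Example", "mallory@example.com", sig),
		WrongName:     VerifyClaim(reg, "Mallory", "alice@example.com", sig),
		ForgedKey:     VerifyClaim(reg, "Alice Example", "mallory@example.com", forged),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongName=%v forgedKey=%v\n",
		out.Genuine, out.TamperedEmail, out.WrongName, out.ForgedKey)
}
```

One caveat the comment's message format leaves open: a signature over "I am $name and $email is my email" is valid forever and for every relying party, so anyone who captures it can replay it. A deployed version would bind the claim to the relying party and a freshness value (audience and nonce or timestamp in the signed text) before the registry idea is safe against replay.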

~~~
cesarb
> However, the information should be sent via snail mail to the address on the
> credit record

What would happen when that address is incorrect or outdated?

~~~
thehardsphere
If it's incorrect, you likely have bigger problems than where to send the pin.
And I think there are ways to correct the address.

If it's outdated, then it simply goes to your old address. If you moved, the
Post Office will forward mail addressed to you at your old address to your new
address.

~~~
apetresc
I always hear this story about post offices forwarding mail with old
addresses, but in my life (having moved a ton), I've _never_ received mail at
a new address with an old address printed on it, while I _have_ received huge
volumes of mail addressed to the last guy living where I'm at. Is forwarding
an American thing?

~~~
Retric
Yes, I have gotten mail forwarded as much as 8 months after a move. It gets a
yellow sticker with your new address on the bottom right. I believe it's based
on names so it may not work for all mail.

~~~
donarb
Having one's email forwarded to another address can also be subject to fraud.
Haven't done it in a while, possibly you now have to go to the counter and show
some ID, but it used to be far too easy to fill out the little card and hand
it to the person behind the counter, no questions asked.

https://www.identityguard.com/news-insights/beware-change-address-scams/

------
scarface74
I know it is popular meme when it comes to Google, Facebook, etc. that “you
are not the customer”, but at least you have a choice not to use their
services. It’s impossible to opt out of allowing credit bureaus access to your
personal information and still function in society.

------
mtmail
Should be read together with the follow-up
https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight/

------
yvesmh
Looks like I wasted $10. My only hope is that with 143m affected people, they
just skip to the next one if they encounter a Credit Freeze.

~~~
JumpCrisscross
On the upside, you now have quantified damages.

------
SubZero
What could be a possible solution to the PIN reset? Security practices say
that we can authenticate across 3 ways; something you are, something you have,
and something you know. It's obvious to me that the something you know is also
known by hackers, and I don't think biometrics are going to be overly popular
after this. Does Experian send out a hardware token to all users that request
a security freeze?

~~~
ivmi
A mailed letter would work. Plenty of other orgs do that as the only way to
communicate your PIN to you.

~~~
jonnytran
It's interesting that this isn't one of the three traditional ways to
authenticate, but it's obviously effective to some degree. Maybe it suggests a
new mode of authenticating: some place where you are.

------
jfc
This is where Congress has utterly failed in its regulatory responsibilities.
There's no way this labyrinth of credit-related breaches/issues should be
confronting consumers.

Two things I do: monitor my credit reports regularly and give nonsensical
answers to the security questions.

~~~
kevin_b_er
The lesson Congress takes to heart that you should learn: Greed is more
important than your financial security.

------
s0ss
How the heck do other countries take care of these things? Aren't credit
agencies and their reliance on SSN's a purely American concept?

~~~
himlion
In the Netherlands every citizen has a digid, which is a two factor digital
identification mechanism. Almost all government and almost all (semi-)public
companies use it. Works like a charm and very secure.

------
DesiLurker
The only solution is to implant an RSA token generator on the arms of every citizen
at birth. Perfect 2FA. They get to turn your chip off if you make too much
trouble.

------
stringForSize
I think it's also worth noting that, while I do think they at least hash your
password, if you sign up for an account you are limited to a 14-character
password.

