Experian accounts could still be at risk from hackers

Criminals are still able to steal Experian customer accounts with relative ease, cybersecurity researchers have claimed.

While the company says the method (explained below) isn’t a viable way to steal people’s accounts, independent researcher Brian Krebs (opens in a new tab) managed to recreate it, confirming that the strategy actually works.

The good news is that victims can regain control of their accounts quite quickly.

Isolated incidents

Here’s what happened: Two people, one from Salt Lake City and one from Boston, recently had their Experian account stolen. The attackers knew some of their personal information, contacted the company and convinced them to assign a different email address to the account.

The actual account holders were never informed on their original emails.

Investigating the matter, Krebs contacted Experian, who described the attacks as “isolated incidents” and the attack as unsustainable. “Once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file,” Experian told Krebs.

It also goes “beyond reliance on personally identifiable information (PII) or the ability of a consumer to answer knowledge-based authentication questions to gain access to our systems,” a- he added.

Krebs, however, managed to recreate the attack and steal his own account. He used another computer and, knowing his social security number, date of birth and the answer to a few questions, was able to convince Experian to change the email address associated with the account.

Any data needed to pull off the attack could be purchased on the dark web, from previous attacks or leaks, or could be obtained through social engineering attacks.

“Experian promptly changed the email address associated with my credit report,” he wrote. “He did this without first confirming that the new email address could reply to messages, or that the previous email address had approved the change.”

Once the email is changed, all notifications are sent to this new address, which means that changing the password or being able to communicate with the company becomes much more difficult.

However, just as the attackers managed to steal the accounts, the owners managed to recover them, the team found.

Via: The Registry (opens in a new tab)

Previous Supply issues affect global PC sales
Next 10 basic troubleshooting tips to fix common macOS issues