Criminals are still able to steal Experian customer accounts with relative ease, cybersecurity researchers have claimed.
While the company claims the method (explained below) is not a viable way to steal people’s accounts, independent researcher Brian Krebs managed to recreate it, confirming the strategy actually works.
The good news is that the victims can wrestle back control of their accounts rather quickly.
Here’s what happened: two people, one from Salt Lake City and another from Boston, recently had their Experian accounts stolen. The attackers knew some of their personal information, reached out to the company and convinced it to assign a different email address to the account.
The accounts’ actual holders were never notified at their original email addresses.
Investigating the matter, Krebs reached out to Experian, which described the cases as “isolated incidents” and the method as unviable. “Once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file,” Experian told Krebs.
Its process, the company added, goes “beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems.”
Krebs, however, managed to recreate the attack and take over his own account. Using a different computer, and armed only with his Social Security number, date of birth and the answers to a couple of questions, he convinced Experian to change the email address associated with the account.
All the data needed to pull off the attack could be bought on the dark web, having been exposed in earlier breaches or leaks, or obtained through social engineering.
“Experian promptly changed the email address associated with my credit file,” he wrote. “It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.”
Once the email is changed, all notifications go to the new address, which makes changing the password, or even communicating with the company, much harder for the legitimate owner.
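The two checks Krebs says were missing, shown as an added illustration rather than Experian’s or Krebs’s code: an email change is only applied once the new address proves it can receive mail and the old address approves, and the old address is told afterwards. The in-memory account, outbox and addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of an account email-change flow. Nothing changes until
# BOTH tokens are redeemed: one proves the new address can receive mail,
# the other proves the current holder (old address) approves the change.

@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    new_token: Optional[str] = None   # sent to the new address
    old_token: Optional[str] = None   # sent to the old address
    new_confirmed: bool = False
    old_confirmed: bool = False

outbox = []  # (recipient, message); stands in for a mail gateway

def send(to: str, msg: str) -> None:
    outbox.append((to, msg))

def request_email_change(acct: Account, new_email: str) -> None:
    """Stage a change: the live address is untouched, both sides get a token."""
    acct.pending_email = new_email
    acct.new_token = secrets.token_urlsafe(16)
    acct.old_token = secrets.token_urlsafe(16)
    acct.new_confirmed = acct.old_confirmed = False
    send(new_email, f"Confirm this address: {acct.new_token}")
    send(acct.email, f"Approve change to {new_email}: {acct.old_token}")

def confirm(acct: Account, token: str) -> bool:
    """Redeem one token; apply the change only when both have been redeemed."""
    if acct.pending_email is None:
        return False
    if not acct.new_confirmed and secrets.compare_digest(token, acct.new_token):
        acct.new_confirmed = True
    elif not acct.old_confirmed and secrets.compare_digest(token, acct.old_token):
        acct.old_confirmed = True
    else:
        return False  # unknown or already-used token
    if acct.new_confirmed and acct.old_confirmed:
        old = acct.email
        acct.email = acct.pending_email
        acct.pending_email = acct.new_token = acct.old_token = None
        send(old, f"Your account email was changed to {acct.email}")
    return True
```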
However, just as the attackers managed to steal the accounts, the owners managed to get them back, the team found.