Identity Thieves Bypassed Experian Security to View Credit Reports

Condobloke

Well-Known Member
Joined
Apr 30, 2017
Messages
7,003
Reaction score
5,841
Credits
45,760
Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

read on
 



Condobloke


The Scrap Value of a Hacked PC, Revisited


A few years back, when I was a reporter at The Washington Post, I put together a chart listing the various ways that miscreants can monetize hacked PCs. The project was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?,” are all common refrains from this type of user.

I recently updated the graphic (below) to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.


Next time someone asks why miscreants might want to hack his PC, show him this diagram.

Read More
 

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
10,625
Reaction score
9,145
Credits
88,220
Considering how many times Experian has been breached, I don't expect any improvement.

I read about this on HN yesterday. Basically, all you had to do was change the URL and it'd spit out the credit report for the individual without any authentication.

Something like:


Becomes:


Somewhere around here, I wrote about writing a Perl safelist script for a buddy - and it was that insecure. That was in like 1998.
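Added example, not part of the thread and not Experian's code: a constructed model of a multi-step flow showing why a handler that trusts the URL lets a visitor skip the questions step, next to one that checks server-side session state and records the attempt. The step names, paths and function names are hypothetical.

```python
import secrets

# Constructed flow: each step must be passed before the next is served.
FLOW = ["identity", "questions", "report"]
AUDIT = []  # blocked attempts, kept for detection and review


class Session:
    def __init__(self):
        self.id = secrets.token_hex(8)
        self.completed = set()  # server-side state, never read from the URL


def step_from_path(path):
    step = path.rstrip("/").rsplit("/", 1)[-1]
    return step if step in FLOW else None


def complete_step(session, step, passed):
    """Record a step only if verification passed and all earlier steps are done."""
    prior = FLOW[:FLOW.index(step)]
    if passed and all(p in session.completed for p in prior):
        session.completed.add(step)
        return True
    return False


def vulnerable_handler(session, path):
    """Serves whichever step the URL names; nothing ties it to earlier steps."""
    step = step_from_path(path)
    return (200, f"render {step}") if step else (404, "not found")


def hardened_handler(session, path):
    """Serves a step only when every earlier step is recorded for this session."""
    step = step_from_path(path)
    if step is None:
        return 404, "not found"
    missing = [s for s in FLOW[:FLOW.index(step)] if s not in session.completed]
    if missing:
        AUDIT.append({"session": session.id, "wanted": step, "missing": missing})
        return 403, f"blocked: {missing[0]} not completed"
    return 200, f"render {step}"


if __name__ == "__main__":
    s = Session()
    print(vulnerable_handler(s, "/flow/report"))  # served without the questions
    print(hardened_handler(s, "/flow/report"))    # refused and logged
```
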
 
