Experian credit freeze flaw: Has my PIN been exposed?

By Steve Symanovich, a Symantec employee

Did you freeze your credit report at Experian? If so, your PIN could have been exposed due to a security flaw in the credit bureau’s PIN retrieval process, according to reports.

Here’s why it matters. The potential exposure of your PIN would make it possible for a cybercriminal to unfreeze your credit report. That would enable the criminal to open new credit accounts in your name — for credit cards or personal loans, for example.

The Experian security flaw comes just over a year after the Equifax data breach, which exposed the personal information of more than 148 million Americans.

Experian said the flaw has been addressed, but the company declined to say how long the flaw existed, according to USA Today.

How did the Experian flaw put PINs at risk?

Cybercriminals — or anyone else — could retrieve your PIN by answering your four security questions with the same response: “None of the above.”

Here’s how it would work in four stages.

  1. When you order a credit freeze at Experian, you are either given or choose a PIN. The PIN allows you to unfreeze your credit file. You would need to do this when you apply for a loan, for instance.
  2. But you might forget your PIN. In this case, Experian would retrieve your PIN if you correctly answered four security questions. For example, you might be asked, “Which one of the following streets have you lived on?”
  3. You could choose one of four answers, including “None of the above.” And that’s where the security flaw came in.
  4. If anyone answered “None of the above” to all four of your security questions, Experian would give them your PIN. That might enable a cybercriminal to open fraudulent accounts in your name.
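
A defender's sketch of the flaw described in the four stages above, as an added example that is not Experian's code or part of the original article. It assumes (the article does not say why the flaw existed) that a quiz could consist entirely of decoy questions whose expected answer is "None of the above"; the names Question, verify_naive, quiz_is_sound and verify_hardened and all sample data are hypothetical.

```python
from dataclasses import dataclass

NOTA = "None of the above"

@dataclass(frozen=True)
class Question:
    prompt: str
    choices: tuple   # three options plus NOTA, four in total
    correct: str     # NOTA marks a decoy question with no true answer

def grade(quiz, answers):
    """Count the answers that match the expected choice."""
    return sum(a == q.correct for q, a in zip(quiz, answers))

def verify_naive(quiz, answers):
    # Weak form (assumed): any fully matching sheet passes, so a quiz made
    # only of decoys is passed by answering NOTA to every question.
    return len(answers) == len(quiz) and grade(quiz, answers) == len(quiz)

def quiz_is_sound(quiz, min_real=3):
    # Usable only if enough questions have a real answer from the file,
    # so one constant guess cannot reach the pass mark.
    return sum(q.correct != NOTA for q in quiz) >= min_real

def verify_hardened(quiz, answers, min_real=3):
    # Fail closed: an unsound quiz never releases the PIN; the caller
    # should fall back to another verification channel.
    if len(answers) != len(quiz) or not quiz_is_sound(quiz, min_real):
        return False
    return grade(quiz, answers) == len(quiz)

def _q(prompt, options, correct):
    return Question(prompt, tuple(options) + (NOTA,), correct)

# Constructed sample data, not real consumer records.
DECOY_QUIZ = [_q(f"Decoy question {i}", ("A", "B", "C"), NOTA) for i in range(4)]
SOUND_QUIZ = [
    _q("Which street have you lived on?", ("Elm St", "Oak Ave", "Pine Rd"), "Oak Ave"),
    _q("Which lender holds your auto loan?", ("Bank A", "Bank B", "Bank C"), "Bank C"),
    _q("Which county have you lived in?", ("Kent", "Lake", "Polk"), "Lake"),
    _q("Which employer have you worked for?", ("Acme", "Globex", "Initech"), NOTA),
]

if __name__ == "__main__":
    guess = [NOTA] * 4
    print("naive, decoy quiz, all NOTA:   ", verify_naive(DECOY_QUIZ, guess))
    print("hardened, decoy quiz, all NOTA:", verify_hardened(DECOY_QUIZ, guess))
    print("hardened, sound quiz, all NOTA:", verify_hardened(SOUND_QUIZ, guess))
```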

Did Experian’s security flaw put me at risk?

Anytime your personal information is exposed, you could run the risk of financial fraud or becoming a victim of identity theft.

Experian provided this statement:

“There is not and never was a risk to consumer credit data, personal information or the security of our systems. A credit freeze PIN does not enable access to a credit file or consumer PII. Experian deploys multiple layers of security, many of those not visible to consumers. While we are confident that our authentication is secure, we have taken additional steps to make the process even more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”

What should I do now?

It’s uncertain whether Experian will issue new PINs, according to USA Today.

But Experian’s security flaw is a reminder to monitor your credit report for suspicious activity. Keep in mind you can get a free copy of your report once a year from each of the three major credit bureaus at annualcreditreport.com.

It’s also important to remember that security incidents like data breaches may pose longer-term risks. When cybercriminals access your personal data, it sometimes ends up for sale on the dark web. Sometimes, the information can appear months or years after the security event.

That’s why it’s smart to consider cyber safety products and identity theft protection services. For instance, LifeLock can send alerts to members when it detects potentially suspicious uses of their personal information in its network, such as someone trying to open a credit account in a member’s name.*

Credit freezes can help. But it’s a good idea to know why a credit freeze may not be enough to help protect against identity theft. For instance, your existing accounts may still remain at risk even with a credit freeze.

While a credit freeze can provide some protection, you could still be vulnerable to several other kinds of identity theft, including tax-related identity theft.

The good news? You have other protection options available, including fraud alerts, credit monitoring, and identity theft protection services.

No one can prevent all identity theft or cybercrime.
*LifeLock does not monitor all transactions at all businesses.
