Remember the Equifax breach a few years ago? Almost 150 million people were affected. Now its competitor is under the microscope. The class action microscope.
A class action has been filed that says that Experian did little to prevent account takeovers by bad guys.
The suit, quoting Brian Krebs’ blog (yes, really), says that hackers were able to take over a victim’s account simply by signing up with a new email address and the victim’s personal information.
The lawsuit says that Experian’s own documentation states that you can re-register an account without first verifying that the holder of the existing account authorized the change.
This is similar to what many online services do. For example, if you want to change your Twitter email, you log in and change it. After the change, Twitter sends an email saying your information was changed. Many banks do this.
The theory is convenience over security, and most users are not willing to sue a big bank or social media company. That theory doesn’t always work.
Experian and the other bureaus use what are called “out of wallet” questions to verify your identity. Questions like: in 2015, did you buy a Chevy, Ford, Buick or Kia? Since all of this data has been stolen many times, it is useless for security. But as long as users don’t complain (after all, the bureaus don’t really care about consumers; consumers are not the bureaus’ customers) and they do not get sued for a lot of money, they will keep doing this.
Experian says these are isolated incidents – meaning that they did happen, but well, shit happens. They don’t deny that they make the change first and only then tell the real owner, who by that point is locked out. They also say they do other stuff to protect users, but they are not willing to say what. Security by obscurity. You can talk in general terms about what you do without giving away the farm.
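As an added illustration, not code from the post or from any bureau’s systems, here is the change-first-notify-later pattern described above beside a verify-before-change version, where the address already on file has to confirm with a short-lived one-time token before anything is altered. The `AccountService` class, the identity key and the email addresses are constructed for the example.

```python
import hashlib
import secrets
import time


class AccountService:
    """Constructed in-memory account store so the example runs offline."""

    def __init__(self):
        # Keyed by the kind of personal data the post describes; sample values only.
        self.accounts = {"ssn-123-45-6789": {"email": "owner@example.com", "pending": None}}
        self.outbox = []  # (recipient, message) pairs the service "sends"

    def reregister_weak(self, pii_key, new_email):
        """Pattern the post criticizes: whoever presents the personal data
        re-registers; the email is swapped first and the old address is only
        notified afterwards, when the real owner is already locked out."""
        acct = self.accounts[pii_key]
        old_email, acct["email"] = acct["email"], new_email
        self.outbox.append((old_email, "Your contact email was changed"))
        return acct["email"]

    def reregister_safe(self, pii_key, new_email):
        """Verify-before-change: the request is staged and a one-time token goes
        to the address already on file. Nothing changes until that token is
        presented, so knowing the personal data alone is not enough."""
        acct = self.accounts[pii_key]
        token = secrets.token_urlsafe(16)
        acct["pending"] = {
            "new_email": new_email,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),  # store a hash, not the token
            "expires": time.time() + 15 * 60,  # 15-minute window, then the request is dropped
        }
        self.outbox.append((acct["email"], f"Confirm the change to {new_email} with token {token}"))
        return acct["email"]  # still the original address

    def confirm_change(self, pii_key, token):
        """Apply the staged change only with a valid, unexpired, single-use token."""
        acct = self.accounts[pii_key]
        pending = acct["pending"]
        if pending is None or time.time() > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, pending["token_hash"]):
            return False
        acct["email"] = pending["new_email"]
        acct["pending"] = None  # clear so the token cannot be replayed
        return True
```

With the weak flow the outbox only ever carries an after-the-fact notice to the old address; with the safe flow the old address holds the only thing that can complete the change.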
Assuming the lawsuit does not get dismissed, the only people who will win are the lawyers.
On the other hand, you, as a user, should do everything you can to protect your accounts.
Credit: Brian Krebs