back to article PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters

Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims. The credit-monitoring agency lets people freeze their account using a PIN that has to be submitted in when applying for stuff like loans: it's a mechanism …

  1. The Man Who Fell To Earth Silver badge
    Mushroom

    Nuke the entire Experian site from orbit

    It's the only way to be sure.

    1. Mark 85

      Re: Nuke the entire Experian site from orbit

      Also the other two big players. Might as well get rid of them all due to leaks, break-ins, etc.

  2. Mayday
    Flame

    Can someone tell me why?

    I have to have pretty much my entire life, my ability to get a place to live, approval to get a credit card, to even get a mobile phone from shit cunts such as this?

    1. Anonymous Coward
      Anonymous Coward

      Re: Can someone tell me why?

      "I have to have pretty much my entire life, my ability to get a place to live, approval to get a credit card, to even get a mobile phone from shit cunts such as this?"

      Sure, here's your answer:

      https://www.wired.com/story/age-of-social-credit/

    2. Anonymous Coward
      Anonymous Coward

      Re: Can someone tell me why?

      Because you live in the USA? The mere concept of credit rating is so alien and scary to me. When I need a credit, the bank asks me for my records, and I bring them personally. What Experian & friends do is so illegal here, it boggles the mind it can happen somewhere else.

    3. Anonymous Coward
      Anonymous Coward

      Re: Can someone tell me why?

      because they have wiggled their way into the national and international-scale position of trust (lol), and you haven't. And now they're too big to fail while you, little man...

      Sigh. You might think it's all "by design", rather than chance. Where's me tinfoil hat... :/

      1. GnuTzu

        Re: Can someone tell me why?

        "Sigh. You might think it's all "by design", rather than chance. Where's me tinfoil hat... :/"

        Yet, now that it exists--why would they give it up?

        It occurred to me (during just this morning's commute) that, while this situation may have been subject to a certain amount of intentional design, this situation has certainly undergone a fair amount of evolution. And, then it occurred to me that this observation could well fall under Daniel Dennet's concept of the "free floating rationale", which essentially claims (though much debated) that things can have purpose as if they were designed despite not actually being designed. And yes, I know this is a topic that is debated at high academic levels, but I'm more interested in the implications for those who let a precarious economic system be at risk because of poor security practices.

        So, what is the moral imperative for those who profit from a flawed system that is a threat to the well being of the market, most people, the nation, and possibly humanity as a whole? If they knowingly continue to profit from it, knowing it works against survival, then does the claim that it's natural because it evolved this way really count as a reasonable moral choice? Remember, there are species that went extinct simply because they failed to adapt to a change in environment. Yet, we supposedly evolved big brains to overcome such possibilities. Apparently, our big "uh-brains" aren't yet big enough.

    4. Lee D Silver badge

      Re: Can someone tell me why?

      I'll give you the "ability to get a place to live", because credit checks are done on both renters and people taking a mortgage.

      However, EVERYTHING else you state is either a) optional in that process or b) you expecting people to give you free money to do so.

      To get a mobile phone? Nope. I have one. No credit check. I bought it.

      To get a phone connection? Nope. I have one. No credit check.

      To get a credit card? Yes. To get a card that functions like a credit card? No.

      What I'll add to your list is "bank account" but - again - you don't really need them unless you want them to give you free money - overdraft or loans.

      If you want people to give you free money, yes, that person will use a service like this to check who you are.

      If you don't want people to give you free money, you don't interact with them.

      And the only time the average person NEEDS (not chooses to) someone to give them free money is... when applying for a mortgage or possibly a rental agreement.

      I hate them with a vengeance, and credit ratings are the most backwards things I've ever seen in my life. But the way to stop them is to NOT borrow money, and then pay them the interest for having done so. Then they lose not only your applications to them, but also all the money they would have made from you.

      That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury that they use barely 1/10th of its capabilities... that's just a sign of the times. There are perfectly viable alternatives called "save up" / "buy outright" / "live within your means".

      1. Anonymous Coward
        Anonymous Coward

        Re: Can someone tell me why?

        That we live in a society where people are perfectly happy to give away their information and sign up to a loan in order to purchase an over-priced luxury

        Not just luxuries. Don't forget that gas, electricity and water bills usually involve a credit check unless you're on a pre-payment meter. If you're paying by instalment, then even dull stuff like home and car insurance is credit. Most but not all big telcos will credit check you for telephones, mobile or broadband, and some shitty MVNOs will even credit check you for SIM only deals.

        Anywhere that a business is incurring costs before payment or runs a smoothed direct debit system, they are extending credit. If you were running one of those businesses, you'd want to check that new customers didn't have a dreadful history of credit defaults.

      2. JimboSmith Silver badge

        Re: Can someone tell me why?

        My credit score from one of these numpty companies is 100% (999/999) from another it's not even 60%. When I enquired with my financial adviser as to why this might be he said they have different factors that they use. It might be because I don't have a mobile phone contract, a landline, regular broadband etc. This despite the fact that I've never missed a payment on anything in my life. Companies make their own minds up as to whether to lend you money based on the info they can see on your report. Your score means bugger all to them apparently but can be useful in massaging your ego.

        1. Lee D Silver badge

          Re: Can someone tell me why?

          There's no such thing as a credit score.

          It's literally a number made up by a single entity, and has no standardisation or correlation to any other number. You can't compare them, you can't predict them, you can't even choose a threshold (GDPR says that a human must now evaluate if the customer demands, not a computer score). They are literally a fabrication and any website that claims to tell you your credit score is no different one telling you how many you rate out of ten on the sexiness scale.

          As such, no credit decision is taken on the basis of "at least 900 on your credit score". It doesn't exist like that, and isn't processed like that, and when you do a minimal/statutory/DPA request from the credit agency, that number never appears.

          Because the data they hold (what you pay for, when you pay it, how much you owe to whom) is the data that decisions are based on and every single credit-giving entity has their own criteria based on that data that has nothing to do with the credit reference agencies or any made-up "score".

          The reason they won't lend to someone like you with 999/999 is precisely stated in your comment: You don't have any credit, and "You're never missed a payment". You're not profitable to them. And even no credit history at all is a red-flag so they won't lend to anyone who doesn't already have some form of credit history. It's a reputation score of "would he pay me back" - when someone who's never needed credit in their life suddenly asks for a loan, the risk is enormous - you have no idea if they're just gonna cut-and-run.

          I made my "score" on one website drop from 700 to 100 by asking for a Vodafone SIM three times, and never receiving / activating any of them. Literally, I did nothing else, owe nobody any money, never even got to give payment details but "multiple credit requests" is considered a sign of desperation, so they hurt you for it so they don't put themselves at risk.

          Credit scores are made-up nonsense. Credit references are basically subjective and there to profit companies giving credit. Actual credit for daily life shouldn't be required except for the major unaffordable items (housing is about the only thing). That someone asks for credit for home or car insurance - that's a red-flag. They can't afford to pay an annual lump sum, but they're keeping their car in good nick are they? Credit shouldn't be required for that. But we've taught our kids that that's okay (I blame Direct Debit a bit, but most essential DD's are actually zero-interest and cheaper than the annual payment). Telephones and mobile - I covered that. No. Buy.

          But in all these other places you're ASKING for credit, when you could operate without credit. You're asking the gas company to lend you £200 for gas and you'll "pay them back next month". That's what you're doing. It's perfectly justified but also not strictly necessary. Nowadays pre-pay with a smart meter means you are on a monthly recurring pre-pay "contract" that you can cancel at any time and never get into debt for. That's no worse than a DD of credit on your account, in effect.

          I'm not saying it's not the norm. I'm saying all those things - apart form housing - you do actually have a choice on, but instead choose to pay money to credit reference agencies and credit middle-men who are paying for your car / phone / etc. and then taking their percentage on top.

          100 years ago, you literally didn't have a choice. You had the money or not, and lenders were not to be used for minor things. Nowadays, every 18-year-old fights for a credit card, phone contract, monthly car insurance deal, car finance, etc. the second they are of age to do so. Sorry... no sympathy.

          (P.S. I have credit agreements. I'm no martyr here. But I do everything I can to ensure they're affordable, as well as ensure they are necessary and that I have a backup plan should something happen - lose my job, etc. And, no, that doesn't mean payment protection insurance! If you said to me tomorrow that you're cancelling all my credit agreements that I have in place... you'd take my car from me and have to give me back more than enough to buy several new cars, or I could dip into what I have and buy it from you - and even that is *literally* because I was forced to move out and live on my own, doubling my expenditure, and therefore spending the money I had put aside to pay off the rest of the car... halfway through the credit term).

      3. Doctor Syntax Silver badge

        Re: Can someone tell me why?

        What I'll add to your list is "bank account" but - again - you don't really need them unless you want them to give you free money - overdraft or loans.

        And providing you're intending to work cash in hand. Does any permanent job still pay wages in cash?

      4. Mr. Flibble

        Re: Can someone tell me why?

        I agree with most of your points, however, once I swapped my bank (savings only), and they spent ages giving back my personal details, so I went into complain, and they said they were sorry, but they were waiting for a credit check to complete.

        When I asked them why that was needed as it was only a savings account, they said it was in because they were also offering a non-savings account at the same time (which I didn't want, and didn't ask for), so there's no guarentee this wont happen when you open a normal account.

  3. Oliver Mayes

    "PIN cod"

    "apple to open new accounts"

    Was someone hungry while writing this?

    1. JimboSmith Silver badge
      Coat

      Pin cod

      Well there was obviously something fishy going on. Mine's the one with the scampi Nik Naks in.

  4. Pascal Monett Silver badge

    The email address was not necessarily the one associated with the account ?

    Are they TRYING to make things easier for hackers ?

    Nobody thought this through at all. Nobody wondered what could happen if "none of the above" was selected across the board, and obviously nobody tested the final result beyond making sure it didn't crash on first try.

    There certainly are a few more niggles I could have, but the big one is allowing another email address. For frak's sake, nobody does that. There is no reason to, you already have the subscribers' address.

    1. Dan 55 Silver badge

      Re: The email address was not necessarily the one associated with the account ?

      Welcome to software development in the 2010s. It's not even "compile it, ship it" any more, it's "if some PHP or Java-based monstrosity doesn't spaff too much crap to the logs then deploy it to production".

      Also, Experian don't necessarily have your e-mail address, they just collect details about you while you go about your life hence the difficulty of proving that you're you to them. Perhaps if everyone got a "welcome to Experian, these are your account details" letter on their 18th birthday it might concentrate a few minds as to what's happening.

      1. Sherrie Ludwig

        Re: The email address was not necessarily the one associated with the account ?

        "Perhaps if everyone got a "welcome to Experian, these are your account details" letter on their 18th birthday it might concentrate a few minds as to what's happening."

        Actually, it would need to be issued upon birth, since people open bank accounts, etc. for their minor children, and have been known to open utilities accounts, etc., in their child's name because they blotted their own copybook. I agree with the poster above, nuke them from orbit, and salt the ground with the salt of the tears of their executives and investors.

      2. Down not across

        Re: The email address was not necessarily the one associated with the account ?

        Also, Experian don't necessarily have your e-mail address, they just collect details about you while you go about your life hence the difficulty of proving that you're you to them.

        Considering this is about unlocking accounts that people have frozen with a pin, I would think it is reasonable to expect Experian in this situation to have email address and other information relating to that account for the people to be able to manage their account.

  5. teebie

    "its customers were never in any danger of having their personal information stolen via the PIN hack"

    But they were in danger of having loans fraudulently taken out in their name, which is the main reason people are worried about having their personal information.

    Or do they mean that 15 million people don't have to worry about their personal information being stolen from experian because it already happened in 2015?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like