page = krebs on security – in-depth security news and …
url = https://krebsonsecurity.com
Experian API Exposed Credit Scores of Most Americans

April 28, 2021

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.
Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface, or API, a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”
Demirkapi’s Experian credit score lookup tool.
KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.
In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.
For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.
“Too many consumer finance company accounts,” the API concluded about my friend’s score.
The reason I could not test Demirkapi’s findings on my own credit score is that we have a security freeze on our files at the three major consumer credit reporting bureaus, and a freeze blocks this particular API from pulling the information.
New KrebsOnSecurity Mobile-Friendly Site

Dear Readers, this has been long overdue, but at last I give you a more responsive, mobile-friendly version of KrebsOnSecurity. We tried to keep the visual changes to a minimum and focus on a simple theme that presents information in a straightforward, easy-to-read format. Please bear with us over the next few days as we hunt down the gremlins in the gears.
We were shooting for responsive (fast) and uncluttered. Hopefully, we achieved that and this new design will render well in whatever device you use to view it. If something looks amiss, please don’t hesitate to drop a note in the comments below.
NB: KrebsOnSecurity has not changed any of its advertising practices: The handful of ads we run are still image-only creatives that are vetted by me and served in-house. If you’re blocking ads on this site, please consider adding an exception here. Thank you!