Experian is being criticized for allowing consumers to get their credit freeze PINs through email after answering questions that mostly involve information already leaked by Equifax and others. The PINs are used to unfreeze one’s credit, making it possible to seek loans and similar forms of credit. Many consumers have put a freeze on their credit in light of the massive Equifax data leak.
Typically, credit freeze PINs are mailed to a physical address, making it harder (or impossible) for a scammer or identity thief to remove a credit freeze and apply for credit in someone’s name. By offering the PINs online, Experian is making it possible for anyone with the required info to have the PIN sent directly to whatever email address they’d like.
The PIN request system, at least at the time it was pointed out by Krebs on Security, requires someone to provide info such as name, address, date of birth, and Social Security number: data that was exposed by another major credit bureau, Equifax, as well as, to various degrees, in past security breaches at other companies. The only barrier that may give scammers trouble is a set of easily answered personal questions.
Those questions ask for a few personal details, such as confirming a city where the person has lived in the past, what model of car they may have bought during a particular time period, and similar. Many of these answers can easily be found by searching public social networks and other public info.
That leaves the credit unfreeze options vulnerable to identity thieves who may go the extra step of using the online system to remove the freeze. Reverting to a physical PIN mailed to a physical address would largely remove this vulnerability.
SOURCE: Krebs on Security