Experian, one of the “Big Three” credit bureau has a problem on its hands. Bill Demirkapi, a student at the Rochester Institute of Technology (RTI) has discovered a bug in an application programming intermediate (API) that would allow an attacker to soft pull anyone’s credit score with just their name and mailing address.
Demirkapi’s findings were first published on the 28th of April along with a screenshot of the lookup utility he built to demonstrate the exploit.
(Courtesy of KrebsOnSecurity)
All someone needs to access a target’s FICO score is their name (first and last), street address, and zip code, and voilà! a FICO score, anybody’s FICO score, right in your terminal window!
Dmirkapi claims he discovered the security hole when shopping for a student loan.
Security7 wasn’t able to verify the credibility of Dmirkapi’s claim, but Experian has in a written statement.
So what can you do to protect yourself?
A few years ago there was a pretty massive data breach at Equifax, another major credit bureau. Security7 compiled a list of steps you could take to protect your credit file. Here they are:
Step 1. Find out if your information was exposed – Click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.
Step 2. If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
Step 3. Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
Step 4. Place a credit freeze on your files – A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
How do I place a freeze on my credit reports?
Contact each of the nationwide credit reporting companies:
- Equifax — 1-800-349-9960
- Experian — 1‑888‑397‑3742
- TransUnion — 1-888-909-8872
You’ll need to supply your name, address, date of birth, Social Security number, and other personal information. Fees vary based on where you live but commonly range from $5 to $10.
After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
We’ve personally called all three numbers and can attest that they work. Equifax charges no fee for the credit freeze. Experian and TransUnion will charge you a fee, depending on the state you live in. A majority of people will probably have to pay $10 for both.