Big-three consumer credit bureau Experian just fixed a weakness with a partner website that allowed anyone to view the credit scores of tens of millions of Americans simply by providing their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the discovery says he’s concerned the same weakness is present on countless other lending sites that work with the credit bureau.
Bill Demirkapi, an independent security researcher currently in his second year at the Rochester Institute of Technology, said he discovered the data exposure while researching student loan providers online.
Demirkapi came across the site of a lender that offered to verify his eligibility for a loan if he entered his name, address and date of birth. Looking at the code behind this search page, he was able to see that it invoked an Experian application programming interface (API), a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should require non-public information for promotional requests, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi discovered that the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field allowed him to pull a person’s credit score. He even created a handy command line tool to automate searches, which he called “Bill’s Cool Credit Score Lookup Utility”.
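The two properties the article says were missing are that the bureau call was reachable without any authentication and that an all-zeros “date of birth” was accepted. The following is an added example (not code from the article, from Experian, or from the lender) of a server-side guard a lender could place in front of such a prequalification call: it refuses the lookup unless the request is tied to an authenticated session, rejects placeholder or implausible birth dates, and requires at least one non-public identifier. The request shape, field names and the `ssn_last4` factor are assumptions made for the example.

```python
"""
Added example (not from the article or any named company): a lender-side
guard in front of a credit-bureau prequalification lookup. Field names and
request shape are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import re

# Sentinel values that should never be accepted as a real birth date.
# The all-zeros case is the one the article describes; the others are
# common form-data placeholders (assumed, not from the article).
PLACEHOLDER_DOBS = {"00000000", "01011900", "19000101"}
_DOB_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


@dataclass
class PrequalRequest:
    name: str
    address: str
    dob: str                                  # expected as YYYY-MM-DD
    ssn_last4: str = ""                       # non-public factor (assumed)
    session_user_id: Optional[str] = None     # set by server-side auth, never by the client


def parse_dob(raw: str, today: Optional[date] = None) -> Optional[date]:
    """Return a date if `raw` is a well-formed, plausible birth date, else None."""
    digits = raw.replace("-", "").replace("/", "")
    if digits in PLACEHOLDER_DOBS:
        return None                           # explicit reject of sentinel values
    m = _DOB_RE.match(raw)
    if not m:
        return None
    y, mo, d = (int(g) for g in m.groups())
    try:
        dob = date(y, mo, d)                  # also rejects month 00 / day 00
    except ValueError:
        return None
    today = today or date.today()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age < 18 or age > 120:                 # implausible for a loan applicant
        return None
    return dob


def validate_prequal(req: PrequalRequest, today: Optional[date] = None) -> List[str]:
    """Return the reasons to refuse the bureau call; an empty list means allowed."""
    problems: List[str] = []
    if not req.session_user_id:
        problems.append("no authenticated session: bureau lookups must not be reachable anonymously")
    if parse_dob(req.dob, today) is None:
        problems.append("date of birth missing, malformed, implausible or a placeholder value")
    if not re.fullmatch(r"\d{4}", req.ssn_last4):
        problems.append("a non-public identifier (e.g. SSN last four) is required")
    if not req.name.strip() or not req.address.strip():
        problems.append("name and address are required")
    return problems


if __name__ == "__main__":
    # Constructed sample requests, not real people.
    anonymous_zero_dob = PrequalRequest("Jane Doe", "1 Main St", "0000-00-00")
    authenticated = PrequalRequest("Jane Doe", "1 Main St", "1985-06-15", "1234", "user-42")
    for r in (anonymous_zero_dob, authenticated):
        print(r.dob, "->", validate_prequal(r) or "allowed")
```

The point of the guard is that the bureau credential stays on the lender’s server and the lookup is only ever made on behalf of a logged-in applicant who has supplied something that is not public; the DOB check alone would not have been enough, since name and address are public records.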
KrebsOnSecurity put this tool to the test, asking a friend for permission to have Demirkapi check his credit score. The friend agreed and said he would pull his Experian score himself (at this point I had not told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s search tool.
In addition to credit scores, the Experian API returns up to four “risk factors” for each consumer, indicators that could help explain why a person’s score is not higher.
For example, in my friend’s case, Bill’s tool said that his score in the mid-700s might be better if the proportion of balances to credit limits were lower and if he didn’t owe as much on revolving credit accounts.
“Too many consumer credit business accounts,” the API concludes about my friend’s score.
The reason I couldn’t test Demirkapi’s findings on my own credit score is that I have a security freeze on my files at the three major consumer credit bureaus, and a freeze prevents this particular API from extracting the information.
Demirkapi declined to share with Experian the name of the lender or the website on which the API was exposed. He declined because he said he suspected that hundreds, if not thousands, of companies were using the same API, and that many of these lenders might similarly be exposing access to Experian’s consumer data.
“If we let them know the specific endpoint, they can just ban / work with the loan provider to block those requests on that one case alone, which doesn’t solve the systemic issue,” he explained.
However, after being contacted by this reporter, Experian figured out on its own which lender was exposing its API; Demirkapi said that the lender’s site now indicates that API access has been disabled.
“We have been able to confirm only one instance of this situation occurring and have taken action to alert our partner and resolve the issue,” Experian said in a written statement. “While the situation does not involve or compromise any of Experian’s systems, we take this issue very seriously. Data security has always been and always will be our top priority.”
Demirkapi said he was disappointed that Experian had done exactly what he feared it would do.
“They found an endpoint that I was using and sent it into maintenance mode,” he said. “But that doesn’t solve the systemic problem at all.”
Leaky and insecure APIs like the one Demirkapi found are the source of a lot of mischief in the hands of identity thieves. Earlier this month, the auto insurance giant Geico revealed that fraudsters abused a bug on its site to steal American driver’s license numbers.
Geico said the data was used by thieves involved in a fraudulent claim for unemployment insurance benefits. Many states now require driver’s license numbers as a means of verifying the identity of an applicant.
In 2013, KrebsOnSecurity broke the news of an identity theft service that was programmatically extracting sensitive consumer credit data directly from an Experian subsidiary. This service was run by a Vietnamese hacker who told the Experian subsidiary that he was a private investigator. The U.S. Secret Service later said the identity theft service “caused more financial damage to more Americans than any other.”
Further Reading: The Safety Of Experian’s Credit Freeze Is Still A Joke (April 27, 2021)