Brian Krebs reports:
Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.
Read more on KrebsOnSecurity.com. It’s a long piece, but it’s important to understand that companies that should be giving us better security… aren’t. And they get away with it. Again. And again. And again.
Krebs and this blogger have both taken the big CRAs to task over their use of “KBA” (Knowledge-Based Authentication). Only this month, this blogger was reminded once again of how bad KBA can be: a family member repeatedly experienced problems with lifting a security freeze because the information used by the CRA for KBA was inaccurate. Like Krebs, my relatives kept inputting “none of the above” for the first questions, as they had never had any such accounts, but the one account or question that they could answer – and did – well, the CRA claimed that they couldn’t authenticate them based on their answer. They could have lost the contract on a home purchase because of problems in lifting the security freeze so the financial part of the transaction could move forward. So they couldn’t lift the security freeze that they had placed, while Krebs finds it’s too easy for fraudsters to lift security freezes.
Something is not right there, folks.