Somehow I missed this one but it’s so significant that even though I am late with linking to it, I hope to make more people aware of it. @Lucky225 writes:
I recently discovered PG&E will let you sign up for electricity online without providing your SSN. Their website offered an option for “Alternate Identification”, so I chose it and proceeded to sign up for service. The only thing required was your name, “alternate mailing address”(i.e. your current address), and a State ID, Passport or similar photo ID number as shown below.
[…]
After providing PGE.com’s sign up page with a name, address and Photo ID number (which ID number goes unchecked and unvalidated), upon clicking Next you would be met with Experian’s Identity Verification questions. In our testing with the consent of various individuals, every single time prior to publication of this story while still live on PGE.COM, the first question was always, “Please select the last four digits of your Social Security Number.”
Every time the real last 4 digits was mixed in with the multiple choice selection among 3 false answers that were in a sequential order. For example if the last 4 of your SSN were 1234, it might ask to choose from 1233, 1234, 1235 and 1236. The fact that Experian would ever have this as a identity confirmation question, where they ask you to pick from a list instead of having you supply the information as input validation data is troubling.
Read more at Lucky225 Medium to find out what happened when Lucky225 contacted Experian and then PG&E about the concerns. In some respects, PG&E’s response seemed worse because as Lucky225 saw on follow-up:
In the meantime it now appears that new PG&E customers can’t even sign up for service without providing an SSN, although their website implies that they can:
When contacted again by Lucky225, PG&E said they were working on long-term solutions.
Social Security Numbers were never intended to be national identity numbers. Businesses should not be allowed to demand or use “last four” for identity validation purposes, and Experian should not offer “last four” as a method for validating identity, even if they do not give their clients the actual last four and only provide a yes/no as to whether the consumer has checked the correct last four entry.
Lucky225’s report is actually the second concern about Experian to cross my desk in the past month, although his report focuses more on PG&E’s decisions and not Experian’s. But Britton White also recently raised concerns about Experian when we were working on our article on RedLine info stealer. Britton claimed that if someone has an Experian account and their login credentials are stored in a password manager that is compromised by an info stealer, the hapless victim’s Experian account can be easily accessed because Experian does not require 2FA or MFA to access accounts. And once their account is accessed, the bad actor can make other changes to the account.
In profit-driven methods to make things convenient for customers, consumers’ information and safety take second place, regardless of any claims about taking privacy and security seriously.