DNYUZ

It wasn’t hard to hijack TransUnion credit reports. I did it to myself.

December 12, 2025

The credit reporting company TransUnion holds our intimate financial details. Until recently, its customer service hotline also left an opening for impostors to potentially take over our private records.

The Public Interest Research Group, a nonprofit consumer advocacy organization, spent months testing TransUnion’s security protections. PIRG staff discovered that they could talk TransUnion’s customer service representatives into resetting passwords and changing account contact information with bare-bones proof of identity.

If an identity thief had taken over a credit report account this way, he could have gleaned details about personal loans, credit card payments and bankruptcies without the legitimate account holder finding out. Personal details in a credit report could also be fodder to hone phishing attacks or to lift credit freezes.

After I shared details of PIRG’s findings with TransUnion in September, the company said that it changed its security protocols. PIRG staff recently repeated their test calls, and in most cases customer service representatives asked for additional proof of identity before agreeing to change TransUnion account information.

It’s not clear how many TransUnion accounts might have been compromised before the credit reporting company said it changed its security protocols. The vulnerability shows that companies holding the keys to our identity and financial lives don’t always reliably keep them safe.

Any gatekeeper to our secrets, though, faces a tricky balancing act: We want them to keep out bad guys but also help us when we forget passwords or lose access to accounts.

Finding a security hole in TransUnion

TransUnion, Equifax and Experian are the three major collectors of your history of financial payments and transactions. These nationwide credit reporting agencies are essential cogs in America’s financial system.

The companies make money by analyzing your financial data and scoring your creditworthiness. Information compiled by credit reporting agencies can influence your ability to buy a home or get a job and what you pay for car insurance.

Earlier this year, PIRG was trying to solve a mystery: How did a PIRG staff member have their TransUnion account information changed three times in about a month by someone they didn’t know? (The Washington Post is not identifying this person because they appear to have ongoing problems with identity theft.)

Mike Litt, the PIRG consumer campaign director specializing in consumer financial protection, said that staff used their TransUnion accounts to try multiple account takeover tactics.

They found that if they called TransUnion’s customer service line, representatives in most cases would reset the account password if callers provided a Social Security number and other pieces of personal information.

That information should not be enough to prove identity, said Litt and Lorrie Cranor, a digital security expert uninvolved in the case. Identity thieves can buy or obtain data such as Social Security numbers and dates of birth.

Litt said that PIRG notified TransUnion by email about the apparent security vulnerability. Litt contacted me after TransUnion hadn’t responded. (TransUnion told me that “work to address this matter began quickly once it was brought to our attention.”)

I decided to try PIRG’s hijacking blueprint on myself. It wasn’t difficult to steal my own credit report account.

In September, I called TransUnion’s customer service number. When I reached a representative, I said that I had forgotten my account password. (I did not identify myself as a journalist.)

The agent asked for my Social Security number, date of birth and street address, which I provided. I also asked the customer service rep to change the email contact information on my account.

She reset my password and coached me to enter a new password at TransUnion’s website.

I had a PIN set up on my TransUnion account, and an answer to a security question for additional identity verification. Neither PIRG staff nor I were asked for this information in our customer service calls.

After I contacted TransUnion with these details, a spokesman said that the company “implemented additional protocols to further protect against fraudulent email changes, consistent with the work we do every day to monitor threats and strengthen our processes.”

Flaws and alternative approaches to account security

This vulnerability is different from the security breach that allowed hackers to steal Equifax records on more than 140 million Americans in 2017.

But the TransUnion password reset by phone could have locked legitimate account holders out of their credit reports and let an impostor lift a credit freeze to apply for loans in another person’s name.

I detailed the TransUnion account takeover method to Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon University. She said that what I described “leaves consumers extremely vulnerable.”

A better approach, Cranor said, is transferring callers to an identity verification service that asks a series of questions such as what cars you previously owned, information in your credit history and previous addresses.

Companies typically ask those questions until you correctly, or incorrectly, answer enough of them to feel confident about whether the account belongs to you, she said.

“While I do understand the need to help customers recover accounts, there are better ways to do this,” Cranor said.

TransUnion said that it uses a “wide range of solutions to identify fraudulent activity and protect consumers.”

Cranor also took issue with TransUnion not doing more to notify account holders about changes to an email or phone number on file with the company.

In most instances before October, when PIRG staff and I reset our TransUnion passwords, we didn’t receive notices about the changes to our accounts at the phone numbers or email addresses we had previously set up in our TransUnion accounts.

That meant a TransUnion account owner might not know if their account was hijacked.

More recent PIRG testing found that customer service staff asked for additional identity verification.

When PIRG repeated its test calls to TransUnion customer service in recent weeks, Litt said that in six of seven attempts they were asked either the security question on file in the person’s TransUnion account or a multiple-choice security question such as information about a state fishing license or a credit card limit.

Litt said that he’s concerned about people whose TransUnion credit reports could have been taken over and don’t know it. And he wondered if TransUnion is capable of catching potential future security flaws on its own.

“We want to know what they are doing to prevent vulnerabilities like this from happening again,” he said.

The TransUnion spokesman referred to the statement that the company is perennially monitoring for security risks and upgrading safeguards.

I want to hear about your experiences with credit report accounts. Email me or contact me on Signal at ShiraOvide.70

What you can do

Here are four digital security steps worth taking now, either with your online credit reports or generally.

While online protections cannot be your responsibility alone, you can help make yourself less vulnerable to identity thieves.

You can review the major credit report compilations as often as once a week at no cost, and ask to correct errors. Go to the government-authorized website, AnnualCreditReport.com, or set up online accounts directly with TransUnion, Equifax and Experian.

1) Check your TransUnion account. If you have a TransUnion online account, Litt recommended making sure you can log in and it wasn’t taken over by someone else.

Once you’re there, it doesn’t hurt to change your password and make sure TransUnion has your accurate contact information. Examine your credit report for financial accounts or loans that you don’t recognize.

If you don’t have an account with each of the three major credit reporting agencies, Litt said that it’s helpful to set one up. It’s the simplest way to do the next step.

2) Freeze your account with each of the three major credit reporting firms. “It still remains the best step you can take to protect yourself from new account identity theft,” Litt said.

Follow links to freeze credit with TransUnion, Equifax and Experian. Or call these phone numbers. And read more from Michelle Singletary.

It’s free to freeze your credit, also called a security freeze. You may need to temporarily lift a credit freeze if you apply for a credit card or a job.

3) Use two-factor authentication for important accounts: You want this for credit report accounts, financial accounts and your primary email.

You may need to enter a numerical code in addition to your password when you log in. Even if a hacker gets your password, the extra security measure makes it much harder to get into your account.

4) Give nonsense answers to security questions: TransUnion and some other online accounts may ask you to set up a “secret” answer to one or more security questions. You would provide those replies if you later need help accessing your account or resetting a password.

But those “secrets” may not be secret. Identity thieves can pilfer or guess information such as your maternal grandmother’s first name or the make and model of your first car. Try setting gibberish replies when you set up security questions. Let’s say your first car was a Lorlsberqp9p.

The post It wasn’t hard to hijack TransUnion credit reports. I did it to myself. appeared first on Washington Post.


DNYUZ © 2026
