An Experian product that allows organizations to verify customers’ identity could be exploited to expose partial Social Security numbers, a researcher found through testing several organizations that use the product.
The researcher, who asked to be identified only by the online handle Lucky225, first detailed the security issue in a September Medium post after finding it when trying to register for the Pacific Gas and Electric Company. Lucky225 contacted CyberScoop after identifying three additional clients using the same function — two healthcare companies and a state health agency’s vaccination verification system.
The problem with making it easy for bad actors to access a partial SSN is that those four digits provide a gateway for attackers to take over other services and devices.
“It is essentially the same as having your password,” Lucky225 explained.
For instance, attackers could use them to convince a phone company to port a victim’s cellphone number to a new device. The technique, known as SIM Swapping, allows cybercriminals to bypass two-factor authentication and gain access to everything from a target’s Twitter account to their bitcoin wallets.
What’s more, cybersecurity experts say verification tools such as the one Experian offers are no longer considered the best way to authenticate customers because they introduce too much risk and can be easily bypassed by attackers.
PG&E removed the function in early September after being contacted by Lucky225.
According to its website, Experian’s KBV product, Precise ID, “uses a proprietary search and match algorithm to compare consumer input data with our current and historical data related to the individual.” More simply put, Experian takes data from credit histories and public records and drafts a set of multiple-choice questions that hypothetically only the real person should be able to answer.
However, getting those questions to populate — and therefore the partial SSN — only took a name and a current or former address. Lucky225 reproduced his results using his own information and information from friends. In some cases, the form also asked for an alternate ID or account number but did not check whether that number was authentic.
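To make the design flaw concrete, here is an added example that is not code from the article, Experian or any client it names: a constructed sign-up flow in the shape the article describes (name and address unlock the questions, the account number is collected but never checked, and one question's options contain the real last four digits), a hardened flow that verifies the account number and moves to a one-time code instead of a knowledge question, and a check a defender can run against any question set. All record values and function names are hypothetical.

```python
# Added example, not code from the article, Experian, or any client named in it.
# A constructed KBV sign-up flow: the weak design the article describes next to
# a hardened version, plus a check that a question set never echoes SSN digits.
import secrets
from collections import defaultdict

# Constructed sample record; every value here is fictional.
RECORD = {
    "name": "jane doe",
    "address": "1 main st",
    "account_no": "ACCT-1001",
    "ssn_last4": "1234",
}


def weak_kbv_questions(name, address, claimed_account_no):
    """Weak flow: name and address alone unlock the questions, the account
    number is collected but never compared with the record, and one question's
    options contain the subject's real SSN last four."""
    if name.lower() != RECORD["name"] or address.lower() != RECORD["address"]:
        return None
    return [{"q": "Which are the last four digits of your SSN?",
             "options": [RECORD["ssn_last4"], "5678", "9012", "3456"]}]


ATTEMPTS = defaultdict(int)   # per-subject attempt counter (hypothetical store)
MAX_ATTEMPTS = 3


def hardened_verification(name, address, claimed_account_no):
    """Hardened flow: the caller must present an account number that matches
    the record before anything is revealed, attempts per subject are capped,
    and the next step is a one-time code sent to the contact on file rather
    than a knowledge question, so nothing from the record is echoed back."""
    key = (name.lower(), address.lower())
    if ATTEMPTS[key] >= MAX_ATTEMPTS:
        return None                      # locked out until manual review
    ATTEMPTS[key] += 1
    if not secrets.compare_digest(claimed_account_no.encode(),
                                  RECORD["account_no"].encode()):
        return None                      # same response as unknown subject
    ATTEMPTS[key] = 0
    # The code goes to the out-of-band sender (SMS/app), never to the caller.
    return {"next": "otp", "code": f"{secrets.randbelow(10**6):06d}"}


def leaks_ssn(questions, ssn_last4):
    """Defender check: True if any presented option equals the real last four."""
    return any(ssn_last4 in q["options"] for q in questions or [])
```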
Lucky225 contacted Experian with concerns about the Social Security Number question in September but after an initial conversation, the company stopped responding. Experian did not respond to multiple requests for comment from CyberScoop.
“You don’t have to be a current customer for any of these places, and the way they do their sign-up flows you don’t even have to be eligible to sign up,” Lucky225 explained.
CyberScoop was able to confirm this was the case for Illinois’s “Vax Verify” portal, which accepted a Washington, D.C., address before presenting questions that included information about the author’s former addresses.
The Illinois Department of Health told CyberScoop it had discontinued use of the question asking for the partial SSN.
“The State was informed of this issue from a concerned member of the public,” said Jennifer Jennings, communications director at the Illinois Department of Innovation & Technology. “The State has heard this concern and taken steps to remove the specific question from SOI ID verification processes.”
Jennings said in a follow-up email that the state had removed the question out of “an abundance of caution” and did not plan on notifying individuals using the system.
The two healthcare companies did not respond to CyberScoop’s questions about their use of Experian’s knowledge-based verification product. CyberScoop isn’t naming the companies because the KBV workaround could still be actively exploited by bad actors.
Verification systems such as the one Experian offers are a common tool that companies use to make sure they have the right person’s identity. But experts say they’re an outdated model and ripe for cyberattacks.
“It’s extremely easy to leak sensitive data through these identity verification methods,” Rachel Tobac, CEO of SocialProof Security, wrote to CyberScoop. “For instance, I can confirm which SSN is a specific person’s based on the KBV flow and cross reference that with data breach information easily. When I have access to SSN data (or other data like mother’s maiden name, addresses you’ve lived at, date-of-birth), it allows me to quickly get past customer support identity verification methods because I can simply answer the questions correctly as you would.”
She says that a more secure way for organizations to verify identity is through a multi-factor authentication that requires a one-time passcode or hardware authentication device.
While there isn’t much hard data on how many account-takeover attacks stem from knowledge-based verification, “there is ample anecdotal evidence that suggests [knowledge-based authentication systems] alone are no longer effective in preventing identity crimes — and haven’t been for a while,” James E. Lee, Chief Operating Officer of Identity Theft Resource Center, told CyberScoop in an email.
“The depth and breadth of personal information available as a result of data breaches and phishing attacks make it very easy to impersonate someone to create new accounts or take over existing accounts,” says Lee, whose organization collects data and helps victims of identity theft.
Jeremy Grant, coordinator of the Better Identity Coalition and managing director of technology business strategy at the law firm Venable, says that the issue is not necessarily the use of partial SSNs so much as how they are used. Like Lee, he notes that SSNs have been too widely compromised for organizations to consider them a secret piece of information.
Grant says there could be legitimate cases where a vendor uses a partial SSN to verify identity, for example to determine that the person applying for something is John Doe of Virginia instead of John Doe from Ohio. But that won’t guarantee that John Doe from Virginia isn’t a cybercriminal who swiped his SSN from the dark web.
Government experts have also advised against an over-reliance on using SSNs and KBV programs in general.
“Due to the wide availability of KBV information and, therefore, KBV answers to potential impostors, KBV presents very limited strength to the verification process,” according to the National Institute of Standards and Technology’s identity proofing guidelines.
Experian previously came under fire when another researcher found that a third party exposed an Experian API that, by just plugging in a name and mailing address, could surface the credit score of millions of Americans. Experian told cybersecurity news outlet ThreatPost that the issue was limited to the website of one client. In 2020 Experian suffered a breach that affected an estimated 24 million South Africans.