The credit scores of millions of Americans have been exposed online

The credit scores of millions of Americans were exposed online after a lender misused an API belonging to the credit reporting agency Experian. As Krebs on Security first reported, independent security researcher Bill Demirkapi was researching online student loan lenders when he discovered that he could obtain an Experian credit score without supplying some of the information normally required to do so. Demirkapi was on a lender's site that offered to check his loan eligibility after he entered only his name, address and date of birth. Normally, when using a credit monitoring service, Americans must also provide their Social Security number to access their credit scores. After submitting the correct information, Demirkapi looked at the code on the lender's site, and that is when he discovered that the company was calling Experian's API. He explained the significance of his discovery in a statement to Krebs on Security: "No one should be able to run an Experian credit check with only publicly available information. Experian must enforce non-public information for promotional requests; otherwise, an attacker finding a single vulnerability in a vendor could simply abuse Experian's system."

Exposing the Experian API

To make matters worse, Demirkapi also discovered that the Experian API called by this lender's site could be reached without authentication. He was even able to enter all zeros in the site's date of birth field and still get a person's credit score. From there, Demirkapi built a command-line tool to speed up these lookups, which he named "Bill's Excellent Credit Score Lookup Utility." Besides returning a person's credit score, Experian's API also returns up to four "risk factors" that explain why the score is not higher. Demirkapi eventually contacted Experian, and the company was able to identify which lender was exposing its API online. In a statement, Experian said it takes data security and issues like this seriously: "We have been able to confirm only one instance of this situation and have taken steps to alert our partner and fix the issue. While the situation does not involve or compromise any of Experian's systems, we take this issue very seriously. Data security has always been and always will be our top priority."

Via Krebs on Security
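The failure described above is a server-side input-validation and authorization problem on the lender's side: a lookup was forwarded to the bureau on the strength of public data alone, with no login and with an all-zero date of birth accepted. The following Python, added here as an illustration and not taken from the article, from Demirkapi's tool, from the lender or from Experian, contrasts a weak prequalification check with a hardened one. The field names, the accepted date formats, the placeholder test, the fixed "today" used for the age check and the SSA range rules used for the SSN are all assumptions made for the example; nothing here calls a real API.

```python
"""Added illustration: a prequalification-form check, weak vs. hardened.

This is NOT Experian's API, the lender's code, or Demirkapi's tool; the
field names, accepted date formats, placeholder test and SSA range check
are assumptions made for the example. It contrasts a check that forwards
whatever the form supplied (the failure mode the article describes:
public data plus an all-zero date of birth was enough) with one that
refuses to query the bureau unless the caller is authenticated and has
supplied a valid non-public identifier.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional, Tuple

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
# Assumed fixed "today" so the age check is deterministic in this example.
TODAY = date(2021, 4, 28)


@dataclass
class PrequalRequest:
    name: str
    address: str
    dob: str                      # as typed into the form
    ssn: Optional[str] = None     # non-public identifier
    authenticated: bool = False   # did the caller log in first?


def weak_validate(req: PrequalRequest) -> Tuple[bool, str]:
    """Mirrors the weak behaviour: any non-empty public fields are forwarded."""
    if not (req.name and req.address and req.dob):
        return False, "missing field"
    return True, "forward"


def ssn_is_plausible(ssn: str) -> bool:
    """Reject syntactically invalid SSNs per SSA rules (assumed sufficient here)."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def parse_dob(raw: str) -> Optional[date]:
    """Parse the assumed date formats; return None on anything unparseable."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%m%d%Y"):
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            continue
    return None


def strict_validate(req: PrequalRequest, today: date = TODAY) -> Tuple[bool, str]:
    """Hardened check: auth, a non-public identifier, and a real date of birth."""
    if not req.authenticated:
        return False, "authentication required"
    if not (req.name and req.address and req.dob):
        return False, "missing field"
    if not req.ssn or not ssn_is_plausible(req.ssn):
        return False, "non-public identifier required"
    # All-zero or separator-only input is a placeholder, not a date.
    if re.fullmatch(r"[0/\-\s]*", req.dob):
        return False, "placeholder date of birth"
    dob = parse_dob(req.dob)
    if dob is None:
        return False, "invalid date of birth"
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age < 18 or age > 120:
        return False, "implausible date of birth"
    return True, "forward"


if __name__ == "__main__":
    # Constructed sample input: public data plus an all-zero date of birth.
    probe = PrequalRequest("Jane Doe", "1 Main St, Anytown", "00000000")
    print("weak  :", weak_validate(probe))     # (True, 'forward')
    print("strict:", strict_validate(probe))   # (False, 'authentication required')
    logged_in = PrequalRequest("Jane Doe", "1 Main St, Anytown", "00000000",
                               ssn="123-45-6789", authenticated=True)
    print("strict:", strict_validate(logged_in))  # (False, 'placeholder date of birth')
```

The point of the hardened version is ordering as much as the individual checks: the request is refused before any bureau call unless the caller has authenticated and has supplied something that is not publicly discoverable, and only then is the date of birth parsed and sanity-checked. Any real deployment would also rate-limit lookups per account and log refusals, which this example leaves out.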