Credit scores of millions of Americans have been exposed online Banking
The credit scores of millions of Americans were left exposed online when a lender misused an API belonging to the credit reporting agency Experian.
As first reported by Krebs on Security, independent security researcher Bill Demirkapi was shopping around for student loan vendors online when he discovered that he could easily pull up his Experian credit score just by entering only a portion of the information normally required to do so.
Demirkapi was on a site that offered to check his loan eligibility just by entering his name, address and date of birth. Normally when using a credit monitoring service, Americans also need to provide their social security number to get access to their credit scores.
After providing the necessary information, Demirkapi took a look at the code on the lender’s site and it was then that he found that the company had been invoking Experian’s API. He provided more details on the significance of his discovery in a statement to Krebs on Security, saying:
“No one should be able to perform an Experian credit check with only publicly available information. Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Exposing Experian’s API
To make matters worse, Demirkapi also found that the Experian API being invoked on this particular lender’s website could be accessed without any sort of authentication. In fact, he was even able to enter all zeros on the site’s date of birth field to pull a person’s credit score.
From here, Demirkapi built his own command-line tool to speed up these lookups which he named “Bill’s Cool Credit Score Lookup Utility”. Besides being able to pull a person’s credit score, the Experian API also provides information on up to four “risk factors” that could explain why their score isn’t higher.
In the end, Demirkapi reached out to Experian and the company was able to discover which lender was exposing its API online. In a statement, Experian explained that it takes data security and matters such as this very seriously, saying:
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter. While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”
The credit scores of millions of Americans were left exposed online when a lender misused an API belonging to the credit reporting agency Experian. As first reported by Krebs on Security, independent security researcher Bill Demirkapi was shopping around for student loan vendors online when he discovered that he could…
Recent Posts
- This Apple Watch Series 10 case costs more than an Ultra –and makes it look like a luxury chronograph
- Why NASA is sticking with Boeing
- UK companies are spending more on tech development, but aren’t always being more productive
- Apple’s AirPods Pro 2 could forever change how people access hearing aids
- The EU Has New Carry-On Luggage Rules. Here’s What to Know Before You Fly
Archives
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- September 2018
- December 2011