April 28, 2021
Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.
BankInfoSecurity (Doug Olenick) • April 29, 2021
Some security experts are questioning whether Experian is doing enough to ensure security after a researcher discovered that an API the credit reporting firm uses to allow lenders to check the credit score of prospective borrowers could expose customers’ scores.
While visiting one lender’s website, Bill Demirkapi, a student at the Rochester Institute of Technology who’s a threat researcher, discovered the API issue, he told Krebs on Security. The vulnerability on that website, which Experian says it has since fixed, allowed someone to look up another person’s credit score and some additional financial history by inputting their name, address and date of birth. But Demirkapi says he had to enter the birthdate as all zeroes to exploit the vulnerability.
Researchers fear wider exposure, amidst a tepid response from Experian.
A researcher is claiming that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, that he said was left open on a lender site without even basic security protections.
Experian, for its part, refuted concerns from the security community that the issue could be systemic.
The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he found a lender that would check his eligibility with just a name, address and date of birth, according to a published report.
Known as ROC Your Refund, Rochester’s scheme, which is now in its second year, allows those who qualify for the Earned Income Tax Credit (EITC), a refundable credit from the federal government for low- to moderate-income workers, to spread out payment over time, rather than receiving it as a lump sum once a year at tax time.
Participants instead received their EITC, which for some can account for almost a third of their annual income, in quarterly payments. Those who agree to provide survey feedback on ROC Your Refund are also paid a fee and could be selected at random to receive matched payments of up to 50% from City Hall, building on a similar initiative run by New York State that matches EITC credit up to 30%.