Dec 18 2017

Krebs on Security 2017-12-18 15:13:53

Past stories here have explored the myriad criminal uses of a hacked computer, the various ways that your inbox can be spliced and diced to help cybercrooks ply their trade, and the value of a hacked company. Today’s post looks at the price of stolen credentials for just about any e-commerce, bank site or popular online service, and provides a glimpse into the fortunes that an enterprising credential thief can earn selling these accounts on consignment.

Not long ago in Internet time, your typical cybercriminal looking for access to a specific password-protected Web site would most likely visit an underground forum and ping one of several miscreants who routinely leased access to their “bot logs.”

These bot log sellers were essentially criminals who ran large botnets (collections of hacked PCs) powered by malware that can snarf any passwords stored in the victim’s Web browser or credentials submitted into a Web-based login form. For a few dollars in virtual currency, a ne’er-do-well could buy access to these logs, or else he and the botmaster would agree in advance upon a price for any specific account credentials sought by the buyer.

Back then, most of the stolen credentials that a botmaster might have in his possession typically went unused or unsold (aside from the occasional bank login that led to a juicy high-value account). Indeed, these plentiful commodities held by the botmaster for the most part were simply not a super profitable line of business and so went largely wasted, like bits of digital detritus left on the cutting room floor.

But oh, how times have changed! With dozens of sites in the underground now competing to purchase and resell credentials for a variety of online locations, it has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone.

If the old adage about a picture being worth a thousand words is true, the one directly below is priceless because it illustrates just how profitable the credential resale business has become.

This screen shot shows the earnings panel of a crook who sells stolen credentials for hundreds of Web sites to a dark web service that resells them. This botmaster only gets paid when someone buys one of his credentials. So far this year, customers of this service have purchased more than 35,000 credentials he’s sold to this service, earning him more than $288,000 in just a few months.

The image shown above is the wholesaler division of “Carder’s Paradise,” a bustling dark web service that sells credentials for hundreds of popular Web destinations. The screen shot above is an earnings panel akin to what you would see if you were a seller of stolen credentials to this service — hence the designation “Seller’s Paradise” in the upper left hand corner of the screen shot.

This screen shot was taken from the logged-in account belonging to one of the more successful vendors at Carder’s Paradise. We can see that in just the first seven months of 2017, this botmaster sold approximately 35,000 credential pairs via the Carder’s Paradise market, earning him more than $288,000. That’s an average of $8.19 for each credential sold through the service.

Bear in mind that this botmaster only makes money based on consignment: Regardless of how much he uploads to Seller’s Paradise, he doesn’t get paid for any of it unless a Carder’s Paradise customer chooses to buy what he’s selling.

Fortunately for this guy, almost 9,000 different customers of Carder’s Paradise chose to purchase one or more of his username and password pairs. It was not possible to tell from this seller’s account how many credential pairs total that he has contributed to this service which went unsold, but it’s a safe bet that it was far more than 35,000.

[A side note is in order here because there is some delicious irony in the backstory behind the screenshot above: The only reason a source of mine was able to share it with me was because this particular seller re-used the same email address and password across multiple unrelated cybercrime services].

Based on the prices advertised at Carder’s Paradise (again, Carder’s Paradise is the retail/customer side of Seller’s Paradise) we can see that the service on average pays its suppliers about half what it charges customers for each credential. The average price of a credential for more than 200 different e-commerce and banking sites sold through this service is approximately $15.

Part of the price list for credentials sold at this dark web ID theft site.

Indeed, fifteen bucks is exactly what it costs to buy stolen logins for airbnb.com, comcast.com, creditkarma.com, logmein.com and uber.com. A credential pair from AT&T Wireless — combined with access to the victim’s email inbox — sells for $30.

The most expensive credentials for sale via this service are those for the electronics store frys.com ($190). I’m not sure why these credentials are so much more expensive than the rest, but it may be because thieves have figured out a reliable and very profitable way to convert stolen frys.com customer credentials into cash.

Usernames and passwords to active accounts at military personnel-only credit union NavyFederal.com fetch $60 apiece, while credentials to various legal and data aggregation services from Thomson Reuters properties command a $50 price tag.

The full price list of credentials for sale by this dark web service is available in this PDF. For CSV format, see this link. Both lists are sorted alphabetically by Web site name.

This service doesn’t just sell credentials: It also peddles entire identities — indexed and priced according to the unwitting victim’s FICO score. An identity with a perfect credit score (850) can demand as much as $150.

Stolen identities with high credit scores fetch higher prices.

And of course this service also offers the ability to pull full credit reports on virtually any American — from all three major credit bureaus — for just $35 per bureau.

It costs $35 through this service to pull someone’s credit file from the three major credit bureaus.

Plenty of people began freaking out earlier this year after a breach at big-three credit bureau Equifax jeopardized the Social Security Numbers, dates of birth and other sensitive date on more than 145 million Americans. But as I have been trying to tell readers for many years, this data is broadly available for sale in the cybercrime underground on a significant portion of the American populace.

If the threat of identity theft has you spooked, place a freeze on your credit file and on the file of your spouse (you may even be able to do this for your kids). Credit monitoring is useful for letting you know when someone has stolen your identity, but these services can’t be counted on to stop an ID thief from opening new lines of credit in your name.

They are, however, useful for helping to clean up identity theft after-the-fact. This story is already too long to go into the pros and cons of credit monitoring vs. freezes, so I’ll instead point to a recent primer on the topic and urge readers to check it out.

Finally, it’s a super bad idea to re-use passwords across multiple sites. KrebsOnSecurity this year has written about multiple, competing services that sell or sold access to billions of usernames and passwords exposed in high profile data breaches at places like Linkedin, Dropbox and Myspace. Crooks pay for access to these stolen credential services because they know that a decent percentage of Internet users recycle the same password at multiple sites.

One alternative to creating and remembering strong, lengthy and complex passwords for every important site you deal with is to outsource this headache to a password manager.  If the online account in question allows 2-factor authentication (2FA), be sure to take advantage of that.

Two-factor authentication makes it much harder for password thieves (or their customers) to hack into your account just by stealing or buying your password: If you have 2FA enabled, they also would need to hack that second factor (usually your mobile device) before being able to access your account. For a list of sites that support 2FA, check out twofactorauth.org.

Oct 04 2017

Krebs on Security 2017-10-04 00:34:50

Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data stolen in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.

To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you’re compromised, and take steps accordingly.

If readers are detecting a bit of sarcasm and cynicism in my tone here, it may be that I’m still wishing I’d done almost anything else today besides watching three hours worth of testimony from former Equifax CEO Richard Smith before lawmakers on a panel of the House Energy & Commerce Committee.

While he is no longer the boss of Equifax, Smith gamely agreed to submit to several day’s worth of grilling from legislators in both houses of Congress this week. It was clear from the questions that lawmakers didn’t ask in Round One, however, that Smith was far more prepared for the first batch of questioning than they were, and that the entire ordeal would amount to only a gentle braising.

Nevertheless, Smith managed to paint an even more dismal picture than was already known about the company’s failures to secure the very data that makes up the core of its business. Helpfully, Smith clarified early on in the hearing that the company’s customers are in fact banks and other businesses — not consumers.

Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting it as the kind of failure that could have happened to anyone. In reality, the company waited 4.5 months (after it discovered the breach in late July 2017) to fix a dangerous security flaw that it should have known was being exploited on Day One (~March 6 or 7, 2017).

“The human error involved the failure to apply a software patch to a dispute portal in March 2017,” Smith said. He declined to explain (and lawmakers inexplicably failed to ask) how 145.5 million Americans — nearly 60 percent of the adult population of the United States — could have had their information tied up in a dispute portal at Equifax. “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

As noted in this Wired.com story, Smith admitted that the data compromised in the breach was not encrypted:

When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. “We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest,” Smith said. “To be very specific, this data was not encrypted at rest.”

It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax’s attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

Smith also sought to justify the company’s historically poor breach response after it publicly disclosed the break-in on Sept. 7 — roughly 40 days after Equifax’s security team first became aware of the incident (on July 29). As many readers here are well familiar, KrebsOnSecurity likened that breach response to a dumpster fire — noting that it was perhaps the most haphazard and ill-conceived of any major data breach disclosure in history.

Smith artfully dodged questions of why the company waited so long to notify the public, and about the perception that Equifax sought to profit off of its own data breach. One lawmaker noted that Smith gave two public speeches in the second and third weeks of August in which he was quoted as saying that fraud was a “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company.

Smith interjected that he had “no indication” that consumer data was compromised at the time of the Aug. 11 speech. As for the Aug. 17 address, he said “we did not know how much data was compromised, what data was compromised.”

Follow-up questions from lawmakers on the panel revealed that Smith didn’t ask for a briefing about what was then allegedly only classified internally as “suspicious activity” until August 15, almost two weeks after the company hired outside cybersecurity experts to examine the issue.

Smith also maneuvered around questions about why Equifax chose to disclose the breach on the very day that Hurricane Irma was dominating front-page news with an imminent landfall on the eastern seaboard of the United States.

However, Smith did blame Irma in explaining why the company’s phone systems were simply unable to handle the call volume from U.S. consumers concerned about the Category Five data breach, saying that Irma took down two of Equifax’s largest call centers days after the breach disclosure. He said the company handled over 420 million consumer visits to the portal designed to help people figure out whether they were victimized in the breach, underscoring how so many American adults were forced to revisit the site again and again because it failed to give people consistent answers about whether they were affected.

Just a couple of hours after the House Commerce panel hearing ended, Politico ran a story noting that the Internal Revenue Service opted to award Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services to the tax bureau. Bear in mind that Equifax’s poor security contributed to an epidemic of tax refund fraud at the IRS in the 2015 and 2016 tax years, when fraudsters took advantage of weak security questions provided to the IRS by Equifax to file and claim phony tax refund requests on behalf of hundreds of thousands of taxpayers.

Don’t forget that tax fraudsters exploited this same lax security at Equifax’s TALX payroll division to steal employee tax records from an as-yet undisclosed number of companies between April 2016 and March 2017.

Finally, much of today’s hearing centered around questions about the difference between a security freeze — a right that was hard-won on a state-by-state level over several years — and the “credit lock” services being pushed instead by Equifax and the big bureaus. Lawmakers on today’s panel seemed content with Smith’s answer that the two things were effectively the same, only that a freeze was more cumbersome and costly, whereas credit locks were free and far more consumer-friendly.

To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

“Having a contractual agreement is not as strong as having protections under law,” Tetreault said. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement.”

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

If anyone needs more convincing on this front, check out the testimony given in other committees today by representatives from banking behemoth Wells Fargo, which is under fire signing up tens of thousands of auto loan customers for insurance they did not need and in some cases couldn’t afford. That scandal comes on the heels of another debacle in which Wells Fargo was found to have created more than 3.5 million bank accounts without consumers’ permission between 2009 and 2016.

Mr. Smith is slated to testify before at least three other committees in the House and Senate this week before he’s off the hot seat. On Friday, KrebsOnSecurity published a lengthy list of questions that lawmakers should consider asking the former Equifax CEO. Here’s hoping our elected representatives don’t merely use these additional opportunities for more grandstanding and regurgitating the same questions.

Sep 29 2017

Krebs on Security 2017-09-29 12:07:09

Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington.

capitol

Before we delve into the questions, a bit of background is probably in order. The new interim CEO of Equifax — Paulino do Rego Barros Jr. — took to The Wall Street Journal and other media outlets this week to publish a mea culpa on all the ways Equifax failed in responding to this breach (the title of the op-ed in The Journal was literally “I’m sorry”).

“We were hacked,” Barros wrote. “That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both.”

Barros stated that Equifax was working to roll out a new system by Jan. 31, 2018 that would let consumers “easily lock and unlock access to their Equifax credit files.”

“You will be able to do this at will,” he continued. “It will be reliable, safe, and simple. Most significantly, the service will be offered free, for life.”

I have argued for years that all of the data points needed for identity thieves to open new lines of credit in your name and otherwise ruin your credit score are available for sale in the cybercrime underground. To be certain, the Equifax breach holds the prospect that ID thieves could update all that stolen data with newer records. I’ve argued that the only sane response to this sorry state of affairs is for consumers to freeze their files at the bureaus, which blocks potential creditors — and ID thieves — from trashing your credit file and credit score.

Equifax is not the only bureau promoting one of these lock services. Since Equifax announced its breach on Sept. 7, big-three credit bureaus Trans Union and Experian have worked feverishly to steer consumers seeking freezes toward these locks instead, arguing that they are easier to use and allow consumers to lock and unlock their credit files with little more than the press of a button on a mobile phone app. Oh, and the locks are free, whereas the bureaus can (and do) charge consumers for placing and/or thawing a freeze (the laws freeze fee laws differ from state to state).

CREDIT FREEZE VS. CREDIT LOCK

My first group of questions would center around security freezes or credit freezes, and the difference between those and these credit lock services being pushed hard by the bureaus.

Currently, even consumer watchdog groups say they are uncertain about the difference between a freeze and a lock. See this press release from Thursday by U.S. PIRG, the federation of state Public Interest Research Groups, for one such example.

Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach. The answers to these questions may help explain why the bureaus are now massively pushing their new credit lock offerings (i.e., perhaps they’re worried about the revenue hit they’ll take should a significant percentage of Americans decide to freeze their credit files).

I suspect the pre-breach number is less than one percent. I base this guess loosely on some data I received from the head of security at Dropbox, who told KrebsOnSecurity last year that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. This extra security step can block thieves from accessing your account even if they steal your password, but many consumers simply don’t take advantage of such offerings because either they don’t know about them or they find them inconvenient.

Bear in mind that while most two-factor offerings are free, most freezes involve fees, so I’d expect the number of pre-breach freezers to be a fraction of one percent. However, if only one half of one percent of Americans chose to freeze their credit files before Equifax announced its breach — and if the total number of Americans requesting a freeze post-breach rose to, say, one percent — that would still be a huge jump (and potentially a painful financial hit to Equifax and the other bureaus).

creditfreeze

So without further ado, here are some questions I’d ask on the topic of credit locks and freezes:

-Approximately how many credit files on Americans does Equifax currently maintain?

-Prior to the Equifax breach, approximately how many Americans had chosen to freeze their credit files at Equifax?

-Approximately how many total Americans today have requested a freeze from Equifax? This should include the company’s best estimate on the number of people who have requested a freeze but — because of the many failings of Equifax’s public response cited by Barros — were unable to do so via phone or the Internet.

-Approximately how much does Equifax charge each time the company sells a credit check (i.e., a bank or other potential creditor performs a “pull” on a consumer credit file)?

-On average, how many times per year does Equifax sell access to consumer’s credit file to a potential creditor?

-Mr. Barros said Equifax will extend its offer of free credit freezes until the end of January 2018. Why not make them free indefinitely, just as the company says it plans to do with its credit lock service?

-In what way does a consumer placing a freeze on their credit file limit Equifax’s ability to do business?

-In what way does a consumer placing a lock on their credit file limit Equifax’s ability to do business?

-If a lock accomplishes the same as a freeze, why create more terminology that only confuses consumers?

-By agreeing to use Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners?

BREACH RESPONSE

Equifax could hardly have bungled their breach response more if they tried. It is said that one should never attribute to malice what can more easily be explained by incompetence, but Equifax surely should have known that how they handled their public response would be paramount to their ability to quickly put this incident behind them and get back to business as usual.

dumpsterfire

Equifax has come under heavy criticism for waiting too long to disclose this breach. It has said that the company became aware of the intrusion on July 29, and yet it did not publicly disclose the breach until Sept. 7.However, when Equifax did disclose, it seemed like everything about the response was rushed and ill-conceived.

One theory that I simply cannot get out of my head is that perhaps Equifax rushed preparations for is breach disclosure and response because it was given a deadline by extortionists who were threatening to disclose the breach on their own if the company did not comply with some kind of demand.

-I’d ask a question of mine that Equifax refused to answer shortly after the breach: Whether the company was the target of extortionists over this data breach *before* the breach was officially announced on Sept. 7.

-Equifax said the attackers abused a vulnerability in Apache Struts to break in to the company’s Web applications. That Struts flaw was patched by the Apache Foundation on March 8, 2017, but Equifax waited until after July 30, 2017 — after it learned of the breach — to patch the vulnerability. Why did Equifax decide to wait four and a half months to apply this critical update?

-How did Equifax become aware of this breach? Was it from an external source, such as law enforcement?

-Assuming Equifax learned about this breach from law enforcement agencies, what did those agencies say regarding how they learned about the breach?

FRAUD AND ABUSE

Multiple news organizations have reported that companies which track crimes related to identity theft — such as account takeovers, new account fraud, and e-commerce fraud — saw huge upticks in all of these areas corresponding to two periods that are central to Equifax’s breach timeline; the first in mid-May, when Equifax said the intruders began abusing their access to the company, and the second late July/early August, when Equifax said it learned about the breach.

This chart shows spikes in various forms of identity abuse — including account takeovers and new account fraud — as tracked by ThreatMetrix, a San Jose, Calif. firm that helps businesses prevent fraud.

-Has Equifax performed any analysis on consumer credit reports to determine if there has been any pattern of consumer harm as a result of this breach?

-Assuming the answer to the previous question is yes, did the company see any spikes in applications for new lines of consumer credit corresponding to these two time periods in 2017?

Many fraud experts report that a fast-growing area of identity theft involves so-called “synthetic ID theft,” in which fraudsters take data points from multiple established consumer identities and merge them together to form a new identity. This type of fraud often takes years to result in negative consequences for consumers, and very often the debt collection agencies will go after whoever legitimately owns the Social Security number used by that identity, regardless of who owns the other data points.

-Is Equifax aware of a noticeable increase in synthetic identity theft in recent months or years?

-What steps, if any, does Equifax take to ensure that multiple credit files are not using the same Social Security number?

-Prior to its breach disclosure, Equifax spent more than a half million dollars in the first half of 2017 lobbying Congress to pass legislation that would limit the legal liability of credit bureaus in connection with data security lapses. Do you still believe such legislation is necessary? Why or why not?

What questions did I leave out, Dear Readers? Or is there a way to make a question above more succinct? Sound off in the comments below, and I may just add yours to the list!

In the meantime, here are the committees at which Former Equifax CEO Richard Smith will be testifying next week on Capitol Hill. Some of these committees will no doubt be live-streaming the hearings. Check back at the links below on the morning-of for more information on that. Also, C-SPAN almost certainly will be streaming some of these as well:

-Tuesday, Oct. 3, 10:00 a.m., House Energy and Commerce Committee. Rayburn House Office Bldg. Room 2123.

-Wednesday, Oct. 4, 10:00 a.m., Senate Committee on Banking, Housing, & Urban Affairs. Dirksen Senate Office Bldg., Room 538.

-Wednesday, Oct. 4, 2:30 p.m., Senate Judiciary Subcommittee on Privacy, Technology and the Law. Dirksen Senate Office Bldg., Room 226.

-Thursday, Oct. 5, 9:15 a.m., House Financial Services Committee. Rayburn House Office Bldg., Room 2128.

Sep 21 2017

Krebs on Security 2017-09-21 11:06:57

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian's page for retrieving someone's credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. 

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017 .

Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice.

Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice. Image: Rob Jacques.

I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.

This is yet another example of how someone or some entity other than the credit bureaus needs to be in put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.