Experian exposes credit scores via unprotected API
Credit reporting company Experian plc has suffered a new data breach, with the credit scores of almost everyone in the United States exposed through an unprotected application programming interface.
Discovered and made public on April 28 by security researcher Bill Demirkapi, the breach involved a tool called the Experian Connect API, which allows lenders to automate FICO score queries. While visiting the website of a lender that offered to check his eligibility for a loan, Demirkapi found that the site's code allowed him to invoke the Experian API without any authentication and pull up anyone's credit score.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told KrebsOnSecurity. “Experian should require non-public information for promotional requests, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi was also able to design a command line tool to automate the search, which he rather interestingly called “Bill’s Cool Credit Score Lookup Utility”.
While Experian has since closed unauthorized API access, the issue is that the company may be using other APIs that could be leveraged in the same way. It is not known if others have accessed it.
“It is not clear whether this weakness has been exploited by other attackers beyond the security researcher’s research and disclosure,” Michael Isbitski, technical evangelist at API protection company Salt Security Inc., told SiliconANGLE. “Experian only confirmed that they were able to discover the security researcher’s activity in their backend logs after the issue was disclosed to them. An API that uses weak authentication like this could potentially be enumerated and removed to obtain large amounts of private credit-related data.”
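To make the weakness concrete, here is an added illustration that is not code from SiliconANGLE, Experian or the researcher. It contrasts a lookup that, like the one described above, returns a score to any caller who knows public identifiers, with a hardened variant that first checks a partner credential and then requires non-public data to match the file, and it adds a simple check over backend log lines that flags one caller touching many different subjects. The partner IDs, secrets, records and log lines are all constructed for the example; the `lender-a`/`lender-b` names, the HMAC signing scheme and the enumeration threshold are assumptions, not Experian's actual design.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample "credit files", keyed by public identifiers (name and address),
# each carrying the non-public fields a legitimate caller must also supply.
RECORDS = {
    "jane doe|1 main st": {"score": 712, "dob": "1980-04-02", "ssn_last4": "1234"},
    "john roe|2 oak ave": {"score": 655, "dob": "1975-11-19", "ssn_last4": "9876"},
}

# Constructed partner credentials (hypothetical lender IDs and secrets).
PARTNER_SECRETS = {"lender-a": b"constructed-secret-a"}


def subject_key(name, address):
    return f"{name.strip().lower()}|{address.strip().lower()}"


def weak_lookup(name, address):
    """The pattern the article describes: anyone who knows public
    identifiers gets the score, because no credential is ever checked."""
    rec = RECORDS.get(subject_key(name, address))
    return rec["score"] if rec else None


def sign_request(secret, partner_id, name, address, dob, ssn_last4):
    """HMAC over the request fields with the partner's secret (assumed scheme)."""
    msg = "|".join([partner_id, subject_key(name, address), dob, ssn_last4]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_lookup(partner_id, signature, name, address, dob, ssn_last4):
    """Reject before touching any record unless (1) the caller proves it holds a
    registered partner secret and (2) it supplies non-public data matching the file."""
    secret = PARTNER_SECRETS.get(partner_id)
    if secret is None:
        return ("unauthenticated", None)
    expected = sign_request(secret, partner_id, name, address, dob, ssn_last4)
    if not hmac.compare_digest(expected, signature):
        return ("unauthenticated", None)
    rec = RECORDS.get(subject_key(name, address))
    if rec is None or rec["dob"] != dob or rec["ssn_last4"] != ssn_last4:
        # Same answer for "no such file" and "non-public data wrong", so the
        # endpoint does not confirm which subjects exist.
        return ("not_verified", None)
    return ("ok", rec["score"])


# Constructed backend log lines: "<timestamp> <partner_id> <subject_hash> <status>".
SAMPLE_LOG = """\
2021-04-27T10:00:01Z lender-a 7d3c ok
2021-04-27T10:00:02Z lender-a 9e1f ok
2021-04-27T10:00:03Z lender-b 0a11 ok
2021-04-27T10:00:03Z lender-b 0a12 ok
2021-04-27T10:00:04Z lender-b 0a13 ok
2021-04-27T10:00:04Z lender-b 0a14 ok
"""


def flag_enumeration(log_text, max_subjects=3):
    """Count distinct subjects queried per caller. One caller pulling many
    different files in a short window is the signature of the bulk scraping
    the quoted expert warns about; the threshold here is an assumption."""
    subjects = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the sweep
        _ts, partner, subject, _status = parts
        subjects[partner].add(subject)
    return sorted(p for p, s in subjects.items() if len(s) > max_subjects)


if __name__ == "__main__":
    print("weak:", weak_lookup("Jane Doe", "1 Main St"))
    sig = sign_request(b"constructed-secret-a", "lender-a", "Jane Doe", "1 Main St", "1980-04-02", "1234")
    print("hardened:", hardened_lookup("lender-a", sig, "Jane Doe", "1 Main St", "1980-04-02", "1234"))
    print("flagged callers:", flag_enumeration(SAMPLE_LOG))
```

The point of the two lookups is the order of checks: the hardened version never reads the credit file until the caller has proven it is a registered partner, and even then a match on public identifiers alone is not enough. The log check is the kind of sweep that would surface the researcher's automated tool in backend logs before, rather than after, disclosure.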
Hank Schless, senior manager of security solutions at mobile security firm Lookout Inc., noted that the predominance of cloud-based services and technologies has created a huge ecosystem of interconnected services that help organizations of all types power their business internally for employees and externally for customers.
“The integration between various applications and services can make the overall experience much more convenient and transparent for users,” Schless explained. “APIs, especially for large platforms such as airlines or social media, are often made public so that anyone can connect their service to those platforms. However, the convenience of integration shouldn’t put security on the back burner.”
The incident underscores how important it is to understand the security posture of all resources, Schless added. “In this particular case, that means verifying any third-party service that you decide to integrate into your services or infrastructure,” he said. “When you integrate your services, there is always the risk that an attacker will gain access to your data after initially breaching the partner service.”
Experian last suffered a data breach with the theft of data belonging to 15 million Americans in October 2015.
Photo: Experian Thailand