The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he found a lender that would check his eligibility with just a name, address and date of birth, according to a published report.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi said he was even able to build a command-line tool that let him automate lookups, even after entering all zeros in the fields for date of birth, which he named, “Bill’s Cool Credit Score Lookup Utility.”
In addition to raw credit scores, Krebs said that he was able to use the API connection to get “risk factors” from Experian that explained potential flaws in a person’s credit history. He ran a credit check for his friend “Bill” which returned the explanation for his mid-700s credit score that he had “Too many consumer-finance company accounts.”
Crazy.
Or at this point, is it?
Wow . . . like we really need another issue to slow down our attempt to improve our credit. It's already sometimes a challenge to deal with the Credit Reporting Agencies . . . or at least it is for me. I hope it has been thoroughly fixed!
He ran a credit check for his friend “Bill” which returned the explanation for his mid-700s credit score that he had “Too many consumer-finance company accounts.”
Haha, I feel for ya "Bill". That darn CFA code.
Of course, the worst part of this is that the API back door may still be active and by posting this story, even more malicious actors will use it.
I wouldn't be surprised if more agencies have similar APIs and all information is really just wide open!
@designated_knitter wrote: Of course, the worst part of this is that the API back door may still be active and by posting this story, even more malicious actors will use it.
I wouldn't be surprised if more agencies have similar APIs and all information is really just wide open!
The article says that Experian closed the back door.
I love how it's so easy for them and even "Bill" to get our private information but let us try to alert them to an inaccurate item and Fort Knox is closed for lockdown.
@805orbust wrote: I love how it's so easy for thieves and even "Bill" to get our private information but let us try to alert them to an inaccurate item and Fort Knox is closed for lockdown.
Haha for real! 😂
@Anonymous Do you think this is in any way connected with my EX updating slow this month? Normally by now I would have 2 or 3 updates at least for my EX, and nothing has flipped over to May yet.....?!?
@Girlzilla88 wrote: @Anonymous Do you think this is in any way connected with my EX updating slow this month? Normally by now I would have 2 or 3 updates at least for my EX, and nothing has flipped over to May yet.....?!?
Nah I doubt it. Mine updated like normal this month.