Is Data Safe at Credit Bureaus?

Experian is feeling the heat in the wake of a hacking at Abilene Telco Federal Credit Union that wound up exposing data at the credit reporting agency, leading Experian to defend its security protocols.

"This issue is indicative of the larger problem of cybercrimes facing many companies and many industries, which is the growing sophistication of financial malware," says Gerry Tschopp, a spokesman for Experian.

Tschopp described the attack as an isolated security issue experienced by a few of its U.S. clients, and not an attack on Experian's systems in North America. The credit union did not return calls for comment by Thursday morning.

The trouble started in 2011 when hackers broke into a staffer's computer at Abilene Telco Federal Credit Union, which is now called First Priority Credit Union. The crooks used an illegally obtained username and password to access an Experian account, where they stole Social Security numbers and financial data on several hundred consumers, including many that were not customers of the credit union. The incident is drawing attention to security at Experian and other credit agencies, where there have been dozens of similar breaches over the past few years. DataLossDB's website says more than 17,000 credit reports have been taken from agencies since 2006, mostly through the use of illegally obtained financial institution online credentials.

While the agencies contend that the attacks are not direct, the companies are still being criticized for not doing enough to protect against these types of attacks.

"The crooks used basic credentials to get in. It would have been better to increase and strengthen the type of authentication required," says Al Pascual, an industry analyst for security, risk and fraud for Javelin Strategy & Research.

Experian contends its security requires more than just usernames and passwords, and includes other factors such as geolocation and IP addresses. While Tschopp didn't divulge details on software brands and tech structure, Experian uses a risk-based authentication system coupled with a tech network that monitors and detects anomalies in system access by clients. The system looks for access requests made from unusual locations, at odd times or for an unusual purpose. "We require and expect our clients to routinely and securely manage their authentication credentials to the highest standards and monitor the security of their systems," Tschopp says.

While Experian did not define these "highest" standards, emerging guidance from the Federal Financial Institutions Examination Council (FFIEC) strongly encourages layered authentication. That usually means one mode of communication, such as a mobile phone, is used to confirm authentication in another mode, such as a PC, since it's hard for a crook to compromise two devices at the same time.

"In the instances where credentials might be compromised, our security systems monitor 24/7 for any anomalies that could suggest suspicious activity. These are then flagged immediately to the client, and, as appropriate, to consumers and law enforcement for resolution," Tschopp says.

In the Abilene Telco case, Experian's system alerted the credit union and the consumers affected by the suspicious activity, and Tschopp says Experian ensured that the unauthorized access was disabled.

Demitra Wilson, director of media relations for Equifax, said the company could not provide specifics on security measures, and added it uses authentication and detection systems to prevent and identify unauthorized access to a consumer's file. Those processes also include notifying impacted parties, including government authorities, in situations where it appears personal information may have been inappropriately accessed.

Pascual suggested stronger protections against access from unauthorized origins could enhance protection. One option is device fingerprinting, or the gathering of browser, operating system and connection attributes to generate a risk profile of a device. Device fingerprinting is used to determine if a valid password and username are being used to fraudulently access a network from an invalid device, though it's not a foolproof measure.

"If they are using device fingerprinting to make sure that the machines that are accessing the consumer records are bank machines, that will strengthen the protocol," Pascual says.

Experian referred to its protection as multifactor and noted that in some instances with some clients there is a form of device identification, but did not describe its technology as device fingerprinting.
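The risk-based checks and device fingerprinting described above can be sketched as follows. This is an added example, not code from the article or from any credit bureau; the attribute names, weights, thresholds and sample events are assumptions constructed for illustration. The third event shows a legitimate browser upgrade changing the fingerprint, which is why a mismatch on its own leads to a step-up on a second channel rather than a block.

```python
import hashlib
from datetime import datetime

# Weights and thresholds are illustrative assumptions, not any vendor's values.
WEIGHTS = {"unrecognized device": 50, "unusual location": 30,
           "odd time": 20, "unusual purpose": 20}

def device_fingerprint(attrs):
    """Hash browser, OS and connection attributes into one stable identifier."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()

def assess(event, profile):
    """Score a login whose username and password were already accepted."""
    hour = datetime.fromisoformat(event["time"]).hour
    start, end = profile["hours"]
    checks = {
        "unrecognized device": device_fingerprint(event["device"]) not in profile["devices"],
        "unusual location": event["country"] not in profile["countries"],
        "odd time": not (start <= hour < end),
        "unusual purpose": event["purpose"] not in profile["purposes"],
    }
    reasons = [name for name, hit in checks.items() if hit]
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= 70:
        action = "deny"
    elif score >= 30:
        action = "step-up"  # confirm on a second channel, e.g. the staffer's phone
    else:
        action = "allow"
    return action, reasons

# Constructed sample data for a hypothetical client account.
OFFICE_PC = {"browser": "Firefox 4.0", "os": "Windows 7", "asn": "AS64500"}
PROFILE = {"devices": {device_fingerprint(OFFICE_PC)}, "countries": {"US"},
           "hours": (7, 19), "purposes": {"loan application"}}
EVENTS = {
    "staffer": {"device": OFFICE_PC, "country": "US",
                "time": "2011-06-01T10:15:00", "purpose": "loan application"},
    "stolen credentials": {"device": {"browser": "Chrome 11", "os": "Windows XP", "asn": "AS64511"},
                           "country": "XX", "time": "2011-06-02T03:40:00", "purpose": "loan application"},
    "browser upgrade": {"device": {**OFFICE_PC, "browser": "Firefox 5.0"}, "country": "US",
                        "time": "2011-06-03T09:00:00", "purpose": "loan application"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(name, assess(event, PROFILE))
```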
