[BreachExchange] Another Data Leak for Experian; Credit Scores of Americans Were Available to Anyone Due to API Security Issue

[Destry Winant]

https://www.cpomagazine.com/cyber-security/another-data-leak-for-experian-credit-scores-of-americans-were-available-to-anyone-due-to-api-security-issue/

One would hope that credit bureau Experian had learned a lesson about data
leaks after watching what happened to contemporary Equifax in 2017, but the
agency has now followed up a major 2020 breach in South Africa with a new
application programming interface (API) security vulnerability that appears
to have leaked the credit scores of nearly every American that has one.

A partner website allowed anyone with a subject’s name and mailing address
to pull up their credit score. While this particular data leak has been
patched, security researchers are concerned that other Experian partners
may have a similar vulnerability.

API security issue makes credit scores available by inputting publicly
available information
Thousands of authorized lenders have the ability to pull up the FICO credit
scores of Americans without having to obtain the legal consent required for
formal credit checks; this is primarily used for pre-qualifying offers and
quick initial credit screenings of applicants, but some financial
institutions also offer it to their customers as a means of quickly
checking their own credit scores.

As it turns out, Experian’s version of this service is handled by an API.
And that API was essentially unsecured, allowing anyone to access it
directly without any kind of authentication. The FICO credit score,
accompanied by an individualized list of “risk factors,” could be pulled up
with only a person’s name and primary address. The API does also ask for a
birth date, but it turns out that simply entering a string of zeros in that
field allows one to successfully bypass it.

The Experian API security vulnerability was discovered by Bill Demirkapi, a
student at the Rochester Institute of Technology. He came across it while
shopping around for student loan vendors and examining the code that one
used to check borrower eligibility. Demirkapi reported the data leak to
security researcher Brian Krebs, who in turn contacted Experian. Experian
has reportedly discovered which loan vendor was responsible and closed off
the data leak, but Demirkapi worries that this is a systemic API security
issue that could be exploited through hundreds or even thousands of other
sites; he says that Experian merely put the vendor in question’s endpoint
into maintenance mode, which would not address other possible API security
holes.

While none of the personal information found in a credit pull (such as
account numbers and payment history) was accessible as a result of this
data leak, FICO scores are sensitive and a form of personal information
that people would no doubt prefer not be this easily accessible. Credit
scores can also play a role in fraud, in helping scammers select targets
and craft more convincing and appealing approaches. For example, someone
with a low credit score and a lot of accounts might receive a fake
“pre-approved” offer for a type of credit card that they would not normally
qualify for.

Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto,
Calif.-based provider of API security, notes that if a college student was
able to come across this via simple curiosity then it should be assumed
that someone out there exploited it at some point: “Even if an individual’s
birthday was being properly validated, the authentication factors that were
being used were weak. Much of the authentication material that Experian was
using is public or semi-public as a result of prior security breaches at
other service providers … It’s not clear if this weakness was exploited by
other attackers beyond the security researcher’s probing and disclosure.
Experian confirmed only that they were able to uncover the security
researcher’s activity in their backend logs after the problem was disclosed
to them. An API that uses weak authentication like this could potentially
be enumerated and scraped to obtain large amounts of the private,
credit-related data.”

Experian data leak highlights a pattern of API vulnerabilities
API security is one of the first things that attackers probe when looking
to compromise an app, and it’s not unusual for them to find weak code to
exploit. Similar data leaks involving API access have hit other
high-profile companies recently; Clubhouse exposed the profile information
of 1.3 million users, for example, and Geico saw thieves make off with an
unknown number of driver’s license numbers.

The credit scores incident is also far from being Experian’s first security
issue. In 2015, a breach of Experian exposed the personal information of 15
million people who had applied for T-Mobile service over a two-year period.
This breach included extremely sensitive information, such as Social
Security and passport numbers. Prior to that, Experian inherited an ongoing
data leak when it acquired a company called Court Ventures that had already
been breached; this incident may have exposed 200 million Social Security
numbers.

Due to its position as one of the “big three” credit reporting agencies and
the volume of sensitive data it handles, Experian is subject to certain
enhanced data protection standards. This includes System and Organization
Controls (SOC) reporting conducted by a CPA, which reviews service
providers for various aspects such as cybersecurity posture and handling of
data privacy. This breach of credit scores indicates that Experian’s
controls in this area are likely wanting, something that does not reflect
well when paired with the company’s cybersecurity history over the past
decade. Rajiv Pimplaskar, CRO of Veridium, points out the the US is lagging
behind to some degree in terms of regulation in this area: “In an effort to
combat KYP or KYC fraud, several countries around the world predominantly
in Asia and LATAM have adopted a Government source verification paradigm
where certain institutions or relying parties can query a national database
using the prospect’s biometrics or certain biographic data. The Government
database provides identity verification and reduces the risk of fraud and
also the underwriting expense for the FSI entity. In the US such paradigms
are still emerging with several identity providers vying to assume this
role.”

Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose,
Calif.-based provider of application security, expanded on specific
improvements that Experian could make (and that any organization observing
the incident could learn from): “This yet again demonstrates that while the
use-cases have to be designed for the end user, the abuse cases have to be
designed for the super-users (benign or adversarial). If you look at the
flaw, it was a basic authentication flaw – something that should have been
contemplated during the design phase of the software. What is worse here is
that there are API Management solutions that allow organizations to
compensate for missing authentication in the APIs they want to make public
… When two companies decide to integrate their applications, they should
explicitly account for the risks both companies inherit — which are posed
by insecurities in each other’s applications. If you are an organization
looking to partner with other companies, API, web and mobile applications
must be tested for security to avoid consequential loss due to security
vulnerabilities on the part of a strategic partner. Similar to how we view
the spreading virus, it is possible to unintentionally infect your friend
or your organizational partner if you do not take the necessary
precautionary steps of testing and protecting your applications. Prioritize
the requirement for application security assessment with your partners when
you are executing on your growth strategy with them.”

Shreyans Mehta, co-founder and CTO of Cequence Security, added some more
industry-specific recommendations for addressing API vulnerabilities: “This
API authentication vulnerability highlights a concern with the growing use
of APIs between financial institutions. Not every organization has the
sophistication and security controls in place to validate and ensure they
are not exposing customer’s private financial data. And, even organizations
with sophisticated security programs in place can find themselves with
vulnerable APIs that were published outside of the controlled processes.
This is why it’s important to have broad visibility into all APIs —
home-grown, 3rd party, managed, and shadow APIs — so that risk can be
accessed and remediated quickly when needed. I’d like to hope that
organizations building apps with such sensitive data would pay close
attention to common OWASP API vulnerabilities. And at the same time,
organizations like Experian, who are keepers of the country’s financial
data should be playing an active role in validating how their APIs are
used.”

Those concerned about potential exposure of their credit scores may want to
put a freeze on their credit accounts; KrebsOnSecurity is reporting that
frozen accounts would not return any information via the API security hole.
Experian has not offered anything special in regards to this data leak, but
the company regularly allows for placing a freeze via its website or via
written request. However, the freeze will need to be at least temporarily
lifted to apply for credit.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210504/4297ea2e/attachment.html>