He froze his credit report. Could a scammer delete it?
The last time this happened, a few years ago, Rishi had taken steps to protect himself, including freezing his credit report with all three major credit bureaus.
Yet he was now being told that one of them, Experian, had released his credit report despite the freeze.
Rishi, 53, co-executive director of the Boston Landmarks Orchestra and a musician, spent the next few days on the phone with Chase and Experian. He says Chase was helpful, but the explanation he got from Experian left him puzzled and suspicious.
“If credit freezes aren’t reliable and secure, I don’t know how to protect myself from fraud,” he wrote to me in an email. “I consider myself savvy and informed about how to protect myself against fraud, so it probably happens to others.”
Here is what happened, based on Rishi’s account of events:
The disturbing email Rishi received last month was from Identity Guard, a credit monitoring service. He started using the $30-a-month service around the time he froze his credit report; he took both steps because his identity was stolen in 2020. (Someone tried to open an account in his name in another state but was ultimately thwarted.)
After receiving the alert, Rishi was on the phone with Chase almost immediately. A Chase representative quickly confirmed that someone had applied for a new credit card using Rishi’s social security number and date of birth and that Experian had provided them with Rishi’s credit report.
When Rishi told Chase that he hadn’t applied for a credit card, Chase concluded that the application was the work of scammers and terminated it.
It was a great relief for Rishi. He then focused on why Experian had released his credit report despite the freeze he had placed on it.
Creating an Experian account allows users to quickly and easily check whether creditors can obtain their credit report. Experian and other major credit bureaus collect data about you whether or not you have an online account with them, and you can freeze your credit report without an account over the phone. But having an account lets you turn the freeze on and off, as needed, with just one click. There is no charge for this.
When a freeze is in effect, creditors can’t get your credit report, which means they won’t approve a new credit card or loan in your name. It’s a security measure that blocks a crucial part of the credit approval process.
But it’s just as easy to turn it off – just one click. In fact, since 2020, Rishi has repeatedly turned the freeze off to allow creditors to get his report while he applied for credit, then turned it back on.
Last month, after getting off the phone with Chase, Rishi tried to log into his Experian account to check the status of his freeze. But he couldn’t log in because the account wouldn’t accept his password, even though he was sure he was using the correct one.
Finally, he clicked “I forgot my password”. Up flashed a message that instructions to reset his password had been sent to an email address – but, surprisingly, it was an address he had never heard of. This convinced him that his Experian account had been compromised.
On a hunch, Rishi decided to try creating a new Experian account, using his social security number, date of birth, and phone number. The next page that showed up asked him to “confirm your identity by answering the following authentication questions”.
Rishi said the handful of multiple-choice questions he was asked included two for which he recognized the correct answer, one about an old home address, the other about an automobile he owned. He said he answered the other questions with “none of the above”.
And with that, Rishi was inside an Experian account. Whether it was his original account or a new one, he didn’t know. The first thing he noticed was that his credit file freeze had been turned off.
Rishi came to me after several frustrating hours on the phone trying to reach someone at Experian. He said he listened carefully to the phone options, but none of them described anything close to the type of issue he wanted to discuss.
Rishi said he wanted to ask Experian whether it allowed multiple accounts to be created using the same social security number and date of birth and, if so, whether a scammer could have created a new account in his name to lift the freeze.
Rishi said he found a discussion of apparent security issues at Experian on KrebsOnSecurity, a blog by security expert Brian Krebs, and on Reddit.
I contacted Experian with questions and a detailed account of what Rishi told me. As a result, Experian spent a few days investigating before calling Rishi and telling him it believed scammers had created an Experian account in Rishi’s name.
The rep said Experian believed the scammers created the account last month when Rishi did not have an account of his own. But that made no sense to Rishi. He created his Experian account a long time ago and has used it many times since then. He provided documentation showing the exact time and date he created it in 2020 (it was recorded by the password manager app he uses).
Experian responded to me with this statement: “We are in contact with the consumer and are investigating this matter further. Although we do not discuss specifics due to consumer privacy, we believe this is an isolated incident of fraud using stolen consumer information. We take consumer privacy and security seriously, and we continually review our security processes to guard against the constant and evolving threats posed by fraudsters.”
I don’t know how Experian can be so confident that this is an isolated incident, given their acknowledgment of what apparently happened to Rishi and the prevalence of “stolen consumer information” on the internet.
In an email to Rishi, Experian did not repeat the explanation it had given him days earlier on the phone. “Our teams are always investigating your fundamental concerns,” it said. “We will provide an update once our investigation is complete.”
Experian is providing its $25-a-month credit monitoring and identity protection service to Rishi for free for one year. Rishi told Experian that it should offer him the service free indefinitely.
I agree. I also think Experian should make it easier for consumers to reach it by phone with an urgent concern like Rishi’s. And it should give Rishi (and me) a better explanation of what happened.