Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.
Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.
Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”
KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.
In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.
For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.
“Too many consumer finance company accounts,” the API concluded about my friend’s score.