One would hope that credit bureau Experian had learned a lesson about data leaks after watching what happened to contemporary Equifax in 2017, but the agency has now followed up a major 2020 breach in South Africa with a new application programming interface (API) security vulnerability that appears to have leaked the credit scores of nearly every American that has one.
A partner website allowed anyone with a subject’s name and mailing address to pull up their credit score. While this particular data leak has been patched, security researchers are concerned that other Experian partners may have a similar vulnerability.
According to a spokesperson for Experian, “We can confirm a single, isolated instance involving a client website. This situation did not implicate or compromise any of Experian’s systems, including our API. We were able to alert the client and resolve the matter.”
API security issue makes credit scores available by inputting publicly available information
Thousands of authorized lenders have the ability to pull up the FICO credit scores of Americans without having to obtain the legal consent required for formal credit checks; this is primarily used for pre-qualifying offers and quick initial credit screenings of applicants, but some financial institutions also offer it to their customers as a means of quickly checking their own credit scores.
As it turns out, Experian’s version of this service is handled by an API. And that API was essentially unsecured, allowing anyone to access it directly without any kind of authentication. The FICO credit score, accompanied by an individualized list of “risk factors,” could be pulled up with only a person’s name and primary address. The API does also ask for a birth date, but it turns out that simply entering a string of zeros in that field allows one to successfully bypass it.
The Experian API security vulnerability was discovered by Bill Demirkapi, a student at the Rochester Institute of Technology. He came across it while shopping around for student loan vendors and examining the code that one used to check borrower eligibility. Demirkapi reported the data leak to security researcher Brian Krebs, who in turn contacted Experian. Experian has reportedly identified the loan vendor responsible and closed off the data leak, but Demirkapi worries that this is a systemic API security issue that could be exploited through hundreds or even thousands of other sites; he says that Experian merely put the endpoint used by the vendor in question into maintenance mode, which would not address other possible API security holes.
While none of the personal information found in a credit pull (such as account numbers and payment history) was accessible as a result of this data leak, FICO scores are sensitive and a form of personal information that people would no doubt prefer not to be this easily accessible. Credit scores can also play a role in fraud, helping scammers select targets and craft more convincing and appealing approaches. For example, someone with a low credit score and a lot of accounts might receive a fake “pre-approved” offer for a type of credit card that they would not normally qualify for.
Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security, notes that if a college student was able to come across this via simple curiosity then it should be assumed that someone out there exploited it at some point: “Even if an individual’s birthday was being properly validated, the authentication factors that were being used were weak. Much of the authentication material that Experian was using is public or semi-public as a result of prior security breaches at other service providers … It’s not clear if this weakness was exploited by other attackers beyond the security researcher’s probing and disclosure. Experian confirmed only that they were able to uncover the security researcher’s activity in their backend logs after the problem was disclosed to them. An API that uses weak authentication like this could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.”
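The weak check the article describes (name and address suffice, the birth date only has to be non-empty) next to a hardened version that authenticates the calling partner, rejects placeholder dates, and rate-limits lookups per partner to blunt enumeration. This is an added illustration, not Experian's or any partner's code; the partner key, the field names and the per-minute threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import date, datetime

# Constructed partner credential; a real deployment would issue per-partner keys or OAuth tokens.
PARTNER_KEYS = {"partner-key-EXAMPLE"}
MAX_LOOKUPS_PER_MINUTE = 5          # assumed threshold for the enumeration guard
_recent = defaultdict(deque)        # partner key -> timestamps of recent lookups


def weak_check(req):
    """Pattern described in the article: any non-empty birth date (even all zeros) passes."""
    return bool(req.get("name") and req.get("address") and req.get("dob"))


def valid_dob(dob):
    """Reject placeholders such as all zeros: the field must parse as a real past calendar date."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", dob or ""):
        return False
    try:
        return datetime.strptime(dob, "%Y-%m-%d").date() < date.today()
    except ValueError:              # e.g. "0000-00-00": month and day 0 do not exist
        return False


def hardened_check(req, partner_key, now):
    """Return (allowed, reason): caller authentication, strict DOB, then a per-partner rate limit."""
    if partner_key not in PARTNER_KEYS:
        return False, "unauthenticated"
    if not (req.get("name") and req.get("address")):
        return False, "missing_subject"
    if not valid_dob(req.get("dob")):
        return False, "invalid_dob"
    window = _recent[partner_key]
    while window and now - window[0] >= 60:   # drop lookups older than one minute
        window.popleft()
    if len(window) >= MAX_LOOKUPS_PER_MINUTE:
        return False, "rate_limited"
    window.append(now)
    return True, "ok"
```

The rate limit only slows bulk scraping by an authenticated partner; the authentication and date checks are what close the anonymous lookup path the article describes.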
Experian data leak highlights a pattern of API vulnerabilities
API security is one of the first things that attackers probe when looking to compromise an app, and it’s not unusual for them to find weak code to exploit. Similar data leaks involving API access have hit other high-profile companies recently; Clubhouse exposed the profile information of 1.3 million users, for example, and Geico saw thieves make off with an unknown number of driver’s license numbers.
The credit scores incident is also far from being Experian’s first security issue. In 2015, a breach of Experian exposed the personal information of 15 million people who had applied for T-Mobile service over a two-year period. This breach included extremely sensitive information, such as Social Security and passport numbers. Prior to that, Experian inherited an ongoing data leak when it acquired a company called Court Ventures that had already been breached; this incident may have exposed 200 million Social Security numbers.
Due to its position as one of the “big three” credit reporting agencies and the volume of sensitive data it handles, Experian is subject to certain enhanced data protection standards. This includes System and Organization Controls (SOC) reporting conducted by a CPA, which reviews service providers for various aspects such as cybersecurity posture and handling of data privacy. This breach of credit scores indicates that Experian’s controls in this area are likely wanting, something that does not reflect well when paired with the company’s cybersecurity history over the past decade. Rajiv Pimplaskar, CRO of Veridium, points out that the US is lagging behind to some degree in terms of regulation in this area: “In an effort to combat KYP or KYC fraud, several countries around the world predominantly in Asia and LATAM have adopted a Government source verification paradigm where certain institutions or relying parties can query a national database using the prospect’s biometrics or certain biographic data. The Government database provides identity verification and reduces the risk of fraud and also the underwriting expense for the FSI entity. In the US such paradigms are still emerging with several identity providers vying to assume this role.”
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, expanded on specific improvements that Experian could make (and that any organization observing the incident could learn from): “This yet again demonstrates that while the use-cases have to be designed for the end user, the abuse cases have to be designed for the super-users (benign or adversarial). If you look at the flaw, it was a basic authentication flaw – something that should have been contemplated during the design phase of the software. What is worse here is that there are API Management solutions that allow organizations to compensate for missing authentication in the APIs they want to make public … When two companies decide to integrate their applications, they should explicitly account for the risks both companies inherit — which are posed by insecurities in each other’s applications. If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner. Similar to how we view the spreading virus, it is possible to unintentionally infect your friend or your organizational partner if you do not take the necessary precautionary steps of testing and protecting your applications. Prioritize the requirement for application security assessment with your partners when you are executing on your growth strategy with them.”
Shreyans Mehta, co-founder and CTO of Cequence Security, added some more industry-specific recommendations for addressing API vulnerabilities: “This API authentication vulnerability highlights a concern with the growing use of APIs between financial institutions. Not every organization has the sophistication and security controls in place to validate and ensure they are not exposing customer’s private financial data. And, even organizations with sophisticated security programs in place can find themselves with vulnerable APIs that were published outside of the controlled processes. This is why it’s important to have broad visibility into all APIs — home-grown, 3rd party, managed, and shadow APIs — so that risk can be accessed and remediated quickly when needed. I’d like to hope that organizations building apps with such sensitive data would pay close attention to common OWASP API vulnerabilities. And at the same time, organizations like Experian, who are keepers of the country’s financial data should be playing an active role in validating how their APIs are used.”
Those concerned about potential exposure of their credit scores may want to put a freeze on their credit accounts; KrebsOnSecurity is reporting that frozen accounts would not return any information via the API security hole. Experian has not offered anything special in regards to this data leak, but the company regularly allows for placing a freeze via its website or via written request. However, the freeze will need to be at least temporarily lifted to apply for credit.
Update (May 5, 2021): Include statement from spokesperson for Experian.