Website of credit bureau Experian uses outdated encryption

202010180001

Major credit reporting bureaus are seemingly inept at securing against avoidable vulnerabilities, as shown in Equifax’s infamous 2017 breach and later PIN debacle (Internet, Tor), TransUnion’s malvertising mishap, and I suppose now with Experian’s website.

Freezing credit report data is one of the simplest ways to prevent identity theft. However when I went to freeze my data with Experian, I was greeted with the above warning thanks to Firefox.¹

An SSL server test² explains the cause for concern. Their web server uses a mode of encryption – Cipher Block Chain (CBC) – which has been implemented in an insecure way, making users vulnerable to man-in-the-middle attacks. This vulnerability was first announced in 2014, which means Experian’s main website is six years out of date with secure encryption standards.

I guess I’ll call Experian in the morning to request my credit report freeze. This is plain embarassing.


¹ I made a prior attempt with a different Firefox instance, where I saw a “Secure Connection Failed” error message. This was thanks to using the arkenfox user.js browser configuration.

² Internet Archive capture: Internet, Tor.

Yeah well it wasn’t too long ago when Experian was breached:

To be honest I wouldn’t be doing business with them. There needs to be serious penalties for this kind of stuff.

At the moment it seems they only respond retroactively after they get hacked.