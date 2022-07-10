That alarmed Rishi because he had not applied for a new credit card. Scammers, he suspected, were trying to steal his identity — again.

The e-mail said Chase credit card services had requested and received a copy of his credit report while processing an application for a new credit card.

The last time it happened, a couple of years ago, Rishi had taken steps to protect himself, including by putting a freeze on his credit report at the three major credit bureaus.

Yet now he was being told that one of them, Experian, had released his credit report despite the freeze.

Rishi, 53, the co-executive director of Boston Landmarks Orchestra and a musician, spent the next few days on the phone with Chase and Experian. He says Chase was helpful, but the explanation he got from Experian left him baffled and wary.

“If credit freezes are not reliable and secure, I’m not sure how to protect myself from fraud,” he wrote in an e-mail to me. “I consider myself savvy and informed about protecting myself from fraud, so this is likely happening to others.”

Here’s what happened, based on Rishi’s account of events:

The worrisome e-mail Rishi received last month came from Identity Guard, a credit monitoring service. He began using the $30-a-month service at about the time he put freezes on his credit report, both as a result of his identity having been stolen in 2020. (Someone tried to open a checking account in his name in another state but was ultimately thwarted.)

After getting the alert, Rishi was on the phone with Chase almost immediately. A Chase representative quickly confirmed that someone had applied for a new credit card using Rishi’s Social Security number and date of birth and that Experian had provided it with Rishi’s credit report.

When Rishi told Chase he had not applied for a credit card, Chase concluded the application was the handiwork of scammers and terminated it.

That was a big relief for Rishi. He then shifted his focus to why Experian had released his credit report despite the freeze he had placed on it.

Creating an Experian account allows users to quickly and easily control whether creditors can obtain their credit report. Experian and the other major credit bureaus collect data on you whether you have an online account with them or not, and you can freeze your credit report without an account, by phone. But having an account allows you to turn the freeze on and off, as needed, with one click. There is no charge for it.

When a freeze is on, creditors can’t get your credit report, which means they won’t approve a new credit card or loan in your name. It’s a safety measure that blocks one crucial piece in the credit approval process.

But it’s just as easy to turn it off — one click. In fact, since 2020, Rishi has clicked the freeze off several times to allow creditors to obtain his report while he applied for credit and then clicked it back on.

Last month, after getting off the phone with Chase, Rishi tried to log into his Experian account to check the status of his freeze. But he was blocked from logging in because the account wouldn’t accept his password, even though he was sure he was using the correct one.

Finally, he clicked on “I forgot my password.” Up flashed a message saying instructions for resetting his password had been sent to an e-mail address — but, shockingly, it was an address he had never heard of. It convinced him his Experian account had been compromised.

On a hunch, Rishi decided to try creating a new Experian account, using his Social Security number, date of birth, and phone number. The next page that came up asked him to “confirm your identity by completing the following authentication questions.”

Rishi said the handful of multiple-choice questions he was presented with included two for which he recognized the right answer, one about a previous home address, the other about an automobile he owned. He said he answered the other questions with “none of the above.”

And with that, Rishi got into an Experian account, whether it was his original account or a new one, Rishi didn’t know. The first thing he noticed was that the freeze on his credit report was turned off.

Rishi came to me after several frustrating hours on the phone trying to reach someone at Experian. He said he listened carefully to the phone options, but none of them described anything close to the kind of problem he wanted to discuss.

Rishi said he wanted to ask Experian whether it allowed the creation of multiple accounts using the same Social Security number and date of birth, and if so, could a scammer have created a new account in his name in order to release the freeze.

Rishi said he found a discussion of apparent security issues at Experian on KrebsonSecurity, a blog by security expert Brian Krebs, and on Reddit.

I contacted Experian with questions and a detailed account of what Rishi told me. As a result, Experian spent a few days investigating before calling Rishi and telling him that it believed scammers created an Experian account in Rishi’s name.

The representative said Experian believed the scammers created the account last month at a time when Rishi had no account of his own. But that didn’t make sense to Rishi. He created his Experian account long ago and has used it repeatedly since then. He provided documentation showing the exact time and date he created it in 2020 (it was recorded by the password manager app he uses).

Experian responded to me with this statement: “We’re in touch with the consumer and investigating this matter further. While we do not discuss specifics due to consumer privacy, we believe this is an isolated incident of fraud using stolen consumer information. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

I’m not sure how Experian can be so confident this is an isolated incident, given its acknowledgment of what apparently happened to Rishi and the prevalence of “stolen consumer information” on the internet.

In an e-mail to Rishi, Experian did not repeat the explanation it gave to him days earlier on the phone. “Our teams are still researching your fundamental concerns,” it said. “We will provide an update once our investigation is complete.”

Experian is providing its $25-a-month credit monitoring and identity protection service to Rishi for free for a year. Rishi told Experian it should extend complimentary service to him indefinitely.

I agree. I also think Experian should make it easier for consumers to reach them by phone with an urgent concern like Rishi’s. And it should give Rishi (and me) a better explanation for what happened.

