Say you're worried that Equifax has just destroyed your life with its callous disregard for the dossier it compiled on you and your finance; maybe you'll contact an Equifax competitor like Experian and ask them to "freeze" your credit so no one can use that data to open a new account in your name.
Good luck with that.
Once you've frozen your credit with Experian, you can't unfreeze it without a four-digit PIN. However, Experian will give anyone that four-digit PIN, provided they first tick a box promising that they are really, totally, honestly not a scammer, and then answer three easy-to-look-up "knowledge-based authentication" questions.
The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).
After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!
The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.