PG&E was publicly exposing partial SSN information of US consumers through its use of Experian Identity Verification questions.
I recently discovered PG&E will let you sign up for electricity online without providing your SSN. Their website offered an option for “Alternate Identification”, so I chose it and proceeded to sign up for service. The only thing required was your name, “alternate mailing address” (i.e. your current address), and a State ID, Passport or similar photo ID number as shown below.
I knew through experience that the ID number was likely not checked, and I verified this fact later. A reporter I was working with on this story also independently verified that just throwing in 123456789 as a Passport number bypassed the ID number check and that the site was only verifying mailing address and name.
After providing PGE.com’s sign-up page with a name, address and Photo ID number (an ID number that goes unchecked and unvalidated) and clicking Next, you would be met with Experian’s Identity Verification questions. In our testing with the consent of various individuals, every single time prior to publication of this story, while still live on PGE.COM, the first question was always, “Please select the last four digits of your Social Security Number.”
Every time, the real last four digits were mixed into the multiple-choice selection alongside three false answers, and the four options were in sequential order. For example, if the last four of your SSN were 1234, it might ask you to choose from 1233, 1234, 1235 and 1236. Presenting the candidates on screen discloses, to whoever reaches the question, that the real value lies within a run of four consecutive numbers, and since only a name and address had been checked, that is the exposure described above. That Experian would ever use this as an identity confirmation question, asking you to pick from a list rather than supply the digits yourself as input to be validated, is troubling.
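The multiple-choice question described above, modelled in Python as an added illustration (not PG&E’s or Experian’s code), beside the form a practitioner would expect: the user types the digits, nothing is displayed, and the server compares against a stored value under an attempt limit. The question generator, the offset placement and the hashing scheme are assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import secrets

# Assumed model of the weak KBV question (not Experian's real code): the
# correct last four digits are placed inside a run of four consecutive
# values and the user is asked to pick one.
def sequential_choice_question(real_last4: int, offset: int) -> list:
    """Options shown to the user; offset (0-3) is where the real value sits."""
    if not (0 <= real_last4 <= 9999 and 0 <= offset <= 3):
        raise ValueError("last4 must be 0-9999 and offset 0-3")
    start = real_last4 - offset
    return [(start + i) % 10000 for i in range(4)]

FULL_SPACE_BITS = math.log2(10000)  # about 13.3 bits before any hint is shown

def remaining_bits(options: list) -> float:
    """Uncertainty left once the list is on screen: the real value is
    guaranteed to be one of the displayed options."""
    return math.log2(len(set(options)))

# Hardened form: the user types the digits, nothing is displayed, the stored
# value is a salted hash and the server enforces an attempt limit. With only
# 10,000 possible values the hash alone does not resist offline guessing;
# the attempt limit is what actually bounds online guessing.
class Last4Verifier:
    MAX_ATTEMPTS = 3

    def __init__(self, real_last4: int):
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(f"{real_last4:04d}")
        self.attempts = 0

    def _hash(self, digits: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", digits.encode(), self.salt, 50_000)

    def verify(self, supplied: str) -> bool:
        if self.attempts >= self.MAX_ATTEMPTS:
            return False  # locked out; no further hint either way
        self.attempts += 1
        if not (supplied.isdigit() and len(supplied) == 4):
            return False
        return hmac.compare_digest(self._hash(supplied), self.digest)
```

Calling `remaining_bits` on the generated options shows the uncertainty collapsing from roughly 13.3 bits to 2 bits the moment the list is displayed, which is the whole problem with the pick-from-a-list design.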
Experian’s Knowledge Based Verification (KBV) identity verification questions are widely used by banks and credit card issuers, utilities, government agencies such as Georgia’s Secretary of State and the Illinois Department of Public Health among…