Received: 8/6/2007 3:26:10 PM
Agency: Federal Trade Commission
Rule: Private Sector Use of SSNs
Comments: Experian uses the SSN in a dangerous way on their website for authentication. In order to log in, a username and password are asked for first. After the username and password are accepted, it asks for your full SSN. Spoofing the website to accept any username/password pair and then requesting an SSN could easily allow any phisher access not only to a user's SSN, but also to the user's Experian credit report. This "security" enhancement on Experian's site is ill-conceived and is not necessary to ensure security.