'Credit Hackers' Win the Credit Card Game … Legally

Hundreds of “credit hackers” are legally gaming financial institutions by taking advantage of loopholes in the U.S. credit-reporting system, a security researcher says — warning that identity thieves could follow suit. [via wired]

Christopher Soghoian, a fellow at Harvard’s Berkman Center, took a security expert’s eye to the tricks already in use by a healthy subculture of clever consumers who have managed to garner zero-interest loans and erase some information from their credit profiles. He’s presenting his findings Saturday at the DefCon hacker convention.

“The techniques outlined in this paper are not traditional hacking,” he said in an interview. “All that is being done is taking advantage of the formalized structure of the process.”

In his paper (.pdf), Soghoian highlights several approaches perfected by the credit hackers.

In one ploy, the consumer generates a massive amount of quick credit by carefully timing simultaneous applications from different lenders. This takes advantage of the fact that it takes several days for an inquiry to appear on a consumer’s credit report, leaving issuing banks blind to the parallel applications.

“If a consumer submits a large number of credit card applications within a short period of time (hours, not days), it is often possible for each application to be approved before the first inquiry has shown up on the individual’s report,” he writes, adding that this dodge has been used to secure several mortgages for a single property.

Credit hackers with a solid credit rating can use the loophole to garner dozens of credit cards, and through more complicated chicanery they can take advantage of special offers to get relatively small amounts of free money, or obtain sizable cash loans with zero interest.

Another technique is a credit-reporting version of a hacker’s buffer-overflow attack. Two of the three major credit-reporting agencies – Equifax and Transunion – store the public record of credit inquires in a buffer of a fixed size. If one uses a paid credit-monitoring service, and requests to see their reports daily, inquiries from lenders move out of the buffer, scrubbing the profile of evidence of declined applications — a red flag for lenders.

“Reports on the size of the buffer vary, but it seems to take between two to four months of daily soft inquiries to completely cycle through the buffer and erase all of the old inquiries,” he writes.

On the DefCon speaking schedule, Soghoian’s presentation on credit hacking lists him only as an “anonymous speaker” — he says he feared the banks might try to block his presentation, set for 4 p.m. Pacific time.

“I don’t want to be like the MIT students last year,” Soghoian said in a telephone interview.

But Soghoian has reason to be paranoid. He was famously raided by the FBI in 2006 after highlighting a known loophole in airport security by creating a website that allowed anyone to easily create fake boarding passes that would fool TSA officials.

This time around, Soghoian says he’s trying to get credit issuers and credit-reporting agencies to close the loopholes. In the hands of real criminals, he says, the credit hacks could vastly multiply the impact of identity theft.

“These fraudsters can experiment and fine-tune their knowledge and abuse of the loopholes using the credit reports of tens or hundreds of stolen identities,” he writes. “Law-abiding individuals have only their own credit report with which to experiment, thus making potential mistakes extremely costly.”

Did you like this post? Leave your comments below!
Found this Post interesting? Receive new posts via RSS (What is RSS?) or Subscribe to CR by Email

More Post From The Web