
Frauds with Credit Bureau

In the recent post “Credit hackers”: a technique of bank manipulation
there was a summary of carder frauds with credit history bureaus in the USA.
In that post, reference was made to the full material on this topic by Christopher Soghoian. I took up translating this material, as I was interested in it myself, and there were other users who would be interested in reading it.
Since the text is rather long, I decided to publish it in parts as it is translated.
Contents
1. Introduction
2. The system of consumer loans in the US
3. How to benefit from the credit system
4. Credit vulnerabilities and exploits
5. Suggested improvements
6. Conclusion

PS: links in the text are not translated and are left as in the original.
PS2: thanks to the user rusxg, who unexpectedly joined in translating the text.

Frauds with credit bureaus.

Abstract
This document describes loopholes and exploits applicable to the US credit bureau system that can significantly increase your (or someone else's) available credit by hundreds of thousands of dollars.
Although the methods described below have been used for the personal (legal) benefit of a small community of carders, the same methods can also be used by far less honest people: criminals who intend to break the law, draw many people into a pyramid scheme and disappear with their money.
The purpose of this document is to highlight these exploits, analyze them through the lens of the computer security community, and propose patches that would significantly reduce the effectiveness of the existing exploits, whatever the intentions of those who use them.

1. Introduction

The US economy is largely dependent on the availability of detailed information about buyers' credit histories [1].
Thanks to the credit system, a buyer with no prior relationship with a car dealership can walk in, write a check and drive off in a brand-new $50,000 car [2].
In countries without a credit history system, you would have to pay in cash or obtain a letter of guarantee from a bank confirming your solvency.

Three private corporations, known as credit history bureaus (referred to below simply as credit bureaus), collect and distribute information on the payment history and creditworthiness of millions of Americans [3].
Financial companies that lend money to customers (through credit cards, mortgages or student loans) transfer financial information to the bureaus. The information transmitted can be positive or negative and is, as a rule, provided in the form of a payment history [4].

Credit bureaus act as an accounting mechanism [5] or reputation system [6] with which a lender can assess possible risks without any interaction with the borrower.
Based on the information in the credit report, the lender can raise or lower the interest rate, demand a larger down payment, or even refuse the loan.

The information security literature already records attacks on reputation systems [7]. Usually the attackers falsified the information stored by such systems, either to mislead them or to attack third parties.

This document shows vulnerabilities that are routinely used by savvy users to alter their credit histories.
By controlling their financial reputation, carders can obtain far larger loans than they would otherwise be entitled to.

Strictly speaking, these are not hacks and exploits in the traditional sense, since they do not require unauthorized access to computer systems.
Moreover, in many cases the attacker does not even interact directly with the credit bureau, although the goal is still to change the credit data stored there.
And since these attacks involve no deception or trickery, it would not be correct to classify them as social engineering.
These methods exploit the rigidly formulated communication protocols between credit bureaus and creditors.

We analyze these vulnerabilities and their use from the standpoint of computer security.
Many of the exploits are textbook examples of known problems with computer systems: race conditions, atomic data access and queue overflows [10]. All these problems have been carefully analyzed in the literature and are used by hackers.
Combining knowledge of computer security, finance and law, we can effectively analyze the vulnerabilities and propose appropriate solutions.

Finally, we have not ourselves tested or benefited from these vulnerabilities, because of the legal risks associated with exploiting and documenting them; instead we rely on the growing number of accounts posted on forums by the carders who first discovered and continue to use these vulnerabilities [11].

Chapter 2 is essentially an introduction to the consumer credit system in the USA.
Chapter 3 shows several ways of influencing a credit report, which in turn allow one to borrow much more money.
Chapter 4 describes loopholes that increase the available credit even further.
Chapter 5 proposes ways to close these loopholes.

2. The system of consumer lending in the US

The availability of centralized, detailed reports on how individual consumers obtain and repay loans has led to fundamental changes in the US economy and has also made it easier for consumers to obtain new credit lines [12].

Three private credit bureaus, Experian, Equifax and TransUnion, collect detailed information on consumers' borrowing and repayment [13].
This information is then used by lenders to determine a consumer's creditworthiness, whether or not that consumer already has a loan.

Each bureau keeps a file on every person in the United States who uses credit.
More than two billion records are added to these files every month, and more than three million credit reports are issued daily [14].
The main role of a credit bureau is to provide detailed credit histories to financial institutions: institutions with which the consumer already deals, those with which the consumer is establishing a business relationship, and companies that have no business relationship with the specific consumer but are interested in establishing one.

2.1. Applying for a credit line

After concluding a contract with a credit institution, the client is provided with a credit line.
It can take the form of a credit card, car loan, mortgage, student loan or any of a variety of other financial products.
However, before approving the credit line, the institution usually contacts one (and sometimes several) of the bureaus to obtain a copy of the client's credit history and assess their creditworthiness.
Using this information, the lender determines the client's creditworthiness and assesses the potential credit risk.

Although large banks have some freedom in choosing a particular bureau depending on the geographical location of the client, most lenders use the same bureau for every inquiry about a given client's file.
That is, although applications to the same bank by two customers from different states may be processed using requests to two different bureaus, applications to the same bank by customers from the same state are most likely to be processed using requests to a single bureau.

After establishing a relationship with a client, the financial institution regularly reports the client's balance and payments to each of the three bureaus [15].
This information includes the client's current address, the total size of the credit line, the balance on the last statement, the date and amount of the last payment, and corrections to previously submitted information if errors are found in it.

Figure 1: Partial list of open credit lines from a credit report (account numbers changed)

2.2. Credit report

Each bureau keeps a file on every person in the USA who uses credit, which is approximately 90% of the adult population [16].
Each bureau manages its data using information transmitted directly to it by private banks, financial institutions, government agencies and tax authorities [17].

One of the most important elements of a consumer's report is the list of credit accounts, which contains a wide range of information about each account.
This includes the date the contract was concluded; the account type (revolving, installment or mortgage); current debt; maximum debt; credit limits, if any; and information about payment behavior, such as the period during which there was or is outstanding debt [18].

Since each bureau receives information about consumers independently and does not synchronize data with the other bureaus, a particular consumer's report may differ from one bureau to another.
As a result, credit reports often contain incorrect information that is negative for the consumer, which can result, for example, in a higher interest rate or even a refusal to issue a loan. A review by the US Public Interest Research Group (PIRG) found that 25% of reports contain serious errors that could lead to a loan being refused, more than 50% contain typos and other incorrect information, and more than 20% contain duplicate entries for mortgages or other loans [19].

Figure 2: Detailed scheme of the credit line in the consumer report, including information on the history of payments

Under current legislation, the companies that supply the bureaus with information on debts and loans are not required to provide it promptly, in a strictly defined format, or in full, and may even not provide it at all [20].
All that is required of them is not to report information about a consumer that is known to be inaccurate, or that is likely to be inaccurate [21].

2.3. Credit Information Requests (Inquiries)

A consumer's credit report contains a wealth of information, including past loan payments and total debt. Along with this information, the bureau also tracks the number of firms that have requested the report.
These requests for credit information, known as inquiries, give some insight into consumer behavior.

When a bureau receives a request for a copy of a credit report, the request is recorded as an inquiry in the credit file maintained by that bureau only.
Inquiries are divided into two categories: detailed ("hard") and brief ("soft").

Hard inquiries arise when a customer applies for a new loan from a bank, a credit card, or a loan from a credit organization.
In particular, an inquiry is considered hard if the information requested from the bureau is used to decide whether to grant credit.
Lenders who obtain a copy of the credit report can see a list of the other organizations that have requested a report on this consumer over the past two years.
Hard inquiries are built into most borrower scoring models, since consumers seeking additional credit are considered riskier than those who do not seek it [22].

Several years ago, every inquiry was viewed as an attempt by the consumer to obtain additional credit.
But buyer behavior has changed, and many now simply shop around among lenders to find the best interest rate on a loan.
Risk-assessment models changed along with customer behavior, so multiple inquiries made within a 15-to-30-day window are counted as one [23].
However, numerous inquiries spaced more than 15 to 30 days apart are a serious indicator of risky behavior for creditors.
Consumers with a certain number of hard inquiries on their credit history risk being refused a new loan for six months.

After six months the damage diminishes, and after 12 months the inquiries are no longer taken into account at all.
After two years, old inquiries are removed from the credit report entirely.

Soft inquiries apply when the lender already has a business relationship with the borrower.
These inquiries are used for account management, in particular for periodic account reviews by creditors, and are not displayed in credit reports.
Such requests are made not only by lenders, but also for checks by employers and landlords, and by consumers themselves.
Soft inquiries are not included in consumer credit scoring models.
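As an added illustration (not part of the original paper or post), the inquiry rules from this section modeled as a small Python function: soft inquiries are ignored, hard inquiries within the rate-shopping window collapse into one, inquiries lose scoring weight after six and twelve months, and drop off the report after two years. The 30-day window, the day-based month lengths and the sample dates are assumptions.

```python
from datetime import date

# Aging rules as stated in section 2.3. The text gives the rate-shopping
# window as "15 to 30 days"; 30 days is the assumed value used here, and
# "month" periods are approximated in days (also an assumption).
SHOPPING_WINDOW_DAYS = 30   # hard inquiries this close together count as one
RECENT_DAYS = 182           # about six months: full weight in scoring
SCORED_DAYS = 365           # about 12 months: no longer considered after this
RETAINED_DAYS = 730         # about 24 months: removed from the report after this


def summarize_inquiries(inquiries, as_of):
    """Apply the inquiry rules to a list of (date, kind) tuples.

    kind is "hard" (application for new credit) or "soft" (account review,
    employer or landlord check, consumer's own request).
    Returns what other lenders see and what a scoring model would count.
    """
    hard = sorted(d for d, kind in inquiries if kind == "hard")
    soft = [d for d, kind in inquiries if kind == "soft"]
    # Soft inquiries are never shown to other lenders or scored.
    on_report = [d for d in hard if 0 <= (as_of - d).days <= RETAINED_DAYS]
    scored = [d for d in on_report if (as_of - d).days <= SCORED_DAYS]

    # Collapse rate shopping: a run of hard inquiries that all fall within
    # SHOPPING_WINDOW_DAYS of the first one in the run counts as one inquiry.
    group_starts = []
    for d in scored:
        if not group_starts or (d - group_starts[-1]).days > SHOPPING_WINDOW_DAYS:
            group_starts.append(d)
    recent = [d for d in group_starts if (as_of - d).days <= RECENT_DAYS]

    return {
        "on_report": len(on_report),         # visible to other lenders
        "scored_groups": len(group_starts),  # distinct credit-seeking events
        "recent_groups": len(recent),        # within ~6 months, full impact
        "soft_ignored": len(soft),
    }


# Constructed sample: three mortgage quotes in July 2009, a car loan in
# March, a card in October 2008, one older inquiry, one expired, one soft.
SAMPLE_INQUIRIES = [
    (date(2009, 7, 1), "hard"), (date(2009, 7, 10), "hard"),
    (date(2009, 7, 25), "hard"), (date(2009, 3, 15), "hard"),
    (date(2008, 10, 1), "hard"), (date(2008, 5, 1), "hard"),
    (date(2007, 6, 1), "hard"), (date(2009, 7, 20), "soft"),
]
AS_OF = date(2009, 8, 1)

if __name__ == "__main__":
    print(summarize_inquiries(SAMPLE_INQUIRIES, AS_OF))
```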

2.4. Legislation

The Fair Credit Reporting Act was adopted in 1970 in response to questionable practices by various credit bureaus in the 1960s [24].
It was the first federal law regulating the use and disclosure of personal information. It was designed to ensure that consumers' private information is released only to organizations with a legal right to it, in order to prevent misuse of that information, and it also established a procedure to ensure the "maximum possible accuracy" of credit reports [25].
Before this law, individuals had no right to view the contents of their credit files or to dispute errors in them [26].

The law obliges all credit bureaus to provide consumers with the information in their credit file, the sources of that information, and a list of the requests received in the past year for a credit report on that consumer [27].

The state of Vermont was the first to pass legislation requiring the bureaus to provide consumers with a free copy of their own report annually. Other states soon followed, and in 2003 the Fair and Accurate Credit Transactions Act (FACTA) was passed, obliging the bureaus to provide annual free reports to consumers in all states.

2.5. Credit freeze

A credit freeze is a financial instrument that allows consumers to block access to their credit reports and thus prevent new credit from being issued in their name.
By enabling a freeze, the consumer prohibits the release of their credit report, after which potential lenders cannot obtain any information about them. Consumers who legitimately want to apply for a new credit card can use a preset PIN or password either to temporarily unblock their report or, in many cases, to "thaw" it for a particular lender.

Until 2003, only a few tools against identity theft were available to consumers.
The main one was the free annual credit report, which was required in many states and was later enshrined in federal law.
The most concerned consumers could also use commercial credit-monitoring services, which would notify them if a new credit card or loan account appeared in their report.
This approach worked only after the fact: consumers had to wait until someone used stolen data to open a credit card in their name before receiving a notification about it.

California was the first state whose residents received proactive protection against identity theft; it obliged the bureaus to give all state residents the ability to "freeze" their credit reports.
Most of the remaining states soon followed this example, and in 2007 the three bureaus voluntarily began offering credit freezes to all US residents.
Depending on the state, adding, suspending or removing a freeze may be free or may cost up to $15.

Consumers wishing to place, temporarily lift or cancel a freeze must contact each of the three bureaus.
Whatever fee is established by state law has to be paid three times. For example, a consumer living in California must contact Experian, Equifax and TransUnion with a written request to freeze their report, and pay each bureau.

This approach carries a significant risk for consumers who forget to apply to each of the three bureaus.
It also differs fundamentally from the "norm" that consumers are used to in their other dealings with credit agencies.
For example, a victim of identity theft can place a fraud alert on their credit report by contacting only one (any) bureau, which is legally obliged to share this information with the other two [28].
Similarly, consumers can request a copy of their credit report from all three bureaus by filling out a single secure online form at http://annualcreditreport.com.
The requirement that a consumer apply to each of the three bureaus to place a credit freeze is unintuitive and creates an unnecessary barrier for people who want to protect themselves from identity theft.

The absence of a mechanism for placing a single, simultaneous credit freeze at all three bureaus has also led to an important unintended consequence: the emergence of easily exploited loopholes through which clever consumers can actively manipulate and manage the information in their credit reports.
This flaw is discussed in more detail in section 4.3.
Figure 3: A generous introductory bonus offered by a United Airlines credit card.

Source: https://habr.com/ru/post/66962/
