Manipulation and abuse of the consumer credit reporting agencies
This paper will present a number of loopholes and exploits against the system of consumer credit in the United States that can enable a careful attacker to hugely leverage her (or someone else's) credit report for hundreds of thousands of dollars. While the techniques outlined in this paper have been used for the personal (and legal) profit of a small community of credit hackers, these same techniques could equally be used by more nefarious persons - that is, criminals willing to break the law, engage in fraud, and make off with significant sums of money. The purpose of this paper is to shed light on these exploits, to analyze them through the lens of the computer security community, and to propose a number of fixes which will significantly reduce the effectiveness of the exploits, by those with both good and ill intentions.
The paper was published in First Monday on Friday evening. With that, the secrecy surrounding this work vanished, and so Wired News was free to write about it.
This work has been under fairly tight wraps for the past few months, primarily due to my fear that the credit agencies might lawyer up and try to halt the publication if they were given prior warning. As a precautionary measure, I asked the Defcon organizers to list me as an "anonymous speaker" in the program schedule.
Now that the work is public, my hope is that the three credit agencies will carefully read my analysis of these exploits, and deploy the fixes that I suggest.