Saturday, August 01, 2009

My new paper and Defcon talk

In three hours, I will present my latest research paper at the Defcon computer hacker conference:
Manipulation and abuse of the consumer credit reporting agencies

This paper will present a number of loopholes and exploits against the system of consumer credit in the United States that can enable a careful attacker to hugely leverage her (or someone else's) credit report for hundreds of thousands of dollars. While the techniques outlined in this paper have been used for personal (and legal) profit by a small community of credit hackers, these same techniques could equally be used by more nefarious persons - that is, criminals willing to break the law, engage in fraud, and make off with significant sums of money. The purpose of this paper is to shed light on these exploits, to analyze them through the lens of the computer security community, and to propose a number of fixes which will significantly reduce the effectiveness of the exploits, by those with both good and ill intentions.

The paper was published in First Monday on Friday evening. With that, the secrecy surrounding this work vanished, and so Wired News was free to write about it.

This work has been under fairly tight wraps for the past few months, primarily due to my fear that the credit agencies might lawyer up and try to halt the publication if they were given prior warning. As a precautionary measure, I asked the Defcon organizers to list me as an "anonymous speaker" in the program schedule.

Now that the work is public, my hope is that the three credit agencies will carefully read my analysis of these exploits, and deploy the fixes that I suggest.


Kumar said...

When I read about a couple of years ago that you used this exploit to finance part of your backpacking trip, I did not think you were also going to put a twist like this to it.

Good job!

Stu Thompson said...


Keep up the good work. I've been following your blog for years now, and this latest revelation is stunning. Again.

There is a complacency within The Bureaucracy (government and corporate), an aversion to introspection, and a comfort with security-through-obscurity that will do us all great harm at some point. Other than a momentary ego blow, I really do not understand why the folks in power don't work more quickly to fix the holes you expose--instead they prosecute, harass, and condemn.

Keep it up.

Since expatriating from the US a decade ago, I've been very happy to be free and clear of the 'American Credit Industrial Complex' (or whatever we should call it). Yet the stories that come back from friends and family continuously disturb me. Some day I may very well return, and your efforts on all these many fronts make our country a better place for me and my fiancee.

Thanks a lot,

Stu Thompson

Unknown said...

I don't understand why you weren't given page 8 (the pricing info) from Verizon. The response to your FOIA indicates a hesitancy but seeming willingness to give you that information so long as the rest of the page is redacted.

"Thus, we respectfully request that you redact everything but the pricing schedule box on the bottom half of page 8 if for some reason you were to produce it notwithstanding the objections stated above."