All right, so I have 28 slides in 20 minutes, so I'm going to make this very quick. Lots of material, so let's get going. Oh, before I start, this talk doesn't represent the opinions of Berkman at Harvard, Indiana, or any other organization. I'm here by myself.

All right, so I'm going to describe who I am. I'm going to tell you a little bit about the credit system and credit agencies. I'm then going to go into some motivations as to why someone would want to manipulate the data in their credit report or someone else's. And then I'm going to finish with some interesting techniques for abuse and manipulation of the credit reports. The paper that's online now has fixes for these flaws, but there's just not enough time to cover it.

These techniques are not mine. They have been created and discovered by a thriving community of credit hackers who congregate in one or two internet forums. But these techniques are really not known outside those forums. And they're not forums that are frequented by security folks. They're finance geeks. And I think it's really interesting to analyze these techniques through the lens of the computer security community because you can really see some amazing parallels. And as I'll go into things, we'll see things like race conditions and buffer overflow attacks and these other techniques that are used commonly in the security space and just haven't been looked at or addressed in these other areas.

All right, so a little bit about me. I'm a student fellow at the Berkman Center at Harvard, PhD candidate. I do privacy and security research. You may have heard about some research a couple of years ago where I made a fake boarding pass website for Northwest Airlines that got my house raided by the FBI. The lesson from that story is always have a good lawyer. Since then, I've done a few more things in the last few months.
Just I think a month ago, 38 experts from the security and privacy community sent an open letter to Eric Schmidt, the CEO of Google, to chastise him for not turning SSL on by default for Gmail. I wrote that letter. I have, thank you for that one person, we have an open comment that we submitted to the corporate office to argue that consumers should be able to hack the DRM for music, movie, and media stores that go bankrupt and the authentication server is shut down. You may have seen in the last week or two that the content creators said that consumers do not have an expectation of being able to access their works deep into the future. We disagree with that, and so we want consumers to be able to hack their works and play them, things they've legally paid for, well into the future. And finally, I also created a tool for Firefox called TACO that opts you out of behavioral advertising. It came out three months ago and has over 100,000 users. If you're worried about your privacy online and you don't want these companies to follow you around the web, you should use it in addition to tools like NoScript and Adblock Plus and blah, blah, blah.

OK, so a quick introduction to how the credit system works. There are three main credit agencies that store information on around 90% of Americans. They get information on all your financial transactions, but mainly the ones involving loans.

All right, what does a credit reporting agency know? So every time you apply for a card, a loan, a mortgage, a student loan, and something from a medical bill, they find out about the application, and then they find out every month how much you've paid, how much you currently owe, whether you paid it on time. Information like that, if you've missed payments, if you've declared bankruptcy, all that information, they store it. So the three agencies get that information directly from the lenders and the financial institutions.
They get it directly, which means they don't synchronize the data amongst themselves, and it means that three different agencies can have three different sets of data, depending on when they get it and any mistakes that might be in the data stream. In most cases, it's done via tapes and they're sent once a month by the banks, and these can have all kinds of errors. Based on this information, they compile what are called credit reports. And from your credit report, which details all your past financial activity, you get a credit score. When you apply for a credit card, they look at the credit report and the credit score and figure out whether you're a deadbeat or not. The important thing to note is that the three credit agencies do not compare notes. And so when you manipulate data held by one agency, the other two never find out about it.

So I don't know if you can see this, but this is a screenshot from actually my report, but the numbers have been changed. But this is an example of just one card, so it tracks the account number, how much the maximum amount you've ever spent in one month, how much you've spent the most recent month, how your maximum credit line, and then you see the little stars at the bottom, and each one of those records a month in which the credit agency got data.

All right, credit inquiries are really important and the talk will be heavily focused on these things. So each time you apply for a credit card, or loan, or anything else, the act of asking for your report causes what's called a credit inquiry. These inquiries themselves show up on your report. There are two types of inquiries though. There are what are called hard inquiries, and these relate to the creation of new accounts. So when you apply for a new mortgage, or a new car loan, or a new credit card, an inquiry is added to the report. Now the lenders only request one credit report at a time.
So typically only one of the three credit agencies is contacted, and that credit agency will add an inquiry to the report held on you.

Soft inquiries are non-harmful. They're not shown to anyone but you, and they reflect things like identity checks for apartment rentals or jobs. When you request your own credit report, those are soft inquiries, and any time you have an existing account with someone, that lender will usually check up once every couple of months just to see that you haven't become a total deadbeat, and that is also considered a soft inquiry. Now the important thing to note is the soft inquiries are not shown to anyone but you, and they're in no way harmful at all.

All right, so if you get more than say four or five inquiries in a single six month period, the credit companies have basically decided that that's a negative thing. You're shopping around for credit, you've gotten four, five, six new loans, they'll cut you off and they won't give you any more credit for maybe six to 12 months. And so some of the attacks I'll describe in a few minutes look into this question of well, how do we either erase these inquiries or how do we make it so that these inquiries don't show up as fast as they otherwise would?

This is a screenshot of a hard inquiry from my report, and you can see that these are all related to credit card applications, and you'll see, as you can see, that they're all for the same date, and I'll get into that in a minute. And then these are for soft inquiries, and these are from banks that I already had accounts with, and these are harmless.

All right, so motivations. Why would you want to mess with your credit report? The techniques I'm gonna describe, they can only really be used by people with good credit, and the people who've been hanging out in these forums, most of them seem to have spectacular credit, and they've used these to actually make real money. So there are three main ways to make money that I'll go into.
The first is sign up bonuses. So many credit cards will give you money for signing up for a new card. Sometimes in the range of maybe $100 or $200 per card, which is not terribly huge, but given enough credit cards, that adds up fast. The second bonus are what I call non-cash bonuses, so these are airline miles, free rooms and hotels, that sort of stuff, and then the third and most lucrative benefit are 0% balance transfers, and these can be arbitraged, and I'll go into that in a minute to make some fairly significant profits.

So as an example, Sony will give you $100 for getting a new card. United Airlines will give you 30,000 bonus miles, which is enough for a free domestic ticket, or two of these equals one international ticket to Asia or Europe, and Citibank will give you a huge pile of money at 0% with no fees.

All right, so the balance transfer arbitrage, which is the most interesting of these attacks, you borrow a huge amount of money at 0%, you ask the bank to send you a check instead of paying off an existing loan, you put it in the bank and you get a CD or a savings account, and after one year, you pay it all back and you collect the interest. $30,000, this is real money, $100 or $200,000 as I'll get into in a few minutes, then we're talking $5,000, $10,000 a year given decent interest rates.

All right, now these techniques that I'm gonna describe are somewhat limited, or the techniques I just described are somewhat limited by the fact that you can only get four or five cards in any six or 12 month period. So that's some income, but not huge amounts. So the question is, how can we raise this limit? How can we make it so that we can get many, many more cards without any of the lenders finding out? So what I'm gonna describe now are the application of several techniques, so race conditions, buffer overflows, and then the abuse of failing open or failing closed system design, and I'll cover these one by one.
So the first thing that these credit hackers on these forums discovered was that it takes one or two days for inquiries to show up on a card or on our credit report, which means that if you simultaneously apply for 40 or 50 credit cards in a single afternoon, you can be approved for most of them, if not all of them. Now obviously there are some limits, so you can usually only apply for one or two cards per lending institution. So you can't apply for 10 credit cards from Citibank, for example, but there are enough banks out there that you can apply for huge numbers of cards. Now in the case of a balance transfer, they'll send you the check within five or 10 days of the card, and then you wait another five or 10 days for the check to clear, which means by the time that that information about that account has been sent to the banks, to the other lenders, that money can be long gone. Now in the case of the people I'm discussing in this paper, most of them are law abiding, so they're putting the money in the bank, they're not running off with it. But if these attacks were used by an evildoer, you could very well see that this money would be out of the country before the banks had even heard about this.

So on these forums, reports of two or $300,000 in zero percent balance transfers are extremely common. These hackers report getting 30 or 40 or 50 cards in a single day, very successful. For a year or so, your credit report is completely shot. No one will give you any new credit, which in many ways is actually a great way to protect yourself from identity theft, right? So once your credit is maxed out, it's not worth stealing anymore.

Okay, so the second technique that I think is really interesting is what they call bumpage.
So two of the three credit bureaus, the TransUnion and Equifax, store both the soft, which are the non-harmful credit inquiries and the hard, the harmful credit inquiries in the same FIFO style buffer, which means that if you request your own credit report once a day for 60 days, you can push out all of the old negative inquiries. Now these can be done via free or maybe $9.99 a month credit monitoring services. My paper goes into more depth. There are a few techniques you have to avoid, so doing it more than once a day can actually cause your report to be split into multiple segments. It's complex, but it's really bad. But once a day seems to be fine. One of the credit agencies has discovered that this is happening and is manually adding the old inquiries back onto reports, but people report that you can still flush them out again and remove them. So it's a game of cat and mouse of one side deleting the inquiries and the credit agencies adding them back on again.

All right, in the third attack, which I think this one is pretty cute too. So a few years ago, states started passing laws requiring what are called credit freezes. And after one state after another passed them, eventually the credit agencies decided to apply these across the board. So you as a consumer can contact the credit agency and ask them to lock your report. You give them a PIN number or a password and it ensures that no one else can access your report for that time. If you want to apply for a new loan, you have to call up the credit agency, give them your password or PIN number, and either they will open up your report for that specific lender or open it up for a 24 hour period. They usually charge between five or $10 a go for this. And when this legislation was being proposed, the credit agencies pushed back really hard. They didn't want to have a simultaneous credit freeze.
So there's something else called a credit alert, which is you've been a victim of credit fraud and you can create a credit alert and three agencies are required to simultaneously give that information to their competitors. So you do one credit alert and everyone gets it. Where the credit freeze, they didn't want to do that. And so what you can do, you can abuse this technique to basically control which credit agencies the banks can have access to. You have control over the three reports. If one of the reports happens to have far more bad information on it than another, you simply freeze that report and the other two are left open. And so as I said before, because the banks only request your report from one of the three agencies, it's quite possible to have really bad information on one. And as I described in the previous attack, with two of the three lenders, people have been able to successfully remove negative information from those reports. So what you can do essentially is freeze a bad report and then apply for cards. And many of the financial institutions when encountering a frozen report, rather than turning a customer away, what they do instead is just contact another credit agency to get the report. So rather than failing closed, they're failing open, right? This is a really, really simple technique and the best part about this technique I think is the fact that there's no downside. If the bank refuses to contact that alternative credit agency, no trace is left on your report. So it's a beautiful technique.

All right, so these techniques right now have been used heavily by those in online financial forums, like FatWallet and a few others, but they haven't really been used by the credit hackers or by the identity thieves. And I think that now that these techniques are gonna get a little bit more attention, they could very easily be used by identity thieves. It's sort of strange, right?
But now that the interest rates have dropped to one and a half or two percent, the actual legitimate profits that you can get from the arbitrage schemes are fairly low now. So you're looking at like $4,000 profit for borrowing $200,000 at zero percent, which for many people who are gonna invest the time and risk, and that means there's a little bit of risk, but for the people, maybe this isn't a good payoff. But for an identity thief who's not actually gonna pay the money back after one year, the lowering of the interest rates actually has zero impact on them. And if anything, maybe the banks have more money to lend the identity thieves now that the credit hackers aren't using these techniques as much.

So I have some fixes that I outline in my paper. They're not rocket science. I mean, these are techniques, these are flaws that we've seen again and again in the security community and the solutions are things like separate the hard inquiries from the soft inquiries, that these are not rocket science.

So more information. The paper was published in First Monday, which is an online journal, a peer-reviewed journal. It was published yesterday. It's firstmonday.org. You can get the full paper there with more information. These two forums are a wealth of information. CreditBoards and FatWallet. One thing, the techniques that I've described, they're not so easy as they sound. And there have been people on these forums who've sort of tried to do it, but haven't done the required homework and have completely destroyed their credit reports in the process. So I'm not recommending that you try this out. And in a sort of strange way, the identity thieves have again a leg up here, right? So they can experiment with other people's credit reports and when they screw up, whatever, it's someone else's report. Anyway, that's it.
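
Added example, not part of the talk or the paper: a small Python model of the fix named above, separating the hard inquiries from the soft inquiries, set beside the shared FIFO design the talk describes. The buffer capacity, the retention period, and all class, function and lender names are assumptions for illustration; the talk does not give the bureaus' real values.

```python
from collections import deque

CAPACITY = 10          # assumed slot count; the real buffer size is not given
RETENTION_DAYS = 730   # assumed retention for hard inquiries


class SharedInquiryLog:
    """Design described in the talk: hard and soft inquiries share one FIFO."""

    def __init__(self, capacity=CAPACITY):
        self._buf = deque(maxlen=capacity)  # oldest entry is evicted when full

    def record(self, kind, source, day):
        self._buf.append((kind, source, day))

    def hard_inquiries(self, today):
        return [src for kind, src, _ in self._buf if kind == "hard"]


class SeparatedInquiryLog:
    """Fix: soft inquiries get their own bounded buffer; hard inquiries
    leave the report only when they pass the retention period."""

    def __init__(self, capacity=CAPACITY, retention_days=RETENTION_DAYS):
        self._soft = deque(maxlen=capacity)
        self._hard = []
        self._retention = retention_days

    def record(self, kind, source, day):
        if kind == "hard":
            self._hard.append((source, day))
        else:
            self._soft.append((source, day))  # can only evict other soft entries

    def hard_inquiries(self, today):
        return [s for s, d in self._hard if today - d <= self._retention]


def simulate(log, hard_count=5, self_checks=60):
    """Constructed scenario: hard inquiries on day 0, then one consumer
    self-check (a soft inquiry) per day. Returns the hard inquiries a
    lender would still see on the last day."""
    for i in range(hard_count):
        log.record("hard", f"lender-{i}", day=0)
    for day in range(1, self_checks + 1):
        log.record("soft", "consumer-self-check", day=day)
    return log.hard_inquiries(today=self_checks)


if __name__ == "__main__":
    print("shared FIFO :", simulate(SharedInquiryLog()))
    print("separated   :", simulate(SeparatedInquiryLog()))
```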