Manipulation and abuse of the consumer credit reporting agencies
First Monday




Abstract
This paper will present a number of loopholes and exploits against the system of consumer credit in the United States that can enable a careful attacker to hugely leverage her (or someone else’s) credit report for hundreds of thousands of dollars. While the techniques outlined in this paper have been used for personal (and legal) profit by a small community of credit hackers, these same techniques could equally be used by more nefarious persons — that is, criminals willing to break the law, engage in fraud, and make off with significant sums of money. The purpose of this paper is to shed light on these exploits, to analyze them through the lens of the computer security community and to propose a number of fixes which will significantly reduce the effectiveness of the exploits, by both those with good and ill intentions.

Contents

1. Introduction
2. The consumer credit system in the United States
3. How to profit from the credit system
4. Credit vulnerabilities and exploits
5. Suggested fixes
6. Conclusion

 


 

1. Introduction

The economy of the United States is in many ways dependent upon the availability of detailed consumer credit information [1]. Because of this system, a new customer can walk into an auto dealership with whom she has no prior business relationship, write a check, and drive away in a new US$50,000 vehicle [2]. In other countries without a system of credit reporting agencies and centralized loan payment history, she would need to either pay in cash or obtain a letter of reference from her bank which would vouch for her identity and her ability to pay for the vehicle.

Three private corporations, known as consumer reporting agencies (CRAs), compile and distribute detailed information on the payment history and credit worthiness of millions of Americans [3]. Financial firms that lend money to consumers (via products that include credit cards, mortgages and student loans) provide most of the underlying data to the CRAs. The information that they provide can be either positive or negative, most commonly in the form of payment history [4].

These CRAs act as a social accountability mechanism [5] or reputation system [6], through which a lender can reasonably estimate a potential customer’s credit risk without any prior interaction. Based on the information in a credit report, a lender might raise or lower the interest rate on a loan, require a significant down payment, or perhaps even refuse to do business with that customer.

The computer security literature is rich with examples of attacks against reputation systems [7]. In these scenarios, hackers typically attempt to falsify the information held by those systems, in order to deceive, and in some cases attack, a third party.

This paper outlines a number of vulnerabilities that have been repeatedly exploited in order to permit savvy individuals to manipulate and modify the information contained in their own credit reports. By being able to control their own financial reputations, these credit hackers [8] can then gain access to and tap significantly higher credit lines from lenders than they would normally be able to obtain.

These techniques are not true “hacks” or “exploits” in so far as they do not require unauthorized access to a computer–based system. Furthermore, in many cases, the attacker does not even interact with the CRAs directly, although the goal is still to manipulate the credit report data that they store. Since these attacks do not depend on the use of deception, it would be incorrect to describe them as social engineering [9]. These methods instead exploit process flaws within the rigid and formalized communication protocols used between the lenders and CRAs.

We will analyze these vulnerabilities and the techniques for their exploitation through the lens of the computer security community. Many of the exploits are textbook examples of known computer science problems, such as race conditions, atomic data access, and queue overflows [10], which have been extensively analyzed in the literature and likewise abused by hackers. It is through the cross–disciplinary application of knowledge from the fields of computer security, finance and the law that we are able to effectively analyze these vulnerabilities and propose appropriate solutions.

Finally, while we would have ideally tested and made use of these techniques ourselves, due to the possible legal risks associated with the exploitation and subsequent documentation of such abuse, we must instead rely upon the extensive first–hand accounts posted to Internet forums by large numbers of credit hackers who first discovered and continue to actively make use of these exploits [11].

In section 2 we will provide an introduction to the consumer credit system in the United States. In section 3 we will present a series of profit–making techniques through which someone can leverage their own credit report to make modest sums of money. In section 4 we will present a number of loopholes and attacks that can be used to significantly increase the amount of money that an individual can make through the earlier described techniques. Finally, in section 5, we will propose several ways to close these loopholes.

 

++++++++++

2. The consumer credit system in the United States

The availability of centralized, detailed reports on the borrowing and payment behavior of individual consumers has fundamentally changed the economy of the United States, and the ease with which consumers can gain access to new lines of credit [12].

Three private credit reporting agencies (CRAs) — Experian, Equifax and Transunion — collect detailed information on the payment and loan history of individual consumers [13]. This information is then used by lenders to evaluate the credit worthiness of those individuals, both for existing relationships and for new ones.

The CRAs have a file containing information on every credit–using individual in the United States. Over two billion items of information are added to these files every month, and over three million credit reports are issued every day [14].

The CRAs’ primary role is to provide detailed credit history information to financial institutions — this includes those with which consumers already do business, those with which consumers are in the process of establishing business relations, as well as companies who do not yet have a relationship with particular consumers, but are interested in the possibility of starting one.

2.1. Applying for a line of credit

When a consumer establishes a relationship with a financial lending institution, a line of credit is opened. This can be for a credit card, an auto loan, a mortgage, a home equity line of credit (HELOC), a college loan, or one of many other financial products. However, before this line of credit is approved, the institution will typically consult one (or occasionally more) of the consumer CRAs in order to obtain a copy of that individual’s credit report and credit score. Using that information, the lender can determine the credit worthiness of the consumer and evaluate the potential risk associated with the loan.

While there is some variability in the selection of a particular CRA by the big banks based on the geographic location of customers, most lenders tend to use the same CRAs when they request a consumer’s report. That is, while applications to the same bank from two different customers living in different states may result in requests to two different CRAs, applications from consumers in the same state to the same bank are likely to result in requests to a single CRA.

Once the relationship has begun, the institution will regularly furnish information on the customer’s balance and payment activity to all three CRAs [15]. This information includes the customer’s current address, the total credit line, the balance on the most recent statement, the date and amount of the most recent payment, as well as any updated past payment information if it had been found to be incorrect and fixed.

 

Figure 1: A partial list of open credit lines from a consumer credit report (account numbers changed).

 

2.2. The credit report

The CRAs have a file containing information on every credit–using individual in the United States, estimated to be over 90 percent of American adults [16]. The CRAs each maintain their own records, using information transmitted directly to them by the individual banks, financial firms, governmental entities and collection agencies [17].

Credit account records make up the majority of a consumer’s report, and contain a wide range of details about each account. This information includes the date that an account was established; the type of account, such as revolving, installment, or mortgage; the current balance owed; the highest balance owed; credit limits if applicable; and payment performance information, such as the extent to which payments are or have been in arrears for accounts in default [18].

Because the CRAs each independently obtain information on consumers and do not synchronize data, it is quite possible for an individual consumer to have different information listed in the credit files maintained by each of the three CRAs. As a result, credit reports often contain information that is invalid and potentially harmful to the consumer — for example, leading to higher interest rates, or the denial of new credit. A survey by the U.S. Public Interest Research Group (PIRG) found that 25 percent of reports contained serious errors that could result in the denial of credit, over 50 percent contained misspelled or otherwise incorrect information, and over 20 percent of the reports listed the same mortgage or loan twice [19].

 

Figure 2: A detailed view of a particular credit line on a consumer credit report, including historical payment information — in this case, perfect payment history.

 

Under current law, all firms who supply credit and debt information to the CRAs have no obligation to supply it in a timely manner, in a certain format, with consistency, in full, or even to report at all [20]. The only duty they have is to not submit information on consumers known to be inaccurate or for which there is a “reasonable cause” to believe it is inaccurate [21].

2.3. Credit inquiries

A consumer’s credit report contains vast amounts of information, including her past payment history and overall debt. In addition to tracking this valuable information, the CRAs also keep track of the number of firms that have asked to see the consumer’s credit report. These credit information requests, otherwise known as inquiries, provide a valuable glimpse into the behavior of consumers.

Whenever a CRA is contacted for a copy of a consumer’s credit report, that request is noted as an inquiry in the credit file maintained by only that CRA. These inquiries fall into two different categories: hard and soft.

A hard inquiry is generally the result of a consumer’s request for new credit from a bank, credit card company, or lender. In particular, a request is considered to be hard if the information requested from the CRA is being used to make a new lending decision. Creditors that obtain a copy of a consumer’s credit report can see a list of which other firms have requested a copy of the report in the previous two years. Hard inquiries are incorporated into most credit–scoring schemes because consumers shopping for additional credit are deemed to be more risky than those who are not [22].

In years past, each individual inquiry was considered an attempt by a consumer to obtain additional credit. Consumer habits have changed, and many now “shop around” for the best rate by consulting a number of potential lenders for a single loan. Responding to this change in consumer behavior, credit scoring models have changed to consider multiple inquiries made within 15 or 30 days of each other as just one for risk assessment purposes [23]. Even with this change, large numbers of inquiries (spaced more than 15–30 days apart) are considered to be a strong indicator of risky behavior by lenders. Consumers with more than a handful of hard inquiries within any six–month period on their credit report thus risk being denied new credit.

After six months, the damage done by these hard inquiries lessens, and after 12 months, the inquiries are not considered at all. Finally, after two years, the old inquiries are removed from a consumer’s credit report.

A soft inquiry is one made by a creditor who may already have a relationship with the consumer. These inquiries are used for account management purposes, such as for periodic account reviews by existing lenders and are not listed in the credit report that is shared with other creditors. This category of requests also includes non–lending requests, such as background checks by employers and landlords, as well as requests by a consumer for her own report (either the once–per–year free report, or via a more frequent pay service). Soft inquiries are not factored into credit–scoring schemes.

2.4. The law

The Fair Credit Reporting Act (FCRA) was enacted in 1970 in response to questionable practices employed by credit reporting agencies in the 1960s [24]. It was the first federal law to regulate the use and disclosure of personal information and was enacted to limit access to private consumer information to those with legitimate needs for it, to prevent its misuse, and to maintain procedures to ensure “maximum possible accuracy” of consumer reports [25]. Prior to the passage of the FCRA, individuals had no right to view their credit files or the ability to contest mistakes in their credit records [26].

The FCRA requires that all credit agencies disclose to a consumer the information contained in a given consumer’s file, the sources from which the information was procured, and a record of all inquiries made for the consumer’s report during the preceding year [27].

The state of Vermont was the first to pass legislation requiring the CRAs to provide consumers with a free annual copy of their report. Other states soon followed, and in 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACTA), which forced the CRAs to provide free annual reports to consumers in all states.

2.5. Credit freezes

Credit freezes are a financial tool that enables consumers to lock their credit reports so that no new credit lines can be opened in their name. By placing a freeze, consumers are able to lock their own report, after which potential creditors are unable to access any information on that consumer. Those consumers wishing to legitimately apply for a new credit card can then use a pre–defined PIN or password to either temporarily unlock their report for a period of time, or in many cases, “thaw” it for a particular creditor.

Up until 2003, there were few proactive identity theft protection tools available to consumers. The main tool was the free annual credit report required by various states, and later, federal law. Consumers who were particularly worried could also subscribe to commercial credit monitoring services, which would inform them whenever a new credit card account or loan appeared on their report. This approach was purely reactive — consumers had to wait until an identity thief opened a credit card in their name before they would be notified.

California was the first state to provide its residents with proactive identity theft protection by passing legislation that forced the CRAs to permit all of the state’s residents to “freeze” their own credit report. Most other states soon followed, and then in 2007, the three CRAs voluntarily made credit freezes available to all United States residents. The fees for adding, suspending and removing a freeze vary by state: free in some, and up to US$15 in others.

Consumers must contact each of the three CRAs when they wish to place, temporarily remove, or cancel a freeze on their report. Whatever fee is permitted by state law must also be paid three times. Thus, a California consumer must contact Experian, Equifax and Transunion in writing to freeze her report, and pay a fee to each CRA.

This approach creates a significant risk for consumers, who might forget to contact all three CRAs. The approach also differs sharply from the “norm” that consumers may have come to expect from other interactions with the credit agencies. For example, a victim of identity theft can place a fraud alert on her credit report by contacting any one of the three CRAs, which is then legally obligated to communicate that information to the other two [28]. Similarly, consumers can request a copy of their credit report from all three CRAs by filling out a single and secure online form at http://annualcreditreport.com. The requirement that a consumer contact all three CRAs to place a credit freeze is non–intuitive and creates a needless barrier to individuals who wish to protect themselves from identity theft.

This lack of a single, simultaneous credit freeze across all three agencies has also resulted in a significant unintended consequence: the creation of an easily abusable loophole, through which savvy consumers can actively manipulate and control the information contained in their credit reports. This flaw will be explored at greater length in section 4.3.

 

Figure 3: A generous sign–up bonus offered for a United Airlines co–branded credit card.

 

 

++++++++++

3. How to profit from the credit system

The primary purpose of this paper is to detail some of the more interesting and abusable flaws in the consumer credit reporting system. However, before we can dive into that material, we must first present a reasonable motive for this information manipulation. That is, why would a consumer go to the great lengths required to modify the information contained in her own or another individual’s report?

For those engaging in fraud, the answer is fairly simple. The more credit cards an identity thief can apply for, be approved for, and then tap, the greater her financial gain. However, the profit motive for lawful persons is far less obvious.

In this section, we will present several ways in which an honest person can make a modest amount of profit, primarily through the use of promotional credit card offers. In section 4 we will explore several techniques that can then be used to significantly multiply these modest gains into sums that may shock the reader.

3.1. Sign–up bonuses

The first, and most basic financial reward to a credit applicant comes from credit card sign–up bonuses. In an effort to differentiate their own products in the highly competitive market for consumer credit cards, many banks offer would–be customers a reward for applying for and using a new credit card. The most common of these bonuses are one–time payments, typically issued in the form of a statement credit. These cash bonuses are rather simple, and do not require much in the way of explanation. The more of these cards a consumer applies and is approved for, the more bonuses she can collect. At US$100–150 per credit card, these rewards can soon add up.

A more complex form of bonus is specific to co–branded credit cards — a product in which a bank partners with an airline or hotel to provide frequent flier miles or points to reward spending. These cards are often a bank’s most profitable, in some cases yielding twice as much profit as a bank–branded card. This is due to the fact that holders of frequent flier cards tend to earn and spend much more than the average cardholder [29]. In order to entice these profitable customers into applying for new co–branded cards, banks often offer large numbers of frequent flier miles or hotel points to new applicants [30]. Typical card application rewards fall in the 20,000–30,000 mile range, which is often enough for a free domestic ticket in economy class, and half of the number of points necessary for a free ticket to Europe or Asia. Even if a consumer doesn’t plan to spend the tens of thousands of dollars on a card required to earn a free ticket (at one mile per dollar), it is possible to earn several airplane tickets’ worth of frequent flier miles through credit card applications.

 

Figure 4: Some credit cards offer customers cash bonuses on the customer’s first statement as a reward for applying.

 

Many of these bonuses, both direct cash rewards and frequent flier miles, can be earned repeatedly through a process which the financial hackers have dubbed “churning” [31]. While not possible at all banks, many credit card issuers will permit a customer to apply for, be approved, and get a particular sign–up bonus more than once. Thus, a customer who applies and is approved for the same United Airlines credit card twice, separated by a several month gap, can earn enough miles for a free ticket to Europe. For customers who churn applications, the effective limit on the number of free miles (and thus airplane tickets) that can be earned is completely dependent upon the frequency with which a customer can successfully be approved for new cards. As later sections of this paper will outline, this is something that can be easily manipulated.

3.2. Balance transfers

While the sign–up bonuses bring the credit hacker some financial reward, the real payoff comes via a more complicated scheme — balance transfers.

Many credit card companies offer balance transfers to new customers. These payments are intended to allow a customer to pay off existing loans — for example, to other credit cards, banks and debtors. In order to incentivize customers to transfer all their debt to them, and to attract customers not motivated by sign–up rewards, many firms offer extremely low “teaser” balance transfer rates, often at 0 percent for periods up to twelve or eighteen months.

An individual who applies for a credit card from a bank offering one of these balance transfer promotions can pay off all of her other debts, transfer the debt to the new creditor, and then not have to pay any interest on the debt for one year. All that she must do is to make the minimum payment (often just one percent of the total amount owed) each month.

 

Figure 5: Many credit cards offer customers attractive, low rate balance transfers.

 

The banks are not charities — and thus, while the promotional balance transfer rates are attractive, consumers who make use of them risk running afoul of a number of carefully placed traps and pitfalls. A mistake by an unwitting consumer can trigger a rapid barrage of fees and interest rate hikes, through which the creditor hopes to make back the money it has lost by offering the low rate. For example, if a customer forgets to pay the minimum payment due on her card each month, the bank can immediately raise the rate from 0 percent to a more profitable 20 or 30 percent. Furthermore, due to an obscure rule known as “universal default,” many banks will raise a customer’s interest rate if she is late paying another card from a different bank [32]. That is, a customer might consistently pay her monthly bill to Citibank on time, but if she makes a late payment on her debt at Chase, that information will be communicated to all of her other creditors, who are contractually permitted to immediately raise their interest rates.

Finally, while banks willingly offer balance transfers for a generous one–year period, they do not provide their customers with any prior notice as the expiration date of their promotional rate approaches. Thus, a customer who merely reads and pays each credit card bill as it arrives can find that on the 13th month she suddenly owes hundreds of dollars in interest.

As these examples demonstrate, teaser balance transfer rates often come with many potential risks. A savvy individual who can carefully manage her finances can save significant sums of money by making use of 0 percent promotional rates, while less careful consumers are far more likely to stumble into one of the banks’ many fee traps.

3.2.1. Balance transfer arbitrage

By offering the teaser balance transfer rates, banks are attempting to attract individuals who already owe money. However, credit hackers without debt have found a way to use such promotions to make a real profit.

Instead of using the balance transfer offers to refinance existing debts, these individuals have taken the credit card companies’ money, and invested it. That is, rather than paying off an existing debt, credit hackers have borrowed large sums of money at 0 percent and invested it in high–yield savings accounts and certificates of deposit. After one year, they pay back the total balance owed, and keep the interest earned as profit.

A US$30,000 balance transfer (an amount that is not unreasonable for someone with good credit) can yield US$1500 in profit after one year, if invested in a savings account paying five percent. This most basic form of credit card arbitrage has been briefly mentioned in some media reports and even the economic literature [33]. However, as far as we are aware, no one has yet described these techniques in depth, nor have the more interesting and abusable aspects been documented. As this paper will show in later sections, larger profits can be earned when an individual can open and tap 20 or 30 credit cards, rather than one or two.

3.2.2. Tapping the funds

While the process of applying for a credit card and subsequent balance transfer is fairly straightforward, the act of tapping that credit line can be somewhat more difficult. Many conservative banks are unwilling to deliver a check for US$20,000 made out to a customer. Individuals wishing to invest funds borrowed from these banks must first withdraw them through a more permissive institution.

Some banks will send a customer a check for the full balance transfer, or transfer a 0 percent balance directly into her bank account. Other more risk–averse lenders will only allow balance transfer funds to be used to pay off existing debts to other financial institutions. A number of techniques have been discovered, some of which are presented here, which individuals can use to move balance transfer funds from more restrictive lenders into their own bank accounts [34].

Existing cards. While some banks will offer a customer a single balance transfer at 0 percent, others will offer endless balance transfers, as long as the total sum borrowed is less than the customer’s maximum credit line. If the customer is able to get a balance transfer from one such firm that offers both repeated 0 percent balance transfers, as well as direct payment to the individual via check or direct deposit, that account can be used to withdraw external funds. For example, a customer can borrow the maximum amount of funds from such a credit card (Bank A), and then borrow a slightly lower amount of funds from a more restrictive card (Bank B), which is asked to transfer the funds to pay off the customer’s debt with Bank A. Once these funds clear, the customer can re–transfer the recently paid off debt at Bank A to her bank account, and start the process again.

Paying a positive credit card balance. In another scenario, a customer may have a financial relationship with an institution that, while not willing to extend a balance transfer, is willing to send the customer a check in the mail when a positive balance is on the account. An example of this could ordinarily be if the customer accidentally pays her bill twice, or, perhaps, if she purchases a big ticket item, pays the credit card bill, and then returns that item to the store for a full refund.

In this scenario, a customer asks a balance transferring institution to pay off a non–existent debt at an existing account with an overpayment–friendly bank. The balance transfer will result in a massive positive balance (of several thousand dollars), which the customer can then request be paid to her via a check.

This technique is fairly risky: as many individuals have reported, some firms may consider this activity to be a sign of money laundering [35]. This technique can result in frozen funds, or the return of the balance transfer, due to the simple fact that most credit cards do not consider a positive balance of ten or twenty thousand dollars to be normal. Even if this does not result in frozen funds, it is certainly an activity that will draw attention to the individual, and is thus generally warned against by those learned in the arbitrage of balance transfer funds.

Positive payment to ATM cards. While credit card companies are not used to seeing large positive balances on accounts, banks are used to seeing them in checking accounts. Furthermore, in the past few years, most banks have issued VISA/Mastercard–branded debit cards, which give customers the ability to make purchases from their checking accounts via existing credit card networks. As a result, most individuals’ checking accounts now have an associated debit card, with a VISA or Mastercard number.

Some credit hackers have figured out that they can ask many balance transferring institutions to issue checks to their personal bank, listing their ATM debit card number as the account number. This technique relies on the fact that the balance transferring institution cannot easily differentiate between a credit card and debit card via the account number alone. In many cases, this kind of transaction will result in the deposit of balance transfer funds directly into the checking account of the customer. This technique is far less likely to set off fraud alerts than the previously described method because checking accounts, unlike credit cards, are designed to carry positive balances of several thousand dollars.

 

++++++++++

4. Credit vulnerabilities and exploits

As discussed in the previous section, by leveraging credit card sign–up bonuses and the arbitrage of balance transfers, it is possible to achieve some profit through credit cards. However, due to the conservative behavior of banks, which refuse to give credit cards to customers who have recently applied for more than a handful of cards, the number of new cards (and thus total profit) that can be gained is fairly limited.

This section will present a number of exploits that have been discovered, used, and abused by hundreds of savvy financial hackers to apply and be approved for large numbers of credit cards and thus, achieve significantly higher profits.

The first financial exploit enables an individual to apply and be approved for far more credit cards than she would under normal circumstances. The later exploit techniques allow an individual to rapidly “clean up” her credit report so that she can begin another round of successful credit applications without having to wait the months or years that it would otherwise take for her report to naturally recover from the earlier inflicted damage.

4.1. Exploiting the credit granting/reporting gap

As section 2.3 explained at length, under normal circumstances, it is impossible to open more than a handful of new credit lines in any single six–month period. Each credit card application results in the insertion of a new hard inquiry onto an individual’s credit report. Once a consumer’s credit report lists more than a few of these negative inquiries, most lenders will refuse to extend new credit. However, as the credit hackers have discovered, by timing the applications carefully, this limit can be circumvented.

The root of the problem lies with the fact that it can often take several days for an inquiry to appear on a consumer’s credit report. If a consumer submits a large number of credit card applications within a short period of time (hours, not days), it is often possible for each application to be approved before the first inquiry has shown up on the individual’s report. Thus, a consumer can apply for ten or twenty new credit accounts without any one lender knowing about the others [36].

Within 30–60 days of the opening of a new account, lenders will typically provide information to all three CRAs, and continue to do so regularly after that. Thus, a lender that chooses to later perform a “soft pull” of that consumer’s credit report will likely notice the flood of new accounts. However, in situations where a customer asks for a large balance transfer immediately after being approved for a new account, this information will come too late.

A similar vulnerability has been documented in the mortgage industry [37]. In such situations, criminals have applied for, been approved for, and tapped mortgages from multiple banks for a single property. This method of fraud depends upon the fact that multiple inquiries within a 15–30 day period are often counted as a single one for the purposes of damage to a credit score. That allowance exists because consumers are likely to shop around for mortgage rates, and each lender needs to see a copy of the applicant’s credit report before disclosing an interest rate. The situation is far different for credit card companies. Five successful mortgage applications will typically still result in an honest consumer choosing just one of those firms, whereas five successful credit card applications will result in five new credit card accounts. The difference between the two scenarios lies in the fact that consumers are able to accept or decline a mortgage based on the terms offered, whereas a credit card will always be issued upon receipt of a good application.

This vulnerability can be accurately described as a race condition, a problem that is very well understood in the computer security community. Essentially, two or more actors are reading the same piece of critical information without any ability to synchronize their requests, and each acts on a snapshot that the others’ actions have already invalidated: a time–of–check to time–of–use problem. The literature contains numerous examples of cunning attacks that take advantage of such a situation.

Due to the fact that all of the banks rely upon this single, slowly updated piece of information, financial hackers have been able to apply and be approved for many more cards and far higher credit lines than they would otherwise have been able to legitimately obtain under normal circumstances.

4.1.1. Outline of an attack

For illustrative purposes, we will now describe a hypothetical scenario in which a consumer makes use of the credit reporting gap in order to apply for a large number of credit cards, and later use these to perform balance transfer arbitrage.

An individual will first obtain a copy of her own credit report from all three CRAs. This can be done directly via the CRAs once a year for free, but will more likely be performed through a commercial service that offers daily updates and automated alerts for credit activity.

She will verify that her reports do not list any missed payments, accounts in poor standing or any existing debts. Furthermore, she will also verify that none of the reports list a hard inquiry by a creditor in the preceding six months. Finally, she will make sure that her reports do not list any accounts that list an opening date within the previous six to twelve months. If she finds anything on her report that is problematic, she will need to go through the process of cleaning it up (outlined later in the paper). For now, we assume that her report is clean.

The individual will then prepare a hit list of Web sites to online credit applications and telephone numbers for agent–assisted applications — she will likely focus her efforts on cards that offer sign–up bonuses and no–fee 0 percent balance transfers. Such Web site addresses and offer codes can be found on several finance forum Web sites, often by other users who have followed the same process and documented their efforts.

Before going through with the process, she will prune her list to make sure that she does not apply to more than one or two cards per issuing institution, since such same–bank applications are easily detectable, even with the delay in inquiry reporting.

With the hit list at the ready, she will systematically apply to each credit card on her list. Within the next few weeks, accepted cards will begin to arrive in the mail, and along with them, several large 0 percent balance transfer checks [38].

4.2. Why user–generated and trusted data should not be mixed

Recall that in section 2.3 we explained the difference between the two forms of credit report inquiry, which we categorized as either hard or soft. Remember that while hard inquiries are accessible to anyone who requests that person’s credit file, soft requests are not. This latter category of inquiries, while listed on the report, are only shown to the consumer, and never to potential creditors. Also remember that each time a consumer requests a copy of her own credit report from one of the three CRAs, a soft inquiry is generated with that particular CRA. This form of inquiry is of course harmless.

Furthermore, as we explained in section 2.4, CRAs are legally required to provide consumers who ask with one free report per year. However, all three CRAs provide more frequent access to consumers via fee–based services. By paying for one of many third party services, a consumer can request her own credit report and score from each of the three CRAs, often as frequently as once per day. An individual using one of these services thus generates one new soft inquiry on her own report, for each of the three CRAs, every day.

Through experimentation, credit hackers have discovered that two of the CRAs — Transunion and Equifax — store both soft and hard inquiries in a single, first–in first–out (FIFO) style database of limited length. Each time a new inquiry is reported to one of these two CRAs, an entry is appended to the end of the shared inquiry database. Once this database fills up, the oldest credit inquiry is discarded.

While the inquiry databases were designed to hold more inquiries than could ever reasonably be generated through legitimate business requests, they were not designed to cope with new daily soft inquiries generated by the consumer.

Thus, by requesting their own credit report each day for several months, a large group of credit hackers have been able to systematically scrub their own credit reports of negative hard inquiries, simply by filling the CRA’s databases with consumer–generated soft inquiries [39]. Reports on the size of the databases vary, but it seems to take between two and four months of daily soft inquiries to completely erase all of the older negative inquiries.

In 2007, a number of individuals started to report that Transunion and some of the third–party credit report monitoring companies were taking action. Individuals were blacklisted from the commercial monitoring companies, for “access patterns which indicate potential fraud or a deliberate intent to tamper with the credit scoring system” [40]. Later in 2008, some credit hackers reported that Transunion appeared to be conducting audits, discovering the old “bumped” credit inquiries, and manually adding them back to consumers’ reports [41]. However, large numbers of individuals have since reported that they are still able to re–bump these newly restored inquiries from their reports, using the same FIFO database overflow techniques as before. Until Transunion deploys a comprehensive fix to the problem (such as by segregating the soft and hard inquiries into different databases), this game of cat and mouse will likely continue.

There are no reports indicating that Equifax has taken any steps to stop the abuse of this flaw, and many users continue to report success at bumping inquiries from their Equifax credit file [42].

When we consider the ease of removing inquiries from certain CRAs, it becomes clear that some credit card applications are “cheaper” than others. A bank which will request a consumer’s credit report from either Transunion or Equifax is far more attractive to the seasoned credit hacker than one which requests a report from Experian, simply due to the fact that this latter form of inquiry will be almost impossible to remove. It is this significant cost associated with an Experian inquiry that motivates the next exploit.

4.3. Selective credit freezes

There are often situations in which a consumer may wish to control which CRA a potential lender contacts for their credit report. As an example, Experian credit inquiries are far more burdensome for individuals, due to the fact that they cannot be easily removed. Likewise, it is quite possible for one CRA to list negative information not held by the other two CRAs, perhaps because the consumer was able to effectively dispute it with them.

Credit hackers have discovered that it is possible to completely deny potential creditors the ability to view or add items to files maintained by any one CRA. This technique makes use of the free credit reports offered by the CRAs to consumers and the fact that individuals can selectively freeze individual CRAs, rather than only being able to place a single, simultaneous freeze across all three CRAs.

When a potential creditor encounters a problem while attempting to access an individual’s credit report, the creditor can either fail open or fail closed [43]. If the first CRA the creditor contacts reports that the consumer’s report is locked, the creditor can either request the consumer’s report from an alternate CRA, or refuse the individual’s credit request until she contacts the CRA to unlock her report. The former approach can be thought of as failing open (protecting the ability of the lender to continue making loans), while the latter approach can be thought of as failing closed (protecting the lender from potentially bad customers).

Financial hackers report varied amounts of success with this technique, and the approach seems to differ significantly by lender [44]. However, it does appear that many banks permit their staff to use a credit report from an alternate CRA in the event that a frozen report is encountered.

While this technique has primarily been used to avoid the creation of new inquiries on Experian reports [45], it has alternate uses. If a consumer finds that one particular CRA seems to have received an inordinate percentage of the credit inquiries from a recent round of credit card applications, she may opt to freeze her file in order to prevent future potential lenders from accessing the damaging information which the CRA would otherwise reveal.

This technique is extremely flexible, and comes with almost zero risk. For example, if a consumer freezes two of her reports, and the bank refuses to contact the third CRA, there will be no paper trail left of the failed application. This is because a potential lender cannot submit new inquiries to a frozen report.
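The lender–side fallback decision described above, as an added example that is not code from the paper: a constructed consumer with two frozen files and a constructed lender whose CRA preference order and policy (fail open or fail closed) are assumptions chosen for illustration. It shows both outcomes the section describes: under a fail–open policy the consumer steers the inquiry onto the one unfrozen CRA, and under a fail–closed policy the declined application leaves no inquiry anywhere.

```python
"""Lender fallback policy against a selectively frozen CRA file (section 4.3).
Added example with a constructed consumer and lender; no real lender's policy
is implied."""

CRAS = ("experian", "transunion", "equifax")


class FrozenFile(Exception):
    """Raised when a pull hits a frozen file.  Nothing is recorded: a frozen
    file cannot receive a new inquiry, so a failed attempt leaves no trail."""


class ConsumerFiles:
    """The consumer's three files; `frozen` names the CRAs she has locked."""

    def __init__(self, frozen=()):
        self.frozen = set(frozen)
        self.inquiries = {cra: [] for cra in CRAS}

    def hard_pull(self, cra, lender):
        if cra in self.frozen:
            raise FrozenFile(cra)
        self.inquiries[cra].append(lender)          # the inquiry lands only on the CRA actually read
        return {"cra": cra, "inquiries": list(self.inquiries[cra])}


def evaluate_application(files, lender, preferred, policy):
    """preferred: the lender's CRAs in order of preference (assumed).
    'fail_open'   -> on a frozen file, move on to the next CRA (lender keeps lending);
    'fail_closed' -> on a frozen file, decline until the consumer lifts the freeze.
    Returns ('pulled', cra) or ('declined', None)."""
    for cra in preferred:
        try:
            files.hard_pull(cra, lender)
        except FrozenFile:
            if policy == "fail_closed":
                return ("declined", None)
            continue        # fail open: the consumer has just chosen which CRA gets the inquiry
        return ("pulled", cra)
    return ("declined", None)


if __name__ == "__main__":
    # Consumer freezes Experian (hard to scrub) and Equifax (already carrying inquiries).
    files = ConsumerFiles(frozen={"experian", "equifax"})
    print(evaluate_application(files, "bankA", ("experian", "transunion"), "fail_open"))
    print(files.inquiries)    # only transunion gained an inquiry
    files = ConsumerFiles(frozen={"experian", "equifax"})
    print(evaluate_application(files, "bankB", ("experian", "transunion"), "fail_closed"))
    print(files.inquiries)    # nothing recorded anywhere
```

The fail–open branch is the whole vulnerability: the lender treats a frozen file as an availability problem to route around, when from the consumer's side it is a routing control.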

4.4. Small business lines of credit

In addition to the consumer CRAs, there also exists an entirely different system for tracking the financial reputation of businesses. That is, when a corporation seeks a new credit line, the banks do not request a copy of the CEO’s personal credit report, but instead turn to one of the four main CRAs that track the past spending and payment history of America’s businesses [46].

In recent years, as the consumer credit market has become saturated with competition, credit card companies have increasingly turned their sights to the self–employed and other small business owners [47]. For lenders targeting these potential customers, whose businesses are too small or too new to have generated histories with the business CRAs, another approach is followed: Personally guaranteed business cards.

Credit card companies now routinely offer business credit cards to the self–employed and other owners of small businesses, but require that they take personal responsibility for the debt. That is, if a corporation goes bankrupt, the structure of the company protects the personal wealth of the CEO and other executives. If a small business owner goes bankrupt, and she has personally guaranteed her business credit card, the bank can attempt to take her home.

When a consumer applies for a small–business credit card, their personal credit report is obtained from one of the consumer CRAs, as well as their business credit report. However, other than the initial hard inquiry, no other information will be communicated to the consumer CRAs. The spending and payment history will only be reported to the business CRAs.

Everyone can in theory be self–employed, even if their side job only brings them a few hundred dollars of income per year. Perhaps the individual sells items on eBay, takes care of lawns, gives massages, or cuts hair. In all these cases, as long as the individual’s consumer credit history is good, many banks are likely to offer them a personally guaranteed small business credit card.

Competition for consumers is equally cut–throat in the small business credit card market, and so banks have to offer the same bonuses and promotional deals that have become the norm for consumer credit cards. Sign–up bonuses and 0 percent no–fee balance transfers for small–business cards are thus extremely common.

As a result, many financial hackers have discovered that they can radically improve their own personal credit rating by transferring existing large debts to small business credit cards. While they will still owe the money, the debt will have shifted, thus hiding the large balances from lenders who request an individual’s consumer credit report. Since lenders place a significant amount of weight on the amount of debt the consumer is currently carrying, individuals have a lot to gain by hiding this debt through small business credit card balance transfers. A few of these transfers can make the difference between a new mortgage, or a rejected application.

4.5. Piggybacking

While most of the techniques outlined in this paper are largely used by people with stellar credit, there are many other techniques in use by individuals who wish to repair negative information from their own reports. One of the most interesting of these is a practice dubbed “piggybacking.”

As we explained earlier in this paper, when an individual applies for a credit card, the potential lender will request her credit report in order to determine her creditworthiness. If the account application is approved, the account holder is then given the opportunity to add additional “authorized” persons to the account. The credit card company will typically allow these other individuals to be added to the account without first checking their creditworthiness. While these authorized account holders each receive a credit card with their name on it, the bill is usually sent to the primary account holder. Furthermore, the responsibility for payment also lies with the primary account holder. As a result, this type of account requires a significant amount of trust, and is thus primarily used by family members and small business employees.

These authorized accounts enable individuals with poor or non–existent credit histories to gain access to credit that would otherwise be unavailable. Once these authorized accounts have been opened, payment and other account records are transmitted to the CRAs, who then add this positive information to the credit files of those individuals.

In 2006, a number of media sources began to report on a profit–motivated form of authorized account creation. Individuals with poor credit were paying middlemen, who would then get individuals with good credit to add the paying customers to their accounts as authorized users. The primary account holders used their own address for the new authorized accounts, which prevented the paying individuals from receiving their new cards and thus running up debt. By using this process, an individual with extremely poor credit could add several positive credit lines to his or her own credit report. Media reports indicated that the middlemen were charging between US$1,000 and US$3,000 for each new authorized account [48].

While industry executives initially reacted to the media reports with pledges to defeat the piggybacking issue by changing the methods for calculating credit scores, they later backpedaled. In testimony before the U.S. House Committee on Financial Services in 2008, an executive from Fair Isaac acknowledged the piggybacking issue and stated that the company had “decided to include consideration of authorized user tradelines” in its latest credit scoring algorithm [49].

The company has since stated that its latest credit score algorithm enables “legitimate authorized users [to] improve their credit scores — although perhaps to a lesser extent than prior [scoring] versions would — but [also protects] lenders from people who [are] trying to game the scoring mechanism.” [50]

4.6. Personal profit and the potential for severe abuse

By using the techniques outlined in this paper, many credit hackers have been able to earn tens of thousands of dollars through credit card sign–up bonuses and interest from balance transfer arbitrage. Except in the cases where mistakes were made, these individuals’ credit reports showed no long term damage, and in some cases actually improved due to the documented borrowing and full, timely payment of hundreds of thousands of dollars. At the end of the loan period, the banks got their money back, and the financial hackers got to keep their profits. Online forums are filled with testimonials of balance transfer arbitrage, and reports of several hundred thousand dollars in total balance transfers are very common [51].

While the techniques enabling these gains are rather straightforward, it is unlikely that someone would come across them by accident. These loopholes have been documented through the careful observation and testing by an active community of credit hackers, many of whom have a deep and thorough understanding of the way that the system works. The knowledge of these techniques is concentrated in several Internet discussion groups.

These techniques can accurately be described as “dual use” — that is, they can be used by credit hackers to earn a modest, yet legitimate profit. They can also be used in a more blunt fashion by lawbreakers to massively increase the ill–gotten profits of identity theft [52]. If a criminal uses some of these techniques to borrow hundreds of thousands of dollars per stolen identity, and then withdraws the funds (instead of investing them in a savings account), she can very easily make off with millions of dollars. This form of identity theft requires a minimal amount of work, and by the time that the credit card companies start to notice that the monthly bills are unpaid, the thief is long gone.

We are mindful that in documenting and exposing these techniques to a wider audience, there is a significant chance that identity thieves and other criminals will adopt them. However, it is also rather naïve to assume that these techniques would stay unknown to criminals forever. The solution to these vulnerabilities is not security through obscurity, but rather the deployment of comprehensive fixes to the flaws within the financial system [53]. It is for this reason that we propose a number of fixes, which if deployed by the CRAs and banks, would significantly neutralize the techniques presented in this paper [54].

 

++++++++++

5. Suggested fixes

Of all the loopholes and flaws presented in this paper, it is the simultaneous submission of credit card applications which has the biggest potential for abuse by identity thieves. While the other loopholes are certainly real, the impact to the financial system of their large–scale abuse is far lower. It is for this reason that the CRAs and banks will be unlikely to focus much, if any, effort on fixing most of these other flaws. The banks have far more to lose through the large–scale adoption of simultaneous credit card application techniques than from individuals sneakily removing valid credit inquiries from their own reports.

5.1. Simultaneous applications

The ability for individuals to apply and be approved for 20 or 30 credit cards, and then convert these credit lines into hundreds of thousands of dollars in cash is certainly a significant problem for the credit card industry. If the banks knew about a financial hacker’s 20 or 30 other simultaneous applications, it is highly unlikely that they would approve those new accounts, let alone balance transfers of 30,000 dollars per card. While there is little evidence to suggest that these techniques have yet been used by identity thieves and other financial criminals, there is no reason they could not in the future. Certainly, the potential for abuse is real.

The root cause of this vulnerability is of course the delay between the moment when a business accesses a consumer’s credit information, and the later insertion of a credit inquiry onto her report. Because these new inquiries are not immediately reflected on the consumer’s report, credit hackers can simultaneously apply for multiple accounts, secure in the knowledge that each lender is blind to the inquiries associated with the requests made by the other creditors.

The naïve solution to this problem is thus, of course, for the CRAs to update their systems so that credit inquiries immediately appear on a consumer’s report. However, if this solution were as easy as it sounds, it is likely that the CRAs would have deployed such a fix a long time ago. Assuming that constraints within the existing system prohibit the deployment of real–time updates to the inquiries on a consumer’s reports, another solution is warranted.

In order to solve this problem, we propose that lenders institute a delay in the credit approval process for their products. These firms will, as they currently do, request a copy of a consumer’s report from one of the CRAs while in the process of approving that person’s application. However, even after the credit line is approved, the bank will lock the new account pending a second, later approval. In the days that follow the initial application, the bank will request a second copy of the consumer’s credit report (since the consumer will now be a customer, and the report is not being used to evaluate her, this should count as a soft, non–harmful inquiry). The bank’s credit approval department will look for their own recent hard inquiry, and confirm that at least three business days have passed since the date it is listed as appearing on the consumer’s report. The auditors will also look for any other new hard inquiries associated with requests by other lenders. If no (or few) new inquiries are listed on the consumer’s report, the account will be unlocked. If, on the other hand, the consumer has submitted a flood of simultaneous applications, these should show up on the second, precautionary audit. In such a situation, the approval of credit will be reversed, and the consumer notified.

This second, delayed verification of a consumer’s credit report can be thought of as a speed bump in the credit approval process. By waiting a few days after the initial application, the bank auditors can be sure that they get access to a more full and accurate snapshot of the consumer’s credit file.

While this second audit will of course add further delays to the approval of credit, we do not believe that this will place a significant burden on most lenders. In most cases, consumers must already wait a week or more between the successful approval of their credit application, and the receipt of the new credit card by U.S. mail. Many credit card companies also require that consumers activate the new card by phone once it arrives. This is an ideal time to request an updated copy of the consumer’s credit report in order to look for other simultaneous inquiries.

Such a solution will, of course, significantly disrupt the “miracle of instant credit” — and so, perhaps lenders operating in the instant retail credit market will be unable to defend themselves from the threat of simultaneous account applications. Thus, while this might not be well suited to car dealerships or electronic stores offering loans on big screen TVs, we feel that it would work quite well for most credit card companies. Furthermore, since credit–at–purchase situations involve in–person loans for physical goods, rather than at–home applications leading to highly liquid funds, we do not believe that they are nearly as vulnerable to the threats outlined in this paper. While it is possible for an identity thief to apply for 30 credit cards in an afternoon, we do not believe it is possible to purchase and drive off in 30 vehicles in that same amount of time.

5.2. The inquiry database problem

As we explained in section 4.2, two of the CRAs have created a situation with the significant potential for abuse through the use of a single shared database for both hard and soft credit inquiries. As we noted in that section, Transunion appears to have responded to the efforts of the credit hackers by reinserting old inquiries onto the reports of consumers months after they had been “bumped” off. Many individuals still report limited success in this area, or at least report being able to re–bump those restored inquiries by again flooding the buffer with soft inquiries. A more comprehensive fix would appear to be required.

A simple solution to this problem exists, one which likely has already been deployed by Experian, the single CRA that has not been vulnerable to these data overwriting attacks. Simply put, both Transunion and Equifax should start to keep credit inquiries in two separate databases, one for hard inquiries and one for soft. Consumers who requested their own report once per day would thus be able to force the removal of soft inquiries (which are only retained for their own records, and are never displayed to lenders), but would no longer be able to force the removal of hard inquiries.
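The shared inquiry store of section 4.2 beside the segregated store proposed here, as an added model that is not code from the paper. The ring capacity of 60 entries is an assumption (the paper only reports that two to four months of daily pulls suffice); the attack procedure is the one described in section 4.2: the hard inquiries land, then the consumer pulls her own report once a day. The closed form `surviving_hard` makes the design flaw explicit: in a shared bounded FIFO the number of consumer pulls needed to evict every lender inquiry is simply the capacity, independent of how many hard inquiries there were.

```python
"""Inquiry storage for sections 4.2 and 5.2: one bounded FIFO shared by lender
(hard) and consumer (soft) inquiries, beside the segregated store proposed as
the fix.  Added example; the ring capacity is an assumption, not a figure
from the paper."""
from collections import deque

CAPACITY = 60   # assumed ring length; the paper reports two to four months of daily pulls suffice


class SharedInquiryStore:
    """Vulnerable design: hard and soft inquiries share one fixed-length FIFO.
    Consumer-generated soft pulls can therefore evict lender-generated hard ones."""

    def __init__(self, capacity=CAPACITY):
        self.ring = deque(maxlen=capacity)   # appending to a full deque drops the oldest entry

    def record(self, kind, source, day):
        self.ring.append((kind, source, day))

    def lender_view(self):
        """Lenders only ever see hard inquiries; soft ones are for the consumer."""
        return [e for e in self.ring if e[0] == "hard"]


class SegregatedInquiryStore:
    """Proposed fix: consumer-generated and lender-generated entries never share a buffer."""

    def __init__(self, capacity=CAPACITY):
        self.hard = deque(maxlen=capacity)
        self.soft = deque(maxlen=capacity)

    def record(self, kind, source, day):
        (self.hard if kind == "hard" else self.soft).append((kind, source, day))

    def lender_view(self):
        return list(self.hard)


def bump_attack(store, hard_sources, daily_pulls):
    """The 'bumping' procedure: hard inquiries land first (one per day), then the
    consumer pulls her own report once a day.  Returns how many hard inquiries a
    lender would still see afterwards."""
    for day, lender in enumerate(hard_sources):
        store.record("hard", lender, day)
    first = len(hard_sources)
    for day in range(first, first + daily_pulls):
        store.record("soft", "consumer-monitoring", day)
    return len(store.lender_view())


def surviving_hard(hard_count, soft_count, capacity=CAPACITY):
    """Closed form for the shared ring: the oldest entries are the hard ones, so
    the overflow (hard + soft - capacity) is taken from them first.  Every hard
    inquiry is gone once soft_count reaches capacity, whatever hard_count is."""
    evicted = max(0, hard_count + soft_count - capacity)
    return hard_count - min(hard_count, evicted)


if __name__ == "__main__":
    hard = ["bankA", "bankB", "bankC"]
    for days in (30, 58, 60):
        print(f"shared ring after {days} daily pulls:",
              bump_attack(SharedInquiryStore(), hard, days), "hard inquiries visible")
    print("segregated store after 365 daily pulls:",
          bump_attack(SegregatedInquiryStore(), hard, 365), "hard inquiries visible")
```

The same structure recurs whenever a bounded log mixes entries the subject can generate at will with entries only a third party should be able to remove; the fix is always to give the untrusted writer its own buffer, not a bigger shared one.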

5.3. Towards better credit freezes

The problem of credit freezes is a tricky one. When a consumer applies for a credit card, the lender typically only consults a single CRA, and thus, that application will result in a single inquiry added to the consumer’s credit file. After a few applications, it is quite common that the reports maintained by one or two CRAs will list all of the recent inquiries, while the third CRA’s report will show no signs of recent damage.

The ability for consumers to focus the inquiry–related damage caused by their application sprees on particular CRAs is a direct result of the CRAs’ refusal to allow universal, one–stop credit freezes. By requiring that consumers contact (and pay) each of the three CRAs to freeze or unfreeze a report, the CRAs have created this vulnerability. Two solutions to this problem exist: A single point of contact for initiating and removing credit freezes (such as the annualcreditreport.com Web site that exists for consumer access to credit reports) or a commitment by the CRAs to communicate freeze initiation and removal among themselves, as they currently do when a consumer places a fraud alert on her file.

Some consumer advocates might argue that this ability for individuals to selectively block individual CRA reports is a feature, not a bug. They would likely also argue that removing this feature might have a negative effect on consumers. That policy discussion is beyond the scope of this paper.

 

++++++++++

6. Conclusion

We have presented a number of abusable flaws in the U.S. system for consumer credit. As we have described at length, a large community of credit hackers have successfully used these techniques to borrow and profit from the arbitrage of hundreds of thousands of dollars per individual. While these flaws have been primarily abused by individuals using their own credit reports, these techniques could equally be used by criminals masquerading as others, making identity theft an even more crippling threat to the financial industry.

By analyzing these financial process flaws using the techniques and methods commonly used in the computer security community, we have been able to identify the root causes and propose comprehensive fixes. In order to protect against the huge amount of fraud that could be performed by identity thieves should they use these exploits, we strongly urge credit reporting agencies to adopt the fixes we have presented in this paper.

While there is already an established body of research performed by those applying the tools of economics to the field of computer security, we believe that we are among the first to apply computer security methods to the field of economics and commerce. It is quite likely that other interesting and useful research will emerge by looking into other business process flaws. We leave the exploration of these as an exercise for the reader.

 

About the author

Christopher Soghoian (www.dubfire.net) is a Ph.D. Candidate in the School of Informatics and Computing at Indiana University and is currently a student fellow at the Berkman Center for Internet & Society. His research is focused on the intersection of applied computer security and privacy, technology law and policy. His research and activism have resulted in the successful passage of an amendment to Indiana’s data breach laws, a Congressional investigation of Web security flaws at the Transportation Security Administration, as well as several media firestorms.

 

Acknowledgements

This work was in part funded by Indiana University’s Center for Applied Security Research and a fellowship from the Institute for Humane Studies. The opinions expressed in this paper are the author’s, and do not reflect those of the Berkman Center, Harvard University, Indiana University, Institute for Humane Studies, or any other organization.

Thanks to Alessandro Acquisti, Michael Conover, Benjamin Edelman, Chris Hoofnagle, Robert M. Hunt, Markus Jakobsson, and Adam Shostack for their helpful comments on early drafts. Thanks also to Arjun Mehra and Phil Malone at the Berkman Center Cyberlaw Clinic for their pro bono legal advice relating to the research presented in this paper.

 

Disclaimer

The techniques outlined in this paper are for the most part rather simple. However, as always, the devil is in the details. While it is certainly possible to make thousands of dollars by using these techniques, it is also quite easy to do lasting damage to one’s own credit report if mistakes are made.

In many ways, identity thieves are far better situated to make use of these techniques and loopholes. These fraudsters can experiment and fine–tune their knowledge and abuse of the loopholes using the credit reports of tens or hundreds of stolen identities. That is, through a process of trial and error, criminals can more effectively reverse engineer the credit reporting system (which is effectively a black box). If a mistake is made, they can discard that identity and move on. Law abiding individuals have only their own credit report with which to experiment, thus making potential mistakes extremely costly.

Given the very real risk of damaging one’s own credit file, we strongly advise readers of this paper against attempting to use any of the exploits outlined in this paper without first performing significant amounts of independent research. This paper is not intended to be used as a how–to guide, and anyone who uses it as such is likely to run into problems. Finally, while we believe that the techniques outlined in this paper are legal, we are not lawyers, and nothing in this paper should be interpreted as legal advice. Anyone considering making use of these techniques should first consult legal counsel.


Notes

1. John M. Barron and Michael Staten, 2002. “The value of comprehensive credit reports: Lessons from the U.S. experience,” In: Margaret Miller (editor). Credit reporting systems and the international economy. Cambridge, Mass.: MIT Press, pp. 272–310.

2. This has been referred to as the “miracle of instant credit” by a former chairman of the Federal Trade Commission; see Jane Black, 2002. “How the FTC is policing privacy,” Business Week (5 June), at http://www.businessweek.com/technology/content/jun2002/tc2002065_9287.htm. This “miracle” has also been accompanied by the miracle of instant identity theft, in which a criminal purchases a high value item in a victim’s name, and is long gone by the time the fraud is detected; see Chris Jay Hoofnagle, 2008. “Putting identity theft on ice: Freezing credit reports to prevent lending to impostors,” In: Anupam Chander, Lauren Gelman, and Margaret Jane Radin (editors). Securing privacy in the Internet age. Stanford, Calif.: Stanford University Press, pp. 207–220.

3. There are actually many more CRAs. However, for most consumers it is the three primary CRAs that are most relevant.

4. This practice is commonly described in the industry as “furnishing.”

5. Daniel B. Klein, 2001. “Credit–information reporting,” Independent Review, volume 5, number 3 (Winter), pp. 325–344.

6. Paul Resnick, Ko Kuwabara, Richard Zeckhauser, and Eric Friedman, 2000. “Reputation systems,” Communications of the ACM, volume 43, number 12, pp. 45–48.

7. Kevin Hoffman, David Zage, and Cristina Nita–Rotaru, 2009. “A survey of attack and defense techniques for reputation systems,” ACM Computing Surveys, volume 41, number 4 (December); earlier version at https://www.cerias.purdue.edu/apps/reports_and_papers/view/3319.

8. We use this term — or variants on it — to describe those savvy individuals who have documented and exploited the loopholes explored in this paper. The use of the word “hacker” should in no way be interpreted to imply any form of improper or illegal entry into a computer system.

9. Kevin D. Mitnick and William L. Simon, 2003. The art of deception: Controlling the human element of security. New York: Wiley.

10. J. Kempf, C. Castelluccia, P. Mutaf, N. Nakajima, Y. Ohba, R. Ramjee, Y. Saifullah, B. Sarikaya, and X. Xu, 2001. “Requirements and functional architecture for an IP host alerting protocol” (August), at http://tools.ietf.org/html/rfc3154#section-3.2.

11. We are not the first researchers to document the exploits of others by monitoring postings to these and similar forums; see Noriko Hara, Pnina Shachaf, Thomas Haigh, Thomas P. Mackey, Robert J. Sandusky, and Elisabeth Davenport, 2007. “Knowledge sharing in online communities of practice: Digital trends,” Proceedings of the American Society for Information Science and Technology, volume 43, number 1, pp. 1–10; and, Ram D. Gopal, Bhavik Pathak, Arvind K. Tripathi, and Fang Yin, 2006. “From Fatwallet to eBay: An investigation of online deal–forums and sales promotions,” Journal of Retailing, volume 82, number 2, pp. 155–164.

12. John M. Barron and Michael Staten, 2002. “The value of comprehensive credit reports: Lessons from the U.S. experience,” In: Margaret Miller (editor). Credit reporting systems and the international economy. Cambridge, Mass.: MIT Press, pp. 272–310.

13. Innovis Data Solutions is often described as the fourth consumer CRA. This company does not sell consumer credit history information to lenders and is solely focused on compiling and selling mailing lists for pre–approved credit offers. We ignore Innovis in this paper, as consumers have little to gain by manipulating the information maintained by the company.

14. Robert M. Hunt, 2005. “A century of consumer credit reporting in America,” Working Paper, number 05–13. Philadelphia: Federal Reserve Bank of Philadelphia, at http://www.philadelphiafed.org/research-and-data/publications/working-papers/2005/wp05-13.pdf.

15. In fact, the CRAs enforce a “give–to–get” policy with the financial institutions — that is, lenders cannot get credit report information about a potential customer with whom they wish to do business unless that lender provides information to the CRA about customers with whom it already does business; see Mark Furletti, 2002. “An overview and history of credit reporting,” Payment Cards Center, discussion paper 02–07. Philadelphia: Federal Reserve Bank of Philadelphia, at http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2002/CreditReportingHistory_062002.pdf.

16. Alison Cassady and Edmund Mierzwinski, 2004. “Mistakes do happen: A look at errors in consumer credit reports,” Report, National Association of State PIRGs (June), at http://www.uspirg.org/uploads/BE/ev/BEevuv19a3KzsATRbZMZlw/MistakesDoHappen2004.pdf.

17. Robert B. Avery, Paul S. Calem, Glenn B. Canner, and Shannon C. Mok, 2004. “Credit report accuracy and access to credit,” Federal Reserve Bulletin, volume 90, number 3 (June), pp. 297–322.

18. Ibid.

19. Alison Cassady and Edmund Mierzwinski, 2004. “Mistakes do happen: A look at errors in consumer credit reports,” Report, National Association of State PIRGs (June), at http://www.uspirg.org/uploads/BE/ev/BEevuv19a3KzsATRbZMZlw/MistakesDoHappen2004.pdf.

20. Robert B. Avery, Paul S. Calem, Glenn B. Canner, and Shannon C. Mok, 2004. “Credit report accuracy and access to credit,” Federal Reserve Bulletin, volume 90, number 3 (June), pp. 297–322.

21. Fair Credit Reporting Act (FCRA), 15 U.S.C.A §1681s–2(A)(1)(a).

22. Mark Furletti, 2002. “An overview and history of credit reporting,” Payment Cards Center, discussion paper 02–07. Philadelphia: Federal Reserve Bank of Philadelphia, at http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2002/CreditReportingHistory_062002.pdf.

23. Ibid.

24. Daniel J. Solove and Chris Jay Hoofnagle, 2006. “A model regime of privacy protection,” University of Illinois Law Review, volume 2006, number 2, at http://home.law.uiuc.edu/lrev/publications/2000s/2006/2006_2/index.html.

25. 15 U.S.C. §1681e(b).

26. Kristan T. Cheng, 2008. “Identity theft and the case for a national credit report freeze law,” North Carolina Banking Institute, volume 12, pp. 239–272; version at http://studentorgs.law.unc.edu/documents/ncbank/volume12/cheng.pdf.

27. Ibid.

28. Lenders are required to take extra precautions to verify a consumer’s identity before granting credit when a fraud alert is listed on their report. While a useful defensive technique, it is not nearly as effective as a credit freeze.

29. Jane Adler, 2005. “Troubles for cobranded cards,” Credit Card Management, volume 17, number 11, pp. 12–16.

30. “Credit card choices,” InsideFlyer Magazine (November 2008), at http://www.insideflyer.com/articles/article.php?key=4938.

31. Ibid.; Gary Leff, 2007. “The Chase churn is over,” blog post to View From the Wing (17 December), at http://boardingarea.com/blogs/viewfromthewing/2007/12/16/the-chase-churn-is-over/; and, “Is Chase cracking down on churning M+ Visa cards?” thread on the FlyerTalk.com United Mileage Plus Forum (2007), at http://www.flyertalk.com/forum/united-mileage-plus/642366-chase-cracking-down-churning-m-visa-cards.html.

32. Eric Dash, 2008. “Citigroup considers repealing a pledge, and the slogan with it,” New York Times (25 June), at http://www.nytimes.com/2008/06/25/business/media/25adco.html.

33. Jane J. Kim, 2007. “How to cash in on 0% offers at credit cards,” Wall Street Journal (23 June); Austin H. Spencer, 2008. “The free lunch: Arbitrage profits associated with credit cards,” Journal of Economic Issues, volume 42, number 1 (March), pp. 243–247.

34. “A summary of techniques for receiving BT money into your checking,” thread on the Fatwallet.com Finance Forum (2007), at http://www.fatwallet.com/forums/finance/740779.

35. Ibid.

36. “SIS comes back with the App–O–Rama FAQ — AKA MAKING THOUSANDS OF $$ FROM CREDIT Link AOR stories and post your successes,” thread on the Fatwallet.com Finance Forum (2006), at http://www.fatwallet.com/forums/finance/632935/.

37. J. Alex Heroy, 2008. “Other people’s money: How a time–gap in credit reporting may lead to fraud,” North Carolina Banking Institute, volume 12, pp. 321–352.

38. We have found over 100 detailed first–hand reports of this “App–o–rama” large–scale application and arbitrage, with some individuals reporting that they were approved for over 30 credit cards. Reports of sums of 0 percent arbitrage over US$300,000 are equally common; see “SIS comes back with the App–O–Rama FAQ — AKA MAKING THOUSANDS OF $$ FROM CREDIT Link AOR stories and post your successes,” thread on the Fatwallet.com Finance Forum (2006), at http://www.fatwallet.com/forums/finance/632935/.

39. “Bumping and bumpage: TU now bumps after Equifax? reoccurring choppage,” thread on the Fatwallet.com Finance Forum (2008), at http://www.fatwallet.com/forums/topic_view.php?catid=52&threadid=799643.

40. “True Credit suspending accounts for suspected bumping?” thread on the CardRatings Forum (2007), at http://www.cardratings.com/forum/viewtopic.php?f=1&t=14087; “MY True Credit accaunt [sic] Terminated?” thread on the myFICO Forum (2007), at http://ficoforums.myfico.com/fico/board/message?board.id=generalcredit&thread.id=38594; and, Anthony Koos, 2007. “The TrueCredit shutdown and a discussion of bumpage,” blog post to HustleBlog (31 August), at http://www.hustleblog.com/index.php/the-truecredit-shutdown-and-a-discussion-of-bumpage.

41. “TransUnion bumpage is finished, no more B*” thread on the Fatwallet.com Finance Forum (2008), at http://www.fatwallet.com/forums/finance/841394/?start=0.

42. “Bumping and bumpage: TU now bumps after Equifax? reoccurring choppage,” thread on the Fatwallet.com Finance Forum (2008), at http://www.fatwallet.com/forums/topic_view.php?catid=52&threadid=799643.

43. Systems can be designed to either fail open or fail closed. As an example, many office buildings will fail open, and automatically open all locked doors in the event of a fire alarm, so that the occupants can escape. A government compound storing classified data is far more likely to fail closed, and keep the doors locked in the event of a fire.

44. “EugeneV’s annual App–O–Rama 3.0 with EXP frozen,” thread on the Fatwallet.com Finance Forum (2007), at http://www.fatwallet.com/forums/arcmessageview.php?catid=52&threadid=773159.

45. “Freeze Experian credit score for fun and profit,” thread on the Fatwallet.com Finance Forum (2008), at http://www.fatwallet.com/forums/arcmessageview.php?catid=52&threadid=803709.

46. These business CRAs are Dun & Bradstreet, Experian Business, Equifax Business and Business Credit USA.

47. Shara Tibken, 2008. “Charging ahead,” Wall Street Journal (11 August).

48. Jaclyne Badal, 2006. “Piggybacking on a credit history,” Wall Street Journal (1 October).

49. Tom Quinn, 2008. “Credit scoring models and credit scores,” testimony before the U.S. House of Representatives Committee on Financial Services, Subcommittee on Oversight and Investigations (29 July), at http://financialservices.house.gov/hearing110/quinn072908.pdf.

50. Jane J. Kim, 2009. “New FICO credit score debuts,” Wall Street Journal (29 January).

51. “SIS comes back with the App–O–Rama FAQ — AKA MAKING THOUSANDS OF $$ FROM CREDIT Link AOR stories and post your successes,” thread on the Fatwallet.com Finance Forum (2006), at http://www.fatwallet.com/forums/finance/632935/.

52. Due to the requirement that the subject have a good credit report, this technique is not applicable to synthetic identity theft, in which a legitimate individual’s social security number and other information are combined with a fake name and address to create a new fake identity. Such a new synthetic identity would not have a long positive payment history, and thus would be unlikely to be approved for hundreds of thousands of dollars in balance transfers.

53. Peter P. Swire, 2004. “A model for when disclosure helps security: What is different about computer and network security?” Journal on Telecommunications and High Technology Law, volume 2, at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782.

54. While we presented the piggybacking flaw, discussed in section 4.5, we did not propose a fix for it. This issue has received a significant amount of press attention, and has even been discussed before a Congressional Committee. Fair Isaac and the CRAs claim to have already addressed much of the abuse, and likely are keeping their eye on those consumers who continue to engage in the practice. We therefore do not feel that it is necessary to propose any changes to the credit reporting system in response to this issue.

Editorial history

Paper received 24 June 2009; accepted 16 July 2009.


Creative Commons License
This paper is licensed under a Creative Commons Attribution–Noncommercial–No Derivative Works 3.0 United States License.

Manipulation and abuse of the consumer credit reporting agencies
by Christopher Soghoian.
First Monday, Volume 14, Number 8 - 3 August 2009
http://firstmonday.org/ojs/index.php/fm/article/view/2583/2246


© First Monday, 1995-2014.