US credit reporting system flawed, claims information security researcher

In a presentation to the Defcon information security event in Las Vegas on Saturday, Christopher Soghoian, a fellow with Harvard's Berkman Centre, said that, although the techniques used are not conventional hacking, they are an interesting development.

In a paper posted on the web, Soghoian said that clever consumers could make multiple applications for different credit lines - submitted all at the same time - taking advantage of the fact that data on credit reports can take a few days to be updated on central files.

One interesting real-world application of the buffer overflow flaw commonly seen in computer programmes revolves around submitting user credit report requests on a daily basis, thereby filling up the buffer of data on the credit report files held by Equifax and TransUnion, two of the three US credit report bureaus.

This approach, said Soghoian, means that refused credit reports slide down the tables, eventually disappearing off the end as the daily reports fill up the fixed-size data file.

Reportedly, the information security researcher said that he has been trying to get the credit bureaus to close their loopholes, as, in the hands of criminals, the credit hacks could amplify the effects of identity theft.

A copy of Soghoian's paper can be accessed on the University of Chicago's website.
