This hacker shopping list appeared recently on what appears to be a Russian-based website offering credit reports for sale. Prices are based on the victims' credit scores.
The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.
The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.
"It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.
The most troubling part of these markets however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.
"I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site.
Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too -- he shared a page showing a victim's score produced at CreditKarma.com.
"We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm.
The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.
In one how-to posted on a bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?" But there's a critical flaw, the hacker said:
"Normally all ... of them will ask you the same question," the hacker wrote.
Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.
The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.
The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."
This bulletin board post, intentionally cut off to be incomplete by msnbc.com, shows a hacker discussing how he allegedly defeats credit report website security.
A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intellius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.
One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.
"You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'”
For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and Trans Union – to maintain the site, under the direction of the Federal Trade Commission.
That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.
The FTC would not comment on hackers' use of AnnualCreditReport.com.
In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.
Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.
CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.
"Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods."
Trans Union and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.
Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.
"That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.
Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com. The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" -- that legitimate consumers can't answer them easily.
"But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.
One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.
"You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."