
Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

  • 26 Mar 2012, 8:07pm, EDT

    EXCLUSIVE: Hackers turn credit report websites against consumers

    Dan Clements

    This hacker shopping list appeared recently on what appears to be a Russian-based website offering credit reports for sale. Prices are based on the victims' credit scores.

    By Bob Sullivan, Columnist, NBC News

    The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

    The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

    "It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

    The most troubling part of these markets, however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.


    "I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site. 

    Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too – he shared a page showing a victim's score produced at CreditKarma.com.

    "We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 


    The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

    In one how-to posted on a bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?"  But there's a critical flaw, the hacker said:

    "Normally all ... of them will ask you the same question," the hacker wrote.

    Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

    The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

    The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

    Dan Clements

    This bulletin board post, intentionally truncated by msnbc.com, shows a hacker discussing how he allegedly defeats credit report website security.

    A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intellius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

    One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

    "You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'"

    For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and Trans Union – to maintain the site, under the direction of the Federal Trade Commission.

    That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

    The FTC would not comment on hackers' use of AnnualCreditReport.com.

    In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

    Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

    CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

    "Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

    Trans Union and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

    Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

    "That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

    Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com. The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" – that legitimate consumers can't answer them easily.

    "But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

    One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

    "You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."

  • 28 Apr 2009, 8:00am, EDT

    How to complain about: credit report errors

    Click for the entire series.

    By Bob Sullivan, Columnist, NBC News

    Everybody makes mistakes. But not every mistake is forgiven. In our capitalist society, mistakes with money are carefully logged, categorized and entered into a formula that controls your financial future -- your credit score.

    But what happens when the companies that keep this list make mistakes? After all, the credit bureaus -- which keep the list of who's been naughty and who's been nice -- are staffed by people who are just as fallible as the rest of us. Theirs is a complicated business. They keep track of billions of pieces of information. Mistakes do happen.

    Unfortunately, complaining about mistakes on your credit report can be one of the most maddening experiences a consumer can have. Erasing an unfair black mark on your credit history after a bout with identity theft or a run-in with a malicious company can turn into an odyssey worthy of a Kafka novel. That's why the first installment of our "How to Complain About" series takes on this most vexing of consumer issues.


    The credit report is composed of voluntary submissions by companies that you do business with. Those companies are called "furnishers." A credit card company is a furnisher. So is a furniture store where you bought a living room set on credit; so is a car dealership. As you might imagine, your credit report is only as accurate as the furnishers who contribute information about you. Their quality control measures vary widely.

    There are many reasons a mistake might find its way onto your credit report. Perhaps a furnisher forgot to give you credit when you paid your final bill. Perhaps someone impersonated you, and didn't pay their bills. Perhaps a furnisher made a data entry error when submitting updates, and accidentally blamed you for someone else's unpaid bill. Or perhaps you and a creditor have a real difference of opinion about a debt it says you owe.

    In most arenas of life, if someone makes false statements about you that cost you money or reputation, you can sue for libel. That's not true in the credit reporting system, however. Decades ago, Congress granted furnishers general immunity from libel lawsuits. That gives them less incentive to be impeccably accurate when they send data to the credit bureaus.

    Credit report mistakes range from inconsequential misspellings to wrongful reports of debt defaults that prevent the victim from ever borrowing money. Credit reports are notoriously inaccurate, though it's hard to say with precision how many reports have errors, as the credit bureaus keep that secret. But studies by third parties have found error rates as high as 25 percent. A small pilot study conducted by the Federal Trade Commission recently showed that 16 percent of consumer reports contained errors that would impact a consumer's credit score. The credit bureaus, which compile and sell the credit reports, told Congress in 2004 that the error frequency is much smaller -- only 3 percent -- but that would still impact nearly 6 million Americans.

    So it's entirely possible you'll find yourself battling a credit bureau about a mistake at some point in your adult life.

    Dispute process is born
    Decades ago, it was almost impossible to see the contents of your credit report and to fix mistakes. In response to an avalanche of complaints, Congress set up a formal dispute process when it passed an update to the Fair Credit Reporting Act in 1997. In that law, Congress mandated that consumers be given a fair trial when they believe something inaccurate is being reported. It requires the nation's credit bureaus -- Equifax, Experian, Trans Union and the smaller regional bureaus -- to take evidence from consumers, evidence from furnishers and decide who is right.

    Unfortunately, this process has been turned into something of a kangaroo court. In a recent report called "Automated Injustice," the National Consumer Law Center described the disheartening procedures that are now in place.

    Consumers who initiate disputes often send in pages of documentation supporting their claims. But in many cases, the paperwork is sent overseas to places like Mumbai, India, for cursory processing, the law center reported. There, employees work under tight quota and bonus systems. Subcontractors for Equifax, for example, must resolve more than 13 disputes every hour, or about one every four minutes, according to the report.

    So, according to the report, the paperwork is almost always ignored and the complaint boiled down to a two- or three-digit code. About one-third of the time, that code indicates simply that the consumer claims the credit blemish is "not his/hers." This code is then sent to the furnisher, which is asked simply to affirm the original entry. If it does, the bureau will often decide that the case is closed.

    The National Consumer Law Center doesn't mince words when describing this procedure.

    "The FCRA dispute process has become a travesty of justice," it said in the report.

    How can you get around this travesty? It's not easy. But as is typical of most consumer protection disputes, there are two keys: persistence and the threat of a lawsuit. If your dispute process hits a serious snag along the way, you'll probably have to consider filing a lawsuit. But to win, you have to prove more than a simple mistake occurred. You'll have to prove the bureau, or the furnisher, was negligent. The mere threat of a lawsuit might gain you satisfaction, but you'll have an empty threat if you don't have good records showing the bureau and furnisher ignored your repeated requests for justice.

    Maintaining your rights to sue, and building a good case along the way just in case, are critical to a successful dispute with the credit bureaus, says attorney Chi Chi Wu, who authored the "Automated Injustice" report. Much of the advice she gives has a dual purpose: to win the dispute, but also to preserve legal rights and create a lawsuit-ready paper trail, just in case. Here are some of the steps she recommends.

    1. Request a review in writing
    All three credit bureaus allow you to dispute errors using online forms.

    • EXPERIAN http://www.experian.com/disputes/
    • EQUIFAX http://www.equifax.com/online-credit-dispute/
    • TRANS UNION http://annualcreditreport.transunion.com/entry/disputeonline

    Wu says using them is a big mistake. The forms only help the bureaus steer your issue into one of their dispute "buckets," helping the agency automate your claim. It also means you'll have less of a paper trail to demonstrate negligence later on. Wu strongly recommends that consumers use old-fashioned U.S. mail to file their complaints and send the letter return-receipt requested. And naturally, keep good records of all contact with a credit bureau. At this point, buying a shiny new notebook for just this purpose is a good idea.

    • EQUIFAX mailing address
    • TRANS UNION mailing address
    • EXPERIAN No link. Address will be on credit report.

    And while all three companies provide a simple form to fill out with dispute information, Wu recommends adding narrative detail and supporting documents anyway – again, to prevent the bureaus from "bucketing" you. That will help a lawyer make a case later that the bureau didn't perform even the most basic investigation.

    It's always good to send the dispute to all three bureaus. While the reports can differ, the reports generally overlap and a black mark on one report usually becomes a black mark on all three. So while there may only be one bill in dispute, you probably have three disputes on your hands.

    2. Also notify the furnisher
    It seems reasonable that the credit bureau would send a copy of your dispute to the company that's involved, but don't count on it. Send a separate, return-receipt-requested letter to the company that claims you didn't pay your bill. A carbon copy version of your dispute letter to the credit bureau should be sufficient.

    3. Be ready for surprising account numbers
    When tracking a credit bureau entry, it's likely that your "bad debt" will have an unfamiliar account number next to it. Companies often assign new numbers to accounts that go into default. Also, when debts are sold to debt collectors, they usually give an account its own number. For example, a dispute involving a furniture store account No. 345234 might end up listed on your credit report as Joey's Collections No. 432432. When filing dispute letters, include all possible account numbers. That cuts down on possible confusion -- or legal squirming -- later on. For example, a consumer might send a letter saying, "Please delete account No. 345234," and the bureau might "agree" to the request while doing nothing, and leaving the unpaid bill under the other account number.

    4. Tell them where to go
    This step might sound presumptive, but Wu suggests that the consumer explicitly recommend the steps that the credit bureau should take to investigate the matter. For example, if you've spoken to an operator at a furnisher who admits an error, tell the credit bureau to call that furnisher and interview that operator. The bureau may not do this, but this inclusion could help a lawyer at a later date persuade a judge that the bureau didn't take even the most obvious steps to resolve the dispute.

    5. Discredit the furnisher
    A little legal legwork can help make your case, too. If there is evidence that the furnisher involved in your dispute has a reputation for complaints of inaccuracy, include that evidence in your letter. This will help build the case that the bureau should not have presumed the furnisher was accurate.

    Other advice
    It might seem natural to complain directly to the furnisher of the information rather than the credit bureaus. However, the original Fair Credit Reporting Act granted no legal rights to consumers to do so, and steered all complaints to the credit bureau dispute process. That limitation is changing. The Fair and Accurate Transaction Act of 2003 includes provisions calling for "direct disputes" with furnishers, though the Federal Trade Commission has yet to issue formal guidelines for the process. They should appear soon; public commentary on proposed rules was entertained by the agency last year.

    In the meantime, consumers can try a direct dispute, but should only do so after completing the dispute process with the credit bureaus and getting an answer. Skipping the bureau process would force a consumer to surrender their rights to sue the furnisher, Wu says.

    Even before the final rules are determined, Congress spelled out a few specifics in its 2003 law. Send a letter to the furnisher demanding a "reinvestigation" of the debt. Ask for all paperwork documenting the debt. Like the credit bureaus, the furnishers will be required to supply a response within 45 days. If none is forthcoming, the debt must be removed from the credit file. Even if a response arrives, it's entirely possible the company will not be able to produce detailed records documenting the debt, which would also enable a request for removal of information.

    In advance of the FTC rules, consumers may not have the right to sue companies for non-compliance. But the process can work anyway, and stronger consumer rights should arrive soon.

    Finally, if either the bureau or the furnisher isn't playing ball, a lawsuit is the consumer's last resort. Credit report dispute cases are highly specialized, and it's generally best to use a lawyer who specializes in these cases, Wu said. A list can be found at the National Association of Consumer Advocates Web site, www.naca.net.

    There aren't nearly as many FCRA experts as there are credit report disputes, however, so some consumers may be frustrated by their inability to interest a lawyer in their case. That's why the previous five steps are so important. Lawyers love plaintiffs who are well-prepared with the right documentation and arrive with what amounts to an open-and-shut case. It's not necessarily fair, but it's true: Consumers who think like a lawyer from step one are much more likely to get justice, and a clean credit report, in the end.

    If you want a head start on a dispute letter, you can see an example here.


Bob Sullivan, Columnist, NBC News

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles created for consumers by technology, covering topics like privacy, identity theft, computer viruses and hackers.
