Investigative reporting from NBC News, with your story ideas and documents.

    March 26, 2012, 8:07 p.m. EDT

    EXCLUSIVE: Hackers turn credit report websites against consumers

    Image (credit: Dan Clements): This hacker shopping list appeared recently on what appears to be a Russian-based website offering credit reports for sale. Prices are based on the victims' credit scores.

    By Bob Sullivan, Columnist, NBC News

    The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

    The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

    "It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

    The most troubling part of these markets however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.


    "I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site. 

    Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report suppliers, and some credit score suppliers, were hit too; he shared a page showing a victim's score produced at CreditKarma.com.

    "We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 


    The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

    In one how-to posted on a bulletin board, a hacker describes a brute-force attack used to gain access to credit report websites. Most sites gate access with multiple-choice "challenge" questions drawn from the consumer's own credit history, such as, "Which bank holds the mortgage on your home?" But there's a critical flaw, the hacker said:

    "Normally all ... of them will ask you the same question," the hacker wrote.

    Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

    The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

    The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

    Image (credit: Dan Clements): This bulletin board post, intentionally cut off to be incomplete by msnbc.com, shows a hacker discussing how he allegedly defeats credit report website security.
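The "process of elimination" the post alludes to can be made concrete. The program below is an added example, not code from the article or from any site it names; the question, the bank names and the three sites' option lists are constructed. It assumes the weakness is the usual one in multiple-choice challenge questions: each site shows the true answer next to distractors it picks at random, so the true answer is the one option that appears in every site's list. It then shows a countermeasure: derive the distractors for a given subject from a keyed hash, so every presentation shows the same set and intersecting them learns nothing. The key and subject identifier are illustrative.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Option lists shown for the same challenge question by three sites
// (constructed sample data). Each site mixes the true answer with distractors
// drawn at random from its own pool, so only the true answer is in every list.
var sampleSites = map[string][]string{
	"site-A": {"First National", "Harbor Savings", "Ridge Credit Union", "Coastal Bank"},
	"site-B": {"Harbor Savings", "Metro Mutual", "Coastal Bank", "Pioneer Trust"},
	"site-C": {"Coastal Bank", "Ridge Credit Union", "Pioneer Trust", "Summit Bank"},
}

// eliminate returns, sorted, the options present in every list: the attacker's
// "process of elimination" reduced to a set intersection.
func eliminate(lists [][]string) []string {
	if len(lists) == 0 {
		return nil
	}
	counts := map[string]int{}
	for _, l := range lists {
		seen := map[string]bool{}
		for _, opt := range l {
			if !seen[opt] {
				seen[opt] = true
				counts[opt]++
			}
		}
	}
	var out []string
	for opt, n := range counts {
		if n == len(lists) {
			out = append(out, opt)
		}
	}
	sort.Strings(out)
	return out
}

// stableDistractors is the countermeasure: choose the k distractors for a
// subject with an HMAC over the subject identifier, so every site sharing the
// key (or every session on one site) shows the same options and intersection
// learns nothing. key, subjectID and pool are illustrative inputs, not real data.
func stableDistractors(key []byte, subjectID, truth string, pool []string, k int) []string {
	type scored struct {
		name  string
		score uint64
	}
	var cands []scored
	for _, p := range pool {
		if p == truth {
			continue
		}
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(subjectID + "|" + p))
		cands = append(cands, scored{p, binary.BigEndian.Uint64(mac.Sum(nil)[:8])})
	}
	sort.Slice(cands, func(i, j int) bool { return cands[i].score < cands[j].score })
	opts := []string{truth}
	for i := 0; i < k && i < len(cands); i++ {
		opts = append(opts, cands[i].name)
	}
	sort.Strings(opts) // fixed display order, so position varies with nothing but the names
	return opts
}

func main() {
	var lists [][]string
	for _, site := range []string{"site-A", "site-B", "site-C"} {
		lists = append(lists, sampleSites[site])
	}
	fmt.Println("random distractors, survivors after elimination:", eliminate(lists))

	pool := []string{"First National", "Harbor Savings", "Ridge Credit Union", "Coastal Bank",
		"Metro Mutual", "Pioneer Trust", "Summit Bank"}
	key := []byte("shared-kba-key-for-illustration")
	var stable [][]string
	for i := 0; i < 3; i++ {
		stable = append(stable, stableDistractors(key, "subject-123", "Coastal Bank", pool, 3))
	}
	fmt.Println("stable distractors, survivors after elimination:", eliminate(stable))
}
```

With random distractors, three views of the same question leave a single survivor; with hashed distractors, three views leave all four options standing, and the attacker is back to guessing against whatever attempt limit the site enforces. The stable set only helps if the limit is enforced per consumer rather than per session or per site, which is the other half of the hacker's trick.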

    A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intelius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

    One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

    "You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'”

    For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and Trans Union – to maintain the site, under the direction of the Federal Trade Commission.

    That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

    The FTC would not comment on hackers' use of AnnualCreditReport.com.

    The FTC has, however, gone after companies that inadvertently sold credit report data to criminals. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

    Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

    CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

    "Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

    Trans Union and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

    Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

    "That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

    Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com. The challenge questions are sometimes so arcane, such as, "Which bank held your previous auto loan?", that legitimate consumers can't answer them easily.

    "But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

    One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

    "You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."

    February 2, 2012, 2:54 p.m. EST

    VeriSign, at Web's core, is hacked: What does it mean to you?

    By Bob Sullivan, Columnist, NBC News

    It should be clear by now that nothing online is sacred, and no security company is safe from hackers. VeriSign Inc., the firm at the center of so many critical systems on the Web, was infiltrated by hackers in 2010.  Because details of the attack, first disclosed Thursday by Reuters, are so vague we are left to assume the worst -- and the worst is pretty bad.

    It's possible that the VeriSign hackers could turn the Web upside down and create an Internet where nothing would be what it seems.  A hacker website could look and act just like your bank's website. Your PC could easily be tricked into downloading automatic software updates that would appear authentic but actually contain viruses. And no matter what web address you typed into your browser, you could be redirected to a criminal's website half-way around the world.

    But there's important context to this story which might ratchet down the "Oh My God!" factor considerably.  For starters, there is reason to believe that VeriSign's revelation is nothing more than evidence companies are starting to comply with rules forcing them to disclose such incidents: In other words, similar successful hacks like this may have occurred in the past but simply went unreported.  We'll discuss the evidence for that in a moment. First, let's look at the possibilities raised by the VeriSign attack.


     

    VeriSign is involved in two distinct, fundamental Internet security structures that could be impacted by this attack.  A successful attack on one would be serious, but a raid on the other could threaten the Internet itself. So let's start there.

    VeriSign's most critical function is its role in the Domain Name System, the address book consulted every time a Web user types a name such as msnbc.com into a browser. The system is anchored by 13 "root" server identities, lettered A through M and mirrored at many locations around the planet for redundancy. VeriSign operates two of them, A and J. The root servers do not hold the full map of names to IP addresses; they hold the root zone, which tells a resolver which servers are responsible for each top-level domain such as .com, and those servers in turn point to the servers for msnbc.com. Every lookup starts at the root, so a hacker who could alter what VeriSign's root servers answer could, in theory, steer lookups for an entire top-level domain to machines under his control, and resolvers that cached the bad answers would keep handing them out until the records expired. The consequences could be dire: everyone who typed "msnbc.com" into a Web browser could be sent to a computer controlled by criminals instead of the real msnbc.com website, and a criminal with destructive intentions could serve garbage instead and effectively shut down parts of the Internet. It has long been argued that the root name servers are perhaps the most attractive point of attack on the Internet.


    But it's more likely that the damage would be contained within a day or two, if not within hours. The other 11 root operators serve their own copies of the same root zone, resolvers spread their queries across all 13, and a root server whose answers disagree with its peers can be taken out of rotation while the tampered copy is replaced. As you might imagine, root servers do disagree from time to time and there is a process for handling that.
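To make the root-server discussion concrete, here is an added example (my code, not the article's, and not real root-zone data) of iterative resolution over toy zones. It shows that the root holds only delegations, and that a tampered root answer redirects every lookup beneath it even though the real servers for .com and msnbc.com are untouched. Server names are made up and the addresses come from the RFC 5737 documentation ranges.

```go
package main

import (
	"fmt"
	"strings"
)

// Record types used by the toy zones below.
type record struct {
	typ  string // "NS" (delegation to another server) or "A" (final address)
	data string
}

// Each name server holds one zone: a map from fully qualified, dot-terminated
// owner names to records. All data is constructed for illustration; the
// addresses are from the RFC 5737 documentation ranges, not real hosts.
type server struct {
	zone map[string][]record
}

func honestServers() map[string]*server {
	return map[string]*server{
		"a.root":    {zone: map[string][]record{"com.": {{"NS", "a.gtld"}}}},
		"a.gtld":    {zone: map[string][]record{"msnbc.com.": {{"NS", "ns1.msnbc"}}}},
		"ns1.msnbc": {zone: map[string][]record{"msnbc.com.": {{"A", "192.0.2.10"}}}},
	}
}

// parent strips the leftmost label: "msnbc.com." -> "com." -> ".".
func parent(name string) string {
	i := strings.Index(name, ".")
	if name == "." || i < 0 {
		return "."
	}
	if rest := name[i+1:]; rest != "" {
		return rest
	}
	return "."
}

// resolve performs iterative resolution starting at the root server: ask for
// the name, follow the closest enclosing NS delegation, and stop when a server
// returns an A record. It returns the address and the servers consulted.
func resolve(name string, servers map[string]*server, root string) (string, []string, error) {
	var path []string
	cur := root
	for hop := 0; hop < 8; hop++ { // bound the walk so a looping delegation cannot spin forever
		srv, ok := servers[cur]
		if !ok {
			return "", path, fmt.Errorf("unknown server %q", cur)
		}
		path = append(path, cur)
		for _, r := range srv.zone[name] {
			if r.typ == "A" {
				return r.data, path, nil
			}
		}
		next := ""
		for label := name; next == "" && label != "."; label = parent(label) {
			for _, r := range srv.zone[label] {
				if r.typ == "NS" {
					next = r.data
				}
			}
		}
		if next == "" {
			return "", path, fmt.Errorf("%s: no answer or delegation at %s", name, cur)
		}
		cur = next
	}
	return "", path, fmt.Errorf("%s: delegation loop", name)
}

// poisonedServers copies the honest setup but swaps the root's .com delegation
// for an attacker-run server, which is the scenario discussed above.
func poisonedServers() map[string]*server {
	s := honestServers()
	s["a.root"] = &server{zone: map[string][]record{"com.": {{"NS", "evil.ns"}}}}
	s["evil.ns"] = &server{zone: map[string][]record{"msnbc.com.": {{"A", "203.0.113.7"}}}}
	return s
}

func main() {
	for _, tc := range []struct {
		label string
		srv   map[string]*server
	}{{"honest root", honestServers()}, {"poisoned root", poisonedServers()}} {
		addr, path, err := resolve("msnbc.com.", tc.srv, "a.root")
		fmt.Printf("%-14s msnbc.com. -> %s via %v (err=%v)\n", tc.label, addr, path, err)
	}
}
```

The honest walk visits a.root, a.gtld and ns1.msnbc; the poisoned one never reaches the .com servers at all, because the root's single delegation record decided the rest of the path. Real resolvers cache each step, which is why a bad root answer lingers for as long as its TTL even after the root is fixed.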

    It's also important to note that VeriSign, in the SEC filing that brought this incident to light, says its DNS servers were not breached.

    "Access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network," the firm wrote in the filing.

    VeriSign's other crucial function is issuing digital certificates through its VeriSign Authentication Services group. Certificates affect your computer use every day because they tell your PC that a company's website or software really is what it says it is. Certificates are a crucial part of the SSL system that ultimately displays a friendly-looking lock when you visit your online bank. They also vouch for the legitimacy of software updates sent to your computer by software makers. Modern operating systems warn about, and in some cases refuse to load, software that isn't digitally signed.

    A hacker who could influence the way VeriSign issues certificates would be a massive problem for both consumers and corporations.

    "VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites,” wrote Catalin Cosoi, Chief Security Researcher at Bitdefender Labs. “A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems,"

    In other words, hackers would have an easy time loading viruses onto PCs around the world.

    That's terrible, but it's not new. Attackers have been abusing the certificate system with abandon for the past 18 months, both by breaking into certificate authorities and by stealing signing keys from legitimate companies; the Stuxnet worm, for instance, was signed with code-signing certificates stolen from hardware makers, which helped it install itself unnoticed on PCs worldwide. That also means structures are in place to deal with fraudulent certificates: once a bad certificate is discovered, browsers and operating systems can revoke it.

    "The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit," Cosoi said. "This would potentially yield a huge level of data that could be exploited for financial gain. However, it’s important to remember that a strong anti-phishing solution will keep you protected."

    Of course, it's not even clear from VeriSign's filing that its certificate business was compromised.  Complicating matters further: Symantec Corp. purchased most of that business from VeriSign last year. For its part, Symantec said on Thursday that the assets it acquired in the sale were not compromised.

    "We want to make it very clear that Symantec takes the security and proper functionality of its solutions very seriously. The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing," said Symantec spokeswoman Nicole Kenyon in a statement to msnbc.com.

    Of course, it's possible that one of VeriSign's other business units – it provides extensive security consulting, for example – was the hackers' only target. That seems unlikely, however, given the target-rich environment the company offers to computer criminals.

    To be sure, many experts think the Verisign attack is serious business.

    "The SEC filing says 'Information stored on the compromised corporate systems was exfiltrated.' That sounds like a targeted attack to me," said Mikko Hypponen, chief technology officer at F-Secure.com. "Like the one against Google. And RSA. And Lockheed-Martin."

    But it's possible the VeriSign admission, buried in the SEC filing, is little more than paperwork which puts in print something that security professionals have long understood: No firm is safe from hackers.  This might be at once comforting and disturbing: In October of last year, the SEC issued guidelines that called out public firms for under-disclosing security leaks and hinted strongly that fines would come when firms failed to report successful hacker attacks. The VeriSign quarterly report was issued soon after, and it's easy to imagine the disclosure is more routine than anyone would like to admit.  In fact, Stewart Baker, a lawyer at Steptoe & Johnson, predicted as much in a blog earlier this month.

    "With enforcement so easy, and the harm from breaches so tangible, so serious and so likely to bring headlines, no one should expect the enforcers to go easy on companies that have been slow to disclose. Instead I expect a growing wave of cases based on companies' failure to make timely disclosure of ongoing breaches," he wrote.

    Clearly, admission by VeriSign that executives at the firm were unaware of the breach shows a terrible lack of coordination inside the firm. And it's scary to read this admission, too: "Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."

    Still, it’s important to note that we are talking about attacks that could be a year old, and whatever they were, criminals are already deep in the process of exploiting them. Sad to say there’s nothing most consumers can do in response to this report.

    In health news, there’s always the complicated issue of increased diagnosis vs. increased incidence. Is a new disease on the rise, or are we simply better at finding cases of it? The VeriSign incident raises the same question.

    But the deeper truth here is probably something that professionals have known for some time: In the cat and mouse game between hackers and security firms, hackers are winning and, in some places, it's starting to look like a blowout.  

     


© 2013 NBCNews.com