A friend of mine send me a link to a site I hadn’t even thought about in over a year called Prosper. Prosper is a way to bid on risk. It’s sorta like ultra small scale investments. You invest money in Bob who is building a web portal. He needs a few thousand dollars and doesn’t want to take on real investment money, and doesn’t want partners. He just needs a few grand. Easy enough, upload credit info and you’re off to the races. But let me put on my black hat again.

Now let’s assume I’ve got all of Bob’s personal info and he’s never heard of Prosper before in his life. Let’s say I check and see that he’s got a perfect credit rating, I’ve already got access to his bank accounts etc… but before I wipe his assets out, maybe I want more than just what is in his bank account. Maybe I sign up for prosper under his identity and sign myself up for a $10k in investment capital. After a few weeks the money rolls in, I get the cash into the account, and before Bob notices, I take the $10k plus whatever he had in his account.

The Nigerian 419 scam never bothered to go much further than the initial scam, but it easily could. I know next to nothing about Prosper, so I can’t comment on their security, it just struck me that there are lots of nefarious things you can do when you have access to other people’s credit.

This entry was posted on Friday, February 2nd, 2007 at 5:18 pm and is filed under Webappsec. You can leave a response as well.