Why credit bureau integrations deserve dedicated security testing
Most security assessments focus on the lender's own application. The credit bureau API call is often treated as a black box — the request goes out, a score comes back, and the lender's decision engine uses it. But the entire chain from request initiation to decision execution is an attack surface. The identity sent in the lookup request, the response body that comes back, the parsing of that response, and the decision logic that consumes the parsed score — each of these steps can be manipulated if the right controls are not in place.
The data at stake is also unusually rich. A full credit bureau report contains the complete lending history of an individual across every regulated lender in Nigeria that reports to the bureau. An attacker who can perform unauthorized lookups does not just get a credit score — they get a complete map of a person's financial obligations, their lenders by name, their repayment behaviour, and in some cases their address and employer history.
1. Unauthorized credit report lookups
The most basic test is whether the bureau lookup endpoint on a lender's platform can be called by an unauthorized party. The lookup API is meant to be triggered only when a customer submits a loan application. We test whether an authenticated user — someone logged into the platform but who has not initiated an application — can trigger a lookup against any BVN or name they supply. The lookup itself costs the lender money per report and exposes the subject's data for a purpose they did not consent to.
2. BVN substitution in the lookup request
When a customer applies for a loan, their BVN is verified during KYC and then used as the identifier in the bureau lookup. We test whether the BVN used in the bureau lookup is taken from the server-side verified KYC record or from a client-submitted parameter in the loan application request. If an attacker can submit a different BVN in the application request than the one verified during KYC, they can obtain a credit check on any individual by substituting their BVN — without that person having applied for anything.
// Loan application request body
{
"amount": 50000,
"tenure_months": 6,
"bvn": "22312345678", // attacker substitutes a different person's BVN here
"applicant_bvn": "22312345678"
}
// If the backend uses bvn from request body for bureau lookup instead of
// the BVN from the authenticated user's KYC record, this is an unauthorized lookup 3. Credit report response caching and replay
Bureau reports cost per lookup. Lenders sometimes cache reports to reduce costs. We test whether cached reports are stored securely (encrypted, with a short TTL), whether the cache key is robust enough that one user's cached report cannot be returned in response to another user's query, and whether a report cached at a favourable time (when the subject had a clean credit history) can be replayed for a later application after the subject's score has deteriorated.
4. Decision engine manipulation via response body tampering
After the bureau API returns a score, the lender's backend passes it to a decision engine that applies thresholds and rules to produce an approve or decline decision. If the bureau API response is stored in a mutable object that passes through multiple service layers before reaching the decision engine, a service-to-service injection or a race condition in the processing pipeline could allow the score value to be modified before the decision is computed. We audit the full chain from bureau API response receipt to decision engine input to confirm the score is immutable in transit.
BVN accepted from request body rather than KYC session for bureau lookup
During a penetration test of a Nigerian digital lender, we intercepted the loan application submission request. The POST body contained a bvn field. We modified this field to the BVN of a third party and submitted the application. The backend initiated a CRC bureau lookup using our submitted BVN rather than the BVN from our authenticated KYC session. The full credit report for the third party — including their loan history, outstanding balances, and a credit score — was retrieved and logged in our application record. We had obtained another person's credit report without their consent simply by substituting their BVN. Fix priority: critical. Remediated by deriving the bureau lookup BVN exclusively from the authenticated session's verified KYC record, ignoring any BVN submitted in the application body.
Operating a digital lender in Nigeria? Book a security assessment of your credit bureau integration before an unauthorized lookup creates a regulatory incident.
Book a Credit Bureau Integration AuditFrequently asked questions
What data is exposed in a Nigerian credit bureau report?
A full credit bureau report from CRC or FirstCentral includes the subject's full name, BVN, date of birth, address history, all active and closed credit facilities (with lender names, amounts, and repayment status), total outstanding debt, number of credit enquiries in the last 12 months, and a credit score. This is one of the most comprehensive personal financial datasets available in Nigeria.
Can an attacker manipulate a credit score through API vulnerabilities?
Not directly at the bureau. The score is computed by the bureau from data submitted by member lenders. However, attackers can exploit integrations in two directions: they can cause a lender's system to submit false negative data (marking performing loans as delinquent, which damages a targeted individual's score), or they can prevent a lender's system from submitting negative data about a synthetic borrower (preserving a clean credit history on a fraudulent identity).
What regulations govern credit bureau data in Nigeria?
The Credit Reporting Act 2017 governs credit bureaus in Nigeria and sets obligations for member financial institutions regarding data accuracy, dispute resolution, and the permissible purposes for which credit reports can be obtained. CBN guidelines on credit risk management also specify how lenders must handle bureau data. NDPA 2023 applies because credit bureau reports contain personal data.
Related reading
Blog: Loan disbursement logic flaws · KYC and BVN data security · NIN verification API security
Services: Penetration testing · API security