How to handle ID fraud's youngest victims
Sometime on October 14, a wide array of furniture and electronics were stolen from a commercial storage facility outside Phoenix. The building was used by the Arizona Early Intervention Program, which helps families of disabled children.
Two weeks ago, the state informed the parents of the nearly 40,000 children in the program that their personal information was potentially at risk for ID fraud. According to the Arizona Department of Economic Security (DES), a backup computer hard drive stolen from the facility was password protected. What happened next is where the controversy arises.
The DES and others in the media suggested that parents concerned about protecting their children against ID fraud seek a credit report for each child, and then put a credit freeze on the credit bureau accounts--advice that initially sounded right to me. But sources tell CNET News that such steps are wrong. Jay and Linda Foley, of the Identity Theft Resource Center (ITRC), said ordering a credit report that technically should not exist is one of the worst things you can do.
Making the problem worse
Julie Fergerson, vice president of emerging technologies at Debix, agreed. "If you actually try to order the credit file, there is a certain number of inquires against the Social Security number that the credit bureaus will create, potentially, on accident, a credit file."
Scott Mitic, CEO of TrustedID said, "according to the Federal Trade Commission, as many as 400,000 children may already be victims of identity theft. To make matters worse, the number of complaints has increased by 78 percent over the past several years, making children the fastest growing segment of identity theft victims." He said common warning signs include the receipt of pre-approved credit offers addressed to your child, calls from a collection agency in which the caller asks for your child by name, or notices addressed to your child from government or law enforcement agencies.
Scott Mitic, CEO of TrustedID
(Credit: TrustedID)Tom Rusin, president and chief executive officer of Affinion's North America operation, said there should be no credit information being stored for minors with the credit bureaus, but they aren't consistent with what age they start to hold a child's information. "For some they hold information for those 18 and older, with one it's 16 and older. Technically speaking, if you are nine, your information should not reside within the credit bureaus at all."
When is too early?
Children today can get a Social Security number assigned within days of birth. That number may be valuable for setting up college saving accounts and obtaining company health benefits, but, in most cases, that Social Security number sits dormant for about 16 years. No loans. No credit cards. No activity. Pat Dane, chief revenue officer at MyPublicInfo, recommends "as soon as the parents give the kid a Social, they ought to start monitoring it."
"It's a squishy area," said Affinion's Rusin. "If they don't have credit files, how can you monitor them?"
So what kind of monitoring is right for a child?
Julie Fergerson, Debix VP of emerging technologies
(Credit: Debix)Not traditional credit report monitoring, warned ITRC's Jay Foley. He said it's not a good idea to sign up a child for a service for something that does not exist.
Debix's Fergerson told me when ID theft occurs among children, a credit file is often attached to the child's Social Security number with the suspect's name and date of birth, not the child's. "So doing the traditional things like ordering fraud alerts or credit reports, any of those things, will always come back saying there is nothing there."
Mike Prusinski, VP of public affairs at LifeLock, agreed: "A credit freeze cannot be placed if there is nothing to attach it to. After multiple attempts or inquiries (in)to a child's identity, it is possible that a credit file might be created."
"And if there is a credit report file (associated with your child's name), it's not always necessarily identity theft said ITRC's Linda Foley. "It could be that someone mixed up the numbers and instead of a six they put down a five. And sometimes credit files are created because of clerical errors," said Foley. "The key here is to identify it early so we can fix it."
ID monitoring is not credit monitoring
Different from credit monitoring is ID monitoring. MyPublicInfo's Dane explained to me the subtle distinction between credit monitoring and ID monitoring, the difference that has ID fraud experts upset with those spreading misinformation about protecting children. Credit monitoring and ID monitoring are not the same, said Dane, who sent me some Gartner studies showing that credit report monitoring isn't as effective today as ID monitoring when it comes to detecting new account creation, for example. ID monitoring casts a much wider net, looking for activity on a person's Social Security number, not their credit report.
"If someone stole my son's Social," he said, "they could walk into Verizon, T-Mobile and open the easiest form of credit there is." Establishing a utility record is a common way that identity fraud is committed in part because it is harder to identify. Instead of appearing on a credit report, it needs a separate monitoring process, which the Gartner reports say most people do not have. When this so-called "synthetic ID theft" happens to a child, it may occur for years and years before the child needs to establish credit and finds he or she cannot.
"To me (new account creation) is probably one of the more egregious forms of identity theft," ITRC's Linda Foley said.
ITRC's Jay Foley said there's the classic story of a child in foster care. The kid turns 18 and the county ceases supervision. The kid then learns that through a bad parent or other means there's a bad credit report. "Instead of that child going on straight from high school to college, the child's going to end up working low- to pathetic-wage jobs while they clean up this mess in order to qualify for a student loan," he said.
Linda Foley, Founder, ID Theft Resource Center
(Credit: ITRC)
What should you do?
ITRC's Linda Foley said "if you think that your child may be a victim of identity theft, parents need to fire off registered letters to each of the credit bureaus. The letters should include the child's full name, Social Security number, parent (or guardian's) name and address. The letter should ask that a search for a credit file be done of the child's Social Security number since often the name will be different. Additionally you should include photocopies of your driver's license (proof of your identity), a copy of the child's birth certificate showing you as the parent, any guardianship papers if you are not the parent and a copy of the child's Social Security card. Foley said it sounds like a lot, but that's what photocopiers are for.
The credit bureaus want to make sure you are the correct person before releasing information, Foley said. If you are told, "there is no file," that is a good answer and you should stop worrying. Check again when the child is 16 and then again when they are 17 and getting ready to apply for a job or college. "If you are told there is a file, contact one of the non-profits or government agencies that provide victim assistance at no charge," she said. "They will walk you through the steps to clear the records."
LifeLock's Prusinski said for minors 15 and under, his company attempts to set a fraud alert every six months; for children over the age of 16, it is every 90 days, just like adults. "Although we cannot place an actual alert if no credit file exists, we still take the necessary measures to ensure that we are preventing a credit file from being fraudulently created." In addition LifeLock does a credit report audit for minors once a year through the FACT Act, which only requests a credit file. "This action has not created an inquiry because there is nothing with the bureaus that matches that SSN or name." Ideally, parents should then receive the letter that states "a credit file cannot be found." LifeLock also performs a separate Social Security Administration audit for children to see if work history exists.
Debix will also monitor a child's ID and if there's a problem, it'll clean it up. Recently Debix partnered with Javelin research to study the first 500 children who signed up with its service. Of that group, researchers found 5 percent had a pre-existing problem. Debix' Fergerson said that 12 percent were aged 5 and younger, and the average amount of each fraud was about $12,000. She said the company saw one case where a 17-year-old found his Social Security number had been used by a woman for the last two decades, a woman who had $325,000 in debt, a mortgage, and car loan. The 17-year-old boy was a few months away from applying for college. "This case, the woman wasn't a criminal, she legitimately believed the number was hers." Debix straightened out the accounts.
Trusted ID offers similar protection for minors.
Affinion's Rusin said his company is in the process of creating a children's identity protection program.
Tom Rusin, president and CEO of Affinion's North America operation
(Credit: Robert Vamosi / CNET)
Catch it young
Right now parents and guardians cannot put a block on a child's Social Security number saying it "belongs to a minor," but Linda Foley said she's working to make that a federal law by the end of 2009. Affinion's Rusin further suggested that the Social Security Agency also needs to improve its database so that two names don't show up under one SSN.
"The reality is if we catch it when they are young, before they are 16 or 17 years old," Linda Foley said, "it is far easier to take care of than if you were to become a victim of identity theft because we can show that anyone under the age of 18 who is still a minor, not emancipated, cannot be held legally responsible for any contract." Knowing early on makes it easier for parents to repair the situation, she said.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
Banks, credit card companies, and the government have refused time and time again to implement changes that could actually protect against identity theft like creating a national database that links your SSN to your local bank branch and anytime you open a new account, whoever is opening that account with you, would have to call and get verbal, signed, and faxed authorization from your bank that is listed in the database that you have in fact when down to your local branch, authenticated your identity with people you know, and authorized the account such as opening a new credit card account. I should have to go down to my own local branch and prove my identity and authorize that the credit card company is indeed allowed to open an account in my name with my SSN. This would stop a thief from opening an account in my name from a thousand miles away.
We should also stop using SSNs for identity and if we continue to do so we should at least make it a one phone call procedure to receive a new SSN number with your old credit report moved over to it with all the fraudulent accounts taken off.
We should be using smart cards with public, private key technology where the private key never leaves the device. Even the bank employees shouldn't know the private key so a bank employee can't steal your private key. They should only have access to the public key and if it does get hacked you can easily just get a new smart card and the old one can become deactivated. Biometrics cannot be deactivated. What have they done instead? They've given us credit cards where the secret number is plastered on the front of it where any store clerk can read it. Their solution? RFID so now someone can read your credit card number with what basically amounts to a radio even if you never take it out of your wallet. How is that solving the problem? That's making it worse and they don't even care.
However, nobody has done anything to protect us from identity theft because they don't want people to have control over their credit information. We should just stop using it. If you want to loan someone money then don't even look at their stupid credit report. It means nothing. Have no faith in those reports. Businesses need to start coming up with their own ways to decide if they want to loan someone money based on if they know you or they trust you. We either need to reform the way credit scores work or we need a law that says companies can't put bad marks on your credit report anymore because the government and banks haven't even provided us with a secure way of knowing if the credit report you're looking at really belongs to the person that didn't pay you back or not. It's a system built around fraud and there's not way to tell if a credit report means anything or not. So, lets just stop using them entirely until someone in the government comes around and implements some real solutions.
I found a way to opt out of all those things FOREVER online. I forget what it was, but it was a simple phone number you call, give them your name and address (nothing else) and you are put on a blacklist for those offers. I did it for myself and have YET to see another pre-approved offer come to my home.
Also, every bank already keeps national databases already. Look at your actual credit score. So, you're telling me they have a national database that links everyone's credit score to their SS number, but they can't add a couple more fields to same friggin database to keep track of what my actual address is plus the address of my local bank branch is? That's just crap.
Look, when I stick my credit card in any register in the country at any Walmart or any other store it can call up a database and see if I have money left in my account right? How come a teenage girl working at the counter of Walmart on the other side of the country can dial into a database to tell if I have money or not, but say a company like Capital One can't dial into a national database to see what my local bank branch is when I order a new smart card?
Then they could just mail the smart card down to my bank branch instead of to my house. Then I go down to the bank and pay a small fee, say 5 or 10 dollars for my local branch to auth my identity and activate my account for me. Banks could compete with each other based on who had the lowest fees.
Look, it's even profitable for the banks to do this. They could charge small fees like 5 or 10 dollars to do this for people and keep people's identity safer. Look, I just activated a new credit card account. They don't even ask you for your friggin mother's maiden name anymore sometimes. These criminals can open accounts with just your SSN which is plastered on every job form you ever filled out and everything else they ask for is pretty much publicly accessible. They can do it over a pre-paid cell phone and have the bill mailed to whatever address they want. They even asked me where I wanted the bill sent if I wanted it sent to a different address then where I live when I activated it over the phone where there was no way they could tell if I was really me.
This happened to my friend. He had his credit locked and everything and some credit card company (WAMU providian actually) still gave someone else a credit card in his name. The criminal had it sent to a completely different address from where my friend actually lived. My friend didn't find out for for months until collections started calling, but did it hurt his credit since he had it frozen I don't know, but a criminal still got some free money. If it's too hard to make sure people really are who they say they are then we shouldn't be issuing credit cards anymore at all.
Now, you say all this is too hard, but give me one good reason why it is too hard? We already ship people credit cards, we've already invented smart cards, and we already have national databases that can be checked by any teenager working a cash register. We have the technology now to do these things. Also, the fact that it's my credit means I should have some control over it. If they think it is too difficult then that's just tough titty. If the government came in and said that's how it had to be done then trust me they would find a way to make it happen.
The only thing that will happen if they implement this nonsense is a loss of privacy.
It is true that smart cards can be spoofed and so can credit cards, but it's much harder. Consider this. Nobody knows my private key. Not even the bank. It's not like a credit card where a copy of the number is made every place you use it. Only the factory that makes it could possibly know. The bank doesn't need my private key to auth a transaction. All they need to do is decrypt with the public key to know a transaction has indeed been signed with my private key. Remember, that's why I said even the bank shouldn't know what the private key is so a bank employee can't steal it. So, if a lot of spoofed cards start showing up we know it's probably someone that works at the factory. That narrows the list down.
Also, the people at the factory don't know my smart card's pin number. Why? because the pin number isn't set until the smart card leaves the factory. Only when I activate the account at my local bank branch do I type a pin number into the machine to set what I want my pin number to be. Remember, the pin number doesn't need to be stored on the device. It only needs to be store on the authorization server. So, now maybe my local bank branch knows my pin number, bu they still don't know my private key.
Also, the authorization server isn't in the same place as the factory that makes the cards. A smart card factory employee is probably not going to be working in the same building where the authorization server is. So, he would have to hack into that to get my pin number because my pin number wasn't set until long after the smart card left the factory.
Then, even if they could get my pin number I just call up and say the card was stolen and I get a new one and the old one gets deactivated. That's a lot of work to steal a smart card that only works two days and then you get arrested because the cops know it was probably someone at the factory since they had your private key.
However, what it would do is stop professional ID gangs from openening as many accounts as they do now because for every account they open they have to go to a different bank. So, they'd have to travel all over the country to different banks to get these cards activated plus pay a fee everytime they activate a card. Plus since they have to activate it at my bank I can go down to my bank at anytime and see what accounts have been opened in my name.
Now, it is true that they may find a way of activating it without going down to my bank branch by working with someone on the inside. However, if the credit card company doesn't have my faxed signature on a form that came from my banck branch's computer then obviously it wasn't me that opened the account and so I'm not responsible for it am I? No, it would not stop it, but it would make it harder.
- by Identity_Theft_Expert December 26, 2008 5:29 AM PST
- The only thing you can do wrong, is nothing. You have to actively monitoring your childs SSN. If applying for fraud alerts every 90 days instigates a credit report on a minor then so-be-it. Then place a credit freeze. Which should already be right, but its not due to lobby's set up by the bureaus. Broad sweeps of public data is great, but will only warn you. You still need a freeze. www.IDTheftSecurity.com
- Like this Reply to this comment
-
(8 Comments)