Get Smart about Business Spending
Sometime on October 14, a wide array of furniture and electronics were stolen from a commercial storage facility outside Phoenix. The building was used by the Arizona Early Intervention Program, which helps families of disabled children.
Two weeks ago, the state informed the parents of the nearly 40,000 children in the program that their personal information was potentially at risk for ID fraud. According to the Arizona Department of Economic Security (DES), a backup computer hard drive stolen from the facility was password protected. What happened next is where the controversy arises.
The DES and others in the media suggested that parents concerned about protecting their children against ID fraud seek a credit report for each child, and then put a credit freeze on the credit bureau accounts--advice that initially sounded right to me. But sources tell CNET News that such steps are wrong. Jay and Linda Foley, of the Identity Theft Resource Center (ITRC), said ordering a credit report that technically should not exist is one of the worst things you can do.
Making the problem worse
Julie Fergerson, vice president of emerging technologies at Debix, agreed. "If you actually try to order the credit file, there is a certain number of inquires against the Social Security number that the credit bureaus will create, potentially, on accident, a credit file."
Scott Mitic, CEO of TrustedID said, "according to the Federal Trade Commission, as many as 400,000 children may already be victims of identity theft. To make matters worse, the number of complaints has increased by 78 percent over the past several years, making children the fastest growing segment of identity theft victims." He said common warning signs include the receipt of pre-approved credit offers addressed to your child, calls from a collection agency in which the caller asks for your child by name, or notices addressed to your child from government or law enforcement agencies.
Scott Mitic, CEO of TrustedID
(Credit: TrustedID)Tom Rusin, president and chief executive officer of Affinion's North America operation, said there should be no credit information being stored for minors with the credit bureaus, but they aren't consistent with what age they start to hold a child's information. "For some they hold information for those 18 and older, with one it's 16 and older. Technically speaking, if you are nine, your information should not reside within the credit bureaus at all."
When is too early?
Children today can get a Social Security number assigned within days of birth. That number may be valuable for setting up college saving accounts and obtaining company health benefits, but, in most cases, that Social Security number sits dormant for about 16 years. No loans. No credit cards. No activity. Pat Dane, chief revenue officer at MyPublicInfo, recommends "as soon as the parents give the kid a Social, they ought to start monitoring it."
"It's a squishy area," said Affinion's Rusin. "If they don't have credit files, how can you monitor them?"
So what kind of monitoring is right for a child?
Julie Fergerson, Debix VP of emerging technologies
(Credit: Debix)Not traditional credit report monitoring, warned ITRC's Jay Foley. He said it's not a good idea to sign up a child for a service for something that does not exist.
Debix's Fergerson told me when ID theft occurs among children, a credit file is often attached to the child's Social Security number with the suspect's name and date of birth, not the child's. "So doing the traditional things like ordering fraud alerts or credit reports, any of those things, will always come back saying there is nothing there."
Mike Prusinski, VP of public affairs at LifeLock, agreed: "A credit freeze cannot be placed if there is nothing to attach it to. After multiple attempts or inquiries (in)to a child's identity, it is possible that a credit file might be created."
"And if there is a credit report file (associated with your child's name), it's not always necessarily identity theft said ITRC's Linda Foley. "It could be that someone mixed up the numbers and instead of a six they put down a five. And sometimes credit files are created because of clerical errors," said Foley. "The key here is to identify it early so we can fix it."
ID monitoring is not credit monitoring
Different from credit monitoring is ID monitoring. MyPublicInfo's Dane explained to me the subtle distinction between credit monitoring and ID monitoring, the difference that has ID fraud experts upset with those spreading misinformation about protecting children. Credit monitoring and ID monitoring are not the same, said Dane, who sent me some Gartner studies showing that credit report monitoring isn't as effective today as ID monitoring when it comes to detecting new account creation, for example. ID monitoring casts a much wider net, looking for activity on a person's Social Security number, not their credit report.
"If someone stole my son's Social," he said, "they could walk into Verizon, T-Mobile and open the easiest form of credit there is." Establishing a utility record is a common way that identity fraud is committed in part because it is harder to identify. Instead of appearing on a credit report, it needs a separate monitoring process, which the Gartner reports say most people do not have. When this so-called "synthetic ID theft" happens to a child, it may occur for years and years before the child needs to establish credit and finds he or she cannot.
"To me (new account creation) is probably one of the more egregious forms of identity theft," ITRC's Linda Foley said.
ITRC's Jay Foley said there's the classic story of a child in foster care. The kid turns 18 and the county ceases supervision. The kid then learns that through a bad parent or other means there's a bad credit report. "Instead of that child going on straight from high school to college, the child's going to end up working low- to pathetic-wage jobs while they clean up this mess in order to qualify for a student loan," he said.
Linda Foley, Founder, ID Theft Resource Center
(Credit: ITRC)
What should you do?
ITRC's Linda Foley said "if you think that your child may be a victim of identity theft, parents need to fire off registered letters to each of the credit bureaus. The letters should include the child's full name, Social Security number, parent (or guardian's) name and address. The letter should ask that a search for a credit file be done of the child's Social Security number since often the name will be different. Additionally you should include photocopies of your driver's license (proof of your identity), a copy of the child's birth certificate showing you as the parent, any guardianship papers if you are not the parent and a copy of the child's Social Security card. Foley said it sounds like a lot, but that's what photocopiers are for.
The credit bureaus want to make sure you are the correct person before releasing information, Foley said. If you are told, "there is no file," that is a good answer and you should stop worrying. Check again when the child is 16 and then again when they are 17 and getting ready to apply for a job or college. "If you are told there is a file, contact one of the non-profits or government agencies that provide victim assistance at no charge," she said. "They will walk you through the steps to clear the records."
LifeLock's Prusinski said for minors 15 and under, his company attempts to set a fraud alert every six months; for children over the age of 16, it is every 90 days, just like adults. "Although we cannot place an actual alert if no credit file exists, we still take the necessary measures to ensure that we are preventing a credit file from being fraudulently created." In addition LifeLock does a credit report audit for minors once a year through the FACT Act, which only requests a credit file. "This action has not created an inquiry because there is nothing with the bureaus that matches that SSN or name." Ideally, parents should then receive the letter that states "a credit file cannot be found." LifeLock also performs a separate Social Security Administration audit for children to see if work history exists.
Debix will also monitor a child's ID and if there's a problem, it'll clean it up. Recently Debix partnered with Javelin research to study the first 500 children who signed up with its service. Of that group, researchers found 5 percent had a pre-existing problem. Debix' Fergerson said that 12 percent were aged 5 and younger, and the average amount of each fraud was about $12,000. She said the company saw one case where a 17-year-old found his Social Security number had been used by a woman for the last two decades, a woman who had $325,000 in debt, a mortgage, and car loan. The 17-year-old boy was a few months away from applying for college. "This case, the woman wasn't a criminal, she legitimately believed the number was hers." Debix straightened out the accounts.
Trusted ID offers similar protection for minors.
Affinion's Rusin said his company is in the process of creating a children's identity protection program.
Tom Rusin, president and CEO of Affinion's North America operation
(Credit: Robert Vamosi / CNET)
Catch it young
Right now parents and guardians cannot put a block on a child's Social Security number saying it "belongs to a minor," but Linda Foley said she's working to make that a federal law by the end of 2009. Affinion's Rusin further suggested that the Social Security Agency also needs to improve its database so that two names don't show up under one SSN.
"The reality is if we catch it when they are young, before they are 16 or 17 years old," Linda Foley said, "it is far easier to take care of than if you were to become a victim of identity theft because we can show that anyone under the age of 18 who is still a minor, not emancipated, cannot be held legally responsible for any contract." Knowing early on makes it easier for parents to repair the situation, she said.
Jay Foley, co-founder of the Identity Theft Resource Center, told me recently that 57 percent of all identity fraud involves opening new accounts "for short-term gain." The ITRC should know: it has been surveying ID fraud victims for several years and has amassed some impressive real-world statistics.
Foley also said 13 percent of the identity theft victims found out about the attacks only after criminals had established utility or cable service in their names. "So your credit record is more theirs than yours, making it harder to fight them in court," he said.
Clearly the best solution is to stop credit fraud at the moment it starts, when the account is first applied for, but for years credit histories and scores lay shrouded in mystery.
Fortunately, there's greater transparency with regard to credit reports these days. Since 2003, the Fair and Accurate Credit Transactions Act, or Facta, makes it possible for individuals to request one free annual credit report from each of the three major credit reporting agencies. (Go to AnnualCreditReport.com.) Initially, it was to correct any errors in the credit report; many people, however, use this process to monitor their reports for credit fraud.
While you can request all three credit reports at once, experts recommend staggering these, requesting one from a different reporting agency every 90 days or so. That way you'll see a comprehensive view. In addition to requesting your credit report, Congress, through laws such as the Fair Credit Reporting Act (FCRA), has provided other tools for monitoring your credit activity.
A fraud alert placed on your credit history requires an issuing entity to contact you first before opening a new account. Fraud alerts need to be renewed every 90 days unless you are a documented victim of identity fraud, in which case you are entitled to additional protection for up to seven years.
Another option is to place a credit freeze on your credit history. As of November 1, 2007, all three major credit reporting agencies offer this option. Lenders looking to issue credit in the name of someone with a credit freeze will be unable to access the credit history without your explicit permission. In most states there is no termination date, however there is a $10 fee to institute a freeze, and a $12 fee to lift it whenever you want to allow a credit check. These fees are waived if there is proof the individual is an identity fraud victim. The main advantage of a credit freeze over a fraud alert is that the credit freeze does not expire. Credit freezes, however, do not apply to entities with whom the consumer has an existing account. Nor do they apply to law enforcement agencies and certain governmental agencies.
The plans from Experian, Trans Union, and Equifax are similar, each providing a complementary credit report from all three reporting agencies, continuous monitoring of credit activity and any online use of your personal information, and some insurance against identity fraud abuse. The plans range from $11 to $14 per month, with annual and family plans available for less. They do not, however, place alerts or a freeze on your credit history.
This creates a market for private identity protection companies. One of the first was TrustedID, which costs $10 per month per adult (with annual and family plans available) and places both a fraud alert and a credit freeze on your credit history (requiring you to be contacted in both cases), opts you out of credit offers, $1 million in loss insurance, scans for personal data on the Internet, and monitors change of address. TrustedID also scans for medical fraud and protects against spyware.
Providing similar protection is LifeLock. This company is perhaps the best known because its CEO advertises his personal Social Security number as an example of how secure the company is. Bruce Schneier recently did an analysis of what's right and what's wrong with LifeLock as did the CNET Blogger Network's Chris Soghoian.
The Achilles' heel in all of these plans is that the financial institution does not have to make a reasonable attempt to contact you, so the fraudulent account may still get opened. Even with a credit freeze, some financial intuitions won't contact you. There's no way to prove or disprove an institution called you, said ITRC's Foley.
Until now.
Back in 2004 a guy named Bo Holland took a gamble. He bet that that identity fraud would only get worse, not better. And he was right. Having built a series of start-ups within the financial services industry, Holland had an insider's perspective on the problem; he knew how banks and other institutions handled credit requests; he also had worked at Critix Systems, so he had understanding about application delivery. With his latest start-up, Debix, an identity protection network, Holland pulled together all of his skills.
Not only does Debix put a credit freeze on your profile, but it uses its own phone number to log whether the credit institution tried to contact you. And if you're not available, Debix puts the pending account or loan on hold until you are able to return the call. And by using a Debix phone number, not your home number, on your credit report, that adds another layer of security to the product.
So how does Debix work in the real world? Say you are at a car dealership and you need to finance a new car. Shortly after the salesperson leaves the showroom floor, your mobile phone should ring. That's Debix; you know it because it's your voice saying a secret code. Then Debix asks if you indeed are seeking to establish a new account. If yes, you type in a secret personal identification number.
Say you are on vacation and Debix conveys a permission request for a new account. Since you didn't request a new account, you press star and you are instantly put in touch with a Debix investigator, who then contacts the party requesting the credit check. The advantage here, says Holland, is that the ID fraud case is still hot. In some cases, Debix has been able to identify a particular IP address and then turn that information over the local law enforcement. This saves local law enforcement time; they don't have to get a warrant for the bank's information--Debix has already provided the information.
Jerry Dixon, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, told me that there are many reasons why ID fraud cases aren't investigated.
"An assistant U.S. attorney might ask 'What's the likelihood of this going overseas?' 'What is the likelihood of being able to nail down who this is without having to write 20 subpoenas first?'"
If the IP address goes out to Belarus, then Dixon says forget it; the U.S. no longer has a law enforcement attache in Belarus so it's hard to enlist sympathy from law enforcement in that country. But if a company like Debix can provide law enforcement with details from the financial institution and a party willing to press charges, your odds of getting someone arrested improve.
Sound too good to be true? In a study published by Julie Fergerson, vice president of Emerging Technologies, and Debix's Holland, the authors looked at 30,000 Debix-secured transactions during a two-month period at the end of 2007. Of those, 380 were identified as fraud and were stopped immediately. Overall, the rate of new account fraud among Debix customers was zero percent.
ITRC's Foley said he was impressed with the results within the survey. Holland told me that during the survey period there were four instances of new account fraud. In each case, however, the financial institution did not call the customer. With Debix, though, you have some recourse. Debix maintains a record and can prove the institution in question did not attempt to call the customer.
Since learning about Debix in June, I've been trying to knock the protection, but so far cannot. Holland, it turns out, is no stranger to the computer security community; since 2004 he's been showing his wares and soliciting opinions at Defcon in Las Vegas. He invited Phil Zimmerman, creator of Pretty Good Privacy (PGP) to fault it, and he could not. Holland has invited other computer hackers to pick apart his logic. Even Foley and Dixon are full of praise for Debix.
And it gets better.
As of Monday, Debix is lowering its prices "way down" says Holland. One adult can sign up for $24 a year; families with up to three adults and four children can sign up for $72; and families with up to five adults and four children can sign up for $144 a year. That's much less than similar plans being offered by Experian, Trans Union, Equifax, TrustedID, and LifeLock. And Debix has been protecting people since 2004, so it's not some untested entity.
If you can name a more secure ID protection service for less cost, I'd like to hear from you.
- prev
- 1
- next
