ID Theft: SSN Is 'Key to the Kingdom'

Incidents Prove Link Between Social Security Numbers, ID Theft
ID Theft: SSN Is 'Key to the Kingdom'
Editor's Note: Check out our ongoing series about Identity Theft, from victims to regulators.

The Colorado Supreme Court decision to reverse a conviction for criminal impersonation has stirred debate among identity theft protection advocates. In short, advocates say the Oct. 25 ruling sets a precedent that provides a loophole for those who impersonate others by stealing and/or misusing Social Security numbers.

"The Social Security number is the key to the kingdom of almost every type of identity theft," says attorney and certified information privacy expert Mari Frank. "It's the key to medical-benefit theft, government-benefit theft, you name it. This case, I think, sets a very bad precedent," she says, "because there are a number of people with bad credit or a criminal record or even illegal immigrants in this country that would use a stolen Social Security number to get a job, take out a car loan or get other benefits."

The Colorado Supreme Court overturned by a 4-3 decision the 2006 conviction of Felix Montes-Rodriguez for misusing another person's Social Security number to find work and apply for a car loan. Montes-Rodriguez' immigration status is not known; but the court found that because he used his own address, birth date and place of employment when he applied for the car loan, the use of the stolen Social Security number did not constitute false identity.

Frank, an identity-theft victim who authored "The Complete Idiot's Guide to Recovering from Identity Theft," argues that decision goes against Colorado law and federal law, which defines identity theft as the use of an identifier for some illegal purpose. In fact, the Identity Theft Red Flags Rule specifically mentions suspicious Social Security numbers, as their use might relate to loan applications or other documentation. A few noted suspicious uses: Use of a Social Security number that's listed on the Social Security Administration Death Master File12 or a number that hasn't been issued, according to the monthly issuance tables available from the Social Security Administration; inconsistencies in the information the consumer has given, such as a date of birth that doesn't correlate to the number range on the Social Security Administration's issuance tables; and a Social Security number that's been used by someone else to open an account

The Colorado ruling highlights an underlying misunderstanding about identity theft, criminal impersonation and the ease with which criminals can access and exploit Social Security numbers, Frank says, who adds that several of her clients have had their Social Security numbers stolen, including a 7-year-old victim.

"He is 21 now, and last year he tried to get a car loan from his credit union; but they did not want to give it to him," she says. "His credit union purchased a Social Security search from Experian and found that three other people were using his credit and his Social Security number." Frank later learned from credit bureau Experian Information Solutions Inc. that her client's Social Security number had been used by those three individuals to build individual credit profiles. In each case, the Social Security number was affiliated with a separate individual's name.

Frank says credit bureaus, such as Experian, bear some responsibility and should be required to ensure a single Social Security number is not affiliated with multiple names. "Your Social Security could be used by myriad people and presently you have no right to see the Social Security searches that do not appear on your consumer credit report. You cannot even access it to correct it," she says. "All the impersonator needs is a Social Security number to create a credit profile to establish loans and credit to commit fraud. Clearly, most people -- even judges -- don't' understand how vulnerable we all are if someone impersonates us with only the theft of our Social Security number."

Financial institutions, as lenders, also bear responsibility, not only to protect their existing customers and members but to ensure they don't store sensitive personal identifiers, such as Social Security numbers, in places or databases that can be easily accessed or hacked.

John Buzzard, client relations manager for FICO, which provides decision management and predictive analytics solutions, says more thorough credit background checks could solve most of the problem. "All new accounts that come through the lenders provide full credit reports. They just need to make sure they pull the full report and check it thoroughly," he says. "They also should make sure they require a full picture ID, as well as some other form of credit history," such as rental history.

Most financial institutions do some of this already, by verifying dates of birth and Social Security numbers through the ChexSystems network when customers or members open savings and checking accounts. The ChexSystems network comprises financial institutions that regularly contribute information about mishandled checking and savings accounts to a central location. ChexSystems shares the information among its members to help them assess risk before opening new accounts.

That kind of background check would not help in the case of a misused child's Social Security number, but the Identity Theft Resource Center suggests parents simply conduct annual checks to see if any credit report exists for a child. "If no credit report is found, it's good news," ITRC Executive Director Linda Foley says.

Vulnerabilities of Children's SSNs

The vulnerability of Social Security numbers, especially those held by children, is getting more attention. Because a Social Security number is considered dormant -- meaning it can't be used for credit -- until a person turns 18, a child's Social Security number could be stolen or sold and misused for several years before any red flags are raised. As in the case of Frank's client, he was not aware of any misuse until he tried to take out a car loan. In the Montes-Rodriguez case, the woman from whom Montes-Rodriguez stole the Social Security number only learned of the theft after getting dinged on her credit report.

The woman in Colorado got lucky. "Had this been a child, no one would have noticed this until the child turned 18," Foley says.

According to the ITRC, parents and family members are often the ones who misuse a child's Social Security number. There is no way for a creditor, employer or credit bureau to verify the age of a recipient who has just been issued a Social Security number. Having a system in place to raise a red flag when a child's dormant number is used for credit is something for which the ITRC is pushing.

In 2005, the ITRC proposed the Minors 17-10 database, which would provide credit issuers a tool to verify when a submitted Social Security number belongs to a child. Though the database has never been implemented, the ITRC is still pushing for its creation and says it has spoken with numerous agencies and regulatory bodies about the database's perceived effectiveness. ITRC's proposal is that the database would hold the name, month and year of birth, and Social Security number of every U.S. minor (from birth to age 17 years and 10 months), and would be maintained by the Social Security Administration, which would provide monthly updates to approved credit-reporting bureaus.

Adding another system for the Social Security Administration to maintain is the likely reason the Minors 17-10 Database has not taken off. But some of thinking behind the plan for the database could help mold some other type of system into reality, as the threat against Social Security numbers continues to grow.

Social Security numbers of babies and children are susceptible to innumerable scams. "There are plenty of consumers with bad credit who sacrifice their child's Social Security number to get access to good credit," FICO's Buzzard says, "and any caregiver who has access to those records, such a doctor's office, could have an employee who is willing to sell that information for profit. It definitely is a problem."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.