BreachExchange mailing list archives
How not to address child ID theft
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 19 Aug 2010 23:57:25 -0400
http://emergentchaos.com/archives/2010/08/how-not-to-address-child-id-theft.html August 13th, 2010 by adam (San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account. Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…) The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor. That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken. Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems. The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate. Here’s how it would work: Alice turns 18. Alice applies for credit and discovers she has a credit history Alice calls the big three credit agencies and gets a runaround explains she’s just turned 18, and apparently has credit from when she was 13. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”) The credit agency looks at the birthday they’ve been provided, and substracts 18 years from the year field. The credit agency removes the record from the report It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam. _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders. http://www.credant.com/campaigns/ebook-chpt-one-web.php
Current thread:
- How not to address child ID theft Jake Kouns (Aug 20)
- Re: [Dataloss] How not to address child ID theft Al (Aug 21)