How not to address child ID theft

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://emergentchaos.com/archives/2010/08/how-not-to-address-child-id-theft.html

August 13th, 2010 by adam
(San Diego, CA) Since the 1980?s, children in the US have been issued
Social Security numbers (SSN) at birth. However, by law, they cannot
be offered credit until they reach the age of 18. A child?s SSN is
therefore dormant for credit purposes for 18 years. Opportunists have
found novel ways to abuse these “dormant” numbers. Unfortunately,
credit issuers do not currently have the ability to verify if a SSN
belongs to an adult or a minor. If they knew that the SSN presented
belonged to a minor they would automatically deny opening a credit
account.

Years ago, the Identity Theft Resource Center envisioned a simple
solution to this problem. It is called the Minors 17-10 Database and
ITRC has been talking with various government entities and legislators
about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers
the tool to verify if the SSN provided belongs to a child. This
proposed SSA record file would selectively extract the name, month of
birth, year of birth, and SSN of every minor from birth to the age of
17 years and 10 months. This record file, maintained by SSA, would be
provided monthly to approved credit reporting agencies. When a credit
issuer calls about the creditworthiness of a SSN, if
the number is on the Minors 17-10 Database, they would be told that
the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good
Identity Theft Resource Center. Unfortunately, this idea is totally
and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a
good thing. There’s no authorization under law for them to do so. The
fact that they’ve created an externality on young people is no reason
to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from
before someone turns 18. Birth dates could be confirmed by a drivers
license, passport or birth certificate.

Here’s how it would work:

Alice turns 18.
Alice applies for credit and discovers she has a credit history
Alice calls the big three credit agencies and gets a runaround
explains she’s just turned 18, and apparently has credit from when she
was 13.
The credit agency asks for documents, just like they do today (see
“when do I need to provide supporting docs”)
The credit agency looks at the birthday they’ve been provided, and
substracts 18 years from the year field.
The credit agency removes the record from the report

It’s easy, and doesn’t require anything but a change in process by the
credit bureaus. No wonder they haven’t done it, when they can convince
privacy advocates that they should get lists of SSN/name/dob tuples
from Uncle Sam.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php