BreachExchange mailing list archives
Re: [Dataloss] How not to address child ID theft
From: "Al" <macwheel99 () wowway com>
Date: Sat, 21 Aug 2010 02:01:21 -0500
A problem with your proposed solution, is a person with a ruined credit rating does not know it. Applications for college, for scholarships, for other activities might be refused, because of this info before adult turns 18. At what age does Alice get driver's license, apply for auto insurance, pay extra high premiums because of ruined credit, maybe not even get to first base? Suppose we modify the ITRC proposal to NOT issue any list of SSN's but to have a list of SSM's for SSA usage of those issued at birth, but not yet eligible for credit. That way we avoid abuse by crooks working at the credit agencies, and limit the places that can be breached to just SSA. A creditor contacts SSA to find out if SSN is valid. TILT ... there needs to be a police investigation of whoever is trying to use it. Don't wait until Alice turns 18, and maybe statute of traceable records run out on the crook. An employer contacts SSA to find out if SSN is valid to hire a person. Employers do not get lists from SSA. SSA gets lists from employers. - Al Mac -----Original Message----- From: dataloss-bounces () datalossdb org [mailto:dataloss-bounces () datalossdb org] On Behalf Of Jake Kouns Sent: Thursday, August 19, 2010 10:57 PM To: dataloss-discuss () datalossdb org; dataloss () datalossdb org Subject: [Dataloss] How not to address child ID theft http://emergentchaos.com/archives/2010/08/how-not-to-address-child-id-theft. html August 13th, 2010 by adam (San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these "dormant" numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account. Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (.) The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor. That's from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken. Today, the credit agencies don't get lists from the SSA. This is a good thing. There's no authorization under law for them to do so. The fact that they've created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems. The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate. Here's how it would work: Alice turns 18. Alice applies for credit and discovers she has a credit history Alice calls the big three credit agencies and gets a runaround explains she's just turned 18, and apparently has credit from when she was 13. The credit agency asks for documents, just like they do today (see "when do I need to provide supporting docs") The credit agency looks at the birthday they've been provided, and substracts 18 years from the year field. The credit agency removes the record from the report It's easy, and doesn't require anything but a change in process by the credit bureaus. No wonder they haven't done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam. _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders. http://www.credant.com/campaigns/ebook-chpt-one-web.php No virus found in this incoming message. Checked by AVG - www.avg.com Version: 9.0.851 / Virus Database: 271.1.1/3084 - Release Date: 08/20/10 13:35:00 _______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders. http://www.credant.com/campaigns/ebook-chpt-one-web.php
Current thread:
- How not to address child ID theft Jake Kouns (Aug 20)
- Re: [Dataloss] How not to address child ID theft Al (Aug 21)