Schneier on Security
A blog covering security and security technology.
« 1933 Article on Crooked Gambling Technology |
| Security Theater and a Secure Data Center »
January 15, 2007
Identity Theft and Children
Is this the kind of article that spurs legislators into action? After all, we have to protect our children.
Posted on January 15, 2007 at 1:35 PM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
@From the article: "The Identity Theft Resource Center is working with lawmakers in an attempt to push forward a proposal that would create a list using birth records of all Social Security numbers and birth dates. The list would be provided to repositories, which can not sell, distribute or use it for other purposes, according to the ITRC's 2003 testimony before the House Ways and Means Committee in 2003."
Of course, this list is completely useless unless there is some (probably automated) mechanism for checking against it. That, in turn, implies an access API. Which, in turn, suggests an attack-vector.
This would represent a very high-value target, and I suspect its security would not be top-notch, as the list would be distributed to multiple repositories with the specific intention of making at least some of the data available for access by the public.
Perhaps the solution is to get rid of the SSN as a form of identification?
The SSN is totally insecure as a form of identification and there is no way to fix that.
Unique identifiers must be secret if they are to remain useful as an identification method. They can only be used to confirm identity with a 3rd party that also has and protects the secret.
The SSA should publicly publish all SSN's. A monthly update of all assigned SSN's should be published as well. In the short term, a scheduled date a few years in advance would give the financial industry to prepare for the change. In the long term, it completely devalues the SSN as a tracking number. In reality, the SSN is pretty much public anyway (deeds, banks, insurance, taxes). Heck, the IRS prints your full SSN on the tax forms it mails to you. One number to bind them and rule them all is a bad idea anyway.
Well, shouldn't it be? I have heard similar stories from people that have been impacted by this problem. It's very disconcerting to listen to someone recount their first experience opening their own bank account as "I was told they had my SSN linked to someone else's name". And then it's even more odd to hear these kids talk about how they had to come up with thousands of dollars and spend countless days trying to fix their identity. Incidentally, the people this happens to are very easy to convince to carefully follow security guidelines meant to protect PII.
I think one of the most important things I've learned in life is that you are not required to disclose your SSN to most of the people who ask for it.
From what I remember, your place of work, the government, and your bank are the only people with the right to know your SSN.
Considering some universities use students' SSN as their student ID number, there are some institutions that really don't deserve to know my SSN.
I'm not from the US, so I'm a bit ignorant on the use of the SSN. How is it tied to a person's identity? I'm assuming full name and birth date at least, but does it not use some other sort of identifier like current address or birth certificate registration number? I'm trying to understand how someone can open a bank account or credit card account under a name and address that's completely different from the SSN. Do the financial institutions not validate that the SSN matches the name of the person applying? What's the use of asking for the SSN if they don't?
Sounds like we really need to look at developing a range of proper private-sector identity-management solutions that operate outside the Government/SSN numberspace. I forsee a range of competing "identity-brokers" who can provide truly global secure ID-management for those who need it. At a price, of course - security doesn't come cheap - but as a friend is currently finding out, ID-theft can be an expensive business too.
For better or worse, the Social Security Administration currently encourages parents to obtain SSNs for newborns. See http://www.ssa.gov/kids/parent2.htm The page says that obtaining an SSN is not required, but it also says that an SSN is required for certain purposes. These purposes include tax deductions, medical coverage, and bank accounts. Some of these purposes might be less essential than others.
The kids section of the SSA site has an entry on the Social Security card at http://www.ssa.gov/kids/... As of now, this entry mentions that "Your parents could have gotten you a card when you were born." among other things. It also tells kids that do not have a Social Security card to have their parents apply for one.
> Is this the kind of article that spurs
> legislators into action?
Does any kind of article spur legislators into action? As far as I can see, only money and maybe widespread outrage push things onto their radar.
does anyone know if a SSN is really required for US passport.
"For better or worse, the Social Security Administration currently encourages parents to obtain SSNs for newborns."
Forget about the SSA. You MUST HAVE an SSN to receive the tax exemption for your child on your 1040-variant IRS form.
"From what I remember, your place of work, the government, and your bank are the only people with the right to know your SSN."
"Bank" in that list means anyone from whom you can borrow money, including any bank or store that issues you a credit card.
Also: even though my health insurance provider at the time reissued ID cards to everyone with new non-SSN account numbers, and even though every health insurance account I've had since then uses a generated non-SSN for the account number:
I've been told by a dentist's office and at least one doctor's office that they cannot submit the insurance forms for payment without my SSN. I didn't fight too hard, since (a) my argument isn't with the dentist / doctor, and (b) my SSN is spread out all over the map by now anyhow. >ptui<
A bit tangental, but this misuse of figure of speech made me laugh...
"We're only seeing the icing on the cake," says Paul Stephens, policy analyst at Privacy Rights Clearinghouse. "There can be a very long time frame between identity theft and discovery, particularly with children."
@Tanuki: "I forsee a range of competing "identity-brokers" who can provide truly global secure ID-management for those who need it. At a price, of course - security doesn't come cheap - but as a friend is currently finding out, ID-theft can be an expensive business too."
Thawte security (since bought up by verisign, IIRC) actually started to implement something like this. They had their "personal certificate" level that anyone could get (but they only guaranteed that it tied to a postal address). They then had higher levels of certification, with corresponding authenticity bonds, wherein they actually did some sort of individual investigation. I think the lower levels were just getting a Notarized statement-of-identity, but higher levels required an actual face-to-face meeting at you place of residence (or business, since that was the target audience).
Don't know what happened to the concept and business plan, though.
@ac: Amusing. He most certainly got his wires crossed with "tip of the iceberg." Obviously not the sharpest bulb on the Christmas drawer.
The solution, of course, will be to eliminate the few remaining rights of persons under the age of 18. Then those rights can't be stolen, and the innocent children will be safe.
>I'm not from the US, so I'm a bit
>ignorant on the use of the SSN. How is
>it tied to a person's identity?
The documentation requirements for a SSN are very minimal. Heck, if you have a good enough story, they'll accept a Baptismal Certificate to "verify" your name and age.
And the U.S. government has done nothing to enforce it's security -- heck, it's a nice way to collect taxes on illegal aliens figuring they'll never apply for a refund of excessive withholding, or for benefits (although even there, you can file for benefits you earned but recorded under a bogus SSN...)
It's bad enough you can't get a copy of your credit report by SSN. The databases are so hosed the official excuse is they might expose other people's private data to you "accidentally" -- they'll provide someone the credit report based on name and address, not the SSN.
"Is our children protected?"
Sorry, couldn't resist...
I have yet to see mention of the "Woolworth card". http://www.snopes.com/business/taxes/... has some info on it. Seems that the "demo" card that they printed by a wallet manufacturer got used as the real thing. And no one caught on for years.
'The documentation requirements for a SSN are very minimal. Heck, if you have a good enough story, they'll accept a Baptismal Certificate to "verify" your name and age.'
On the flipside, sometimes people *have* lost everything - natural disaster or mental illness can potentially get rid of a large amount of your identifying papers. We do need a way for such people to reclaim their identity without too much difficulty, but hopefully also without breaking the security...
"Heck, the IRS prints your full SSN on the tax forms it mails to you."
This hasn't been the case for at least the past four or five years. (I don't recall exactly when the IRS stopped the practice; all I can recall was that it was within the past few years.)
In fact, I just looked at the 2006 1040EZ package I received from the IRS. My SSN is *nowhere to be found* -- not on any of the forms, and definitely not on the mailing label (which is where it used to be before the IRS stopped the practice). In fact, the following warning is printed next to the pre-printed mailing label:
"*Important*. Your SSN(s) is not on this label. You *must* enter your SSN (and your spouse's if married) in the space provided on your return."
Lets get this into perspective.
"Identity Theft" is plain old fashoined fraud; specificaly obtaining credit under false pretenses.
The "victims" here are the institutions issuing the credit.
These institutions are prepared to put up with a fairly high percentage of fraudulent transactions rather than risk turning away genuine customers who from whom they can extract "loan shark" interest rate payments.
Rather than tighten up thier own procedures they are spreading some "FUD" around to encourage the public to detect identity thieves for them (free of charge). This is futher exacerbated by credit rating companies who have found a brand new market charging people who dont want credit ten bucks to check thier own credit rating.
An SSN is an arbitary code used to aid tax collection. It is not ID and was never intended as such. If some businesses choose to use it as an ID and get stung as a result -- its thier problem.
The only sensible legislation in this area would be to require credit rating agencies to provide your personal credit data for free.
How come this is unheard of and no problem in other civilized nations? Could it be that the whole system being used in the US is flawed? So everyone can easily pretend to be whoever they choose. Weird. Doesn't seem to be the case or at least not such a huge problem outside the US.
Maybe that's why you mistreat harmless tourists and submit them to degrading treatment when they try to enter the country and spend their pockets full of cash during (how communist is THAT?!) their 4 weeks of holidays in Gods Own Country.
Wouldn't it just make more sense to ban the use of an SSN for anything other than tax collection and social security?
Our equivalent number here in the UK, the National Insurance number, isn't used for anything other than work and benefits (you have to give it to an employer to be able to pay tax and social security contributions by "Pay As You Earn"; I'm pretty sure you use it to claim benefits, though I've not done so in nearly a decade now) and is much less "useful" for identity theft as a result.
Sure, there are still abuses of our NI numbers (notably for illegal working by asylum seekers and illegal immigrants) and there are almost 50% more NI numbers in circulation than there are people who should have them, but it stikes me as much less of a problem than the SSN abuse you guys have in the US.
How much would it cost business to use some other identifier (some hash of name, date and ZIP code of birth, for example)?
From the Dept of State link in BLP's comment, at the very bottom:
6. Provide a Social Security Number
If you do not provide your Social Security Number, the Internal Revenue Service may impose a $500 penalty. If you have any questions please call your nearest IRS office.
I applied last week, and I sure provided my SSN.
Basically, the banks and credit bureaus are trying to outsource responsibility. If they do not have to verify age, or confirm ID, prior to opening an account/granting credit, they will not.
My example is a co-branded card where the bank/issuer had all of the application/approval process in house. In a 3 month period, they approved about 40 accounts of 60 which all applied from the same address, with different names, and all of the SSNs were taken from individuals who had no record of living in that state. When they tried to push the liability for the fraudulent accounts onto their partner, the bank claimed that they were following industry standards on their screening practices. The only reason the other 20 accounts were not approved was due to previous poor credit with the bank.
It's not about the children; it's about effective fraud prevention, and the unwillingness of banks to use it when they can offload the costs onto someone else.
From the article: "The children's identities are used to obtain credit cards, get driver's licenses or open accounts."
Huh?! Why on earth is it possible for a *child's* identity to get you a credit card or driver's licence?
The problem (as has been mentioned many times before on this blog) is not so much in the fact that identity information can be readily obtained by the bad guys; it's that the banks et. al. *choose* to permit such information to be used for fraudulent purposes (instead of actually implementing some sort of genuine security).
SSNs aren't a problem and are quite useful for linking records about a US citizen over time. After all, names are not unique and people change their names routinely (mostly through marriage/divorce).
The problem is that SSNs are used as if there were a PIN, which they are not. There should be no reason to keep your SSN a secret any more than your credit card number or your checking account number. After all, they are given out freely all the time.
TorUser:One number to bind them and rule them all is a bad idea anyway.
One number to rule them and in the darkness bind them is an even worse idea.
Best post here, you hit the problem on the head ;-)
Anyway, as stated, the problem is simple fraud. There is no such thing as identity theft, just fraud. That the banks are allowed to pass their losses from fraud (due to their own lack of diligence) onto consumers is the real crime.
From the article:
"The FTC is taking steps to inform young people about credit through an education campaign"
This is great. Rather than actually fix the problem, let's start educating our youth how they must live under such a broken system.
"The only sensible legislation in this area would be to require credit rating agencies to provide your personal credit data for free."
But how would the credit rating agency know that the person asking for a report is the person ON the credit report?
There's an authentication problem here that isn't being solved. Not by SSN's, and not by any of the proposed alternatives.
"The only sensible legislation in this area would be to require credit rating agencies to provide your personal credit data for free."
They are required to provide one free each year ( https://www.annualcreditreport.com/cra/index.jsp ), and also provide a copy if you've been rejected on a credit request.
I was born in the US but moved to Canada before getting a SSN. Returning to the US at age 33, I got a passport before getting a SSN. It was a bit difficult doing anything in the US with new SSN, because nobody seemed to think it possible for a 33 year old to not have a SSN. That whole scenerio is going to be even more difficult once passports are required for entry from Canada. At least I was able to apply for my passport and SSN on a visit. Of course I had to have them sent to a relative in the US, who had to re-send them, since I couldn't afford to wait around for six weeks in the states until they arrived, and they wouldn't send them to a foreign address.
If it's that easy to provide a SSN and get credit, then I wonder if the credit agencies even check the number. Perhaps identity thieves are just using random SSNs to make up identities. I think I'll run a credit check on my five-day-old once his SSN arrives.
"I think I'll run a credit check on my five-day-old once his SSN arrives."
But that's one of the problems -- your credit report will be on your five-day old's name and address.
Someone else could very well be using the SSN, but the credit bureaus won't tell you if that's the case.
I guess you could think of it as part of a name...John Q. 111-22-3333 Public. Pulling a credit report won't tell you about Jose Q. 111-22-3333 Smith, just like it wouldn't tell you about John Q. 222-11-4444 Public.
The banks and other organizations that supposedly will guard privacy can pull a report by SSN, but it's considered a burden on them then to sort out conflicting SSNs and not reveal the "other" person on the report and their "private" information to the legitimate holder of the SSN.
One of the big troubles start when there's an extensive credit rating being done, like for a mortgage, and there's a same name / same SSN situation but the other person's info conflicts with what you wrote on the application, and it's not such a blatant identity screw-up for the bank to rule it out right away.
The problem with SSNs is that they are user IDs but we use them like passwords.
Why is the SIN/SSN system using numbers from a serial list anyway? Why not create a number that is tied to personal information to begin with? The algorithm that ties it together would be public knowledge, and it would become impossible for juan valdez, a 20 yo mexican immigrant to apply for any accounts with the SSN of Micheal Jordan a 43 yo Black Male becuase the numbers just wouldnt fit?
Couple that with a law that limits it use to financial transactions (make it illegal to ask for by any party other than financial institutions) and you could start to limit the fraud considerably...
I've been amused by name escalation for fraud. It started out as `fraud', then became ``social engineering'', ``identity theft'', and now, courtesy of Hewlett-Packard, ``pretexting''. Some states (California?) are passing laws agains pretexting; I wonder whether the legislators compare the bills to extant fraud laws.
Use fake and real social security numbers to obtain 1/4 million while State law enforcement covers up the crime is quite the racket. The State received federal funding and if it actually would enforce the law less funding.
google southdakotagov.info and the letter says it all. No arrest or prosecution even though law enforcement has the evidence.
What's there to stop somebody from applying again to the SSA to receive a second number under his name.
I'm a journalist and grad student at GU's journalism porgram. I'm currently working on an article about Identity theft in children. If you know any family has encountered this problem at home or that were at risk at some point, and would be willing to talk about, please have them e-mail me at email@example.com. This article will also be published in 90 spanish language newspapers nationwide. Thanks.
Two days ago my four-year old son was turned down by B of A for a credit card (he was very frustrated by this news). My cave man husband wanted to start digging the moat around our house.
Needless to state, Zander did not take the car, drive an hour, walk into a branch and apply for a card.
I'm still wondering HOW this happened. But I have spent two solid days on the phone trying to fix the problem. While I appreciate the "protection" in place for minors... there is a huge problem when it is easier to actually STEAL the information than a mom to find out how much was actually stolen.
And, don't get me started on the subject of getting a person on the phone in any one of the associated companies. THIS has been eyeopening.
When applying for a US PASSPORT, the IRS does say you could be penalized for not providing your ssn up to $500.
However, I know of someone who most definitely has a ssn that knows it is not required by the constitutional LAW (Not IRS law) to provide your ssn for identification purposes.
There is absolutely no reason the IRS needs to know your social security number in order to receive a passport. put 0 in box 5. you do not have a ssn and you don't plan on getting one ever. nothing more needs to be said.
Show me a law in our Constitution, our rights as American Citizens, that says we must give out our ssn for those purposes.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.