Why children are now prime targets for identity theft

As electronic payments become more secure, criminals must be just as innovative as they seek to steal identities and commit fraud. In the case of synthetic identity theft — one of the fastest-growing and most prevalent forms of identity theft, with annual losses to the credit card industry estimated at $8 billion — criminals need to be patient, as well as clever.

Synthetic identity theft frequently involves the use of stolen Social Security Numbers (SSNs) combined with fabricated personal information, which is used to trigger the creation of a “synthetic” credit file. This file is then nurtured and grown over time, generating a slim but positive credit history, which is then leveraged in a “bust out” to obtain credit, max it out, and never repay.

For a criminal set on committing synthetic identity fraud, the key is finding SSNs associated with very young children or others with non-existent credit files. This became a little easier for thieves when the Social Security Administration (SSA) in 2011 switched systems

Previously, the three parts of the individual number corresponded to other data points specific to a person, like the state and year in which they were born. Now, the SSA uses a process that randomly creates and assigns new SSNs.

SSA believed this change would make it more difficult for thieves to “guess” someone’s SSN by looking at other public information available for that person. However, now that an SSN is not tied to additional data points, such as a location or year of birth, it becomes harder for financial institutions, health care providers, and others to verify that the person using the SSN is in fact the person to whom it was issued.

In other words: Thieves now target SSNs issued after this change as they know your 6-year-old niece or your 4-year-old son will not have an established credit file.

The absence of any history is a clean slate on which the synthetic identity can be built. For the child today whose SSN is used to create a synthetic identity, they probably will not discover the consequences of the theft until many years later, at which point they will have to unravel a long history of fraud and tangled identities, not to mention prove the compromised SSN is, in fact, theirs.

As I discussed on a recent Federal Trade Commission panel, there is an obvious solution to combat this type of identity theft: Update the existing process that allows financial institutions to verify whether or not a given name, date-of-birth and SSN match against a known “source of truth.” 

The Social Security Administration — the only source of truth for SSNs that exists — recognized the need to verify SSN’s many years ago when it created a system to allow financial institutions to make these verifications. However, the system has not kept pace with the rapid digitization of the financial industry due to a requirement that a physical pen-on-paper signature must be received from the consumer.

Electronic applications for many financial products, like credit cards, therefore cannot take advantage of this verification service. This challenge is not unique to the Social Security Administration, as many federal, state and local government agencies also need to modernize their authentication processes.

Recent efforts by all stakeholder, government, industry and advocacy groups to modernize access to SSA’s verification system are very encouraging. While there is much debate about the future of SSNs in the marketplace, the reality is that today they are the key to financial security for nearly every American consumer. However, as the rise in synthetic identity theft teaches, abuse of SSNs can lead to significant financial insecurity as criminals exploit a system that has not kept pace with changing criminal tactics. 

The Social Security Administration recognized its role in combating fraud when it created this verification service, and now must adapt it to help protect vulnerable consumers in an increasingly digital age.

Eva Casey Velasquez is president and CEO of the Identity Theft Resource Center, a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud and privacy issues.