CORPORATE SECURITY
To ultimately protect our identities, we have to rely on the companies with whom we do business to protect the critical information they keep on us. A company that has thousands—or even millions—of customers has a lot to protect. One security breach could expose all those identities. Most companies use passwords to safeguard your confidential information, but when those passwords are weak and insecure, that information can get stolen. And it can get stolen by someone inside the company’s walls or outside them.
In yet another scenario, a thief or organization can pose as one of the top 1,000 companies in the world by mirroring that corporation’s Web site, but slightly altering its URL or becoming a new division with a new shipping address. Well-organized thieves have a network of delivery locations, trucks, equipment and personnel to move and hide anything they obtain. Once groups or individuals establish a proper association for credit and billing, losses can be overwhelming to any company unfortunate enough to be victimized.
CHAPTER 2
Corporate identity theft is not the focus of this book, but hopefully corporations will spruce up their anti-ID theft security in conjunction with consumer awareness about personal identity theft so that together, the room to move clandestinely as someone else will get smaller.
If you’re running a business, you’ll find that protecting your personal identity in the office is as important as protecting it in your personal life. The lifestyle changes you make in general must include how you work, deal with employees and expect your office to run effectively and safely. Chapter 9 includes some advice for employers, but for the most part, the changes you make to your personal life can easily translate to everyday office practices as well.
When you deal with other companies as a customer, you usually have to deal with passwords. In an ideal world your password should be unique and secret, something no one else can guess. But in reality most passwords are easy to guess: your initials, last name, pet’s name or PIN number. Moreover, too many people write down their passwords because they have access to lots of computer systems at work—e-mail, accounting, the Internet—and they can’t remember them.
Later in this book we’ll look at how IDs work and the ways to manage your passwords effectively. When you understand the mechanics of ID theft, you come to see the ways in which you can prevent it.
CONCLUSION
Anyone is a target for ID theft. Now that you know you can be the next victim, you’re probably wondering why this problem has gotten so bad so quickly?
IT CAN HAPPEN TO YOU…NO MATTER WHO YOU ARE
The simple answer: existing ID tools are easy to buy, sell and replicate.
But the longer answer is complex and multifaceted.
In the upcoming chapters, you’ll get a full view of the problem and come to understand the reasons behind today’s fastest growing crime…and what you can do about it.
CHAPTER 3
THE PROBLEMS CAUSED BY EXISTING ID TOOLS
In this chapter, we’ll consider the main mechanical reason that ID theft is such a problem in the United States: Fake IDs are easy to make.
Even though the U.S. has the most complex and extensive consumer credit system in the world, the trillions of dollars rely on a handful of basic identification documents that everyone shares. The “breeder documents” basically consist of one federal ID (the Social Security number), one state ID (the driver’s license) and one local ID (the birth certificate).
We’ll start with the ID system that poses the greatest danger of theft and work downward.
SOCIAL SECURITY NUMBERS
The Social Security number (SSN) was created by the 1936 Social Security Act as a nine-digit account number assigned to each American worker by the U.S. government for the purpose of administering the pension benefit programs known broadly as Social Security. Even in the 1930s, Congress recognized the dangers of widespread use of SSNs as universal identifiers.
At first, SSNs were intended to be used exclusively as a means of tracking earnings and crediting worker accounts. Over time, however, SSNs were permitted to be used for purposes unrelated to the administration of the Social Security system. For example, in 1961 Congress authorized the Internal Revenue Service to use SSNs as taxpayer identification numbers.
Oversight agencies like the Government Accounting Office (GAO) repeatedly recommended that the federal government use SSNs as a unique identifier to reduce fraud and abuse in other federal benefits programs. The government was soon using the SSN as an ID for a broad range of wholly unrelated purposes—food stamps, Medicaid, Supplemental Security Income and child support enforcement.
By the early 1970s, a major government report on privacy outlined the risks posed by the use and misuse of SSNs. The report, titled Records, Computers and the Rights of Citizens, described the growing use of the SSN as a “Standard Universal Identifier.” The report noted that private-sector use of SSNs was promoting invasive profiling (and this was before widespread use of electronic databases).
The report recommended several limitations on the use of the SSN and suggested that legislation should be adopted “prohibiting use of an SSN, or any number represented as an SSN for promotional or commercial purposes.” No such law emerged.
By the 1990s, in an effort to learn and share financial information about Americans, companies trading in financial information were the largest private-sector users of SSNs. For example, the three largest credit bureaus in the U.S.—Experian, Equifax and TransUnion—maintain over 500 million files, with financial information on almost 90 percent of the American adult population. These files are organized by individual SSNs. This information is freely sold and traded, with very few legal limitations.
These users create the environment in which identity theft based on SSN abuse thrives. The financial service industry’s misplaced reliance on SSNs, lax verification procedures and aggressive marketing enable identity thieves to obtain your personal information.
By the early 2000s, people were beginning to realize that over-reliance on SSNs was causing—not preventing—identity theft.
In May 2001 congressional testimony, Cory B. Kravit—a student at the University of Florida—described how his alma mater used SSNs:
Students are required to provide their Social Security numbers for virtually everything ranging from registering for classes to ordering a Little Caesar’s pizza using one’s student debit account. …the Social Security number of each and every student is freely available to numerous individuals within the university. This list includes professors, teaching assistants, dormitory desk clerks, Residence Assistants (RA’s), registrar staff, library staff, Little Caesar’s Pizza employees, bookstore employees, mail carriers and the general student body.
Bad results were already taking place. In 1998, the University’s police department arrested a desk clerk working at one undergraduate residence hall after he stole the identities of 23 students. The clerk was charged with mail theft and credit card fraud after spending nearly $70,000 without the students’ knowledge.
Misuse of SSNs is a crime—and it cuts across demographic and geographic lines. But, until the early 2000s, many people in government and the personnel offices of big employers didn’t pay much mind to SSN crime.
HOW TO READ A SSN
According to the SSA, the first three digits of every Social Security number denote the area or ZIP code in the state where the application was filed. Prior to 1973, SSNs were assigned by field offices and the number reflected the state where the card was issued, starting with the lower numbers in the East and increasing geographically westward. Someone from California shouldn’t have a SSN that starts with a “1” or “2.”
The middle two digits may be most helpful in authenticating a Social Security cardholder. These follow the geographically based three-digit area number. According to the SSA, the two middle digits reflect the chronological order in which a number is assigned within a given geographic area. The group numbers are given first in odd-numbered pairs “01” up to “09,” then they switch to even-numbered pairs “10” up to “98.” Once used, the pair order reverses, starting with even-numbered pairs “02” through “08” before reverting to odd-numbered pairs of digits from “11” to “99.” All the while the group numbers are followed by another set of four-digit serial numbers.
It sounds complicated, but SSA publishes on its Web site a monthly table that lists the highest area and group numbers assigned in a given region. So, a 20-year-old with low SSN middle digits that might match the chronological assignment pattern for someone much older who lives in the region should be fairly easy to verify by a utility company, bank or creditor.
And for that the only technology needed would be access to the Internet.
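The group-number check described above, as an added example that is not from the book or the SSA: it ranks the middle two digits in issuance order and flags a number whose group had already been reached before the holder's claimed birth year. The history table holds constructed sample values, the function names are assumptions, and the logic applies only to numbers assigned under the geographic scheme the text describes.

```python
def group_issue_order():
    """Group numbers (middle two digits) in the order the text says they are assigned."""
    return (list(range(1, 10, 2))        # odd pairs 01..09
            + list(range(10, 99, 2))     # even pairs 10..98
            + list(range(2, 9, 2))       # even pairs 02..08
            + list(range(11, 100, 2)))   # odd pairs 11..99

RANK = {g: i for i, g in enumerate(group_issue_order())}

# Constructed sample data, NOT real SSA figures: per area number, snapshots of
# (year, highest group issued by that year), as successive high-group tables would show.
HIGH_GROUP_HISTORY = {
    545: [(1950, 9), (1965, 40), (1980, 98), (1995, 8), (2002, 31)],
}

def parse_ssn(ssn):
    """Split 'AAA-GG-SSSS' (dashes optional) into area, group and serial integers."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected nine digits")
    return int(digits[:3]), int(digits[3:5]), int(digits[5:])

def issued_by_year(area, group, history=HIGH_GROUP_HISTORY):
    """First snapshot year by which `group` had been reached in `area`, else None."""
    for year, high in history.get(area, []):
        if RANK[group] <= RANK[high]:
            return year
    return None

def check(ssn, birth_year, history=HIGH_GROUP_HISTORY):
    """Classify an SSN against the high-group history and a claimed birth year."""
    area, group, serial = parse_ssn(ssn)
    if group == 0 or serial == 0:
        return "invalid"                 # group 00 and serial 0000 are never assigned
    if area not in history:
        return "unknown-area"
    year = issued_by_year(area, group, history)
    if year is None:
        return "not-yet-issued"          # group is past the latest high-group entry
    if year < birth_year:
        return "issued-before-birth"     # number existed before its claimed holder did
    return "plausible"

if __name__ == "__main__":
    for ssn, born in [("545-07-1234", 1982), ("545-04-1234", 1982), ("545-45-1234", 1990)]:
        print(ssn, born, check(ssn, born))
```

Note that group “04” is numerically low but is assigned after “98”, so comparing the two digits as plain numbers gives the wrong answer; the check has to use the issuance rank.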
BIG RISK: SSNS OF DEAD PEOPLE
Perhaps the biggest pressure point for SSN abuse is after a legitimate SSN owner dies. It often takes the federal government several months to mark the death in its databases—in the meantime, crooks can use the dead person’s SSN for illegal purposes.
The SSA maintains a Death Master File (DMF), consisting of 60 million names and SSNs of dead people. Businesses and law enforcement agencies are always anxious to get this information in the most current form. So, the database is updated on several schedules—quarterly and monthly; and it’s available for sale by the National Technical Information Service. Its records contain important personal identifiable information, including the name, Social Security number, date of birth, date of death, state or country of residence, ZIP code of last residence and ZIP code of the dead person’s heirs.
There are limits to the DMF database. Its records have over a 3 percent error rate, and provide information chiefly on those who died after 1960. As the NTIS Web site states, “The Social Security Administration does not have a death record for all persons; therefore, SSA does not guarantee the veracity of the file. Thus, the absence of a particular person is not proof this person is alive.”
In his November 2001 congressional testimony on reforms to the DMF, Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, said:
It is remarkable that such a data goldmine is made publicly accessible by SSA and is a sobering reminder of the urgent need to restrict access to sensitive personally identifiable information. Rather than focusing attention on how these records can be transmitted more rapidly and accurate to commercial and private users, Congress must first consider placing limitations on the use and access to such data.
A fair question emerges: Who benefits more from the DMF—government agencies and credit companies…or ID thieves?
Few banks, credit card companies or other commercial firms subscribe to the DMF directly. Instead, they get the information indirectly—through credit bureaus like Experian, TransUnion and Equifax. This is another point at which those three exert a lot of influence.
The credit reporting agencies make the data from the DMF available only for subscribers to their proprietary fraud prevention products; in contrast, death information reported directly to the credit reporting agencies by credit issuers and family members was made available to all their users—along with other credit information on a customer’s credit history. This information was generally provided within one to two billing cycles.
WHAT THE SSA IS DOING
In fiscal 2000, the Social Security Administration’s office of the Inspector General received 92,847 complaints. Over half of these—46,840—were allegations of SSN misuse, and another 43,456 were allegations of program fraud, which often include implications of SSN misuse.
By mid-summer 2002, the SSA had mailed 750,000 letters to the nation’s employers that said some of their workers’ names and Social Security numbers didn’t match the federal database. The number of “no match” letters sent out that year was up dramatically from the 110,000 sent out in 2001, according to Social Security spokesman Mark Lassiter.
The SSA has no enforcement powers, and it cannot share information with the Immigration and Naturalization Service; but the IRS can. Under Section 6721 of the Internal Revenue Code, employers can be fined $50 for each invalid Social Security number, up to $250,000 a year.
In his July 2002 congressional testimony, James G. Huse, Jr.—Inspector General of the Social Security Administration—described the problem of SSN misuse:
The public display of SSNs—on identification cards, motor vehicle records, court documents, and the like—must be curtailed immediately. Those who use the SSN must share the responsibility for ensuring its integrity.