Friday, April 1, 2011

Child Identity Theft; A Lot of Questions Need to Be Answered, But the Most Important One is "Has It Happened to Your Child?"

Child Identity Theft: A Lot of Questions Need to Be Answered, But the Most Important One is "Has It Happened to Your Child?"

By Richard Power

Wouldn't you want to know if your eight-year-old was in foreclosure on a home in another state? Wouldn't you want to know if your three-year-old was in collection for a huge utility bill across town? Wouldn't you want to know that if someone somewhere had a hunting license in the name of your five-year-old? Wouldn't you want to know that your nine-year-old had a driver's license and a car registered in his or her name? Wouldn't you rather find out now than on when he or she is applying for student loans on the eve of going away to college?

Late last year, knowing of CyLab's vital work in privacy and cyber security research, an identity protection company (AllClear ID, a.k.a. Debix) approached me about some data with disturbing implications. The story that jump out from the numbers is a compelling one. It suggest that not only are child identities exploited for various types of fraud, indeed child identities may be the hottest ticket in the underground market for stolen IDs.

In going through the data, two over-arching themes emerged:

1. The issues surrounding child identity theft (e.g., how prevalent is it in the general population, and is the threat a growing one) should be the subject of serious academic research; and that time and resources should be dedicated to a scientific analysis of this and similar data, to determine what it really means, and if the trends that seem to present themselves hold up under rigorous investigation.

2. Regardless of what the results of such serious scientific research prove, an existential threat exist. One that is tangible, and immediate for children and their parents. Child IDs are being stolen, and exploited to commit fraud, etc. If it happens to your child, it won't matter to you what the national average is, or if the problem is trending up or down.

While privacy and security researchers explore the data's broader implications from academic and scientific perspectives; as a journalist, I could certainly tell the simple story of what this data reveals in and of itself.

As someone who has studied the evolution of cyber crime over the last two decades, I could certainly address the existential threat and contribute to raising the level of public awareness.

And that's the origin of "Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers."

To download the full report ...

Expert Perspectives

CyLab researcher Alessandro Acquisti, co-author of the blockbuster paper, Predicting Social Security Numbers from Public Data (Proceedings of the National Academy of Science, July 7, 2009), remarks that there is other evidence that child identity is an issue that demands further study.

"In our investigation of the predictability of Social Security numbers we found evidence of two trends that, combined, are particularly worrisome: criminals are increasingly targeting minors' (even infants') SSNs for identity theft, and the SSNs of younger US residents are much easier to predict than the SSNs of those born before the 1990s. Ultimately, this reminds us that our current identity-verification infrastructure is flawed and vulnerable, as it relies on authentication of numbers too widely available and too easy to compromise."

Dena Haritos Tsamitis, CyLab's Director of Education, Training and Outreach, and the developer of Carnegie Mellon University's, a free educational resource on cyber security and privacy for children and their parents, concurs on the need for raising public awareness.

"With increased cyber-awareness, individuals are seeking ways to secure their personal financial information more than ever before. Based on this report, it's clear they need to go further and extend that protection for their children. Parents are already struggling to handle the threats of cyberspace, including securing their own computers and talking with their children about the many risks in cyberspace from online predators to cyber-bullying. The trend in child identity theft is added weight on their shoulders. Although it will be a challenge for them to manage, it is essential to safeguarding their children's futures."

Christopher Burgess, my co-author on Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century, is also an online safety advocate (, with a particular focus on issues related to children on-line. I asked him to take a look at the report.

"The responsibility for the online safety and security of our families lay with the individual family. One should not expect anyone to have as vested an interest in the protection of your families data at a greater level than you. The malevolent criminal entity is attempting to monetize based on the availability of information. I've long advocated to teach our young that the internet is a reception device, and sharing of information, to include registration data should only be accomplished under the supervision of their parent. While online entities are required to acquire an attestation of age from their registrants in the United States, it does not require a provision of specific birth date. Too many overlook the ability of information aggregators to compile a complete profile based on disparate pieces of information, and with the collated data set subsequently compromise the identity of the individual. Additionally, how many different forms does a parent fill out for their child - any number of which could be compromised by an attack on the host - take for example the number of data breaches which occur at educational institutes - this data may be warehoused and bartered by the criminal elements for future aggregation. This data can and does provide the 'root' upon which to build the 'persona' at the level required to financially manipulate and thus commit identity theft fraud."

Looking into all too near future, Burgess sees even more serious issues stemming from such identity theft.

"The theft of our children's identities for manipulation in the financial world is tragic, but think of the tragedy which could occur when the identity theft is focused on medical identity. What effect would a change in blood type in the hospital's file do to a child with A+ blood being provided B+, because someone had stolen their medical identity in order to obtain medical services. As the costs of medical services becomes more dear, and the number of uninsured increases, the theft of identities for the purposes of obtaining medical care will increase. Unlike the monetary disruption which occurs with financial identity theft, the theft of one's identity could have mortal consequences. The topic of medical identity theft is an area requiring further investigation."