Shostack + Friends Blog Archive


How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.

Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a driver’s license, passport or birth certificate.

Here’s how it would work:

  1. Alice turns 18.
  2. Alice applies for credit and discovers she has a credit history.
  3. Alice calls the big three credit agencies, gets a runaround, and explains that she’s just turned 18 and apparently has credit from when she was 13.
  4. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”).
  5. The credit agency looks at the birthday they’ve been provided, and subtracts 18 years from the year field.
  6. The credit agency removes the record from the report.

It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.

4 comments on "How not to address child ID theft"

  • calzone says:

    The credit industry is hellbent on brainwashing consumers into thinking identity protection is our responsibility.

    They have all these commercials on TV now about how you can pay for services that help you monitor your credit and detect if your identity has been stolen.

    Even the name “identity theft” is designed to make people think that their very identity has been taken from them. Which is of course impossible. But the idea is to instill fear and a knee-jerk urge to protect that which is our very most precious asset, our self-identity.

    Then there are all the stories of the horrors people face when some criminal has been using their SSN number and flushed their credit down the toilet.

    Next thing you know, they will sell credit insurance that you pay for so that if it ever happens to you, you can rest easy knowing they will fix it for you and keep your credit working.

    It’s a big huge scam. SSN #’s probably shouldn’t be used for credit to begin with. Applying for credit for the first time in your life should, as you note, require proving you are who you say you are and providing a billing address. From that step forward, it’s really the credit card companies’ responsibility to ensure they don’t lose money to fraud and to track your credit properly.

    If they can’t do that then they shouldn’t be in business.

    It definitely should not ever be my problem or even inconvenience if someone else decides to use my SSN number for something. For that matter, there should be nothing attractive about an SSN number to make it worth stealing.

  • Dissent says:

    Hi Adam,

    I responded to you over on my blog at and Linda Foley of the Identity Theft Resource Center also responded to your proposal in the Comments section on that post.

    So far, I’m not thrilled with any of the proposals I’ve read, but I will be the first to admit that I haven’t come up with anything better.

  • Chris says:

    I think this database is a poor idea.

    A firm extending credit should have sufficient basis to believe the applicant is credit-worthy (or at least, legally permitted to borrow!). A firm that improperly makes this determination should, quite simply, bear the loss.

    Creating yet another database of children makes life easier for would-be creditors (and the CRAs, naturally), but increases the likelihood that any given child’s SSN will be misused.

    The “proactivity” of this proposal lies not so much in protecting children from the adult consequences of childhood ID theft — Adam’s proposal does that by simply wiping the slate clean — but in helping would-be creditors screen applicants. That’s nice, if you’re a would-be creditor, or a CRA acting as an info conduit to same. If you are a child, or a parent, this proposal is nothing to write home about.

  • Randy Henrick says:

    The real problem is that credit bureaus establish multiple people under a single SSN without giving it much of a thought. It would not be hard for a credit bureau to get the numbering algorithm for SSNs. The middle two digits when combined with the initial 3 digits will give a time range when the SSN was issued.

    But when illegal immigrants and identity thieves set up phony identities (called synthetic identity theft) using an SSN they have bought on the Internet, credit bureaus just set up an account for them even if they are the 50th person to use the SSN. Until that stops, no lists or other solutions are going to work. And that is never going to stop.

    The reason it’s not going to stop is that the federal government is happy to collect Social Security withholdings from people using someone else’s SSN. Those funds go into the Social Security Administration’s Earnings Suspense Account–a slush fund that is keeping Social Security solvent–that I believe has collected over $650 billion since 1988. With the government and the credit bureaus profiting from stolen SSNs and identity theft, it is never going to change. Illegal immigrants view Social Security withholdings as a cost of working in the U.S.

    A credit bureau will never tell you how many people are using your SSN citing “privacy.” But they sell the “10 best names” for a Social to businesses at a hefty price. So they make money coming and going and identity theft continues to proliferate. The credit bureaus could stop it but have every incentive to keep it going and in fact to expand it. So does the Social Security Administration.
