Synthetic identity fraud has been a growing issue for the past decade. The darker side of this fraud is that minors are targeted at a much higher rate than adults. This portends a sizable, looming crisis as today’s minors, who have been unknowingly victimized, approach adulthood and uncover the financial crimes committed against them as they apply for driver’s licenses, college loans and employment after high school.

According to AllClear ID research on child identity theft, children may be victimized at a rate approximately 35 times higher than that of adults. Synthetic ID thieves need Social Security numbers (SSNs) with clean histories that are not currently being used, allowing them to attach a different name and date of birth to the number. According to a 2011 CyLab report, minors’ SSNs are valuable because there is currently no process for organizations to check which name and birth date is officially attached to an SSN.

How Does Child Identity Theft Work?

In the case of child identity theft, an identity thief compromises a child’s SSN and attaches a fictitious name and birth date to it. The thief then establishes a credit profile by applying for credit through an authorized user or by working with a data furnisher.

According to the Identity Theft Resource Center (ITRC), there are a few misconceptions about how the credit process works. Credit reporting agencies (CRAs) do not often verify the age of the credit applicant. The fact that credit issuers often do not request adequate proof of identity is a glaring weakness in our credit system; in today’s online world, everything from credit applications to funding can occur at a distance.

Many people believe that CRAs will identify the applicant as a minor and detect a fraudulent application. The fact is, the credit application is the means by which age is established on a credit file. The SSN of a child born in 2013 may have a birth date of 1985 fraudulently associated with it. That SSN would then be associated with an identity that has an “age” of 29.

Child SSNs are often compromised by entities entrusted with safeguarding children’s information, such as schools, doctors’ offices, youth sports organizations and family members. Child SSNs are not typically compromised as part of large data breaches because they often come from smaller-scale incidents. For example, the ITRC says that as of Nov. 18, medical and health care facilities accounted for 42 percent of all year-to-date data breaches; however, they accounted for less than 10 percent of all exposed records. Breaches perpetrated by insiders at doctors’ offices will more likely involve the compromise of a SSN. Meanwhile, the ITRC general business category accounted for 32 percent of incidents and 79 percent of records in which point-of-sale payment information was likely compromised.

Unfortunately, It May Be the Parents

While there is no data available to support an analysis of how often children are victimized by their own parents versus people unknown to the family, there is ample evidence that parents often use their child’s SSN to create new identities to obtain telecommunication services such as cable TV subscriptions or cell phone plans. According to David Howe of SubscriberWise, a national credit reporting agency for the telecom industry, parents often use their children’s SSN to obtain new cable accounts to avoid paying for an unpaid account in their names. Howe and his team have investigated scores of incidents over the past 20 years involving parents who fraudulently created new identities using their child’s SSN to obtain telecom services.

In one recent case, the mother of a 14-year-old in Ohio used her teenage daughter’s SSN to open a new cable account. The mother applied for a new account using her daughter’s legitimate SSN and a fabricated date of birth, changing the middle initial of the child’s name. In that case, the local prosecutor did not bring charges against the mother for many reasons, not the least of which is vague or nonspecific laws related to this type of child crime.

Effects on Children

Children who have been victims of identity theft face potentially severe financial consequences as a result. Since the underlying compromise may go undetected for many years, the potential for a child to be associated with bad debt amounting to tens or hundreds of thousands of dollars is daunting. Children and their families may spend years — and thousands of dollars — to completely resolve the problem.

There are hidden costs, as well. Children may lose the opportunity to attend the college of their choice or get a job after high school because a problem was identified during a background check.

Aside from the clear financial implications of this crime, there are also potential emotional impacts. Children, like any other victim of a crime, may experience emotional trauma if they are old enough to understand what has happened. Picture teenagers who have learned that their parent, whom they implicitly trusted, betrayed and violated their trust. The IRTC provides guidance for dealing with the emotional impacts to children.

Legislative Initiatives

There is currently no federal law or congressional legislative effort to slow down the rate of child ID theft. Howe is spearheading an effort to bring attention to this issue and advocating for the establishment of an index of child SSNs that could be referenced to dramatically reduce child identity theft. The index could be used to alert creditors that a SSN used in an application matches that of a minor. The concept is very similar to the Social Security Death Index produced by the Social Security Administration.

This year, U.S. Sen. Kirsten Gillibrand of New York introduced the Cyber Information Sharing Tax Credit Act, a new piece of legislation that would encourage businesses to share information about cybervulnerabilities through third-party information-sharing organizations. Likewise, several states have enacted laws or are pursuing legislation at the state level. While the objectives of these legislative efforts are positive, they do nothing to prevent synthetic child identity theft.

In 2011, U.S. Rep. Jim Langevin of Rhode Island proposed a provision that would protect children in foster care as part of the Child and Family Services Improvement and Innovation Act, which was signed into law by President Barack Obama. The provision mandates free credit checks for foster youth over 16 years old before they age out of the system and requires that they receive assistance in clearing inaccuracies from their records. While the law will certainly aid some victims, research performed by AllClear ID found that upward of 99 percent of credit reports of children known to have been victimized failed to detect the identity theft.

What Can Parents Do?

Good parents will nurture their children and are generally good at protecting them from physical threats. They are great at teaching their children to look both ways when crossing the street, to not play with matches or run with scissors and, of course, to beware of “stranger danger.” However, it is much more difficult to protect a child from having his or her identity stolen.

There are some steps parents can take to minimize risk. The Federal Trade Commission and ITRC have provided valuable information concerning red flags and steps to take to prevent or detect problems. Additionally, there are professional services that offer specialized assistance.

The following are some general warning signs to look out for:

  • Credit card offers in the name of your child;
  • Calls from collection agencies;
  • Collection notices in the mail;
  • A notification from the Internal Revenue Service that your child’s SSN has already been used in a tax return.

The following are some preventative measures you can take:

  • Keep your child’s SSN private, even to family.
  • Keep sensitive information located within your house.
  • Don’t carry your child’s Social Security card or SSN with you.
  • Use a cross-cut shredder to destroy all personal information when disposing of it.
  • Question and protest the use of SSNs by youth organizations.

If your child’s SSN must be provided, the ITRC offers some advice. Show the papers to the coach or organizer and then place the documents in a sealed envelope. Write your initials over the seal in colored ink to ensure it has not been tampered with when it is returned. Alternatively, initial the back of each document in colored ink to ensure you have received the original. It is also important to ask the organization how and where the documents will be stored during the season or for how long it will possess the documents.

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today