Synthetic identity fraud has been a growing issue for the past decade. The darker side of this fraud is that minors are targeted at a much higher rate than adults. This portends a sizable, looming crisis as today’s minors, who have been unknowingly victimized, approach adulthood and uncover the financial crimes committed against them as they apply for driver’s licenses, college loans and employment after high school.

According to AllClear ID research on child identity theft, children may be victimized at a rate approximately 35 times higher than that of adults. Synthetic ID thieves need Social Security numbers (SSNs) with clean histories that are not currently being used, allowing them to attach a different name and date of birth to the number. According to a 2011 CyLab report, minors’ SSNs are valuable because there is currently no process for organizations to check which name and birth date are officially attached to an SSN.

How Does Child Identity Theft Work?

In the case of child identity theft, an identity thief compromises a child’s SSN and attaches a fictitious name and birth date to it. The thief then establishes a credit profile by applying for credit through an authorized user or by working with a data furnisher.

According to the Identity Theft Resource Center (ITRC), there are a few misconceptions about how the credit process works. Credit reporting agencies (CRAs) do not often verify the age of the credit applicant. The fact that credit issuers often do not request adequate proof of identity is a glaring weakness in our credit system; in today’s online world, everything from credit applications to funding can occur at a distance.

Many people believe that CRAs will identify the applicant as a minor and detect a fraudulent application. The fact is, the credit application is the means by which age is established on a credit file. The SSN of a child born in 2013 may have a birth date of 1985 fraudulently associated with it. That SSN would then be associated with an identity that has an “age” of 29.

Child SSNs are often compromised by entities entrusted with safeguarding children’s information, such as schools, doctors’ offices, youth sports organizations and family members. Child SSNs are typically compromised in smaller-scale incidents rather than in large data breaches. For example, the ITRC says that as of Nov. 18, medical and health care facilities accounted for 42 percent of all year-to-date data breaches; however, they accounted for less than 10 percent of all exposed records. Breaches perpetrated by insiders at doctors’ offices will more likely involve the compromise of an SSN. Meanwhile, the ITRC general business category accounted for 32 percent of incidents and 79 percent of records in which point-of-sale payment information was likely compromised.

Unfortunately, It May Be the Parents

While there is no data available to support an analysis of how often children are victimized by their own parents versus people unknown to the family, there is ample evidence that parents often use their child’s SSN to create new identities to obtain telecommunication services such as cable TV subscriptions or cell phone plans. According to David Howe of SubscriberWise, a national credit reporting agency for the telecom industry, parents often use their children’s SSN to obtain new cable accounts to avoid paying for an unpaid account in their names. Howe and his team have investigated scores of incidents over the past 20 years involving parents who fraudulently created new identities using their child’s SSN to obtain telecom services.

In one recent case, the mother of a 14-year-old in Ohio used her teenage daughter’s SSN to open a new cable account. The mother applied for a new account using her daughter’s legitimate SSN and a fabricated date of birth, changing the middle initial of the child’s name. In that case, the local prosecutor did not bring charges against the mother for many reasons, not the least of which are vague or nonspecific laws related to this type of child crime.

Effects on Children

Children who have been victims of identity theft face potentially severe financial consequences as a result. Since the underlying compromise may go undetected for many years, the potential for a child to be associated with bad debt amounting to tens or hundreds of thousands of dollars is daunting. Children and their families may spend years — and thousands of dollars — to completely resolve the problem.

There are hidden costs, as well. Children may lose the opportunity to attend the college of their choice or get a job after high school because a problem was identified during a background check.

Aside from the clear financial implications of this crime, there are also potential emotional impacts. Children, like any other victim of a crime, may experience emotional trauma if they are old enough to understand what has happened. Picture teenagers who have learned that their parent, whom they implicitly trusted, betrayed and violated their trust. The ITRC provides guidance for dealing with the emotional impacts to children.

Legislative Initiatives

There is currently no federal law or congressional legislative effort to slow down the rate of child ID theft. Howe is spearheading an effort to bring attention to this issue and advocating for the establishment of an index of child SSNs that could be referenced to dramatically reduce child identity theft. The index could be used to alert creditors that an SSN used in an application matches that of a minor. The concept is very similar to the Social Security Death Index produced by the Social Security Administration.

This year, U.S. Sen. Kirsten Gillibrand of New York introduced the Cyber Information Sharing Tax Credit Act, a new piece of legislation that would encourage businesses to share information about cybervulnerabilities through third-party information-sharing organizations. Likewise, several states have enacted laws or are pursuing legislation at the state level. While the objectives of these legislative efforts are positive, they do nothing to prevent synthetic child identity theft.

In 2011, U.S. Rep. Jim Langevin of Rhode Island proposed a provision that would protect children in foster care as part of the Child and Family Services Improvement and Innovation Act, which was signed into law by President Barack Obama. The provision mandates free credit checks for foster youth over 16 years old before they age out of the system and requires that they receive assistance in clearing inaccuracies from their records. While the law will certainly aid some victims, research performed by AllClear ID found that upward of 99 percent of credit reports of children known to have been victimized failed to detect the identity theft.

What Can Parents Do?

Good parents will nurture their children and are generally good at protecting them from physical threats. They are great at teaching their children to look both ways when crossing the street, to not play with matches or run with scissors and, of course, to beware of “stranger danger.” However, it is much more difficult to protect a child from having his or her identity stolen.

There are some steps parents can take to minimize risk. The Federal Trade Commission and ITRC have provided valuable information concerning red flags and steps to take to prevent or detect problems. Additionally, there are professional services that offer specialized assistance.

The following are some general warning signs to look out for:

  • Credit card offers in the name of your child;
  • Calls from collection agencies;
  • Collection notices in the mail;
  • A notification from the Internal Revenue Service that your child’s SSN has already been used in a tax return.

The following are some preventative measures you can take:

  • Keep your child’s SSN private, even from family.
  • Keep sensitive information inside your house.
  • Don’t carry your child’s Social Security card or SSN with you.
  • Use a cross-cut shredder to destroy all personal information when disposing of it.
  • Question and protest the use of SSNs by youth organizations.

If your child’s SSN must be provided, the ITRC offers some advice. Show the papers to the coach or organizer and then place the documents in a sealed envelope. Write your initials over the seal in colored ink to ensure it has not been tampered with when it is returned. Alternatively, initial the back of each document in colored ink to ensure you have received the original. It is also important to ask the organization how and where the documents will be stored during the season or for how long it will possess the documents.
