Child ID theft, among the more tragic and vexing 21st Century crimes, is much more common than previously thought, suggests a report being published Friday by a Carnegie Mellon University fellow.
Data examined by Richard Power, a distinguished fellow at the school's CyLab research center, offers hints that identity thieves are specially targeting children when picking victims.
"They make perfect targets because they have no records and don't discover the crime for years," he said.
Using data supplied by identity monitoring company Debix, Power examined 40,000 children's profiles and found more than 10 percent had identities that were tainted in some way.
"These were 4,000 kids in there with gun licenses, mortgages, car loans and driver's licenses. That's crazy," Power said.
Among the victims described in the report: A 16-year-old girl in Arizona with 33 credit accounts linked to her name, including three mortgages; a college student with $300,000 in debt that was the result of the transposition of numbers; a college student from Texas who lost an internship because her background check classified her as "unemployable"; and a 30-year-old woman in Arizona whose identity was compromised when she was 12 and who is still haunted by her imposter. When she tried to buy a home recently, her bank told her she had a recent foreclosure on her record.
Among the 4,311 children found to have distressed identity records, 300 were under 5 years old. Nearly 1,800 cases involved utility service records, such as bogus electricity service accounts. There were also 500 kids' names attached to mortgages or foreclosures, and 415 of the kids had driver's licenses.
"This is an existential threat to our society," Power said. "The elephant in the room is that obviously we are not properly authenticating people at all."
Bigger threat than bullies, predators?
Power said the report was the first real attempt to quantify the problem of child ID theft. Hard numbers on the crime are nearly impossible to come by, as child victims often don't discover the thefts for a decade or more. When a child's identity is either stolen or tainted through some kind of error, the problem usually isn't found until the child applies for college financial aid, a car loan, or attempts to obtain employment. Then, because the unpaid debts or other blemishes can be 10 or more years old, efforts to clean the child's record can be monumental.
"You could be quite effective at warding off online predators and cyberbullies, as well as proving quite successful at guarding your own hard earned good credit, only to find that your child's identity has been violated, and your family's financial and emotional well-being threatened in an almost inconceivable way," Power says in the report, which is being released Friday.
Reporting issues have stymied researchers trying to pinpoint how prevalent child ID theft is. Because the crimes frequently go undetected for so long, police are reluctant to pursue prosecution. That also means publicly available data studied by researchers might only reflect crimes committed in the late 1990s or early part of the last decade.
Carnegie Mellon was recently approached by private corporation Debix with an offer that promised to open a window into this confusing world. Debix is one of several firms that offer identity monitoring to consumers who've had their personal information compromised in a data breach incident. During a 12-month span ending in November 2010, 800,000 consumers signed up for the service. Of that group, 40,000 were children enrolled by their parents, which gave the firm permission to investigate their records for signs of distress.
Debix offered the database to the school for research purposes, and Power jumped at the rare chance to examine data related to child ID theft.
Not scientific; still striking
The study is not scientific; the data sample is not necessarily representative of the public as a whole, so it's not possible to extrapolate the findings and declare that millions of children are currently ID theft victims and their parents don't know it. On the other hand, the data represent a group that has demonstrated above-average sensitivity to identity issues by signing up with Debix -- only about 10 percent of consumers take companies up on their offer of free credit monitoring after a data leak. And the data is consistent with other research suggesting criminals often use randomly selected Social Security numbers to obtain employment or credit, which puts children at equal risk as adults.
Earlier research by identity firm ID Analytics found that one in seven Social Security numbers are attached to more than one name, and there's no reason to believe children's numbers are exempt from that. Other experts briefed on the data said the report's findings were consistent with real-world experience.
"I personally think that the results are informative, giving us the best insight available into the potential scope and nature of the problem," said Steven Toporoff, the child ID theft expert at the Federal Trade Commission.
Power said the report offers the first real evidence that organized criminals are specifically targeting children for identity theft. Because their credit records are empty, and their Social Security numbers may not appear in any credit databases, children's identities are extremely valuable to criminals. They often can create new records using a child's number but a different name, an easy path to so-called "new account fraud," allowing risk-free creation of cell phone accounts, bank accounts, even mortgages.
Criminals have also figured out that they can get away with using the child's ID for years, while a stolen adult identity has a far shorter shelf-life. Adults discover identity problems in an average of 59 days, according to earlier research from Javelin Strategy and Research.
"ID thieves are targeting children because their IDs are pure," Power said. "This is organized crime, in some cases international organized crime."
The secret list of ID theft victims
It's unclear whether criminals can identify children's identities as targets; the research provides no insight on that. In some cases, it's likely dumb luck – the criminals randomly enter a Social Security number on an application that belongs to a child, or one that has yet to be issued.
In many cases, child ID crimes fall into the realm of SSN-only ID theft, in which a criminal uses only a victim's number -- not their name or other identifying information -- when committing crimes. The topic has been covered at length in a series called "The secret list of ID theft victims." One main driver of this type of ID theft is undocumented workers who use randomly selected numbers, or numbers purchased on the black market, with their real names to obtain employment.
In Power's report, there were 5,497 erroneous names associated with the 4,311 victims -- some of whom had more than one imposter. He concluded the illegal immigration is also a driver of the child ID theft he uncovered.
"The primary drivers for such attacks are illegal immigration (e.g., to obtain false IDs for employment), organized crime (e.g., to engage in financial fraud) and friends and family (e.g., to circumvent bad credit ratings, etc.)," the report says.
Michelle Dennedy, former chief privacy officer of Sun Microsystems, was briefed on the report. She has a child who's been a victim of ID theft twice and believes organizations aren't doing enough to protect kids from the crime.
"You can't sign your kid up for soccer teams today without giving up your kid's Social Security number," she said. "There are these places where they are vulnerable."
Parents need to be aware of the potential that their children might be victims, she said, urging much more vigilance in monitoring.
"If we get guardians to look (at their kids' records) the value of their identities starts to drop," she said, as crimes will be discovered more quickly. "The softness of the target starts to go away."
RED TAPE WRESTLING TIPS: What parents should do
Advice for concerned parents is nuanced, however. Neither the FTC nor the nonprofit Identity Theft Resource Center recommends that parents check kids' credit reports on a regular basis. That could actually cause a credit bureau to prematurely create a report, which might make kids' identities more vulnerable, according to the FTC.
Both agencies agree that parents should attempt to obtain a credit report on the child's 16th birthday. Ideally, there won't be one; but if there is and it's full of errors, there should be ample time to deal with the problem. Before age 16, under normal circumstances, an occasional check -- perhaps every three or four years -- is sufficient, said the FTC's Toporoff.
But if there is a reason to suspect foul play, parents should immediately contact credit bureaus and request a report, he said. They should also consider placing a credit freeze on the child's records, following their state's particular policies.
"Parents should also be on guard for warning signs of potential child ID theft, such as credit offers, credit cards offers, bank offers coming to a child," Toporoff said.
Jay Foley, executive director of the Identity Theft Resource Center, says parents don't need to panic over evidence of identity theft, but they should realize they are facing an uphill battle. Obtaining information on SSN-only ID theft can be tricky.
"Unless the child is being chased by collection agencies, my suggestion is to wait until the child is 16 years old and then the parents need to write a letter to the credit reporting agencies requesting any information on the child's name in combination with the SSN and any information on the SSN alone," he said. "If at that time they find something wrong we have roughly two years (in most cases) to get it fixed or replaced."