- The Washington Times - Monday, August 1, 2005

NEW YORK - Recent disclosures of massive data leaks at information brokers, banks and retailers have prompted Congress to once again consider tightening access to Social Security numbers, which have evolved into dangerous master keys for defrauders.

But Social Security numbers already have come under a hodgepodge of restrictions over the years, and many experts question whether the new proposals would truly hinder identity theft.

In fact, reducing some companies’ access to Social Security numbers could even worsen the situation.

Several identity-theft watchdogs say the bills would neglect the deeper reason why financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.

To be sure, the fact that many companies use Social Security numbers essentially as a password — not only are they the key to getting credit, but they also can unlock access to an account over the phone — magnifies the problem.

That’s why Congress hopes to hide the numbers better — by reducing the ways they can be sold, for example, or by prohibiting them from being printed on benefits checks.

Even so, keeping the numbers and other personal data out of the wrong hands likely will remain tricky.

“It’s too easy to get to data no matter what the key is, from insiders or hackers or mistakes,” said Jody Westby, head of the security and privacy practice at PricewaterhouseCoopers LLP. “What we have to do is make it harder to use the data.”

Ms. Westby’s solution would be quite simple: universal use of the fraud alert, which identity theft victims are allowed to put on their credit reports for seven years. Before any new credit is granted, a card issuer or loan provider is supposed to call them and double-check that they, rather than an impostor, made the application.

Putting everyone on fraud alert status would be a simple way of bringing more personal control to the system, Ms. Westby argues, just as do-not-call lists let people decide for themselves whether to talk to telemarketers.

In contrast, the data bills pending in Congress would make many changes at once. Consumer advocates like many of the provisions, such as allowing people to refuse to give businesses their Social Security numbers, requiring more encryption of financial records and demanding widespread disclosure of data breaches.

A proposal from Sens. Arlen Specter, Pennsylvania Republican, and Patrick J. Leahy, Vermont Democrat, would prohibit data brokers from selling a Social Security number without the consent of the subject. But there are many exceptions. The numbers could be sold for “research” purposes, for example, or if just the last four digits are listed.

The latter exception “almost nullifies the entire bill,” said Daniel Solove, a law professor at George Washington University and author of “The Digital Person.” That’s because the last four digits of any Social Security number are the only truly random part of the string. A savvy thief sometimes can determine the first five digits, because those are determined by where and when the number was granted.

Even if a defrauder doesn’t get someone’s exact number, he still might be able to obtain credit in that person’s name.

Because the system is built to grant credit in a minute, there’s a built-in tolerance for typographical errors or misprints such as transposed digits in the Social Security number.

“They’re looking for accurate matches, but not exact matches, and that gray area is where fraudsters seek to perpetrate their crime,” said Terrence DeFranco, chief of Edentify Inc. Edentify makes software that scans credit applications for signs of fraud.

To perform that check, Edentify examines information harvested by data brokers, companies like ChoicePoint Inc. or Reed Elsevier PLC’s LexisNexis, which both had breaches that led to the current scrutiny.

Consequently, Mr. DeFranco has lobbied Congress to make sure Social Security numbers still could be sold for fraud-prevention services like his.

Since ChoicePoint discovered that it let identity thieves posing as legitimate customers get information on 145,000 Americans, the company has stopped printing Social Security numbers on background reports.

But James Lee, ChoicePoint’s director of marketing, argues that preventing data brokers from harvesting Social Security numbers would be ill advised. The accuracy of background checks and other reports would suffer, he said, because the numbers remain the best way to differentiate people with similar names and to examine people’s financial histories.

“You have to be very careful of the law of unintended consequences,” he said.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide