Big problem increasing year-over-year
While it isn't clear how many child identity thefts are committed annually in the United States, it is a big problem that's increasing year-over-year as criminals get more savvy.
Here’s what to do and what to look out for in guarding your own young ones' identities from thieves:
Q: How do you even know if your child’s identity has been stolen?
Unfortunately, in many cases, you find out the hard way. Either your kid eventually applies for credit and discovers he has a terrible record, or someone has been using your kid’s information for something like W-2 fraud, using it to work when they’re not supposed to be working, and a year and a half later your child gets a nasty letter from the IRS saying, “We have W-2’s for you, why haven’t you filed your taxes?”
Or your kid looks to go to college, and the college says, “Why do you owe AmEx $37,000 on a credit card, and why do you have bankruptcies on your record?” It can cause problems for the kid, and for parents who want to protect the identity of the of kid.
Another thing we see that is scary is how criminals use your kid’s identity to get medical services for another kid. In this age of electronic medical records, there may be a fairly extensive record under your child’s identity, but it has a different medical history and blood type than your child. The last thing you want is your child to go into the hospital and the medical staff to have the wrong information and your child’s medical history and all else.
Q: What are other areas in a child’s world where identity theft issues come up?
The Internet of Things. You probably read about the [bluetooth-enabled] doll marketed in Germany that recorded a lot more than you, as a parent, would want and sent it to a cloud-based server. A lot of American toy companies follow the Children's Online Privacy Act about collecting information from kids. But when you get knockoff versions of a product that is imported, that’s not necessarily the case, and you don’t know where the data is going, how it is being protected, if it is being misused.
Also, you have teenagers applying for jobs in the summer, and with a lot of applications, they have to give their Social Security number. You see job fairs where someone shows up saying, "I’m from X organization," and people fill out applications. What the group really is is an identity theft ring. Say it’s a popular job fair, they get 500 applications, they walk out the door and have 500 identities to sell on the dark web that day.
Q: So, in that case, does a parent just tell their teen not to give out a Social Security number?
I’m not sure most 16-year olds would say this but conceivably they could say, "Hey, I’m really interested in working for your organization, but I’m not going to give you my Social Security until you are ready to make an offer, because my dad is in security, and I worry about things like that. It’s about having that dialogue with your child and that sense of awareness."
Q: Where are the attacks coming from? What kind of cybercriminals are we talking about?
In large part, the nation/state actors don’t care about your kid’s data. If they were to get it, it would just be accidental along with other stuff they grabbed. The people that traffic in this data are mostly commercial cybercriminals who are going to use it for credit frauds, medical frauds, and W-2 frauds. It tends to be very low-level hackers who aren’t very creative. But if the place where the data is stored hasn’t done the security basics, they can run an attack that might get them that data.
Q: Aside from warning your kids, what can a parent really do?
It’s really an area where parents can do quite a bit, but not if they aren’t thinking about it. The first question to ask a company is how are you protecting my kid’s data? If they look at you like you are speaking Klingon, that’s probably not a good thing. You want to hear something that makes sense, for them to have an answer that shows they have thought about it. They might tell you how they limit access to data, how they limit the information they collect. I’ve found that once you ask that question and listen to the answer, you tend to get a good or bad feeling about whether they are serious about it or not.
It all comes down to consciousness of this as an issue, asking questions, and in some cases working together. Very often a camp will have a parents association, and if your kid was there last year and is going again this year, you probably have some contacts that you can speak with and take a little collective action.
And you want to monitor your kid’s Social Security record just as you would for an adult to see if anything is reported.
You can see if a credit file is available on your child. A lot of products have the capability to do some kind of monitoring for minors. There are some indicators of [identity] compromise. There’s monitoring of the dark web. One thing that's interesting is if a child gets an explanation of benefits from an insurance company and it has nothing to do with them. You might think that was just a clerical mistake, but it would be an indicator that something is awry. We had a case a few years ago where an 87-year-old woman received an EOB for a rhinoplasty. She called us up and said, “Hey, I have not had a nose job.”