The identities of nearly 2.5 million deceased Americans are used improperly to apply for credit products and services each year, according to a new study released today from ID Analytics’ ID:A Labs. This is the first study to examine the extent of fraudsters improperly using a deceased person’s identity to establish credit accounts.

The study compared the names, dates of birth (DOB) and Social Security numbers (SSNs) on 100 million applications during the first three months of 2011 to data in the Social Security Administration’s Death Master File (DMF) to find which applications used personally identifiable information (PII) associated with deceased individuals.

The study found:
• Identity Theft of the Dead – Nearly 800,000 deceased Americans’ identities are intentionally targeted for misuse on applications for credit products and cell phone services by fraudsters each year.
• Inadvertently Misusing SSNs of the Deceased – In approximately 1.6 million applications annually, an identity manipulator inadvertently used the SSN of a deceased person.
• Identity Theft of the Dying – Several hundred thousand potential misuses of dying people’s identities each year.

“This study brings to light a significant problem as we see fraudsters intentionally using identities of the deceased at the rate of more than 2,000 per day,” said Dr. Stephen Coggeshall, chief technology officer, ID Analytics. “While this is clearly a problem for businesses, surviving family members can also be the victims of this identity fraud as they are left to manage the estates of their deceased loved ones. It’s important for people to monitor their deceased family member’s identities for at least one year and a good way is with identity theft protection services.”

Dr. Coggeshall released these findings on April 23rd at the ID360 conference hosted by the Center for Identity at the University of Texas at Austin.

Understanding the Methodology
To conduct the study, ID:A Labs leveraged data within ID Analytics’ ID Network®, the nation’s only real time cross-industry compilation of identity information that examines the flow of applications for credit cards, cell phones, retail and other financial services credit products and services.

When the study projects the 100 million applications examined to the entire annual volume of applications submitted for credit products and services in the U.S., it estimates that nearly 6.8 million applications have at least a partial match to the DMF. Many of these—roughly 2.4 million—are simply SSN typos.

The study also found that approximately 1.6 million applications are instances of a fraudster using a fabricated SSN that unintentionally matches the SSN of a deceased person. Finally, the study uncovered approximately 800,000 instances per year where a deceased person’s identity is deliberately targeted for misuse, as well as several hundred thousand cases where a dying person’s identity is potentially being misused.

The Consumer Privacy Bill of Rights

The centerpiece of the initiative is what the Administration dubs the “Consumer Privacy Bill of Rights” (“CPBR”), a “comprehensive statement of the rights consumers should expect and the obligations to which companies handling personal data should commit.” The CPBR includes seven principles, corresponding roughly to the Fair Information Practice Principles (“FIPPS”) that have guided most privacy practices in this country for the past couple of decades. The CPBR consists of seven elements that apply to the collection and use of “personal information,” defined broadly as data, including aggregations of data, that are linkable to a specific individual, computer, or device.

1. Individual Control: Consumers should be able to control what personal data companies collect from them and how they use it. Companies should provide tools for consumers to control their data that are usable and accessible, including giving consumers clear and simple choices.

2. Transparency: Companies should present privacy-related information in an easily understandable and accessible manner, at times and in places that are most useful for consumers. The disclosures should include what personal data the company collects, why it needs it, how it will use it, when it will delete it, and whether it will share the information with third parties.

3. Respect for Context: Data should be used in ways that are consistent with the context in which consumers provided it. If the data is to be used for other purposes, consumers should have more robust control.

4. Security: Companies should maintain reasonable safeguards to protect personal data.

5. Access and Accuracy: Consumers should have the right to access and correct personal data.

6. Focused Collection: Companies should collect and retain only as much personal data as they need, and securely dispose of it when it is no longer needed.

7. Accountability: Companies should be “accountable” to law enforcement authorities and consumers and should take steps to ensure that employees and third parties with whom they share personal data adhere to the principles. These steps should include audits, training, and control over vendors and other third parties recipients of the data.

Implementation

The Administration instructs the Department of Commerce to convene stakeholders in industry and the privacy community to develop “enforceable” codes of conduct consistent with the CPBR. These codes of conduct should be (1) as interoperable as possible with those our trading partners; and (2) flexible to ensure that privacy rules keep up with changing technologies.

The legal implications of the CPBR are a bit vague. The Administration contemplates an amalgamation of voluntary, self-enforcing industry codes and government mandates. For example, companies are urged to voluntarily commit to the codes of conduct that will be developed. Those that do give that commitment are subject to Federal Trade Commission enforcement under its authority to prohibit unfair or deceptive practices, on the theory that such a commitment is deceptive if, in fact, the company does not comply with the codes).

Although companies that make no such commitment presumably could avoid FTC enforcement, it appears that the Administration is counting on competitive forces to pressure companies into promising to abide by the codes. At the same time, the Administration is seeking comprehensive privacy legislation to codify the CPBR and give the FTC and state attorneys general specific enforcement authority. The proposed legislation would also establish an FTC-approved enforcement “safe harbor” so that companies can know when they are in compliance.

Behavioral Advertising

Simultaneous with the release of the CPBR, leading Internet and online advertising companies announced that they are committing to use “Do Not Track” technology in most major web browsers. The companies, including Google, Yahoo!, Microsoft, and AOL, represent the delivery of nearly 90% of online behavioral ads. The advertising industry also committed not to release consumers’ browsing data to companies who might use it for purposes other than advertising, such as employers making hiring decisions or insurers determining coverage. The Administration does not propose to mandate “Do Not Track,” however.

The Administration’s proposals are, by necessity, general in nature, to be fleshed out in the course of establishing codes of conduct. Nonetheless, they provide a reasonably clear framework for what companies should do to protect consumers’ privacy…and to stay out of trouble with the law.

The proposed rule defines “larger” credit reporting agencies to cover those that have $7 million or more in annual receipts. Importantly, in calculating annual receipts, CFPB will include only credit reporting activities that fall under Dodd-Frank. That means that there are three limiting factors: (1) a credit reporting agency’s (CRA’s) non-credit reporting activities don’t count towards the total; (2) only reports used for decisioning relating to consumer financial product or service count (for example, employment or rental screening reports are excluded); and (3) only receipts from sales are included, not capital gains from investments or other income sources. CFPB estimates that this threshold would cover fewer than 30 of the 400 or so CRAs in the U.S.

As for debt collection companies, CFPB proposes a threshold of $10 million per year in receipts. As is the case with the Fair Debt Collection Practices Act, all types of collectors are covered – third party collectors, debt buyers, attorneys – except for collections done by the creditor itself. And, again, there are limiting principles: (1) receipts from non-collection activities don’t count; (2) income other than sales receipts are not included; and (3) only collections on accounts that arise from financial products or services count (for example, collections on medical debt are excluded). CFPB estimates that the proposal would cover about 175 of the 4,500 debt collection firms in the U.S.; those 175 account for about 63 percent of all collections.

These two industries are the first ones out of the box; there will be similar rules for other types of financial institutions. The proposed rule is open for a 60-day comment period, and the final rule is due by July 12, 2012. This is an important rule because the CFPB’s supervisory authority is quite broad and will include examinations that some may consider intrusive or burdensome. If you are in the credit reporting or debt collection business, it may be worth reading the proposed rule (59 pages, double spaced) – there is a lot of relevant detail, often in footnotes. And, you should think about whether you want to file a comment. You can link to the Rule here: http://www.consumerfinance.gov/pressrelease/consumer-financial-protection-bureau-proposes-rule-to-supervise-larger-participants-in-consumer-debt-collection-and-consumer-reporting-markets/

The FCRA covers three primary groups: consumer reporting agencies (CRAs) which compile and sell consumer information for business decisioning, the furnishers of that information to the CRAs, and the entities that use consumer reports in making eligibility determinations. The most obvious example of how this works is the credit report, a compendium of a consumer’s past experiences in the marketplace that is used by lenders to assess consumers’ creditworthiness. There are several other types of consumer reports that may be covered by the FCRA as well, including reports used for tenant screening, insurance underwriting, and employment purposes.

The FCRA relies principally on a system of notice and choice to ensure that information in consumer reports is accurate. Consumers who are denied credit (or another benefit) or are offered less favorable terms due to information in their credit report receive notice of this fact, enabling them to obtain a free copy of their report and correct any errors in it. The FCRA also is designed to ensure consumers’ privacy by limiting the disclosure of consumer reports only to those with a “permissible purpose.”

Although the FCRA has been a remarkably effective law, in some ways it is showing its age. Amendments passed by Congress in the 1990s, and then again in the FACT Act of 2003, shored up some of the obvious shortcomings in the law. But, there remain a number of difficult interpretive issues. For example, the FCRA permits lenders to obtain consumer reports for purposes of making a “firm offer of credit” (such as the “you have been pre-approved “credit card mailings that fill our mailboxes). But, how “firm” and how specific does the offer need to be to qualify as a firm offer of credit? Or, how will the FCRA apply to new modes of communication and information exchange, such as social media and mobile devices?

The CFPB has many things on its plate. Let’s hope that at some point in the near future, it focuses on clearing up some of the ambiguities of the FCRA.

We at ID Analytics don’t think that ceasing publication of the list is the best way to deal with this problem. We’ve been in the business of preventing identity theft for many years, and our tools work very well at stopping the theft of deceased identities. We use this SSA Death Master File as an upfront defense to weed out such applications, and our process successfully stops these attempts. If this Death Master File is no longer published this important defense will disappear and it will be much harder to stop these fraud attempts.

The flagging of an application that includes the SSN of a deceased person is an important aspect of identity fraud prevention, and will be substantially hampered by this new decision. If/when the SSA stops publishing this list of SSNs of the deceased, it will indeed be harder for thieves to obtain the SSNs of the deceased, but once obtained the fraudsters will be very hard to stop. Further, the large category of family fraud by spouses, siblings, parents and children in the use of deceased people’s identities will be much easier to commit and much harder to stop. The providers of commercial tools to stop identity fraud will no longer be able to flag applications that use deceased SSNs.

This decision is very similar to another recent decision by the SSA where they decided to issue new SSNs using a randomization process. The randomization of SSNs plugged a small hole of thieves targeting specific people for identity theft, but opened a much larger hole of no longer being able to verify that an SSN has been validly issued, so it’s very easy to invent what looks like a valid new SSN for a fraudulent application. For more information see http://idanalytics.com/idalabs/2011/its-here-randomized-social-security-numbers/

We suggest that the best way to solve the improper use of deceased people’s SSNs is to keep this list public and increase its use as a validity check in the examination of SSNs. If the list is very public and widely used, no dead SSN could be successfully used.

A compromise is to continue to make the list available but only to a smaller group of recognized fraud fighting organizations. This would satisfy all concerned and allow the continuation of the powerful and successful tools that exist today without substantially hampering those trying to protect the public against fraud.

While other studies have examined child identity theft, the ID Analytics study is the first to examine how many parents are perpetrating this criminal act on their own children. This is also the first time that data has been presented on the number of adult children that are manipulating their elderly parents’ identities. Dr. Stephen Coggeshall, chief technology officer of ID Analytics, will discuss these and other findings tomorrow at ID Analytics’ consumer risk conference, Advance 2011: Rediscovering the Consumer, in San Diego, Calif.

Key findings include:

All in the Family—About six million parents and children improperly share identity information, specifically Social Security numbers (SSNs).
Betraying Children’s Trust—Nearly 500,000 children under the age of 18 have had their identities stolen by a parent.
Thanks Mom and Dad—A growing number of adult children have used their parent’s identity information for fraudulent reasons, with more than two million elderly victims in the past few years.

“The realities of familial identity theft are far worse than anything you see in a soap opera. It is the ultimate in family betrayal,” said Dr. Coggeshall. “Most consumers think of this type of manipulation as something inflicted by a stranger or a criminal scamming the system, when in reality a lot of identity manipulation may be a betrayal by a trusted parent, child or another family member.”

Understanding the Methodology
To provide greater insight into the scope of identity manipulations, ID:A Labs conducted a study of more than 300 million consumers in the U.S. The study quantified the extent and severity of deliberate identity manipulation for each of 307 million people, as seen across more than a billion different applications for credit and telecommunications products and services. The study ignored the many instances of data errors/typos by focusing on multiple and systematic improper variation of identity information.
About ID:A Labs

ID:A Labs reveals important trends in consumer behavior by examining identity use to help organizations better manage both the risk and opportunity of an individual consumer. ID:A Labs is a multidisciplinary group of mathematicians, computer scientists, economists, financial experts, cognitive scientists and advisors from ID Analytics and other respected institutions.

ID:A Labs conducts research and analysis in the areas of identity fraud, credit risk, marketing and segmentation, authentication and identity proofing. The Labs leverage the ID Network®, the nation’s first network of cross-industry consumer behavioral data. Backed by patented technology, world-class analytics and the ID Network, ID:A Labs researches, analyzes and reports on developments in consumer behavior, identity- and credit-related issues, the regulatory landscape and innovations in analytics around modeling and machine learning.
About ID Analytics, Inc.

ID Analytics is transforming consumer risk management with patented analytics, proven expertise, and real-time insight into consumer behavior. By combining proprietary data from the ID Network®—one of the nation’s largest networks of cross-industry behavioral data—with advanced science, ID Analytics provides unprecedented visibility into identity risk and creditworthiness. Every day, the largest U.S. companies and critical government agencies rely on ID Analytics to make risk-based decisions that enhance revenue, reduce fraud, drive cost savings, and protect consumers. Please visit us on the web at www.idanalytics.com.

ID Analytics is a registered trademark of ID Analytics, Inc. All other trademarks and registered trademarks are the property of their respective holders.

The ID:A Labs study is based on a review of over 172,000 children whose identities were protected through ID Analytics Consumer Notification Service (CNS) from April 1, 2010 to March 31, 2011. CNS directly connects consumers and companies to alert consumers in real-time when their identity is used for consumer transactions, potentially without their permission. In addition to the rate of child identity fraud, the study also found:

Credit card and wireless activity most common—60 percent of the potential fraudulent identity use alerts sent to minors originated from the credit card industry. The vast majority of the remaining alerts were from the telecommunications industry, mostly wireless providers.
Take the alerts seriously—minors who received an alert through the service were seven times more likely to experience fraud than an adult. They received 0.5 percent of the identity use alerts, but yielded 3.5 percent of the cases of fraud.

“Child identity fraud poses complex challenges to consumers, businesses and regulators. Unfortunately, minors’ identities are particularly appealing to fraudsters because their personal data is untainted, legitimate and less likely to be monitored for misuse,” said Tom Oscherwitz, chief privacy officer at ID Analytics. “This new study finds that child identity fraud is more than a hypothetical risk. Well over 140,000 U.S. kids are victims of the crime today. Our children need better protection. A comprehensive solution to child identity fraud requires a layered approach reflecting advances in technology and business processes, legislative guidance and consumer education.”

Osherwitz will speak about these findings and child identity fraud today in Washington DC at “Stolen Futures: A Forum on Child ID Fraud” sponsored by the Federal Trade Commission (FTC) and the Office for Victims of Crime (OVC), Office of Justice Programs, U.S. Department of Justice.

Understanding the Methodology
To provide greater insight into the scope of child identity fraud, ID:A Labs conducted a study of more than 172,523 children enrolled in ID Analytics’ Consumer Notification Service at some point during the 12-month period, from April 1, 2010 to March 31, 2011. Seventy percent of the enrolled minors were 13 or under. Parents and/or custodial guardians of the enrolled children identified over 600 possible cases of child identity fraud, 330 of which were confirmed by credit card issuers and service providers as actual identity fraud. In total, 55 percent of the possible fraud cases identified turned out to be fraud.

Because the CNS leverages the actual use or misuse of identity information, and is therefore able to operate independently of credit reports, it fills a historical gap in child identity theft protection by allowing parents to monitor the use of their child’s identity information to detect use or misuse. Through the CNS, ID Analytics monitors real-time transactions throughout the United States for use and misuse of a child’s SSN, name, date of birth, or other information. While adults have historically had access to credit monitoring services built on credit files, the CNS now provides parents and guardians with visibility into the real time use of their child’s personal information.

When the unauthorized use of an identity is discovered, the CNS provides consumers with a mechanism to say “that’s not me” and shut down the application, often before it is approved and can result in harm.
About ID:A Labs

ID:A Labs reveals important trends in consumer behavior by examining identity use to help organizations better manage both the risk and opportunity of an individual consumer. ID:A Labs is a multidisciplinary group of mathematicians, computer scientists, economists, financial experts, cognitive scientists and advisors from ID Analytics and other respected institutions.

ID:A Labs conducts research and analysis in the areas of identity fraud, credit risk, marketing and segmentation, authentication and identity proofing. The Labs leverage the ID Network®, the nation’s first network of cross-industry consumer behavioral data. Backed by patented technology, world-class analytics and the ID Network, ID:A Labs researches, analyzes and reports on developments in consumer behavior, identity- and credit-related issues, the regulatory landscape and innovations in analytics around modeling and machine learning.
About ID Analytics, Inc.

ID Analytics is transforming consumer risk management with patented analytics, proven expertise, and real-time insight into consumer behavior. By combining proprietary data from the ID Network®—one of the nation’s largest networks of cross-industry behavioral data—with advanced science, ID Analytics provides unprecedented visibility into identity risk and creditworthiness. Every day, the largest U.S. companies and critical government agencies rely on ID Analytics to make risk-based decisions that enhance revenue, reduce fraud, drive cost savings, and protect consumers. Please visit us on the web at www.idanalytics.com.

ID Analytics is a registered trademark of ID Analytics, Inc. All other trademarks and registered trademarks are the property of their respective holders.

An ID:A Labs study released today found an estimated 45 million people in the U.S. have deliberately manipulated their identities in applications for credit, cell phone service, auto loans or other credit transactions.  Looking beyond typos and name changes, this study examined deliberate and improper variations of Social Security numbers (SSNs), names and dates of birth (DOBs).

The top three identity manipulators used a total of 417 SSNs. Examples of information on three of the most prolific offenders: 

• #1: 165 SSNs, 44 DOBs and 3 different first names; resides in Philadelphia, PA.
• #2: 146 SSNs, 8 DOBs and 8 different first names; resides in Brooklyn, NY.
• #3: 106 SSNs, 12 DOBs and 6 different first names; resides in Cleveland, OH.

 ”This is the first national study of people who are explicitly manipulating identity information,” said Dr. Stephen Coggeshall, chief technology officer for ID Analytics.  “While there is extensive research on the crime of identity fraud and its victims, there is far less on the actual perpetrators of the crime. Now for the first time, there is a comprehensive view of who identity manipulators are, where they are living and specifically how they are manipulating their personal information.” 

The study found multiple patterns of deliberate identity manipulation:

• Multiple Social Security Numbers: Eight million people are using two or more SSNs.
• Multiple Dates of Birth: 16 million people used multiple DOBs.
• Spouses using their partner’s identity: 10 million people manipulated their identities by co-mingling some of their spouse’s information (SSN or DOB) into their own identity.

“Deliberate identity manipulation is far more prevalent than we imagined. We aren’t including people using nicknames or making a typo on a Social Security number or date of birth, but rather repeated and intentional alteration of key identity elements, in some cases by spouses and parents,” said Dr. Coggeshall. “The study uncovered fraudsters, people manipulating their identity to hide in plain sight, as well as those seeking to avoid poor credit ratings.  We’re just beginning to get insight into the range of modes underlying identity manipulation—it is a fruitful area for further research.”

 Understanding the Methodology

To conduct the study, ID:A Labs leveraged data within ID Analytics’ ID Network^®, the nation’s only real time cross-industry compilation of identity information. It contains more than 1.4 billion unique identity events such as applications for products and services where identity information is required. The study resolved the identity events into 300 million distinct people in the U.S., who were then individually examined for consistency of identity information usage.

To increase the accuracy of the results, the study excluded false positives—such as people who have changed their last name, used nicknames (i.e. Fred, Frederick, Freddie), as well as typos. This was accomplished by only considering instances of multiple, independent, systematic variations in SSN and DOB, as well as first name variations beyond nicknames. It also excludes information gleaned from those registering for websites and other services where accurate identity information is not legally required and therefore tends to be less reliable. This enabled ID:A Labs to more accurately determine who was deliberately and improperly manipulating their identity.

The study revealed that the severity of identity manipulation occurs in a continuum beginning with people simply being inconsistent with their names, to obvious malicious misuse via multiple and systematic variations of identity elements.  There are many reasons people manipulate identity information. Some people apply for products using slight variations of their true identity to avoid past delinquent history. People may use their spouses’s Social Security number to leverage a better credit score. Sex offenders and illegal immigrants commit identity manipulation to live under aliases to avoid detection, while other identity manipulators seek to gain improper access to health care or government services and benefits.

 Geographic Distribution of Identity Manipulation

The study found that the worst cities for identity manipulation are metro areas in Michigan including Detroit, Flint and Lansing, and Texas including Dallas and Houston, as well Texas border and coastal towns such as Corpus Christi, El Paso and McAllen. The map above shows the locations of the top and bottom 25 percent by five-digit ZIP code.

 Some of the worst offenders are provided in the following table:

About ID:A Labs

ID:A Labs reveals important trends in consumer behavior by examining identity use to help organizations better manage both the risk and opportunity of an individual consumer. ID:A Labs is a multidisciplinary group of mathematicians, computer scientists, economists, financial experts, cognitive scientists and advisors from ID Analytics and other respected institutions.

ID:A Labs conducts research and analysis in the areas of identity fraud, credit risk, marketing and segmentation, authentication and identity proofing. The Labs leverage the ID Network®, the nation’s first network of cross-industry consumer behavioral data. Backed by patented technology, world-class analytics and the ID Network, ID:A Labs researches, analyzes and reports on developments in consumer behavior, identity- and credit-related issues, the regulatory landscape and innovations in analytics around modeling and machine learning.

About ID Analytics, Inc.

ID Analytics is transforming consumer risk management with patented analytics, proven expertise, and real-time insight into consumer behavior. By combining proprietary data from the ID Network®—one of the nation’s largest networks of cross-industry behavioral data—with advanced science, ID Analytics provides unprecedented visibility into identity risk and creditworthiness. Every day, the largest U.S. companies and critical government agencies rely on ID Analytics to make risk-based decisions that enhance revenue, reduce fraud, drive cost savings, and protect consumers. Please visit us on the web at www.idanalytics.com.

ID Analytics is a registered trademark of ID Analytics, Inc. All other trademarks and registered trademarks are the property of their respective holders.

The Supplement reflects the FFIEC’s conclusion that financial institutions and their customers are facing increasing online risks. Consistent with the 2005 Guidance, the Supplement does not endorse any specific technology to mitigate risks, but it does emphasize the need for performing risk assessments, educating consumers, and deploying effective strategies to combat risks.

The FFIEC has indicated that it will direct its examiners to evaluate financial institutions based on the Guidance starting in 2012.

FFIEC Press Release: http://www.ffiec.gov/press/pr062811.htm
FFIEC Guidance Supplement: Auth-ITS-Final 6-22-11 (FFIEC Formated)

Since the issuance of SSNs in 1936 these numbers have slowly evolved into being used in two ways that were never intended. First, they are now widely used as supposedly unique individual identifiers with businesses. Second, they have been considered as known only to the holder, so they have migrated into a supposed secret that only you know. Thus they are frequently used as an authenticator–that you are really you if you know the number. Both of these unintended uses have lead to widespread problems around this incorrectly assumed unique and secret number.

The root of the problem in the previous system is that if I want to guess a particular person’s SSN I can get pretty close if all I know is his date and place of birth. This relatively recent revelation, along with the widespread improper use of the SSN as a “secret number,” has led the SSA to change the way it will issue SSNs going forward. This new issuance method will successfully eliminate the problem of being able to accurately guess any individual person’s SSN based on date and place of birth, but we believe that this new issuance process will actually make it easier to commit identity fraud.

Today many companies use the published issued-SSN tables as a first line of defense in identity fraud prevention. With these tables it is relatively easy to see if an asserted SSN is at least valid, and many product application attempts are made with invalid SSNs. With the new issuance procedure it will be impossible for these companies to use the current methods to validate SSNs, so they will have to rely on other defenses. Yes, one can query the SSA on the validity of an SSN, but it is both expensive and slow and thus not feasible for systems that need to process millions of events each day with real time decisions. The end result of this new SSN issuance process will be that it will indeed be harder to commit identity theft targeted at a particular, selected individual, but it will be easier to commit identity fraud in general. Those working to protect consumers from fraud see this randomization as putting a knife in the very heart of meaningful fraud prevention efforts.

The true underlying issue here is that the SSA never intended to get into the personal identifier business to begin with. Over time, this randomization system may get the SSA out of the personal identifier business. And organizations will have to find a better way of uniquely identifying individuals, as well as use more sophisticated identity fraud prevention tools.