Net Aids Theft of Sensitive ID Data
By Jonathan Krim
The Washington Post
Monday 4 April 2005
Critical Social Security numbers widely available.
Want someone else's Social Security number?
It's $35 at www.secret-info.com. It's $45 at Iinfosearch.com, where users can also sign up for a report containing an individual's credit-card charges, as well as an e-mail with other "tips, secrets & spy info!" The Web site Gum-shoes.com promises that "if the information is out there, our licensed investigators can find it."
Although Social Security numbers are one of the most powerful pieces of personal information an identity thief can possess, they remain widely available and inexpensive despite public outcry and the threat of a congressional crackdown after breaches at large information brokers.
Brokers such as ChoicePoint Inc. and LexisNexis have pledged to restrict the availability of such data after personal information on more than 175,000 people was purloined from the two firms by identity thieves posing as legitimate businessmen.
So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multi-tiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud.
A simple Internet search yields more than a dozen Web sites offering an array of personal data.
Some are run by small data brokers and other re-sellers. Others are run by private investigators, many of whom have complained that recently announced restrictions on the availability of Social Security numbers would hurt their ability to assist law-enforcement, track down dead-beat dads or locate witnesses.
Yet with only scant checks to verify whether someone requesting data is legitimate, several sites sell full Social Security numbers, potentially contributing to an epidemic of identity theft or fraud that touched about 10 million Americans in the past year.
No law prohibits the sale of Social Security numbers, but privacy experts and some government agencies have warned for years that the number is over-used and under-protected.
Inaugurated in 1936, the nine-digit number was intended to match citizens to the retirement money they would eventually receive. Over time, the number became essential for getting or verifying credit and for employment background checks.
Eventually, it became so deeply linked to personal data throughout the economy that it became a de-facto national identifier.
"For identity thieves, it's their magic key . . . that gets into every door," said Daniel J. Solove, a George Washington University law school professor who specializes in privacy law. Getting a number can make it possible for criminals to access to bank or credit-card accounts, establish credit to make purchases, or find someone they wish to harm.
Nonetheless, some insurance companies still use the Social Security number as an individual's account number, printing it on identification cards, leaving people vulnerable if wallets are stolen or lost. Medical offices routinely request Social Security numbers, often when initial appointments are made, and many universities use it as a student identification number.
According to a recent study commissioned by Unisys Corp., a technology consulting company, about half of large financial institutions use Social Security numbers to verify the identities of customers who call in for services. Some even use it to identify customers as part of the log-in process when they want to access accounts via the Internet.
So vital are Social Security numbers in this sea of information that ChoicePoint warned investors in a recent Securities and Exchange Commission filing that its business could suffer if the rules on distribution of Social Security numbers were tightened.
The mass breaches of data at ChoicePoint and LexisNexis forced the companies to be proactive.
Executives of both firms told Congress last month that for many of their non-law-enforcement clients, Social Security numbers would be truncated so that only five digits would appear on reports.
But plenty of sources of the information still exist. Using an intermediary, The Washington Post was able to obtain the full Social Security number of a reporter within 24 hours from two of three online providers the intermediary contacted.
Not all of the providers advertise Social Security numbers, and those that do promise to verify that the buyer has a legitimate reason for seeking the number, such as to complete tax forms of an employee or to find someone involved in a court action.
The intermediary, a security consultant who helped the Federal Trade Commission identify illegal data sales in 1999, told the providers he needed the number for tax purposes. Two providers accepted that reason without question or requests for documentation. A third provider refused to provide Social Security numbers.
Robert Douglas, the intermediary, operates the consulting firm PrivacyToday.com. Douglas, who chose the method of acquiring the numbers on his own, said he used the pretext of tax preparation because that would be a common trick used by an identity thief at this time of year.
Michael Leighton, a North Carolina private investigator who operates secret-info.com, acknowledged that he did not request further documentation from Douglas. But he said the company verifies that a requester is calling from a land-based phone line with a valid address. Douglas said he used a cell phone.
"We get on average between 30 and 75 requests a week," Leighton said. "We maybe do less than 10" because others did not have a valid reason for seeking a Social Security number.
Leighton declined to say whether he received the data directly from a large data broker, or from other re-sellers.
The other site that provided the reporter's number, USRecordsearch.com, does not advertise that it sells the numbers. But with the same explanation for why he wanted the data, Douglas received the reporter's full number.
A principal of the Florida-based company did not respond to phone messages seeking comment.
Under a law that took effect in 2001, non-public data from financial records cannot be sold or transferred without giving individuals a chance to opt out. There are several exceptions, however, including employment checks, for tax filing, or to process a financial transaction.
But the system relies on the honesty of the person seeking data, and the diligence of the person selling it.
"Until Congress understands about the re-sale market here, they are not going be able to get a handle on this problem," Douglas said.
Bruce Hulme, chairman of the legislative committee of the National Council of Investigation & Security Services, the largest investigators' trade group, said he could not condone investigators who make a side business out of indiscriminately selling data.
"They should pull those Web sites down," he said. "They better know the client."
Still, Hulme said private investigators have generally proved to be more careful stewards of private data than are information brokers. His organization is beginning a lobbying campaign to ensure that any new laws don't cut off private investigators' access to data they say they need.
Several members of Congress are sponsoring new privacy legislation, including bills that would ban the sale of Social Security numbers without individuals' permission.
Private investigators are clearly worried. In Internet chat groups, they exchange information on which data brokers are still selling full Social Security numbers, while bemoaning how they are being punished for the security lapses of the brokers.
For their part, ChoicePoint and LexisNexis say they are "re-credentialing" all non-government clients. At ChoicePoint, those who use the Internet to request information were greeted with a pop-up notice indicating that privileges might be restored after the certification process was complete.
ChoicePoint declined to provide an executive for an interview. Spokeswoman Kristen McCaughan said the company plans to give full access only to government or law-enforcement agencies, banks and insurance companies. She declined to say how many of its customers, including private investigators, would end up with restricted access.
McCaughan said the company sells data to fewer than 15 other brokers or re-sellers, and that their access will now be subject to stricter guidelines.
A LexisNexis spokesman said clients downgraded to restricted access included law firms, media and private investigators.
The financial services industry argues that it has steadily reduced its reliance on the Social Security number for several years, but that the number's use has benefits for consumers.
Nessa Feddis, senior federal counsel of the American Bankers Association, said that with so many numbers consumers already must remember, using Social Security numbers to verify accounts makes sense.
If a credit-card is lost or stolen, she said, a consumer can quickly report the missing card to a bank by knowing his or her Social Security number. If the only accepted identifier was a separate account number, she said, the person would have to wait until he or she could get to a credit-card statement at home.
Privacy experts argue that at the very least, institutions should employ multiple test questions when people call in, rather than just the Social Security number. And they point out that if the number is compromised, it is hard to limit the damage because new numbers are almost never issued.
"The current system has the worst of all worlds," Solove said. "Anyone can easily find it [the Social Security number] out . . . It's used everywhere, and it's really hard to change if it falls in the wrong hands. How could you come up with a worse system?"