Alan Brill has scoured computers for intelligence left by Iraqi forces retreating from Kuwait. He has probed a bank in Bosnia suspected of funding ethnically targeted mass murder. He has investigated the work of hackers who got inside the 2008 presidential campaign networks of Barack Obama and John McCain.
What’s on his radar now? Your kids.
As school ends and camp and summer jobs begin, scammers are after their identities, which can be teased out from information given in application forms. Identity thieves can use a child’s Social Security number, for example, to “apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live,” the Federal Trade Commission warns on its website.
“When you think about kids, in some ways they have the most vulnerable identities, but they are the ones people think about least,” says Brill, senior managing director for cybersecurity and investigations at the New York security firm Kroll. “It’s kind of a perfect storm for the bad guys.”
Kids’ identities, which can be used for a long time, are low-hanging fruit. In addition to requesting a Social Security number, camps, sports leagues, and potential employers may ask for insurance information and other personal data. Criminals see computer systems at camps and other extracurricular programs as easy hacking targets. At the same time, there are no potentially lucrative financial accounts tied to a child’s identity. So while the future damage can be incalculable, your child’s identity goes for cheap — $10 to $25 on the dark web, depending on supply and demand.
While it isn’t clear how many child identity thefts are committed annually in the U.S., says Brian Lapidus, who heads the identity theft and breach notification practice at Kroll, “this is a big problem that we’re seeing an increase in year over year, as criminals get more savvy.”
Here, Brill and Lapidus offer their thoughts on child ID theft. Kroll and ID protection company LegalShield launched a service called IDShield two years ago, but such services aren’t the first line of defense for concerned parents. It’s simple awareness of the problem.
Both men quizzed their children’s or grandchildren’s camps on their cybersecurity practices and safeguards. You can imagine it was a pretty good grilling. Here’s what to do and what to look out for in guarding your own young ones’ identities from thieves.
How do you even know if your child’s identity has been stolen?
Brill: Unfortunately, in many cases you find out the hard way. Either your kid eventually applies for credit and discovers he has a terrible record, or someone has been using your kid’s information for something like W-2 fraud, using it to work when they’re not supposed to be working, and a year and a half later your child gets a nasty letter from the IRS saying, “We have W-2’s for you, why haven’t you filed your taxes?”
Or your kid looks to go to college, and the college says, “Why do you owe AmEx $37,000 on a credit card, and why do you have bankruptcies on your record?” It can cause problems for the kid, and for parents who want to protect the identity of the of kid.
Another thing we see that is scary is how criminals use your kid’s identity to get medical services for another kid. In this age of electronic medical records, there may be a fairly extensive record under your child’s identity, but it has a different medical history and blood type than your child. The last thing you want is your child to go into the hospital and the medical staff to have the wrong information and your child’s medical history and all else.
What are other areas in a child’s world where identity theft issues come up?
Brill: The internet of things. You probably read about the [bluetooth-enabled] doll marketed in Germany that recorded a lot more than you, as a parent, would want and sent it to a cloud-based server. A lot of American toy companies follow the Children’s Online Privacy Protection Act about collecting information from kids. But when you get knockoff versions of a product that is imported, that’s not necessarily the case, and you don’t know where the data is going, how it is being protected, if it is being misused.
Lapidus: Also, you have teenagers applying for jobs in the summer, and with a lot of applications, they have to give their Social Security number. You see job fairs where someone shows up saying, “I’m from X organization,” and people fill out applications. What the group really is is an identity theft ring. Say it’s a popular job fair, they get 500 applications, they walk out the door and have 500 identities to sell on the dark web that day. So in that case does a parent just tell their teen not to give out a Social Security number?
I’m not sure most 16-year olds would say this, but conceivably they could say, “Hey, I’m really interested in working for your organization, but I’m not going to give you my Social Security until you are ready to make an offer, because my dad is in security, and I worry about things like that. It’s about having that dialogue with your child and that sense of awareness.”
Where are the attacks coming from? What kind of cybercriminals are we talking about?
Brill: In large part, the nation/state actors don’t care about your kid’s data. If they were to get it, it would just be accidental along with other stuff they grabbed. The people that traffic in this data are mostly commercial cybercriminals who are going to use it for credit frauds, medical frauds, and W-2 frauds. It tends to be very low-level hackers who aren’t very creative. But if the place where the data is stored hasn’t done the security basics, they can run an attack that might get them that data.
Aside from warning your kids, what can a parent really do?
Brill: To me it’s really an area where parents can do quite a bit, but not if they aren’t thinking about it. The first question to ask a company is how are you protecting my kid’s data? If they look at you like you are speaking Klingon, that’s probably not a good thing. You want to hear something that makes sense, for them to have an answer that shows they have thought about it. They might tell you how they limit access to data, how they limit the information they collect. I’ve found that once you ask that question and listen to the answer, you tend to get a good or bad feeling about whether they are serious about it or not.
It all comes down to consciousness of this as an issue, asking questions, and in some cases working together. Very often a camp will have a parents association, and if your kid was there last year and is going again this year, you probably have some contacts that you can speak with and take a little collective action.
And you want to monitor your kid’s Social Security record just as you would for an adult to see if anything is reported.
Lapidus: You can see if a credit file is available on your child. A lot of products have the capability to do some kind of monitoring for minors. There are some indicators of [identity] compromise. There’s monitoring of the dark web. One thing I always find interesting is if a child gets an explanation of benefits from an insurance company and it has nothing to do with them. You might think that was just a clerical mistake, but it would be an indicator that something is awry. We had a case a few years ago where an 87-year-old woman received an EOB for a rhinoplasty. She called us up and said, “Hey, I have not had a nose job.”