Protecting Personally Identifiable Information (PII) has always been a concern, but it is now required in most states because almost every network is connected to the Internet. It is easier than ever for a criminal to obtain your Social Security number and the other information needed to “steal” your identity.
Why is it so easy to steal a person’s identity once only a few things are known about them, such as a Social Security number and place of birth? Because fake cards can be made with these numbers and then taken to an agency to get a valid driver’s license, open a utility account, or obtain a birth certificate. Using these valid IDs, other IDs (even the Social Security card that was issued based on the fake ID) can then be obtained.
How do we “break the chain”? This is a battle that has been ongoing for some time; a “National ID Card” constantly faces challenges from “rights” groups saying that loss of personal anonymity would occur. (This is a good place to insert duh!) Either we can know and verify who you are or we can’t. So the challenge is great, but the solution can be simpler.
SSNs are guessable, according to a SANS report published last week. The Social Security Administration has issued a statement including: "There effectively is no way you can keep {SSNs} totally confidential."
http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=1
http://www.theregister.co.uk/2009/07/07/ssn_guessing_algorithm/
We should be concentrating on how to mitigate the risks of disclosure, focusing on processes to prevent improper use. For instance, when an SSN is originally issued by the SSA, it requires complete, up-to-date information. Before an SSN can be used, the information could be checked electronically, much as with a credit card, before an account is opened, a job is obtained, etc.
For instance:
Employers use a system called “E-Verify” to help verify the validity of Social Security numbers. This system can be expanded to banks, utility companies, and loan companies to determine if the presented card is valid. So in any case, a federal agency would be the anchor point for any such system. It would be relatively easy to implement and fund.
Forcing companies to use this system and obtain a valid “authorization code” would stop almost all identity thefts in their tracks. When an identity is stolen, it will be very easy to catch, as the credit reporting agencies should also be required to verify their information before publishing it. Any red flags would cause everyone in the chain to receive a change notification.
Fraud involving a valid authorization code will spring a federal agency into action to reverse the wrong actions, challenge the information, utilize intelligence and enforce Title 18 laws on a national level.
The banking system is a large part of the problem. The day of walking into a bank to open a credit card account has been replaced by just a signature on a pre-approved form in the mailbox. But the banks would welcome an automated way to verify an SSN and other PII; this would help cut down on their losses. We know the track record of credit reporting agencies (on whom the banks mainly rely today), and the stories about people’s dogs obtaining credit. The job of the “Feds” would be to provide a vehicle for real verification.
We may never eliminate fraud, but finding ways to make obtaining the information ineffectual will greatly reduce identity theft.