Daily Alert

02 May 2008

Inexcusable Negligence

ID Theft Safeguard used to Steal IDs (from Laptop Security blog)

Even the most carefully laid plans can go awry. Federal prosecutors charged a Southern Californian woman this week with aggravated identity theft after she used a genealogy website to locate people who had recently died and to take over their credit cards.

Tracy June Kirkland was using Rootsweb.com to find the names, Social Security numbers and birth dates of people who had died. She would then call credit card companies randomly to see if "she" had an account, if "she" did, she would request a mailing address change and, in some cases, would add her own name as an authorized user. Ms. Kirkland repeated this scheme at least 100 times between October, 2005 and last month.

Rootsweb.com is a genealogical research site that, amongst other services, reproduces the Social Security Administration’s Death Index, which is a public list of people who have died, along with their birth dates and Social Security Numbers. The government publishes this list with such detail in order that banks can prevent people from applying for credit under any deceased people’s identities. The information is made public by the Freedom of Information Act.

Tracy Kirkland has found a loophole in the system by, instead of applying for new credit, simply co-opting existing credit accounts. This is the first time this exploit has been found, according to a spokesperson for the Social Security Administration.

"The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end."

So, what do you think? Should the Social Security Numbers be reported on the Death Index? Do you think the benefits to the prevention of identity theft outweigh the risks shown here?

You can feel the full court indictment here [PDF]

Via wired ; Logo: Rootsweb, a part of Ancestry.com and MyFamily.com Inc.Tags: rootsweb, identity theft, id theft, death index, breach

I could see how someone with access to the Social Security Numbers of recently deceased could be successful attempting this sort of fraud. But with consumers who passed away 2 or 3 years ago, there is no excuse for credit issuers to have not updated their electronic records. Anyone who has reviewed their own credit report knows that financial institutions do periodic inquiries in order to verify if their customer is still in the same risk category they were when the credit was first issued. Why is it then, that the issuers who gave out account information didn't notice that line which says "consumer has been reported deceased" and updated their database accordingly?

SS Death Index records are downloaded and incorporated into credit repository data on a regular basis, at the very least a few times a year. For a creditor to not know their customer is deceased is shear stupidity. Besides adding to the cost of total fraud loss, a loss which is passed on to the consumer, the survivors are left to deal with the credit issuer or even debt collectors to resolve the problem. As the article points out, the SS Death Index is public specifically to prevent this sort of fraud.

Stumble Upon Toolbar

No comments:

Sderot QassamCount - via Daled Amos

Nice Jerusalem Video from Yeshiva Beit Orot

The Path To The Final Solution

Who links to my website?