Securing your social security number and what to do if it’s stolen

Published by on February 3, 2017 in Information Security


Social Security

If you want to live in modern society, you’re going to have to accept modern problems. And there’s probably no bigger problem with modern society than identity theft. For Americans, in particular, there’s a large number of ways way to have your identity stolen, with perhaps the easiest being your Social Security Number. It seems like almost every business and government organization has a copy of this supposedly “secure” number. But was it always that way? Not quite.

A secure number for insecure time

Originally created as part FDR’s New Deal as a way to track individual Americans’ Social Security accounts, the 9-digit Social Security Number eventually became a standard personal identifier covering a wide variety of purposes. As all Americans receive this number shortly after birth, or upon becoming a naturalized citizen, the wide use of the number out of the SSA makes a certain kind of sense.

Prior to the issuance of SSNs, there was no easy way to track all Americans beyond just legal names given at birth and physical address. Yet that method, as we all know, is a bit troublesome. Names are not quite that personally identifying, and people change addresses all the time.

Number of names for John

There are nearly 47,000 people named John Smith in the U.S. alone. Unless your name is absolutely unique to you and you alone (many names are not) it’s easy to understand why using people’s names as a standard identifier for hundreds of millions of people is less efficient than using a number. With the name method, you also need birth date, place of birth, middle names, and if that doesn’t help whittle down the list, even parent names. The 9-digit SSN, of which there are 1 billion possible combinations, was and still is a simple solution to this problem. However, it was created in a time and for a purpose markedly different than how it’s so often used today. As we are now learning with growing frequency, it has become far from the most secure method around.

Wider SSN adoption is what created today’s environment

While the SSN was originally designed with a fairly specific purpose, many businesses, other government organizations, schools and the like quickly adopted the use of SSNs as an easy way to track people as well. Why recreate the wheel, after all, when the government has already done the hard work for you? Unfortunately, that same wide adoption of SSNs also created the perfect environment for identity thieves.

As it’s easy to falsely assume someone else’s identity by just using their name, the supposed security of the SSN made that more difficult. However, once someone obtains this supposedly private number, they can more easily pass themselves off as someone else. Since the government does not require photo identification or a biometric scan to verify identity along with an SSN, it’s incredibly easy to pretend to be someone else, especially if that SSN belongs to a child who has no actual credit history.

How do Social Security Numbers usually get stolen?

Identity thieves are always out to get as much information about you as possible. Stealing just your SSN is an important step for them, and indeed almost an integral one. Even if all they get is your SSN, this can help them do a significant amount of damage. How do thieves typically get Social Security Numbers? There are several methods they may employ:

Picking through your trash

This is a less common method now that so many SSNs live online, but it was a far more common method before the proliferation of the internet. Thieves can pick through your trash, find anything that has an SSN on it, and then use that, as well as your name, age, address and date of birth.

Solution:

Never throw away anything that has your SSN on it as a whole, untouched document. Either completely black out the personally identifying information with a heavy, black marker, or use a paper shredder, followed by thoroughly mixing the shreds. For the best results, you may even want to combine both of these methods, which will make if effectively impossible for trash thieves to piece your identity back together.

Don’t have a paper shredder and don’t trust the heavy black marker? You may want to employ alternative methods. Scissors are always a possible alternative, although this method may be tedious if you have a lot of documents. You may also want to consider taking your blacked out documents directly to your area solid waste disposal plant, where they may charge you as little as $2.00 to dump your documents directly into secure receptacles. Of course, you could also get creative, as some others have done:

Phishing websites

Phishing is an online method scammers use to steal data. By creating a fake website or web page, online thieves can trick people into submitting personally identifying data, such as SSNs, credit card numbers, driver’s licenses, physical addresses, birth dates and more. Once you hit submit, there’s simply no way to get that data back. It’s gone for good, into the hands of would-be thieves.

DBIR report

Solution:

Never click on suspicious links, and avoid entering your information into websites that you feel are not legitimate or might be a scam. If a website has already collected your Social Security Number when you created the account (such as an online bank, for example), they will never or should never ask you to enter all 9 digits again. Instead, they will ask for the last 4 digits of your SSN as verification. We’ve written an extensive piece on how to identify scam, fake and fraudulent websites, which may be extremely helpful in your effort to avoid phishing.

Keyloggers

Keyloggers are one threat you may not have even realized you needed to worry about. Keyloggers are a type of malware that hides on a computer, logging any information that you type into your computer. Information from that logger can then be downloaded directly from the computer or may have built-in code that automatically sends the information to a desired remote location when that computer connects to the internet.

The real danger with keyloggers is that you may never know you have one until it’s too late. Indeed, by the time you discover you have a keylogger, you may have already given away your SSN and every other possible piece of personal information you can think off — enough, even, for whoever received the information to not only steal your identity but to blackmail you as well.

It gets worse, however. Keyloggers may not only allow the hacker to see what you’ve typed in but to also see everything you’re seeing. Some keyloggers are advanced enough to effectively mirror the computer screen of whoever has that keylogger installed, making it even more of a pernicious virus to have on your machine.

Furthermore, if you’re using a public computer, such as one at a library or an internet cafe, you simply have no way of knowing whether someone has manually installed a keylogger on that machine, or whether that machine actually has any active virus software installed.

Solution:

Make sure you have an active virus scanner on your computer, as well as a trusty on-demand virus or malware remover. You will also want to ensure you’ve turned on your web browser’s security features, as this may help prevent you from accessing websites that carry these types of viruses.

You’ll also want to be cautious with the type of links that you click. Often, victims end up installing keyloggers by clicking strange links from emails or on social media networks. This often happens because most viruses are designed to hijack a system and send themselves to others in your contact lists once they gain access to your machine.

Finally, and perhaps most importantly, never use a public computer to sign into any account or enter any personal data. There are simply too many unknowns involved with public machines. Aside from looking up directions, you should avoid using public computers if you can avoid it.

Data breaches

This is perhaps the primary method data thieves are now using to steal Social Security Numbers. For example, in 2015 a major hack of the U.S. Office of Personnel Management resulted in the loss of over 21 million Social Security Numbers. Although this mostly affected government workers, the OPM noted that it was highly likely the breach affected anyone who had received a federal background check going back to the year 2000. (Special note: We have a long-form article covering some of the biggest data breaches in history. Check it out!)

This type of major data breach is only increasing in frequency and size. And given how many websites and government organizations use Social Security Numbers these days, chances are good that if you haven’t already had your SSN stolen, you’re likely going to be a victim at some point.

Data breach numbers

Solution:

As hard as this is to say, there’s no way to completely avoid this situation. You can certainly try to find unique ways to avoid doing business with any company or organization that asks for your Social Security Number, but you can’t avoid having the government use that number. And as we’ve seen, the government itself is not immune to these major data breaches, meaning, quite frankly, neither are you.

There are some things you can do to lessen the damage and risk, however. First, you may want to consider asking any company or non-governmental organization that requests your SSN, to require a different number. The Social Security Administration actually advises many organizations to stop their reliance on SSNs and instead use Alternative Identifiers. Universities and other educational institutions, in particular, are moving away from the use of SSNs.

The Social Security Administration notes that you do not have to provide your SSN if you’re not legally required to, although you may get rejected from whichever business or institution is asking for that number if you refuse to provide it. You may try to instead provide or ask for them to accept an Individual Taxpayer Identification Number, which you can acquire from the Internal Revenue Service.

More pointedly, your best solution for data breaches is to stay proactive with your credit reports. Always acquire your free yearly credit report from the three major credit monitoring organizations. You may also want to create an account on a website such as Credit Karma, which provides free, regularly updated credit reports from 2 of those organizations.

Additionally, you may want to inquire with these credit agencies about getting access to any split or “fragmented” files. Someone who stole your SSN may create a sub-accounts without your knowledge. This can result in split files. Those split files may not appear on your regular credit report, although the damage caused by them may be reflected on the primary account. Credit reporting agencies may not show these sub-accounts unless you ask specifically about them. If there are no split files, you’re in good territory. However, if agencies do find them, it could be a cause for alarm. Split files are not always because of identity fraud, as they can occur as a result of a lot of open accounts and inquiries, or from frequent address changes. That said, any split files should be investigated if you discover them.

If you are prepared to part with $10 to $15 a month there are a number of organisations that will monitor the black markets for criminals trading your SSN, credit card details or other data. These systems are not foolproof but do add an extra layer of security. For more details take a look at our round up some of the best identity theft protection services. 

Stolen wallets and purses

If you lost your wallet or purse, or someone stole it, hopefully, you did not have your Social Security card inside. This is one simple way you may unwittingly lose your SSN. It’s unfortunately not too uncommon for people to carry their Social Security Card in these locations (perhaps aided by the fact that the card is wallet-sized).

Solution:

Simple: don’t carry your Social Security Card on your person. Leave this one at home in a safe place.

A special note on ‘familiar fraud’

There’s a special class of identity theft known as “familiar fraud”. We call it a special class, but it’s unfortunately far too common. “Familiar fraud” occurs when the person committing the identity theft knows the victim. More commonly, this occurs between family members. Typical victims of familiar fraud are the elderly and children. In fact, CNBC reported that 27% of identity theft victims are actually children, while over 500,000 ID theft victims reported that they knew the person who stole their identity.

Child identity theft

Why is familiar ID fraud, such as child ID theft and elderly ID theft, so common? For the most part, because it’s far too easy. Family members may target related children because they will be able to get away with that ID theft for years before it’s ever discovered. A 10-year-old child whose Social Security Number is stolen and used to create credit card accounts likely won’t discover he or she is a victim until well until their 20s when it really starts to matter.

Meanwhile, some people may choose to take advantage of elderly family members or friends for similar reasons. The ID theft is likely to go undiscovered for a long time, and many elderly people may simply pay the associated bills, often assuming that they’re related to other expenses such as healthcare spending.

Solution:

Check the credit scores for your children and your elderly parents and family members regularly. While children cannot do this themselves, as a parent, you have the right to access your children’s’ credit scores. For example, you can request this information from Experian through their Fraud Center. Additionally, you can add fraud alert or even a credit freeze.

The credit freeze, especially, is a good step to help prevent identity theft against children. This will not impact a child’s credit score from going up or down (not that it should at this point anyway), but it will significantly restrict access to the credit report. This is important, as creditors, such as credit card companies, require access to a credit report in order to determine how much credit to extend to an individual if any at all. If creditors cannot gain access, they’re more likely to reject credit card applications, thwarting identity thieves.

Obviously, this is not the way to go for your elderly family members and friends. In this case, you’ll want to be proactive in helping them access their credit reports regularly, and going over those reports with them to help them identify suspicious activity. You may also want to set up credit monitoring with them and have them add you as a recipient for their fraud reports.  

My Social Security Number was stolen! What should I do now?

As someone who has had his data stolen in a number of local and national data breaches (this, this, and this, to name a few) I can empathize with the feeling that comes immediately after knowing you’re a victim. It can be a numbing, scary experience, full of unknowns and unanswered questions. Thankfully, many organizations, such as banks, are readily monitoring your accounts for suspicious activity. For me, the only time my stolen data was actually utilized (stolen credit card information), my bank called me up and asked me if I was currently using my card somewhere halfway across the country (I wasn’t). They quickly shut it down and issued me a new card as well as contacted local police on my behalf.

For stolen SSNs, that’s a bit more difficult. Unless you’ve actually witnessed the theft firsthand, chances are you won’t find out about your stolen SSN until the damage has already been done. At that point, you’re working to minimize or put a stop to any further damage, reduce the overall impact on your life and recover from the loss you’ve suffered as a result. The moment you discover that you’re a victim, you’ll want to take the following steps:

1. Check your credit report

This is no different than our earlier stated advice but is a necessary step once you know or suspect that your SSN has been stolen. This may be an important step immediately following a data breach that has impacted you, or if you discover a keylogger on your computer.

2. Contact any companies where fraud is occurring

Someone actively stealing your SSN is generally intent on using it for monetary gain. This either means selling it to someone who can use it to get a job or using the information themselves. This typically involves creating a credit card account, which may show up on your credit report. If you see accounts open that you know or suspect you did not open yourself, contact those crediting companies and explain to them the situation. They may not take immediate action beyond shutting down or suspending the suspicious accounts, but this will start the process.

3. Place a fraud alert on your credit report

If, after checking your credit report, you do find that there is suspicious activity, make sure you have had a fraud alert placed on your report. This will be a boon to you, as any credit inquiries will see the fraud alert and recognize that any irregular credit activity, including falling credit scores, may not be your fault.

4. Contact the FTC

You’ll want to head over the IdentityTheft.gov, the FTC’s official website for reporting identity theft. The site will walk you through the process of explaining what happened, and include going through the recovery process. You can also call the FTC at 1-877-438-4338.

5. Obtain records of your checking and banking accounts

This may be time-consuming, but you’ll want to go back through your accounts to see if you can identify where the first hints of suspicious activity began.

6. Submit a report to the Social Security Administration

If your SSN has been stolen, this is an important step. By submitting a report here, or calling the SSA at 1-800-269-0271,  the SSA may be able to help track how your number is being used, and by whom. The organization may also allow you to apply for a new number if the damage is particularly extensive. Keep in mind: if you do get a new number, you will have to start building your credit history from scratch.

7. Contact your local police

This may seem like a strange step, but it’s a potential helpful option. At this point, your goal is to create a paper trail to prove that you were actively trying to solve the problem. This can go a long way to helping expedite the complaint and add proof to any courts or legal authorities that you need a new SSN or need assistance.

8. File a complaint with the FBI’s Internet Crime Complaint Center

As with contacting the local police, SSA, and FTC, filing a report with the FBI’s Internet Crime Complaint Center, this is all about creating a solid paper trail. This is a useful step if you’re fairly certain that your SSN was stolen via an online method, and not due to stolen physical documents. The FBI will likely forward this complaint to the FTC. However, if multiple complaints connect, it may otherwise help your case.

Social Security Card” by 401(K) 2012 licensed under CC BY-SA 2.0

Leave a Reply

Your email address will not be published. Required fields are marked *