Identity theft is a growing concern across the globe and threat actors have already turned their attention to children. A recent report shared that over 1 million children in the U.S. were victims of identity theft in 2017, costing families $540 million in out-of-pocket expenses.
The identities of children make attractive and high value targets for several reasons. Fraudsters know it is unlikely a child’s credit history has already been exploited. When a child’s identity is stolen early, the theft can continue undetected for years, making it profitable and relatively low risk for the fraudsters. Unfortunately, most people do not consider monitoring their children’s credit history, which makes them even more vulnerable over time.
Why it is possible to open credit accounts using minors’ identities
The Privacy Act of 1974 makes it illegal for banks and credit bureaus to access federally-maintained social security number databases, meaning that these organizations must find their own methods to verify identities. According to the Government Accountability Office (GAO), the most accurate way to do this would be to require the customer to sign a verification form sent to the Social Security Administration; however, this process can take up to a week. Banks are in the business of making money and a big part of that is working fast and making it easy for consumers to access credit.
Thinking like a criminal: Where to find the records of children
Knowing that children’s identities are a veritable treasure trove, fraudsters are turning to the dark web to buy and sell these records. In the example below, we’ll examine a database that the seller claims comes from pediatricians’ databases.
Other targets would be:
- Insurance companies
- Healthcare providers
- Mutual funds or 529 college savings plans
Smaller schools and pediatricians’ offices make an easy target because they often lack the knowledge, skills and budget to effectively protect against cyber threats.
Profiting from identity theft: An example
GroupSense researchers recently discovered a post by the threat actor Skyscraper2 offering a database of SSNDOB fullz, which come from pediatricians’ databases, for the bargain price of 22.31 euros – about US$25. “Fullz” is a dark web term for a full profile of an individual. The profiles include names, addresses, credentials and any other information that would assist any potential buyer in committing identity theft or fraud.
Figure 1: The post by Skyscraper2 claiming to have PII of children from pediatrician databases.
At this time, we have no way of confirming the quantity of records, but the name of the file (“NEW BATCH AUGUST 2019”) suggests this is not the only database collected and sold by this particular threat actor.
In this post, Skyscraper2 claims “the kids are born 2002+ and generally speaking come from good families that can provide medical support. You can’t get your SSNs fresher. They won’t be used for years to come. Perfect for CPN. No jobs or anything reported to them for many years.”
Figure 2: Berlusconi Market is currently unavailable, and the above threat can no longer be seen there. However, the actor is still active on Cryptonia Market and Empire Market. We don’t have a reason to believe the mentioned offer has expired.
Other exploits against children – check out this post about anti-vaxxers turning to the dark web for help in falsifying vaccination records.
Looking out for the children
Knowing about this disturbing trend, we can identify several groups who can take responsibility for doing something about it, including parents, businesses and lawmakers.
Parents should be aware their children may be targeted and subscribe to monitoring services so that they can be alerted to unauthorized activity on their children’s credit history. They might even consider placing a freeze on their child’s credit. Knowing the warning signs, as shown by the Federal Trade Commission, can also help parents spot a child’s personally identifiable information (PII) being misused.
Healthcare providers, insurance companies, schools, and any business collecting the private data of children need to be aware this data is a particularly high-value target and protect it accordingly. Creating policies and procedures to safely guard and transfer data, and then to destroy it when it is no longer needed, is a good start. All databases storing PII should be encrypted to prevent any easy access to the data.
Additionally, businesses such as these should consider a monitoring service to help identify when this information is breached so victims can be notified before their credit is damaged. Cyber risk insurance is also a good idea.
Lawmakers must get involved, simply because protecting the identities of children – and all consumers – is a tall order. Judging by the sheer volume of breaches, it is apparent current regulations and protections are not enough. Addressing this problem at the credit bureau and creditor level could go a long way to making it more difficult for threat actors to exploit identities. The real difficulty lies in finding a balance between the speed and efficiency of obtaining credit and using effective methods of verification.
Securing our children’s future
We live in a new era where protecting children extends far beyond providing food, clothing and shelter, and a series of conditions have made it far too easy for threat actors to exploit the identities of children. Because a stolen identity and damaged credit can have long-lasting implications, we must also ensure our children are kept safe from cyber threats like identity theft.
Awareness is not enough! It is clear that preventive action must be taken by parents, businesses, schools and lawmakers to better protect those who cannot protect themselves. Because the risk is low and the gains are high, fraudsters will continue to target this information, making it important for organizations to conduct external monitoring to quickly identify and contain breaches. Talk to GroupSense to find out how you can get ahead of this disturbing trend.
This post was contributed by Dimitur Elchinov and Viktor Banov of the GroupSense research team.