Stealing Social Security Numbers is not identity theft?

The Colorado Supreme Court handed down a decision recently that could embolden online criminals who are out to steal your Social Security Number for purposes of identity theft and fraud. Michael Kassner looks at the repercussions for your online safety.

The Colorado Supreme Court reversed Montes-Rodriguez v. People, a criminal impersonation conviction pegged to a stolen Social Security Number (SSN). The court decided 4-3 that using a stolen SSN did not automatically constitute criminal impersonation. Seem odd? Let's reserve judgment until we know more about the case....

Initial conviction

Let the court record speak for itself:

"Montes-Rodriguez was convicted of criminal impersonation based on his use of a false social security number on an application for an automobile loan. Montes-Rodriguez admitted to using the false social security number.

However, he contested the criminal impersonation charge. He argued that he did not assume a false identity or capacity under the statute because he applied for the loan using his proper name, birth date, address, and other identifying information. The trial court denied his motion for a judgment of acquittal, and the jury returned a guilty verdict."

Case overturned

Montes-Rodriguez appealed the conviction. Denied on appeal, the initial verdict held until it was reviewed by the Colorado Supreme Court, where it was reversed. Let's look at what the judges had to say. First, the jurists defined criminal impersonation:

"A person commits criminal impersonation if he knowingly assumes a false or fictitious identity or capacity, and in such identity or capacity."

Next, the Colorado Supreme Court decided the lower courts were not applying certain statutes correctly, specifically the concepts of false capacity and false identity. As they had with criminal impersonation, the justices defined false capacity and false identity in their decision (Section IV), after which the majority denied People's claim of false capacity:

"The record does not support the majority of the court of appeals' conclusion that Montes-Rodriguez assumed a false capacity to receive a loan because he impliedly asserted his ability to work in this country legally. The prosecution did not present any evidence concerning a person's ability to work legally in this country or whether one must have a social security number to do so."

And People's claim of false identity:

"We conclude that Montes-Rodriguez did not assume a false identity. The evidence failed to show that Montes-Rodriguez assumed either a false identity or capacity in violation of the elements of the criminal impersonation statute."

The court reasoned Montes-Rodriguez used his own address, birth date, and place of employment on the car loan application, so the fact a stolen SSN was used did not establish false capacity or false identity.

What this means

You may ask what this has to do with IT Security. Well, due to current economic conditions, phishing for SSNs via email or malicious web sites has been on the uptick. Rulings like the one from the Colorado Supreme Court could embolden bad guys.

How important is this?

Key to the kingdom

Mari Frank, an attorney and a victim of identity theft, has been an outspoken advocate for identity-theft prevention. Her latest book, The Complete Idiot's Guide to Recovering from Identity Theft, explains why identity theft is a big deal. Ms. Frank also provides advice on how to recover from an identity theft and prevent it from occurring again.

In the book, Ms. Frank refers to the SSN as the key to the kingdom. That's because, once criminals are in possession of SSNs, they can wreak all sorts of havoc.

Precautions

First and foremost, trying to restore an identity is a nightmare. So, learn how to keep your identity and finances safe. Researching online is one method. Books like the one written by Ms. Frank are another.

If you take my suggestion about research, consider seriously the recommendation about joining a Credit-Reporting Agency (CRA). I belong to Equifax. It costs me less than $100 US per year. Doing so allows me to be proactive about managing my credit, to keep in touch with credit checks, and to gain peace of mind.

If you join a CRA, Ms. Frank and other experts suggest using the extended-fraud alert feature. If this is in place, credit cannot be issued without your permission. Another option is called the security freeze. It prevents any creditor, real or criminal, from receiving your credit report. Either way, a fraudster is prevented from automatically opening a new account using your credentials.

Not just your credit report

The fact that we require everyone to have a SSN is a boon to criminals, since the SSN remains dormant until the recipient is 18 years old. Think about that for a second. Those SSNs could be misused for many years before any kind of alarm is raised.

I have some personal experience with this. A good friend's son tried to obtain a car loan on his twentieth birthday. Every finance company denied the loan, even though he had impeccable credit. It seems other people were fraudulently using the same SSN.

Needless to say, learning others were using his son's SSN was completely unsettling to my friend and, frankly, to me as well. After reading Ms. Frank's book, I guess it should not have been. That's why her suggesting all family members have an account with one of the CRAs makes sense. Bottom line, it's the only way to track credit activity regardless of the account's status.

Final thoughts

During these tough times, keeping your hard-earned reputation and identity safe (i.e., money) is paramount. It's also important to know if it's being threatened so you can take appropriate action. Right now, it's easier than ever for bad guys to steal it. Don't let them.

273 comments
johnlandry

I do not know where we can categorize it, but for sure it is not identity theft.

Michael Kassner

I read the report linked below. Here is a quote from the report: "Agency staff provided seven examples of incidents where malware was installed on Agency computers, and no software waiver was submitted. Of these seven incidents, SSA determined that, in five cases, the installed software contained keyloggers, and in two instances, the software contained Trojan horses. These vulnerabilities were caused by the installation of non-standard software on workstations." http://www.ssa.gov/oig/ADOBEPDF/A-14-10-21082.pdf

chrisl317

I think we should stop hiring senile old bastards with one foot in the grave to adjudicate decisions like this for the rest of their natural life. I have been a victim twice because my employer required us to wear name tags with our full name emblazoned on them. Why didn't this guy use his own S.S.# if he could legally work in the U.S.? What was he hiding?

Dr_Zinj

A social security number is a unique identification of a person who is entitled to benefits associated with that number, as well as deposits to that account. While it is not a sole means of identification, it most certainly is a de facto means of identification. Names are changed on a daily basis. It practically takes an act of Congress to change an SSN. The IRS has a legal requirement to your SSN because they are the collection agency for your contributions. Now Montes-Rodriguez used a SSN belonging to Ms C.F. for an auto loan. When C.F. learned that Montes-Rodriguez had used her social security number, she alerted police. C.F. would never have done so had there not been a confusion of identity due to the fraudulent use of her SSN. Furthermore, use of C.F.'s SSN could (and may have) adversely affected her credit rating. AND there have been instances where loans were obtained by fraudulent use of an SSN (e.g. credit cards), under other than the SSN holder's name; where the SSN-holder was held responsible for the value of the loans. I deal with resolving personal record duplications on a daily basis. There are frequently instances where an SSN is the only recorded difference between two different individuals. And constant instances where a false SSN is given, but totally different names the same as this case. They use the SSN for Medicare and Medicaid funding for healthcare; defrauding the government AND screwing up the victim's finances. Frankly, those 4 judges need to have all their finances seized by the government, all their loans foreclosed on, and never be permitted to have a bank account, a loan, a credit card or receive payment for anything for the rest of their natural lives. Not identity theft my ass!

kcombs

I think it should be illegal for CRA's to use SSN's. Medical insurances can no longer use it because of "privacy" issue. (HIPAA) I can't help but wonder what would happen if you published your SSN. If everyone had it, it could not be used to ID you.

8string

This is a great action item for all of us that spend time posting on places like this. Call or email your legislator and ask that they take this law and modify it to make this kind of action illegal. The courts can't put someone away when the law isn't crystal clear.

JCitizen

as it seems the government is the worst offender in security practices in all cases. DOD thinks it has a handle on it, but they are still amateurs in comparison to the typical savvy civilian!

deepsand

I think that we need to have those not sufficiently well versed in the Law stop pontificating. Issues re. privacy are irrelevant & immaterial to the issue of Identity Theft.

kirk_augustin

Does not matter why he wanted to not use his real social security number. He has a right to privacy, and no one can require him to divulge his social security number except for social security purposes. If your employer required you to put your social security number on your employee badge, he was breaking the law.

deepsand

The defendant did not impersonate another. As for creditors relying on an SSN as an identifier, blame for any resulting harm rests squarely with them.

kirk_augustin

It is simply illegal to use or require a SSN as an ID. Anyone doing that is breaking the law. And your use of SSN for identity resolution is silly because there is often more than one person with the same SSN. They try to make them unique, but have never succeeded, and it makes no difference.

JCitizen

More likely it was incompetence on the District Attorney's charging of the culprit, and his weak arguments to the court. If you had been the one presenting the State's case, the judge may have found for the State's side in the argument. Judges are only required to assess the information and arguments on a case-by-case basis. They can look at previous court history, but the biggest factor is the evidence and argument presented by the two sides in the matter. They are not obligated to consider anything outside of that fact. If the DA does a crappy job and he loses, that is not always the judge's fault.

tracy.walters

...how anyone, especially a Judge in a Court of Law could say this does not constitute Identity Theft is absolutely beyond belief. They need to go back to law school, and people need to step back and look at this situation from a reality-check point of view. This guy may have given some valid information, but he clearly stole and used the SSN of another person to cause confusion to the people loaning the money, hoping the confusion would be enough to just let the loan go through based on a 'No Credit' situation. C'mon folks...this was Fraud, pure and simple.

deepsand

That practice does in fact continue. Despite the fact that very few entities are legally allowed to require an SSN, very many do so.

JCitizen

smart enough to press the charges. Hopefully you don't have to be a Federal Prosecutor to level these kinds of charges. I really don't know the rules on that.

deepsand

Not only is there no need for new Law, such should hardly be expected to be of any great impact, given that States and businesses don't obey existing Law.

kirk_augustin

No, it can never be legal for anyone to use a SSN as an ID. Nor can anyone ever be required to have a SSN. A SSN is merely a convenience that we can use if we want. The right to work is paramount and constitutionally guaranteed. You don't have to hire people who do not want a SSN, but you can't make them get one and you can't prevent them from earning money. Nor are SSNs even all unique. That often are duplicates. We need less legislation, not more.

Turd Furgeson

I think the option of life in prison would be appropriate for some identity theft cases

JCitizen

They probably think I'm a certified nut; I call them so much! Thank God for Skype, or my phone bill would kill me! HA!

kirk_augustin

Fraud is when you illegally deprive someone of their property. A SSN is not property, has no value, and she was not deprived of it. In fact, she may have gained from it by having more contributions towards her own SS retirement account. So in no way is someone using the SSN of another, fraud.

Michael Kassner

That was certainly an interesting article. What did you think about this quote: "When that happens, no one gets credit for the taxes paid by the worker. The money simply ends up in the U.S. Treasury. Since 1983, more than $500 billion in uncredited Social Security wages have been earned by so-called "no match" employees like Rodriguez. That hidden financial benefit for the government is one reason, Holli suspects, that agencies don't act more quickly on reports of SSN-only identity theft."

deepsand

Even they are in relatively small numbers.

Michael Kassner

Do you feel this is not a crime or did the law enforcement branch mess up?

deepsand

To the contrary, it is those here who are not well versed in the Law who need to stop playing Judge. Fact: Fraud and Identity Theft are two quite different things. Fact: Fraud requires, among other things, that a loss actually have occurred. Here, no loss occurred. Fact: Creditors are not allowed to use SSN as a means of identification. Fact: The defendant did not impersonate another.

NickNielsen

He used an SSN that was not his. Definitely fraud. Identity theft? Completely different animal under the law. Rodriguez used his own name, his own address, and his own place of work. The only thing on the application that wasn't his was the SSN. He never attempted to pass himself off as anybody other than himself. Whose identity did he steal?

NickNielsen

"Nor are SSNs even all unique. That often are duplicates" The SSN is unique and is not duplicated. From http://www.socialsecurity.gov/employer/ssnvshandbk/glossary.htm: SSN - Social Security Number; a *unique* nine (9)-digit number assigned by SSA to identify an individual when reporting wages, paying taxes and collecting benefits. (my emphasis) Nor does the Social Security Administration reuse or reissue SSNs. http://www.ssa.gov/history/hfaq.html - Q20 If you are seeing duplicate SSNs and not reporting them, you are abetting a crime and therefore a criminal yourself. edit: fix links

JCitizen

in many areas of the US do not use SS as a security blanket, they opted out and used their own private financial instruments. My aunt is way ahead of the curve because of this. Even when the economy takes a nose dive, these instruments do not necessarily go down hill with the economy. A properly managed one, will invest in FDIC insured mutual funds, treasury bonds, etc. for safer results in the end. Had her parents never listed her with SS when she turned of age, she wouldn't have even noticed!

kirk_augustin

Except that the use of a SSN is not identity theft, and never can be. The SSN not only can't be used for identity, but is not even necessarily unique.

wayoutinva

Whichever party is in power they will suddenly "find" this money and save SS from going broke just in time for elections... that's my prediction

Neon Samurai

I find myself using counts a little. It's more about recognizing that the number has changed rather than remembering what it was previously. My big one has been history. If new "update" lines appear that are not grayed down as "visited links" by the browser then they must be new posts. If you clear browser data, this doesn't work so it's a "for use during same session" thing. It struck me a few weeks back; I have a pretty good idea of what time I last scanned the updates. Heck, make it a time since updated; if it's been five minutes and the update line says "updated 2 minutes ago" then it's new. A $H:$M or "$M last updated" would be easy to include into the scripting.

NickNielsen

"I'd also like to see times on the updates. They currently show dates which lets me see what today's updates are. I'd love to see time added to that." I find myself trying to remember the number of posts the last time I checked for updates. A time would work much better for this purpose.

Neon Samurai

I regularly hit the 404 error and seem to lose my updates at least twice a week. The 404 is obvious; lot new page, reload page, page load during comment post and get a "not found" error. The missing updates is more of a pain since it's a primary way of tracking discussions. I may get one or two information rows in the updates display but it ends abruptly; normally midway through a line. It looks like an html error that stops the rest of the updates block from rendering. I'd also like to see times on the updates. They currently show dates which lets me see what today's updates are. I'd love to see time added to that. I know when I last scanned for updates; let me easily identify which updates came in since my last check-in.

AnsuGisalas

One is the 404. In the other, I can't see my Updates, except for the "1 has added you to McNarlgminc's Contacts" type of messages...

NickNielsen

IIRC, a couple of years ago they determined it was most likely related to network latency between servers and storage. When I refresh my Workspace, I almost always get the 404 the first time. If I let the page render, then refresh again, it will usually come up right.

AnsuGisalas

would one develop such cool? BTW: methinks the workspace 404 problem is a cookie thing.

deepsand

Didn't know Fonzie was from the Pensacola area.

AnsuGisalas

Savvy Sevillean? Coz that's out there... But last I checked, the Fonze wasn't in fatigues.

JCitizen

I'm actually an incurable optimist! :D

NickNielsen

Oxymoron. Military intelligence is more likely to exist. :p

deepsand

While it is clearly not a case of ID Theft, the mis-use of the SSN may or may not have been a criminal act, depending on the intent and the various applicable laws.

santeewelding

Usually demands but little in the way of case-building. But, slam someone, and you better have your goddamned ducks in a righteous row. Particularly in terms of criminal prosecution. Goes the same for a TR thread, far as I am concerned. Thank you, Deepsand, for your acumen.

deepsand

only if the length of the SSN is never expanded.

NickNielsen

The last four. Those numbers are issued in sequence. When they reach 9999, they go back to 0001. I don't think they use 0000. But I think they take steps to ensure that a certain set of area and group numbers is never assigned to the same sequence number twice. My sons got theirs at the same time and have the same first 5 digits, but the last four are different.

Neon Samurai

I'd only ever heard that SSNs were unique within the issuing state and that they would duplicate between states and duplicate, to a far lesser degree, within states due to recycling. Very interesting if they are nationally unique and never recycled.

kirk_augustin

It has never been legal to use a SSN as an ID, and never will be. The law has always been perfectly clear on that.

hground

From my memory of stuff I heard recently. There are 2 different issues with SS. 1) There is definitely enough money to pay benefits into the near future in the SS account, so it is not insolvent. HOWEVER: 2) The amount of money being paid into SS by taxpayers has already or by next year will reach the crossover point where more money is being paid out in benefits than is being received from taxpayers. Obviously this means that at some point in the future the reserves will be depleted and benefits will have to be cut to match what is coming in, or perhaps SS taxes will have to be raised. Since the large "Baby-Boomer" generation is now reaching retirement age and will start drawing SS - it may be "bankrupt" sooner than later. Hope that helps.

Michael Kassner

One day, I hear that SS is in deep trouble. The next day some other expert points out that SS is totally solvent. Not sure what to believe.