The Colorado Supreme Court handed down a decision recently that could embolden online criminals who are out to steal your Social Security Number for purposes of identity theft and fraud. Michael Kassner looks at the repercussions for your online safety.
The Colorado Supreme Court reversed Montes-Rodriguez v. People, a criminal impersonation conviction pegged to a stolen Social Security Number (SSN). The court decided 4-3 that using a stolen SSN did not automatically constitute criminal impersonation. Seem odd? Let's reserve judgment until we know more about the case....
Let the court record speak for itself:
"Montes-Rodriguez was convicted of criminal impersonation based on his use of a false social security number on an application for an automobile loan. Montes-Rodriguez admitted to using the false social security number.
However, he contested the criminal impersonation charge. He argued that he did not assume a false identity or capacity under the statute because he applied for the loan using his proper name, birth date, address, and other identifying information. The trial court denied his motion for a judgment of acquittal, and the jury returned a guilty verdict.'
Montes-Rodriguez appealed the conviction. Denied on appeal, the initial verdict held until it was reviewed by the Colorado Supreme Court. Where it was reversed. Let's look at what the judges had to say. First, the jurists defined criminal impersonation:
"A person commits criminal impersonation if he knowingly assumes a false or fictitious identity or capacity, and in such identity or capacity."
Next, the Colorado Supreme Court decided the lower courts were not applying certain statutes correctly; specifically, the concept of false capacity and false identity. Like criminal impersonation, they proceeded to define false capacity and identity in their decision (Section IV). After which, the majority denied People's claim of false capacity:
"The record does not support the majority of the court of appeals' conclusion that Montes-Rodriguez assumed a false capacity to receive a loan because he impliedly asserted his ability to work in this country legally. The prosecution did not present any evidence concerning a person's ability to work legally in this country or whether one must have a social security number to do so."
And People's claim of false identity:
"We conclude that Montes-Rodriguez did not assume a false identity. The evidence failed to show that Montes-Rodriguez assumed either a false identity or capacity in violation of the elements of the criminal impersonation statute."
The court reasoned Montes-Rodriguez used his own address, birth date, and place of employment on the car loan application, so the fact a stolen SSN was used did not establish false capacity or false identity.
What this means
You may ask what this has to do with IT Security. Well, due to current economic conditions, phishing for SSNs via email or malicious web sites has been on the uptick. Rulings like the one from the Colorado Supreme Court could embolden bad guys.
How important is this?
Key to the kingdom
Mari Frank, a victim of identity theft and attorney has been an outspoken advocate for identity-theft prevention. Her latest book, The Complete Idiot's Guide to Recovering from Identity Theft, explains why identity theft is a big deal. Ms. Frank also provides advice on how to recover from an identity theft and prevent it from occurring again.
In the book, Ms. Frank refers to the SSN as the key to the kingdom. That's because, once criminals are in possession of SSNs, they can wreak all sorts of havoc.
First and foremost, trying to restore an identity is a nightmare. So, learn how to keep your identity and finances safe. Researching online is one method. Books like the one written by Ms. Frank are another.
If you take my suggestion about research, consider seriously the recommendation about joining a Credit-Reporting Agency (CRA). I belong to Equifax. It costs me less than $100 US per year. Doing so, allows me to be proactive about managing my credit, to keep in touch with credit checks, and to gain peace of mind.
If you join a CRA, Ms. Frank and other experts suggest using the extended-fraud alert feature. If this is in place, credit cannot be issued without your permission. Another option is called the security freeze. It prevents any creditor, real or criminal, from receiving your credit report. Either way, a fraudster is prevented from automatically opening a new account using your credentials.
Not just your credit report
The fact that we require everyone to have a SSN is a boon to criminals, since the SSN remains dormant until the recipient is 18 years old. Think about that for a second. Those SSNs could be misused for many years before any kind of alarm is raised.
I have some personal experience with this. A good friend's son on his twentieth birthday tried to obtain a car loan. Every finance company denied the loan. This is regardless of the fact that he had impeccable credit. It seems other people were fraudulently using the same SSN.
Needless to say, learning others were using his son's SSN was completely unsettling to my friend and, frankly, to me as well. After reading Ms. Frank's book, I guess it should not have been. That's why her suggesting all family members have an account with one of the CRAs makes sense. Bottom line, it's the only way to track credit activity regardless of the account's status.
During these tough times, keeping your hard-earned reputation and identity safe (i.e., money) is paramount. It's also important to know if it's being threatened so you can take appropriate action. Right now, it's easier than ever for bad guys to steal it. Don't let them.