Dec. 3, 2010 at 9:00 AM ET
What are the odds someone else has used your Social Security number? One in 7.
That's the stunning conclusion of a San Diego company's analysis of 290 million Social Security numbers, which found that 40 million of them have been attached to more than one name. The study, conducted by the fraud-fighting firm ID Analytics, is the first of its kind that's been made available to the public.
We first wrote about the problem of "SSN-only" identity theft five years ago, and estimated that millions of Americans were on the "secret list of identity theft victims" whose SSNs had been misappropriated by an imposter to obtain work or credit.
The IRS often knows when this happens, when the imposter pays taxes. The Social Security Administration knows, too, for the same reason. And the nation's credit bureaus usually know, because the imposter often ends up applying for some form of credit. Plenty of financial institutions also have access to this information.
But no one is telling you. In short, all these government agencies and financial firms don't think you have a right to know.
We're no closer to finding out who's on that list today, but at least we now know how big the problem is: much bigger than we originally estimated.
ID Analytics is a data collection firm that specializes in helping companies separate imposters from honest consumers. Its client list is long, and includes many major financial firms as well as the Social Security Administration. Over the past decade, it has amassed files on virtually every American who is active in the financial system. It now tracks 290 million Social Security numbers and nearly 300 million people.
Normally, the company receives credit applications from clients and checks them against its vast database, looking for signs of fraud. Criminals do crafty things like apply for a credit card at 10 different banks using SSNs that are only one digit away from each other. Or they use slightly different first names or street addresses in an attempt to evade a poor credit history or crime record. Because ID Analytics receives applications from multiple industries, it can spot these signs of fraud in ways that the individual companies cannot.
20 million use more than one SSN
One typical pattern: An imposter uses one name but alternate Social Security numbers in an attempt to circumvent the credit reporting system; ID Analytics is geared up to spot just that kind of evasion. It's a tough job, because the incidence of multiple numbers connected to the same name is enormous: Dr. Stephen Coggeshall, chief technology officer at the firm, said 20 million Americans have multiple SSNs associated with their names, or 6 percent of the total population.
That doesn't mean there are 20 million identity thieves out there, even though it might feel like that. In many cases, typos are the culprit, Coggeshall said. Any time a consumer gives an SSN to a company, there's a chance it will be incorrectly entered into its system, and the error will then propagate throughout the credit system. Once that happens, SSN No. 2 is forever connected to the rightful holder of SSN No. 1. The incorrect SSN might belong to a real person, which can cause a headache for both people, or it might be "synthetic" -- an unassigned number that becomes a new entity in the credit system. No one knows how many of these synthetic “people” exist in our credit system, but there are likely millions of them.
It's relatively easy to spot innocent mistakes, Coggeshall said, because the number is used only once in connection with the name. It's easy to spot fraud, too -- any time a person shows up in the system using SSN No. 2, or No. 3, or No. 4, over and over again. Deliberate fraud is responsible for less than half of the 20 million names attached to multiple SSNs, but it is still a large percentage.
"A good fraction of that group, maybe 15 to 20 percent, of these mistakes are deliberate," Coggeshall said. "There are systematic variations, deliberate manipulations. ... I see many people who have a lot of Socials (SSNs)."
How many? ID Analytics says it has 3 million to 4 million names that have been used to commit identity fraud.
That's an astonishing number, but it pales in comparison to the next figure.
Five million SSNs attached to three or more people
Recently, Coggeshall decided to reverse his research. Instead of looking for people connected to multiple SSNs, which is most useful for businesses, he looked at SSNs that are connected to multiple people, much more interesting to consumers. In other words, how many people in the U.S. are essentially sharing their identities with someone else?
The answer: 40 million. That means nearly one in 7 SSN holders in the U.S. have two or more names attached to their SSN records.
Please note, this is not an estimate conjured up from a sample. This is ID Analytics looking at its own data, picking out SSNs that have more than one name attached and building its own list. We now know: The secret list of ID theft victims has 40 million people on it.
Coggeshall said it's important to note that not every one of those consumers is hit with fraud. Many are on the list because of typographical errors. For example, if a company incorrectly enters an SSN and the number accidentally belongs to someone else, as explained above, the rightful holder of SSN No. 2 would end up on this list. Coggeshall said he believes many of the 40 million are on the list as the result of such mistakes.
But millions of those SSNs are being used to commit fraud. Some cases are obvious. More than 140,000 SSNs are associated with five or more people, and 27,000 are connected to 10 or more people, for example.
"Once an SSN is connected to even three people, it's pretty clear something is wrong," he said. The firm found that 5 million SSNs have been connected to three or more people.
In addition to criminals committing financial fraud, there's a more controversial reason that some consumers end up on this list: They are essentially sharing identities with undocumented workers who buy or borrow an SSN in order to fill out necessary paperwork to obtain employment.
The number of illegal immigrants using Americans' SSNs to obtain work is unknown, but a series of studies provides some hints.
The Pew Hispanic Center estimates that there are about 12 million unauthorized immigrants in the United States. Those who are working are required to give a SSN to their employer. In 2007, the IRS said it believes 6 million undocumented workers paid federal taxes. And every year, according to the Social Security Administration, nearly 10 million workers pay taxes using the wrong SSN, ending up in what the agency calls a "no-match" situation.
Again, no study has been conducted to identify precisely how many of those can be attributed to mistakes and how many to undocumented immigrants. In 2006, the Social Security Administration sampled its records and determined that 12.7 million out of 17.8 million discrepancies were caused by clerical errors. On the other hand, an earlier study by congressional investigators found the majority of filers on the no-match list worked in industries like restaurants and agriculture, where the presence of undocumented workers is high.
Workers who pay taxes using the wrong Social Security number are a boon to government tax revenues. Social Security taxes paid in such situations don't earn proper "wage credits," because the agency doesn't know whom to give credit to. The funds are tracked in what's called the Earnings Suspense File, which has shown explosive growth this decade. From 1932-1999, the fund accumulated $300 billion. By 2005, the most recent data available, the file accounted for nearly $585 billion in uncredited wage credits, ultimately adding roughly $40 billion to the U.S. Treasury during that six-year span.
The issue of "shared identities" is among the forgotten elements of the immigration debate, but it rears its head once in a while. Recently, two U.S. courts ruled that using someone else's SSN is not an identity theft crime, drawing widespread criticism.
SSN is not a secret
Viewed purely as an identity management problem, Coggeshall said his study produced one clear result: "The Social Security number is not a secret," he said. "It was never intended to be a secret. In today's world, it is used incorrectly. A lot of businesses have the assumption it's a number known only to you. That's not the case."
Unfortunately, the actual list of victims remains a secret, for now. ID Analytics has contracts with its data providers that forbid it from sharing the information with the public.
"The way we've been able to get visibility into the data … is by assuring companies we will not release this data," Coggeshall said.
The firm has presented some of its findings, including the location of fraud rings, to law enforcement and "that information was well received." But generally the company does not work with law enforcement on specific cases.
"ID Analytics provides a service to our customers and only they can determine whether or not to pursue law enforcement actions," Coggeshall said.
The firm does offer a Web-based tool that allows consumers to get a sense of their risk, called MyIDScore.com, but that only generates a score based on a 1-1,000 scale suggesting the likelihood that someone else might be using your SSN or other elements of your identity. The tool is free, and consumers can check their score without supplying their SSN, but the website includes advertising for paid identity theft protection services.
Further, even if there's a second SSN connected to your name, your score might not be high -- if ID Analytics believes that incident is an accident, as opposed to a malicious data theft.
And if your score is high? The tool points you to the nonprofit Identity Theft Resource Center and the Federal Trade Commission. Neither of those agencies can tell you if someone else has your SSN either. But they can help you clean up an identity theft mess after the fact.
Consumers who obtain their credit report hoping to see if anyone else might be using their SSN are often disappointed; records of such imposters are often kept on separate reports, sometimes called sub-files, which cannot be view by the rightful holder of the SSN.
Annual Social Security wage earnings statements also don't include the data, because wages earned by workers using their SSNs go into that Earnings Suspense File and don't show up on the report.
The most recent systematic effort to deal with the problem occurred in 2007, but it didn't involve victims. Instead, the Social Security Administration announced it was sending a round of so-called "no-match" letters to businesses with employees whose names and SSNs didn't match on their employment verification forms. Simultaneously, the Department of Homeland Security said it would crack down on companies that didn't respond to the letters. Citing widespread inaccuracy of the data, immigration rights groups sued and managed to stop the process.
Credit bureau Experian, when asked about the report, said that it believes most errors surrounding SSNs involve honest mistakes.
"Social Security numbers can be associated with multiple individuals, and that individuals can have multiple SSNs associated with them. The majority of these conditions are associated with data entry errors during a creditor's reporting process to a credit reporting agency like Experian, or joint account activity related to family members or legitimate associations," said spokeswoman Susan Henson. "Only a small percentage of these conditions are related to malicious intent, and Experian's fraud prevention tools detect and compensate for the majority of these cases."
Credit bureau Equifax declined to comment, and Trans Union did not immediately respond to requests for comment.
Coggeshall said he believes consumers should have the right to know more about what has been called the "secret life" of their SSN, and the recent court cases that seemed to downplay risk of SSN-only ID theft concern him.
"Certainly you are causing harm" to the victim, he said. Even if the number is used only for employment purposes, eventually it "gets around," he said.
But solutions to the problem are hard to come by. One agency he doesn't blame: The Social Security Administration.
"Certainly, they know there are problems. They are the first to understand this," he said. "It's not a problem of them issuing numbers. They were never intended to be a unique identifier ... but in the past few decades, businesses have used it because it's easy."