The University Record, November 12, 1997

Identity theft highlights need to protect SSN

By Theresa Hofer
Information Technology Division

When instructor Jose Benki's wallet was stolen from his gym locker two years ago, he quickly canceled his credit cards, filed a police report, and replaced his identification cards. He thought that was the end of the incident.

In reality, his troubles were only beginning.

"The guy got hold of my Social Security number from my insurance card," says Benki, "and was able to open up new charge accounts in my name. This happened at three or four stores before he was caught at a Sears two states away."

"I got bills in the mail for thousands of dollars worth of stuff. Clearing my credit took at least a year and a half and many, many hours of my time."

Identity theft occurs when someone obtains key pieces of personal information about another person and uses the information to impersonate the victim. The U.S. Public Interest Research Group (PIRG) in its September 1997 report "Identity Theft II: Return to the Consumer X Files" writes: "According to law enforcement agencies, the problem of identity theft has not improved in the last year, and is only getting worse. It is difficult to get a grasp on the actual number of identity theft cases reported to law enforcement because they do not track it as one category of crime and are not able to gather enough evidence in many cases to even pursue them." (The report is available on the Web at http://www.igc.apc. org/pirg/consumer/xfiles/index.htm.)

Many identity thieves use old-fashioned methods of gathering personal information, such as stealing wallets and purses, retrieving unshredded documents from the trash and swiping mail from unlocked mailboxes.

As electronic access to personal information has increased, however, so have the ways that unscrupulous individuals can steal that information and use it against you. Some send false messages on the Internet, posing as legitimate businesses, hoping to get you to enter a credit card number or other information in response to an "offer." Others break into computer databases or use "sniffer" programs to intercept data being sent over a network.

Once an identity thief has your Social Security number (SSN) and a few other pieces of information about you, he or she can open up new charge accounts, apply for loans, rent apartments, claim unemployment benefits and more-all under your name.

The widespread, yet unofficial, use of the SSN as a universal ID number adds to the problem. Only certain government agencies and those who interact with them-such as your employer, your financial institution, and your scholarship or financial aid provider-are required to have your SSN. Yet many other places ask for it as a primary or secondary means of authenticating your identity.

"Lots of people want to use your number," Benki says. "It's always a trade-off between how many hassles you're willing to put up with and how dangerous the loss of privacy is."

"Identity theft is very real," Benki says. "Take precautions with your Social Security number."

In 1996, in response to growing concern about the misuse of SSNs, the U-M instituted a policy that commits the University to moving away from the use of SSNs as identifiers and database keys. The policy, Section 601.14 in the Standard Practice Guide, states: "Systems purchased or developed by the University of Michigan will not use Social Security numbers as identifiers unless required by law or business necessity." It also requires that existing systems migrate from the use of SSNs by 2002.

"We know that the momentum to continue using SSNs is great, but every effort must be made to implement this important policy at the U-M," notes Virginia Rezmierski, assistant for policy studies in the Information Technology Division. For the full text of the policy, see the Standard Practice Guide online at http://www.umich.edu/~spgonlin/.


 

Preventing identity theft

What can you do to keep from becoming the next victim of identity theft? Here are some tips for protecting the privacy of both your Social Security number and those of the people your department serves: Everyone:

 

Do not carry your Social Security card with you. Do not print your SSN on your checks or your homework.

 

Shred documents with your SSN before discarding them.

 

If you are a faculty or staff member whose U-M ID card shows your SSN, go to Room 100, Student Activities Building and request a new card. (Student ID cards will continue to show the number until system conversions are completed in the year 2000.)

 

If a government agency asks for your SSN, ask why it is needed. The Privacy Act of 1974 requires any federal, state or local government agency to tell you if the number is required, what will be done with it, and what will happen if you refuse to provide it. If the number is required, do not say it aloud; write it down for the requester. If it is not required, ask if you can give an alternate number or other means of authenticating your identity.

 

If a business asks for your SSN, ask why it is needed and offer an alternative. If that is not accepted, ask to see the supervisor. Be willing to take your business elsewhere, if necessary. Department Administrators:

 

Review your department's operational procedures. Find ways to use names or secondary information other than SSNs for authenticating identities or locating records.

 

Identify and eliminate unnecessary visual displays of SSNs, such as on system screens, forms, lists and Web sites.

 

If you are buying or developing a new system, make sure that the system does not display SSNs on computer monitors, printed forms or other system output, unless required by law or business necessity.

 

Never ask a user to send an SSN across the network via an unencrypted connection. Install a Secure Socket Layer (SSL) or similar software.

 

Identify ways to convert or eliminate existing systems or databases that require the SSN for identification or as a database key. If it happens to you:

If you discover that your SSN or other key piece of identification has been stolen, immediately do the following:

 

Report the crime to the police and get a copy of your police report.

 

Cancel your credit cards and get replacement cards with new account numbers.

 

Cancel your checking and saving(s) accounts and obtain new ones.

 

Call the fraud units of the three major credit reporting companies&emdash;Experian, (800) 301-7195; Equifax, (800) 525-6285; and Trans Union, (800) 680-7289&emdash;and ask that your accounts be flagged. As of October 1997, federal law requires that victims of identity theft be given free annual credit reports so they can check for unusual or unauthorized activity.

For more information, see Fact Sheet 17a, "Identity Theft: What To Do If It Happens to You," published by the Privacy Rights Clearinghouse. You can obtain it on the Web at http://www.privacyrights.org/fs/fs17a.html or by calling (619) 298-3396.