What’s it like to share your SSN with 50 people? Follow a victim’s struggle
By Bob Sullivan
Jonathan Barnett is also Jose Cruz. And Jesus Ramirez. And Pilar Terrones, Pilar Sanchez, Esmeralda Gonzalez and dozens of other people, at least according to the nation’s identity system.
Barnett unintentionally shares his Social Security number with all those people – and probably many more – yet his credit report and Social Security earnings records are completely clean. That seeming contradiction is a big part of his harrowing identity nightmare.
Barnett’s predilection for assiduous recordkeeping offers a rare glimpse into the deeply flawed identity system used by the nation’s creditors and employers. It relies on the secrecy of SSNs. But Barnett’s number is hardly a secret; it’s the fraud connected to his identity that remains off limits, even to the victim.
“It’s like I have a ghost out there,” he said. “Lots of ghosts.”
The canary in Barnett’s identity coal mine was an innocent-looking email from Wells Fargo Bank. It arrived in August, soon after he opened an account there, offering savings tips.
But the email was addressed to someone named “Pilar Sanchez.”
Then he received another, and another – all sent from Wells Fargo to his email account, but addressed to Sanchez.
Barnett, a 27-year-old who lives and works near Austin, Texas, called the bank. An operator told him it was probably a simple error, perhaps a typo, and that he shouldn’t worry. But he knew better.
For years, Barnett had a sense something might be wrong with his identity records. But each time he obtained his credit report or his Social Security statement, his identity was “clean.” This time, however, he was determined to get to the bottom of the problem.
He started doing research and found out, through various news stories, that a certain kind of identity theft can allow imposters to “share” victims’ SSNs without blemishing their credit reports. So he became more assertive with creditors and changed the way he quizzed them.
“I started calling and asking if they had any accounts under my Social Security Number, without giving my name,” he said. “And if the person I got wouldn’t do it, I just called back and tried again.”
Using this method, he got “hits” – confirmation of multiple accounts under a single SSN — from his own creditors. Credit accounts at Lowe’s and Home Depot were among the first he discovered. Emboldened, he began cold-calling every major creditor — cell phone issuers like Verizon, banks like Bank of America — and asking about his SSN.
He discovered his identity was being used at nearly every creditor he could think of.
“The approach I took was just calling up and saying I had an account and asking them to look it up, because if I didn’t say that, they wouldn’t help me at all. … I just started calling random companies, and my SSN seemed like it was everywhere,” he said. It was if he could throw a dart at any U.S. company, and he’d find his SSN at use there. “It was pretty awful.”
Worse yet, none of these creditors would give him any details about the accounts — ironically citing privacy concerns. He knew his SSN was being used, but he didn’t know by whom, when the account was opened or if it was active. So he switched strategies again.
“I’d give them my SSN only, and then just wait, and they might say, ‘OK, you are Jose Cruz?’ And I’d write that down. Or they’d say, ‘You’re in California?’ And I’d write that down,” he said.
Using this investigative technique, he started to build a vague picture of what was happening, but there were many, many blanks to fill in.
“What shocks me is the unwillingness to cooperate with victim,” he said. “It’s baffling that I’ve never know about it until now.”
Barnett had already done all the basics, such as placing fraud alerts on his credit reports and checking his annual Social Security earnings statement. Again, zilch. So he started making phone calls. He called the FBI, which told him to file a report with his local police department. He called the Treasury Department’s inspector general. He called the Office of the Comptroller of the Currency, which told him to file a report online. He filed something at the Internet Computer Crime Complaint Center, but was told not much could be done because the imposters were not using his name.
He had his first real “hit” when talking to his credit union, which was forthcoming about results it found looking up his SSN on a system that tracks individuals who attempt to pass bad checks.
“They were more than happy to talk with me about … what they thought was going on,” he said.
Undocumented workers need to provide Social Security numbers when they begin a new job. Often, they provide stolen or invented SSNs. Because employers often don’t check the accuracy of the numbers, the technique is effective. When a particular SSN is used successfully in obtaining work permission, it is often shared with others. Some who use the SSN at work go on to use it for obtaining credit cards, loans, government benefits and so on. If imposters use their own names — or invented names — on those applications, none of the usual identity theft protections will be triggered, and the rogue accounts are not reported on the standard consumer credit report. Instead, the credit bureaus create what are sometimes called “sub-files” to indicate that multiple identities are associated with that SSN. Consumers are generally only able to obtain information about their own sub-file, attributed to their correct name.
It’s unclear how common sub-files are, but identity protection service ID Analytics provided insight into this critical question last year. After studying more than a billion applications for credit, it revealed that 40 million SSNs have multiple names connected to them. While many of these can be attributed to innocent typographical errors or legitimate name changes, others indicate fraud. About 2 million U.S. adults have three or more SSNs associated with their names, said Stephen Coggeshall, head of research at ID Analytics.
How many Jonathon Barnetts are out there? It’s not as rare as you might expect. More than 140,000 SSNs are associated with five or more people, and 27,000 are connected to 10 or more people, according to ID Analytics.
Despite widespread acknowledgment of the problem, Barnett has spent the past four months running into one wall after another when trying to get details about how his identity was compromised and the status of those fraudulent accounts.
“When I call, the data in their records is obviously false. Anyone can see it. I can tell by the tone in the (operator’s) voices that they want to tell me more, but they are hesitant because they’d been instructed not to,” he said. “I found that when I called the California state tax office. I asked them, and the woman told me, ‘Yes, it was very common.’ So common they just issued a different number (to the imposter). I was told not to worry about it if I hadn’t received a letter from them. That just worries me more.”
Barnett later turned to a company named Identity Guard and paid to get a report detailing potential compromises. For the first time he got a sense of the depth of his problems.
Nearly 50 names were connected to his SSN.
“I really gulped when I saw that list,” he said.
Identity Guard says it uses data from a long list of providers to create a database that goes far beyond what consumers get when they obtain a credit report. Public records, such as dog licenses or legal filings, billing applications and payday loans are also included in its database. The firm declined to provide additional detail during an interview.
“If I had to take a guess, I’d say most of this is employment fraud,” said Tim Rohrbaugh, vice president of information security at Intersections Inc., which operates Identity Guard. “If you look at the surnames, that’s what would appear to me.” Because the SSN is not used for financial identity theft, such as opening a credit card and not paying the bill, the compromise often isn’t discovered for years, he said.
The credit industry sometimes refers to this as creation of a “synthetic identity,” because the SSN and name combination don’t actually represent a real person, but merely an entry in a database.
“It stays at a low level so, so the SSN is usable over and over to get a job, or to open utilities. … But it can be just as damaging as credit-based stuff,” Rohrbaugh said.
As Barnett worked his way through the Identity Guard “hit list,” the news got progressively worse.
In September, he found two active bank accounts at Chase; both have been closed by the bank. He found three active AT&T accounts, since closed, and a fourth attempt to open an account. In October, he found a Capital One checking account, an attempted account opening at Bank of America and a federal tax return filed in February using his SSN.
Perhaps most unnerving of all, he found a Verizon account closed back in 2002. He has no idea when it was opened. The discovery means the secret life of his SSN has a long history.
He then recalled an incident when he was in college in 2004, when Bank of America sent him a debit card with someone else’s picture on it.
“They told me it was just a mistake. I was naive about it at the time,” he said.
Two weeks ago, Barnett contacted msnbc.com and asked for help. At msnbc.com’s request, ID Analytics ran his information through its database and found 17 active users of his SSN. Again, because of privacy rules, ID Analytics cannot share the information directly with the victim. But the company shared it with the nonprofit Identity Theft Resource Center, which maintains confidentiality agreements with the credit industry. That agency is now calling special contacts within fraud departments at the various creditors and helping close the offending accounts.
The nonprofit agency confirmed it is working to help Barnett, but said it was unable to divulge details about his imposters. Karen Barney, program director at the Identity Theft Resource Center, did say the agency has since found abuse of Barnett’s SSN dating back as far as 1995.
Barnett feels like he’s finally getting on top of some of the identity abuse he’s discovered. This week, he also heard from his local police department, which said officers had passed along two potential suspects’ names he’d discovered to local police in other jurisdictions. Such leads are precious — he wants identity criminals to be prosecuted so they won’t continue to abuse his SSN, and so he might ultimately get to the bottom of the problem.
But it’s just a start.
“I could do a lot more if I had names and addresses of all the imposters,” he said. “I feel a little conflicted. I feel good now that I am finding places that can verify the information is stolen. It’s still disconcerting — not only the ID theft, but I’m still hitting walls with companies that have the information.”
Want to share your story as an ID Theft victim? Leave it in comments below or e-mail
Barnett’s father worked in finance, and he was raised to pay close attention to his credit report, his credit card interest rates and anything else connected to his financial life. Many companies he’s dealt with during his ordeal have assured him that he’s suffering no harm; no unpaid bills have surfaced on his credit report, for example. But he’s suspicious of that, and he’s convinced that an unexpected delay in his mortgage application during 2010 can be attributed to his identity problems.
Still, after spending several months obsessing over the problem, he’s come to terms with it.
“It really wasn’t until last couple of weeks that I started taking it in stride. I did let it get to me for a while,” he said. “Now, sometimes, it’s almost like a game for me to call these companies and get more details out of them.”
No one knows how many imposters have his SSN, and no one can really stop others from using his SSN on an application in the future. But better fraud-fighting tools would render a stolen SSN useless to would-be imposters.
“I know a lot of people are working on this problem, but it’s still here. And it begs the question as to why it’s all possible,” he said.
RED TAPE WRESTLING TIPS
SSN-only ID Theft is particularly vexing; it’s almost always discovered by accident, as in this case. Victims might be tempted to request a change of SSN, but the Identity Theft Resource Center strongly recommends against this strategy. The consequences of dropping an old SSN — losing a lifetime of credit history, along with college records, employment history, and so on – are more severe than fighting fraudulent accounts, Barney says. Also, creditors almost always end up linking the new and the old SSN anyway, so the potential benefits of changing are quickly lost. A new SSN only makes sense for very young victims who have no established history, she said.