Vulnerabilities / Threats

4/27/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

More Than 1M Children Victims of Identity Fraud in 2017

Total fraud against kids amounted to $2.6 billion and more than $540 million in out-of-pocket costs to families, a new report finds.

Data breaches are bad news for all victims but especially harmful to children. More than one million children were victims of identity fraud last year, costing $2.6 billion in total and $540 million in out-of-pocket costs to families.

The 2018 Child Identity Fraud Study, conducted by Javelin Strategy & Research and sponsored by Identity Guard, found 11% of households had at least one minor's data compromised in a breach last year. Nearly 40% of minors who found out their data was breached became victims of fraud. In comparison, only 19% of adults who were notified eventually became targeted.

High-profile breaches typically garner more attention; as a result, many people overlook the effects of identity fraud on minors. Children have limited financial histories, which presents a larger opportunity for fraudsters to leverage their information and build account networks. This "blank slate" lets perpetrators slowly grow accounts over time before tapping them.

Because children have no credit history, fraudsters usually fly under the radar as they build their schemes. They combine data from multiple victims to create identities. Social security numbers are particularly useful here because minors haven't yet established financial histories; as a result, their SSNs don’t raise red flags when they're used in identity fraud.

That said, the lack of history also makes things harder for perpetrators, who will have a tougher time getting high-value personal loans or credit cards using a minor's identity.

Sixty percent of child identity fraud victims personally know the fraudster using their data; the same can be said for only seven percent of adult fraud victims. Identity fraud against minors is hard to prevent because many perpetrators have legitimate access to the children's information. Two-thirds of child fraud victims are under the age of eight, 20% were between the ages of 8 and 12, and 14% were aged between 13 and 17.

Cyberbullied

Researchers also noticed a strong relationship between cyberbullying and fraud. Minors who were bullied online (6.67%) were more than nine times more likely to be fraud victims than those were not bullied (0.72%). The average fraud amount among bullying victims was $4,075, more than four times the average total among non-bullied targets.

"In many cases, fraud and bullying are not perpetrated by the same individual but arise from the same underlying vulnerabilities," says Al Pascual, senior vice president of research and head of Fraud & Security at Javelin. "Children who are unprepared to protect themselves from online risks are likely to encounter individuals who wish to target them emotionally or financially."

Most kids targeted with identity fraud are hit with new-account fraud, which affected 0.96% of minors in 2017, because they don’t have existing financial accounts. Adults, in contrast, usually experience existing-card fraud (ECF) because they're targeted for the value of their accounts.

Fraudsters do more than misuse children's identities to open new accounts and drain existing ones. Between 410,000 and 560,000 kids were affected by false tax claims in 2017, and attackers also use their data to gain unlawful employment or avoid punishment for crimes.

Ultimately, targeting minors leads to a bigger payout for perpetrators, who stole $2,303 when misusing the identities of children -- more than twice the mean fraud total for adult victims. It's also easier for adults to avoid liability for fraud, as they only have to pay an average of $104 per incident. The families of child identity fraud victims pay an average of $541 out of pocket.

Teaching kids to be cautious online lowers the likelihood of fraud. Only 0.69% of children of "highly cautious" guardians were affected by identity fraud in the past year, compared with 3.64% of dependents of less cautious guardians. More caution led to lower prevalence of fraud, and when fraud happened, it was for a lower amount and more easily contained.

You can monitor for new-account fraud by checking children's credit histories. Setting a credit freeze is among the most effective ways to prevent new accounts from opening in a child's or adult's name. Many states let parents or guardians freeze a child's credit.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:54:23 PM
Monitoring
Only thing that can be done now is monitoring unfortunately now that the information has already been lost. There are services that can be leveraged both paid and free, just depends on how much manual oversight you wish to put into this endeavor.
mmckeown
50%
50%
mmckeown,
User Rank: Apprentice
4/29/2018 | 11:55:13 PM
Re: Pending Review
Excelent summary.  Appreciate the report.  As a parent what are our recourses.  I was part of the OMB breach, which had information of my child in the data.  How do we confirm their information is safe until they take over control of maintaining their information.  Thanks, again for your article.
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.