Hundreds of online businesses are using computers to find dormant Social Security numbers - usually those assigned to children who don't use them - then selling those numbers under another name to help people establish phony credit and run up huge debts they will never pay off.
Authorities say the scheme could pose a new threat to the nation's credit system. Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved.
"If people are obtaining enough credit by fraud, we're back to another financial collapse," said Linda Marshall, an assistant U.S. attorney in Kansas City. "We tend to talk about it as the next wave."
The sellers get around the law by not referring to Social Security numbers. Instead, just as someone might pay for an escort service instead of a prostitute, they refer to CPNs - for credit profile, credit protection or credit privacy numbers.
Julia Jensen, an FBI agent in Kansas City, discovered the scheme while investigating a mortgage-fraud case. She has given presentations to lenders across the Kansas City area to show them how easy it is to create a false credit score using these numbers.
"The back door is wide open," she said. "We're trying to get lenders to understand the risks."
It's not clear how widespread the fraud is, mostly because the scheme is difficult to detect and practiced by fly-by-night businesses.
But the deception is emerging as millions of Americans watch their credit scores sink to new lows. Figures from April show that 25.5 percent of consumers - nearly 43.4 million people - now have a credit score of 599 or below, marking them as poor risks for lenders. They will have trouble getting credit cards, auto loans or mortgages under the tighter lending standards banks now use.
The scheme works like this:
Online companies use computers and publicly available information to find random Social Security numbers. The numbers are run through public databases to determine whether anyone is using them to obtain credit. If not, they are offered for sale for a few hundred to several thousand dollars.
Because the numbers often come from young children who have no money of their own, they carry no spending history and offer a chance to open a new, unblemished line of credit. People who buy the numbers can then quickly build their credit rating in a process called "piggybacking," which involves linking to someone else's credit file.
Many of the business selling the numbers promise to raise customers' credit scores to 700 or 800 within six months.
If they default on their payments, and the credit is withdrawn, the same people can simply buy another number and start the process again, causing a steep spiral of debt that could conceivably go on for years before creditors discover the fraud.
Jensen compared the businesses that sell the numbers to drug dealers.
"There's good stuff and bad stuff," she said. "Bad stuff is a dead person's Social Security number. High-quality is buying a number the service has checked to make sure no one else is using it."
Credit bureaus can quickly identify applications that use numbers taken from dead people by consulting the Social Security Administration's death index.
Social Security numbers follow a logical pattern that includes a person's age and where he or she lived when the number was issued. Because the system is somewhat predictable, sellers can make educated guesses and find unused numbers using trial and error.
A "clean" CPN is a number that has been validated as an active Social Security number and is not on file with the credit bureaus. The most likely source of such numbers are children and longtime prison inmates, experts said.
Robert Damosi, an analyst with Javelin Strategy & Research, said the crime can come back to hurt children when they get older and seek credit for the first time, only to discover their Social Security number has been used by someone else.
"Those are the numbers criminals want. They can use them several years without being detected," Damosi said. "There are not enough services that look at protecting the Social Security numbers or credit history of minors."
Since the mortgage meltdown of 2008, banks have tightened lending policies, but many credit decisions are still based solely on credit scores provided by FICO Inc. and the three major credit unions: Experian, TransUnion and Equifax.
Federal investigators say many businesses do not realize that a growing number of those credit scores are based on fraudulent information.
"Lenders don't understand that when they pay money to go through a service, they may be receiving false information," Jensen said. "They think when they order the information from credit bureaus, it must be true."
Without special scrutiny, credit profiles created with the scheme are not immediately distinguishable from other newly created, legitimate files.
Investigators say the businesses clearly know they are selling Social Security numbers, but it's difficult to prove. The sellers use complex disclaimers that disavow illegal activity and warn customers against using their numbers in place of Social Security numbers.
The businesses also instruct customers to provide false information when using the number to apply for credit. Customers are told to use their real name and date of birth, but to avoid listing any addresses or phone numbers they've used in the past. They're also told to avoid any other information that connects the new, clean credit profile with the old, damaged one.
Craig Watts, a spokesman for credit reporting agency FICO Inc., said FICO has tools available for businesses to protect themselves from this type of fraud, but they are not cheap. And many lenders are slow to adopt FICO's new formulas, which are updated every few years.
Some companies that sell the numbers have lavish, high-tech websites. Others run no-frills ads on sites like Craigslist.
Jim Buckmaster, president and CEO of the San Francisco-based Craigslist, recently told the AP in an e-mail that there were "fewer than 200" classifieds on his site that used the word "CPN."
Within an hour of that e-mail exchange, dozens of the ads in cities such as Las Vegas, Los Angeles and New York had been pulled from the site. Many were reposted the next day.
An AP reporter called several of the sites, but got only recordings asking callers to leave a message with contact information.
Experts say the fraud will be difficult to stop because it's so easily concealed and targets such vulnerable people. Other than checking with the credit bureaus to see if there is a credit file associated with your child's Social Security number, spokesmen at FICO, the Social Security Administration and the FTC said there are no specific tools for safeguarding the number.
"This is an invisible crime, with invisible victims who don't have enough support out there to help them," said Linda Foley of the ID Theft Resource Center in San Diego.