Social Security Numbers Can Be Guessed
BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
they only put the last 4 digits on my paycheck!
It was pretty obvious when my sister and I received sequential numbers.
Most of the useful "security" characteristics of the SSN are in the last 4 digits.
If you know the last 4 digits of a SSN, and you get 2 or 3 guesses, then using their model: you can expect to guess the entire SSN correctly.
It's a good thing they only use the last four digits for identification at my school.
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
Naught Naught Naught Naught Naught Naught Naught Naught Two.
Damn Roosevelt!
Who needs to guess when it's so easy to get someone to just give you their social security number if you just present a vaguely legitimate reason? For instance, I could pretend to be hiring people for a new business I am opening. Pretty much every application I've ever filled out has asked for a social security number.
I could also see this technique being combined for some nasty phishing methods. Set up a fake credit check website, ask for their date of birth, the security question is their place of birth, and the last four digits of their social security number is their pin number. Using the technique of these researchers, you can guess a significant portion of people's SS numbers. 40% is probably a huge number for phishing, where most people avoid them, but by sheer volume enough get caught to make money off it.
Not news to anyone who knows how SSN assignment works. The first three digits (region code) have always been assigned based on state (with a few exceptions for things like Railroad Retirement and military uses), and since a new region code's only assigned to a state when the old one's nearly exhausted there's usually only a short period when there's 2 regions in use for a state. The middle 2 digits (group code) have always been assigned in a strict order as groups are exhausted. And SSNs are generally only assigned at 2 times: birth, or the first time someone gets a job and has to pay taxes (usually in high school). So if you know the state and date of someone's birth and where they went to high school, it's long been known that you can narrow it down to only a small handful of possible region and group codes. The only thing this research does is extend that into the last 4 digits, and I'm not surprised they found those assigned in some order over time. If I had to guess, frankly I'd've guessed that the last 4 digits were just assigned in order starting from 0000 with a new group code being assigned around 9900.
This isn't really new as the first 3 digits of your SSN already tell you which state you were born in more or less - http://www.google.com/search?q=ssn+by+state and the numbers are issued pretty sequentially from there, so just the year you were born and the state you were born in narrows it down pretty far already.
Morphing Software
When I was young, the back of my social security card had a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing. Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.
Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.
With a simple social engineering question of 'where are you from, where were you born?,' that most people think nothing of, you are able to easily acquire the first 3/8 digits of someone's SSN (and the answer to 15% of the standard security questions out there). The rest is just a matter of time and patience.
Honestly, this topic was covered for the umpteenth time when 2600 magazine did it over 10 years ago in a quarterly format available at most Barnes & Nobles stores (if you didn't have a home subscription). I can't lay my hand on the issue without doing a bothersome search of my closet, but really, this is old hat.
I don't know which is worse, the fact that this is making news now, or the fact that I pretty much outed myself as being from the era of AOL script kiddies. I'm sure Phrack or somewhere else probably covered this way before 2600 did. Nothing changes...
who for the first time
For the first time? Is this a joke? The pattern of assignment has been well known for years, whereby everybody born in an area at a particular time had the same prefix.
Any scheme that uses the first 5 digits for authentication is utter crap. It's almost as dumb as using telephone area codes.
If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number.
But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.
And however many digits the number is, and even if it is randomly-generated (as the article proposes) your id number is only as strong as the weakest link among those who have stored your id, meaning the used car dealer, the credit card company, the student loan office, etc.
It is guaranteed to fail since they all involve transmitting and storing the secret.
What we need is a national public key infrastructure, with keys stored on smart cards, or similar, along the lines of what they have in Belgium. Of course, even PKI fails in the face of social engineering, so we need citizens to be more aware of the risks as well.
When we put more consideration into TCP ISNs than we do an identifier someone has for life. We even worked hard to randomize this so that the connection is not easy to hijack if SSNs are being sent.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I think 8e019226-9a00-41f4-b094-6f1545fd84a9 should be fairly easy to remember.
Because SSNs are supposed to be unique identifiers. Identifiers only. The problem is that they're also being used as the shared secret! There's nothing secret about an SSN, people, and there shouldn't be. I think at this point, the government needs to simply legislate the correct behavior, because companies like Comcast (who asked me for my SSN for 'security reasons' just the other day) just don't get it. Of course, getting the government to know the 'correct behavior' is yet another battle...
hehehe... about 10 years ago CMU was using SSN's as Student ID's.... and CMU researchers were using university data including student ID's in research they were publishing on the web(without notifying students)... oops.
why it pays to google for your SSN every once in a while. ;)
If you use just a number for identification, it will be grossly misused. It is crazy to oppose a real ID card but use a much weaker (in terms of security) SSN as identification means and suddenly a baseless fear of certain forms of identification opens the way to very bad forms of identity theft.
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
This is old news, especially to me. I used this method to invent a plausible SSN for Michael J. Volpe, my legal-drinking-age alter ego when I was in college. I figured that as long as I had a fake ID, I'd see if I could use it to leverage myself into a false identity too. The number I used had the right digits for his supposed date and place of birth; the rest was just random. I never got any real documentation or credit accounts issued for Michael, but that was only because I ran into bootstrapping issues using a SSN with no history, not because the SSN was recognized by anyone as invalid.
They'll never be able to figure out my SSN. 754-6523. No pattern to that one.
Who cares that there is no fool-proof method? All that matters is that there is a significant probability of success.
Probably the only people who are safe from this are immigrants!
The real "Libtards" are the Libertarians!
A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'
Yeah, maybe with a wink and a nod. Social Security cards used to say "Not to be used for Identification" or words to that effect written on them in bright red ink. If the Federal Government was serious about not having the private sector use the number for identification purposes, they'd ban the practice.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
I saw a guy on one of those shows...might have been Donahue, do that knowing only the guy's age and state....verifying whether it was the right number.
The whole SSN thing is such a misnomer. There's only so many digits; people think every number has one person....it doesn't work that way. Instead, it's intended to weed out the (possibly) 10,000,000 "Joe Smiths" out there.
--- For a good time mail uce@ftc.gov
Once we make the switch to SSNv6.
Having worked in IT for 9 years at a college, this kind of thing is a nightmare.
One application we used for tracking students allowed a student to enter their SSN, which would then be replaced by their benign student ID and display their name. Even something like this is pretty dangerous.
If I know that most students at the college are going to be residents of a certain state, I can limit myself to searching just for SSNs assigned to that state by looking at the first three numbers. The next two numbers are the assignment group, which will vary based on when the SSN was assigned.
But, being from the same area, it was even easier than that. I could assume that there is a good chance that someone might be born in my state and assigned an SSN in the same group as me, which means I only have to guess the last four numbers, starting with the same five numbers that I have. (As a DBA, I had access to all of this information anyways.)
Starting with my SSN, I began incrementing by one. It only took six increments to reach another person's SSN. By using this application, I could type in my variations of a known SSN and find new SSNs, along with the name of the person who belongs to that SSN.
Out of curiosity, I did a 'group by' query on the first five numbers of all the SSNs in the database (roughly 60k SSNs) and found that in the most populous grouping, you would have a 1 in 20 chance of getting an SSN just by guessing the last four numbers of this group.
which I selected to not be my social security number.
The State ID number is a random series of letters and numbers and it is harder to guess.
The usual jokes like Ronald Reagan's social security number was 000-00-0002 because he was the second person to file behind FDR, are funny but historically inaccurate.
Illegal Immigrants or Undocumented Workers or whatever you want to call them easily generate fake SSNs, and a bulk of them use the same SSN for the same employer and it is usually a SSN of someone who died, and they got it off a death certificate. The current system of checking SSNs is broken.
What we need is a different system that is harder to guess, one that uses letters and numbers like license plates or software serial numbers. One that Social Security keeps on a secure system that can verify the numbers and tell if the new SSN is stolen or the owner of the SSN is dead and someone else may be using it for fraud.
I just hope the new system isn't abused to take away rights and freedoms, that would be bad.
I remember the colleges I went to used to use our SSN as our student number and it was on grade lists. I requested that I be issued a student number not based on my SSN for privacy reasons and they did issue me a student number different from my SSN. The grade lists would be student name, student number, and then grade issued in class and everyone could see them. The professors listed them by the door for the classroom after finals and midterm grades were calculated. Many other systems used to base employee number etc on SSNs.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Fingerprints are used already for identification, but they are not foolproof because you leave them everywhere, and people can try to make a mold of it. There are other body parts that are not touched as much... such as toe prints! They are always inside a shoe so they are secret, and if they do not change much over the years, make an excellent identification card.
Social Security Numbers have been around since 1963 (says Wiki). Technology has extended us so much. We can count to numbers we could not have dreamed of in 1963. Why don't we give each person a public and private key, like in Gmail? You'll have to hurt me to get my password! Or we can get those cool chips inserted into our fingers that are individual to us. If the scammer in Nigeria wants to know my information, what better way of protecting me than not letting me know my own information. The chip knows it, and it's inside me! If you want to identify me, you must have one of those devices that are only available in places like banks and jails. Yay for technology! Yay for toe prints!
It's the same problem in Norway. The person-numbers (Norwegian SSN's) are built this way:
DD MM YY III CC
The three first groups are your date of birth (which is found in all public records).
The next group (III) are individual numbers ranging from 000 to 999. If you are born before 2000 it is under 500, if you're born after it is over. If you are male it is an odd number and even for girls. So if you know the date of birth and a person's gender there are 250~ possible numbers.
The last group are control digits used to calculate a valid person-number.
Most (if not all) banks and other important things use the numbers as both identification and authentication...
you can get a pdf of the actual report by the researchers - no 2nd, 3rd and 4th hand stuff, for free from this url
http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html?sid=5e51e1ab-8945-420c-8013-29182641090e
which raises an interesting question: why do /.ers, who obviously consider themselves above average, make do with 2nd hand reports when they can so easily get the real thing.
actually bothering to take, say, 5 min to find and read the original report would have zeroed out a lot of the nonsense on /. for instance: the report, in its intro, says that the SS administration openly discloses that the first 3 digits are area number, AN....
Change a digit or transpose digits in an SSN and you most likely will transform it into another valid SSN.
The SSN numbering system was developed in the mid 1930's. The modern mathematics of error control were published by Shannon after World War II. (His work on error control was related to work on cryptography.) By "modern" mathematics, I refer to the fact that there was some understanding of error control in old telegraph systems, but it wasn't developed systematically.
Credit cards have check digits that will catch some common errors in data entry. Computer and communications technology use error control in many ways. SSN's are still back in the 1930's.
Perhaps it is time to modernize them by at least adding check digits. Also, the prohibition against using them as personal identifiers should be strengthened and enforced.
The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches
No, Ubiquitous use of SSNs as a "secret" for anything beyond Social Security has left millions of citizens vulnerable to privacy breaches.
The SSN is a perfectly fine choice as a universal identifier. However, it is a lousy choice as a universal password. That is what most institutions have used it as. A universal identifier and password at the same time. Identification, Authentication, and Authorization are in fact separate activities and require distinctly separate systems.
(Why are people so stupid about this stuff? it's so simple.)
When I was unfortunately and temporarily employed by AT&T Wireless, some people activated phones using Tax ID or EIN numbers.
"Sorry, that one's no good."
"OK, well, try this one.."
"Nope."
"OK, then try..."
"Hey! It liked that one! Enjoy your new, shadily acquired telecommunications device"
Same digits, different format. Multiple lookups on the backend?
Here is their grant and proposal abstract from the NSF. It sounds like they did exactly what they'd proposed to do- not every grant meets that metric! Theirs is a 3-year grant for a total of $386927.
There was a cute line in their FAQs:
It's psychosomatic. You need a lobotomy. I'll get a saw.
Fuck....Nevermind the fact that if you've ever been in the military your SSN has been passed around more than a two dollar whore. So much for security through obscurity :\
They wouldn't issue his drivers license until he has a SSN.
Was that so the SSN could be used as the driver license number?
Around here they stopped putting SSNs on the drivers license some time ago. It must have been fairly routine to do so since I recall that about five years ago one of the staff at the license station started to ask if I wanted my SSN removed from my drivers license only to stop herself once she looked at my license. I don't think I ever had my SSN on my driver license since, even at a young age, I realized the danger in linking those two databases.
What really boggled my mind was that co-workers of mine were perplexed at my distaste for RealID even after pointing out the dangers of one's SSN getting into the wrong hands. If you think Social Security Numbers are scary you need to look at how RealID can really mess with your life.
I am armed because I am free. I am free because I am armed.
Ok, let's say that you have one of those ID chips inserted in your fingers, and that I'm mugging you. You don't have any cash on you, but you have your ATM card in your wallet. If the ATM is using biometrics as you propose then it would make sense for me to take your ATM card, then just cut your finger and use it to authenticate.
Okay, guessing all 9 digits is good, so I'm not downplaying the success of this research. My sister and I were born 3 minutes apart and our SSNs are 20 values apart.
But the first 5 have always been not too difficult for some areas as it's based on date and location of birth (or date of issue, but there's obviously a correlation between the two). This makes it invaluable as a social hacking tool.
Just like the easy-to-guess Soundex numbers found on many state licenses, as well as the fact that credit cards use a system for numbering, simply correctly identifying the first few digits of a number can sometimes gain someone's trust ("Okay, I'm going to verify the first 4 digits of your Driver's License, but I won't disclose the whole thing over the phone. After I've verified this information, I will need...")
The point that I haven't seen anyone hit on yet is the fact that they designed it for THEIR use, not ours and not the private sector. They've even gone so far as to require that it's redacted to some degree (even though as proven a bazillion times) it's trivial to guess what's been redacted. The fact is that everyone else has adopted it because if any legal matters came up, that's the only way the law was going to identify you. The problem is that the lazy private sector doesn't have anything else that's "consistent" (and I use that term extremely loosely) across all entities to manage your identity. Hell FINGERPRINTS would be a better way of managing the authentication - the level of security required can be increased by simply requiring more fingers be scanned. Signing into a basic forum where you don't care? Swipe a digit. Logging into your bank? Swipe more, PLUS use an SSN. I'd certainly be happy to go spend the few bucks on a USB fingerprint reader for my desktop - laptop's already got it.
Let's face it - the US Government isn't known for developing numbering systems with security in mind - take a look at IPv4. What the world needs is a commercial solution for a commercial problem. What good is my SSN when doing business outside the US?
When I learned my father's # was eerily similar to mine. We were born in the same hospital some 25 years apart, that was about the time I wondered how hard it would be to do what these guys did.
Obviously, I didn't think too hard about it.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
Off-topic, but...
Aren't we going to run out of SSNs? They are never reused (according to the Social Security Administration).
They're nine digits, so theoretically they're good for a billion people, but in reality they're broken up by state. Most states have three or four sets of starting three-digit numbers (with bigger states having more), and there are prefixes reserved for immigrants, etc. So the nine-digit space is actually smaller.
There are ~300 million Americans, so how many more generations can the current system support? Particularly as today, people get SSNs much earlier than they did in the past. You can't open a college savings account for a kid without one, for example.
Yes, it would be easy to just add another digit, but I strongly suspect that is going to be another Y2K-style programming effort. Gov't will mandate that by Jan 1, 20XX, everyone must support 12-digit SSNs, industry will spend hundreds of millions of dollars, COBOL programmers will be in demand again, congressmen will introduce legislation repeatedly to delay introduction, etc...bleh.
Advice: on VPS providers
You could also go backward and pick random 7 numbers (more or less) and use their very simple numbering method to trace back to who owns that number, too. SSNs are simply a joke. How can you use something determined by public records for privacy and security?
Yes, it's the same as the combination on my luggage. No, the government won't issue a new one.
You see? You see? Your stupid minds! Stupid! Stupid!
Anybody or organization using an SSN as both an identifier and a form of authentication is stupid, irresponsible and should be held accountable 100% for breach of whatever resource they control. The problem is in the "shared secret" type use of a damn 9-digit number, with a few of the digits already known based on state of birth.
Want a list of ssn's for every state? Here's all of them. Have fun.
-Michael
The problem is that you're trying.
To extend, the problem the SSA mentions: using them as identifiers?
That's not what's causing all the trouble. You can do that all you like, and the only people you'll piss off are privacy advocates, worried about unwanted cross-correlation.
The *real* problem, as I note in a piece I wrote for RISKS Digest last month, is people using knowledge of an SSN (or a mother's maiden name, or any other answer not *made up by the customer*) as an authenticator.
If it is discoverable, and you force a customer to use it, *you* ought to be responsible when someone does, and defrauds the customer, cause you were an accessory before, and now you're on notice; it's been posted here.
Have fun, retail authentication system designers. ;-)
I signed up for my SSN 2000 miles from where I was born, in the 1960s, where the facility that issued me the card (I still have) had the man pull the card off of a stack - I just picked a day and time to apply and was handed that card as a 14 year-old. I suspect I'm damn random.
Working for a department store (silly store cards), you'd be surprised how many people are just ready and willing to tell me.
I've been doing a lot of federal contract work over the past 6-7 years and I can guess the first 4-5 digits of most people's SSN's off the top of my head. The first three digits are easy.
It's called a Social Security Number for a reason. Clearly if we use it, things will be secure.
The government says not to use your SSN for identification...but you can't get a bank account, car loan, mortgage, student loan, go to school even, etc. For fooksake, your SSN is everywhere out there. The moronic government is just covering their collective arses by making that statement.
Two words..."Life Lock"....it sucks to have to pay for it but protecting your SSN and identity is super important.
No encryption/digital signature = fail
My first program:
Hell Segmentation fault
As someone from Sweden I fail to see the severity of this...
let me reveal the secret algorithm for Swedish SSNs:
Date of birth 6 digits: next 2 digits used to be place of birth, but not any more. Then there is a digit that is odd for males and even for females and then a checksum digit
YYMMDD-XXGC
The fact this made news at all is not a sign of how broken the SSN is, but rather how stupid the target audience is. The methodology of social security number assignment is not a secret. The "research" paper is simply repeating known information that anyone could do.
Step 1: Get zip code of origin (city of birth works well for anyone born after 88.) - you got the first 3 numbers.
Step 2: Get date of issuance (usually date of birth) - you got the 4th and 5th number almost guaranteed. The final 4, you can narrow down to a range by looking at the publicly available SSN of the deceased. If the date was May 15 and you have on record a SSN ending in 3485 issued May 14th and 3809 on May 16th for the same first 5 digits you know the last 4 are between 3485-3808.
They took 3 years to do this?
Actually, only one digit is used for the checksum on most credit cards.
For a 16-digit number, there is a 6-digit issuer identification number (including 1-digit major-industry identifier), followed by 9 unique digits for the customer, followed by one check-digit. Some Visa numbers used to be 13 digits, which would have been much less unique, but those seem to have been converted to 16-digit numbers now (all this from Wikipedia).
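Added example, not part of any comment in this thread: the check-digit point raised above (SSNs carry none, credit card numbers end in one Luhn digit), measured in Python. The sample numbers are constructed test values, and `bare_nine_digit_valid` is a hypothetical format-only check standing in for an identifier that has no check digit.

```python
"""Compare data-entry error detection: Luhn check digit vs. a bare 9-digit ID."""
from typing import Callable, Iterator, NamedTuple


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit to append to a string of decimal digits."""
    total = 0
    # Walk right to left; the digit next to the (future) check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the Luhn check digit of the preceding digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def bare_nine_digit_valid(number: str) -> bool:
    """Hypothetical format-only check: nine decimal digits, no check digit."""
    return number.isdigit() and len(number) == 9


def single_digit_errors(number: str) -> Iterator[str]:
    """Every string that differs from `number` in exactly one digit."""
    for pos, original in enumerate(number):
        for replacement in "0123456789":
            if replacement != original:
                yield number[:pos] + replacement + number[pos + 1:]


def adjacent_transpositions(number: str) -> Iterator[str]:
    """Every string made by swapping two neighbouring, unequal digits."""
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a != b:
            yield number[:pos] + b + a + number[pos + 2:]


class ErrorReport(NamedTuple):
    substitutions: int
    substitutions_caught: int
    transpositions: int
    transpositions_caught: int


def audit(number: str, validator: Callable[[str], bool]) -> ErrorReport:
    """Count how many typing errors in `number` the validator rejects."""
    subs = list(single_digit_errors(number))
    swaps = list(adjacent_transpositions(number))
    return ErrorReport(
        substitutions=len(subs),
        substitutions_caught=sum(not validator(s) for s in subs),
        transpositions=len(swaps),
        transpositions_caught=sum(not validator(s) for s in swaps),
    )


# Constructed test values, not real account or Social Security numbers.
LUHN_SAMPLE = "7992739871" + str(luhn_check_digit("7992739871"))
LUHN_SAMPLE_WITH_09 = "1234509876" + str(luhn_check_digit("1234509876"))
BARE_SAMPLE = "123456789"

if __name__ == "__main__":
    for label, number, validator in (
        ("Luhn-protected", LUHN_SAMPLE, luhn_valid),
        ("Luhn, contains '09'", LUHN_SAMPLE_WITH_09, luhn_valid),
        ("bare 9-digit ID", BARE_SAMPLE, bare_nine_digit_valid),
    ):
        r = audit(number, validator)
        print(f"{label:20} {number:12} "
              f"substitutions caught {r.substitutions_caught}/{r.substitutions}, "
              f"transpositions caught {r.transpositions_caught}/{r.transpositions}")
```

A check digit is error control only: anyone can compute it, so it makes mistyped numbers detectable without making the identifier any harder to guess. Luhn's one blind spot among adjacent swaps is the pair 0 and 9, which the second sample exercises.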
This about SSN's is: bad thing.
Background: military medic where EVERYTHING in the military goes by your SSN, to include Healthcare.
I'm a numbers geek and can memorize strings almost instantaneously. At first it helped for the frequent fliers in the ER as I'd see them at the door, and start the paperwork, already knowing their chief complaint AND their SSN. Then as I learned more and more numbers I started putting them together. Researched a bit, and found a little matrix I kept running in my head--> where they were from.
Initial Use: I would use where they were from. I used it once in a rape with great success. "So where are you from in Colorado", putting them in a mental "safe place" for a moment, enabling me to start treatment. Used it thereafter on emotionally straining occurrences.
Second: Profit. While deployed I would bet people coming into the clinic $5 I could guess where they were from stateside by their heartbeat. Of course they'd take the bait as I warmed my stethoscope. Glancing at their dog tags would be all I'd need to get state, and in several instances ->Cities. "Hrm you're from... grr (feigned mental anxiety on my part) TEXAS! actually --> (455-xx-xxx) San Antonio! *Showmanship wins* $5 please or a pack of Marlboro's
My PROBLEM with our set up is if I'm captured I'm required to give the Enemy my NAME, RANK, SSN. Give me anyone's SSN and I can find out way too much information on you, to include where your FAMILY LIVES! Useful to an enemy combatant? I think so. I'd prefer the use of a Military issued ID number that wasn't associated with any other number that identifies you, except to our military; such was used in my grandfather's time in service.
My experiences with SSN's, please do not try this at home, never shower with power tools.
In many less developed societies, it's common for people to believe that knowing someone's "true name" allows you to perform magic on that person. That cognitive process is still active today, however: we just consider social security numbers our "true names" and treat them accordingly.
Frankly, it's ridiculous either way. Social security numbers are just identifiers, and we need to stop treating mere identifiers as tokens imbued with power.
I've always wondered why people have to use the last four numbers as an identifier so often, but it makes sense from the perspective of it being the most unique part of the number. I can't say I'm surprised by this given that I'd already figured out the 005 start means you were born in Maine for example. So because I knew that everyone in my family had a double zero start, and none of my friends or their family did, I correctly surmised that the first three digits related to where you were born. A little research later and I realized all other numbers are a function in some way shape or form of time. This was all before I'd seen an explanation about how the numbers are assigned. So I'd already known for the last decade it wasn't a random number at all, and I'd also assumed it makes the most logical sense for the last four numbers to be assigned in some sort of serial fashion. I would think that with computing becoming as powerful as it is that we'd be looking at a situation where the whole number is guessable if you know the time of birth. If someone got access to say a hospital log of when new babies were born, and it was the only hospital in the zipcode as long as you could verify the SSN of any one of the babies in the log you'd then have the SSN of all babies in the log. I knew this some nine or ten years ago when I was in college.
9 digits = 1 billion total possible combinations.
The population of the US = what, 400 million?
So, we're almost to the point where you can just hit 9 random numbers and have about a 50/50 chance of getting SOMEBODY's number.
Seems like we just had this problem with 7 digit phone numbers... and 4 part IP addresses...
Social Security Numbers have been around since 1963 (says Wiki).
I think you've got an accidental transposition here... According to the SSA, the first card was issued in 1936, not 1963.
When politicians are involved, everyone loses.
1. make ssn's alphanumeric. this keeps it down to 9 letters/ numbers that you can remember. it also makes it backwards compatible so you don't have to issue everyone new SSNs. make it so there is no relationship whatsoever between birth place/ date/ name and SSN. (10 numbers + 26 letters)^9 = 101,559,956,668,416. 101.5 trillion is a nice enough space, and certainly better than the current 1 billion. you may even have idiots requesting vanity SSNs like vanity license plates. i reserve FUK-YU-IRS1
2. issue a password along with the SSN. now you have security at least as robust as something like gmail. not ironclad security, but you're never going to get that level with SSNs, and you are not introducing a system too cumbersome for your average joe, since he is already used to this security model. websites that "require" SSN can have authentication done a la openID: SSN+password goes to the government's server, and the government's server gives a thumbs up/ thumbs down before the requesting website proceeds with processing. limit, of course, the websites that can request such authentication to a white list (state dmvs, medicaid, student loan sites, etc.). all legacy application processes that require you to write down your SSN on a piece of paper: do away with it. we are at the point where the government can require all use of SSNs to be done via HTTPS only. you can get that on cellphones nowadays. the government can set the standard, and the standard is not difficult to meet, even in the municipal office of red lodge montana or on the crabbing boat in alaska when you apply for that fishing boat job
3. make it a lot easier to get a new SSN/ password. compromise will happen, or at least suspected compromise. for peace of mind, make it so individuals can generate a new SSN/ password easily and quickly and without red tape, as easy as getting a new email account
none of this is very difficult or groundbreaking
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I've known a "mentalist" that part of his act was to reveal a person's SSN, which he did with amazing accuracy. He's been doing this trick for over 25 years.
He uses a formula from a person's birthplace and age to get most of the digits. He used other cues for the remaining digits, but I'm fuzzy about this process.
Mine is 078-05-1120.
Knock yourself out.
Yup, you're right. I read the number wrong haha. 1936 makes sense because it was around Great Depression time when Social Security was a good idea.
The solution is for the Federal Government to start fresh with a new numbering system and then post, online, each number along with the name of its owner, in order to preclude any chance of using them for authentication.
I would also add in check digits and a version number.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.