Social Security Numbers Can Be Guessed
BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'"

Update: 07/07 00:01 GMT by T: Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
That notice was for the physical card itself, not the number: http://www.straightdope.com/columns/read/141/why-does-my-old-social-security-card-say-it-cant-be-used-as-id
You're spot on about the SSN being an identifier only, and that it was not intended to be a secret.
However, SSNs were never designed to be unique; they are not!
SSNs can be recycled. And it's also possible, though difficult, for one to obtain a new SSN.
In addition, many SSNs are assigned to more than one person - so common that the IRS, as well as many other government agencies, as well as the major credit bureaus, utilize software that allows for SSN duplicates and doesn't rely on SSNs alone to separate people.
Ron
Well the thing is the article itself is a bit misleading. It didn't take a study to find that you can predict the first 5 digits with 44% accuracy -- it was already a known factor. In fact, the less populous a state, the more likely they are to get it right. In smaller states (population-wise) such as the Dakotas, there may only be one prefix assigned to the state and with the second set of numbers being sequential, that 44% accuracy goes up very close to 100%. This is why the government has always told the private sector it was a bad idea.
There are (roughly) 3x as many SSNs as living US citizens. Add in some dead folks, account for holes in the numbering system, and let's call it 2x.
If the numbers were assigned at random, I think there would be roughly a 60% (intuition, pardon my laziness) chance that someone else shared your SSN. The claim is that it is "incredibly unlikely" that that person (or one of those people, in the increasingly unlikely situations of multiple collisions) who shares your SSN *ALSO* shares your name.
For a randomly selected person, I agree. However, I expect there are specific counterexamples (remember, 1-in-a-billion things happen to 6 people on Earth every day). There are 50k John Smiths in the USA, out of 300M people. 30k of them have SSN collisions with a random other person. There is a ~1/1000 chance that two of them collide with each other. I don't think that 1/1000 is "incredibly unlikely"... I also think you probably aren't named John Smith :)
I work for Social Security. It's not impossible to change your number; you just have to actually SHOW that you tried to clear up your problem. This is required for many reasons, not the least of which is that some freaky people actually rent their Social Security number out to illegal immigrants, then expect us to replace their number when their identity is compromised.