Social Security Numbers Can Be Guessed

BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.

Duh

It was pretty obvious when my sister and I received sequential numbers.

Re:Duh

[DerekLyons]

I would suspect in 1989, they started automatically issuing SSN's at birth, which made the target much easier, if they had the birth month and year available.

IIRC, around then the IRS started requiring you to submit the SSN's of minor dependents you were claiming as exemptions.

Re:Duh

[turbidostato]

"What were the steps that led down the slippery slope of using them for identification?"

The problem is not that the SSN is used for identification, with very few corner cases is guaranteed to be unique, so it's a good candidate. The problem is when it's used for *qualified* identification, and not the number but just knowing it. That's the mad part. Proper nouns have been used for ages as an identificative token: "Hi, Joe, this is my friend Mike" and there's no problem with that (given a much limited scope, of course). But you really know that me calling myself "John Doe" doesn't give to that token too much authority.

The problem is not identifying somebody as being 1243839845B, which is not a bad idea provided there's only one 1243839845B and there's an interest on univocally identifying people (which is a different problem). The problem comes when all the comprobation you do is the like to "Hey, he must certainly be 1243839845B. How do you know? Because so he says".

This is in fact an acknowledged problem almost everywhere but USA: that's why you are identified as 1243839845B, not because you say so but because you say so *and* can produce an ID card with that number, your photograph and your fingerprints on it.

Disregarding the question of nationwide identification being good or bad (and in fact, USA has already disregarded this problem too or else the SSN wouldn't be used for identification purpouses) this news seems to be absourd out of USA: well, my ID number is 34980233, there you have... so what?

Re:Duh

[russotto]

So, anything else they promise, GET IT WRITING. When they pass a law, and you say "yeah, but it's so loosely worded that you can use it for [i]this other thing[/i]," and they say "but we won't," get it in writing.

It was in writing; that's why "NOT FOR IDENTIFICATION" was on the cards. As with other well-known governmental entitites, they chose to change the agreement and inform complainers that they should be hopeful there would be no further changes. Whenever a law has potential for abuse, even if language is specifically written to preclude that abuse, instead
1) Assume they're lying.
and
2) Assume that even if they aren't, some future opportunist will break the promises made by the earlier legislation.

Re:Duh

[El_Oscuro]

"I am altering our agreement. Pray I do not alter it further."

Why guess?

[JorDan+Clock]

Who needs to guess when it's so easy to get someone to just give you their social security number if you just present a vaguely legitimate reason? For instance, I could pretend to be hiring people for a new business I am opening. Pretty much every application I've ever filled out has asked for a social security number.

I could also see this technique being combined for some nasty phishing methods. Set up a fake credit check website, ask for their date of birth, the security question is their place of birth, and the last four digits of their social security number is their pin number. Using the technique of these researchers, you can guess a significant portion of people's SS numbers. 40% is probably a huge number for phishing, where most people avoid them, but by shear volume enough get caught to make money off it.

Re:Why guess?

Credit is credit, and almost anyone can qualify for new accounts.

A good way to do this would be to advertise summer jobs right after college terms are over. College students are well known for being offered new credit constantly, and not keeping track of their credit rating at all.

Re:Why guess?

[Teancum]

Ahem...your employer definitely has a legitimate need for that information since they're taking money out of your paycheck to pay your Social Security. You won't get a job without an SSN, so write "N/A" all you like - makes the job market larger for the rest of us.

The SSN should not be on the employment application.... which was the point. Once you have been hired and are filling things out like I-9 documention and the W-4 forms that are explicitly for taxation purposes would the information have to actually be disclosed to an employer. Until then, the only legitimate purpose of asking for the SSN would be to use it for identification purposes... or to do things like performing a credit check on a future employee without their consent.

Still, it is something that would make you stick out as a potential troublemaker when applying for a job, and something that may be used as rationale for not hiring a potential candidate... even if demanding the information is illegal and could land the potential employer in legal trouble if a consistent pattern of turning down applications was based on this criteria.

Re:good thing

[SomeJoel]

Even though your post was quite amusing, I think the whole "last 4 digit" thing is overused as well. Since pretty much everyone only needs the "last 4 digits" to verify identity, if one of your conversations is compromised (ever overhear a co-worker's phone call?) then pretty much all of your accounts will be easy to break into. Coupled with the fact that it is next to impossible to actually change a SSN, you are pretty much screwed for life. Why SSNs were used as security devices is beyond me, though I am guessing the fact that "everyone already has one!" was a big part of it.

The problem is not that SSNs are easy to guess

[raddan]

Because SSNs are supposed to be unique identifiers. Identifiers only. The problem is that they're also being used as the shared secret! There's nothing secret about an SSN, people, and there shouldn't be. I think at this point, the government needs to simply legislate the correct behavior, because companies like Comcast (who asked me for my SSN for 'security reasons' just the other day) just don't get it. Of course, getting the government to know the 'correct behavior' is yet another battle...

That is the problem when using SSN as ID

[dunkelfalke]

If you use just a number for identification, it will be grossly misused. It is crazy to oppose a real ID card but use a much weaker (in terms of security) SSN as identification means and suddenly a baseless fear of certain forms of identification opens the way to very bad forms of identity theft.

Re:That is the problem when using SSN as ID

[dunkelfalke]

Not if the number of the real ID would be just its serial number and meaningless otherwise. Since the ID card itself is a proof of your identity, the number of it wouldn't be saved anywhere.

Re:Damned if you do, damned if you don't

[Todd+Knarr]

Identification != authentication. Failure to understand that is the problem.

Take your e-mail account. Your username identifies you. Your password authenticates you. Your provider (and everyone else in the world) use your username or e-mail address to identify you or to identify who they're sending their mail to. But when you go to log on to read your mail your provider doesn't just assume that if you know who you are that you're authorized to read your e-mail. They ask for your password (which you don't give out to anybody else) to authenticate that you're really who you're claiming to be.

The basic problem is that a lot of businesses want to verify your identity, but they want to do it fast and not waste time or resources actually authenticating you. So they've taken shortcuts. And now it's biting them, and they want someone to make the problem go away. Note: they do not want to fix the problem. To quote someone, "When the users say "When I drop this bowling ball on my foot it hurts. Make it stop hurting.", they mean just that. They don't want to stop dropping the bowling ball on their foot. They want you to make it not hurt when they do.".

Re:Social Security Numbers As Identifiers

[frosty_tsm]

Because Congress must pass laws to protect us from ourselves?

You can hardly call this protecting us from ourselves when everything from employment to apartment rental to cell phone plans to education require SSNs.

Re:good thing

[pearl298]

Let me see, the FIRST 5 can be guessed by knowing place and date of birht and the LAST 4 can be overheard or read form paychecks etc.

Gee I think that gives out the whole err 5+4 = 9(!) digits doesn't it?

The problem isn't that you can't keep SSNs secret.

[jra]

The problem is that you're trying.

To extend, the problem the SSA mentions: using them as identifiers?

That's not what's causing all the trouble. You can do that all you like, and the only people you'll piss off are privacy advocates, worried about unwanted cross-correlation.

The *real* problem, as I note in a piece I wrote for RISKS DIgest last month, is people using knowledge of an SSN (or a mother's maiden name, or any other answer not *made up by the customer*) as an authenticator.

If it is discoverable, and you force a customer to use it, *you* ought to be responsible when someone does, and defrauds the customer, cause you were an accessory before, and now you're on notice; it's been posted here.

Have fun, retail authentication system designers. ;-)

Simple enough

[fph+il+quozientatore]

No encryption/digital signature = fail

Re:good thing

[Serious+Callers+Only]

Are they actually used as a security device by people? Why do Americans think that SSNs should be somehow secret? What difference does it make if someone knows your SSN without knowing your other details?

The equivalent of SSN in other countries (e.g. the National Insurance number in the UK, DNI in Spain, etc) are not secret in any way, and it causes no problems whatsoever.

Really, if a company is stupid enough to just use your SSN to identify you, with no further checks, they deserve to be defrauded, and certainly couldn't use that as a reason to hold you liable for the fraud. They're not even unique.

Re:Social Security Numbers As Identifiers

[maxume]

Using it for identity isn't that big a deal. Using it for authentication of identity is the problem.

Re:drivers license (Re:Duh)

[Cro+Magnon]

By using the SSN for identification or authentication is a bad idea since it makes fraud that much easier, the crooks only have to find one number to really mess with your life.

What's worse is, companies usually use the SSN for identification AND authentication. It would be like me using "Cro Magnon" as my ID and password everywhere!