Slashdot Mirror
Social Security Numbers Can Be Guessed
BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
When I was young, the back of my social security card has a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing. Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.
Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.
If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number.
But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.
And however many digits the number is, and even if it is randomly-generated (as the article proposes) your id number is only as strong as the weakest link among those who have stored your id, meaning the used car dealer, the credit card company, the student loan office, etc.
It is guaranteed to fail since they all involve transmitting and storing the secret.
What we need is a national public key infrastructure, with keys stored on smart cards, or similar, along the lines of what they have in Belgium. Of course, even PKI fails in the face of social engineering, so we need citizens to be more aware of the risks as well.
SSNs started being used because A) "every one has one", B) they can't be changed, C) they're unique nation-wide, and D) they're all the same format nation-wide. If driver licences, phone numbers, checking accounts, or some other ID had met those criteria, we'd be using that instead.
http://alternatives.rzero.com/
If they were filed sequentially, and no other filing happened between your two records, they should.
Read up on SSN's.
The first 3 digits is the area (state) which it was issued, which does not necessarily match the state where the person was born.
The second 2 are a group number. These groups are given out in an odd order. Check the SSA site or wikipedia for the details on that.
The last 4 digits are a serial number.
If you know the state where it was issued (either their birth or residence state), and the group number assigned in the likely period when they received a number, then you pretty much have the first two parts of the SSN. I'm curious to how they calculated the last 4 digits.
I would suspect in 1989, they started automatically issuing SSN's at birth, which made the target much easier, if they had the birth month and year available. And yes, this does bring the number pool way down to 9,999 potential SSNs.
Someone like me, I was born in one state, but I was not issued a card until I lived in another state, and was a few years older. You can't base it on my birth date nor location. The best guess would be where I lived, but you can't narrow it down to month or year, because you don't know when it happened. Was I 2 months old, or 5 years old? Maybe I simply never got one until I was 16 and wanted a job. I knew people in school who didn't have one, which threw off some of the school's paperwork. :) Someone I knew didn't have one until he was 21, because he didn't have a birth certificate (born at home, no surviving witnesses other than his parents). He finally did get one, and then got his drivers license. :) They wouldn't issue his drivers license until he has a SSN.
They really should have never gone with SSN's as an identification. It's bad to have a serial number issued by the government. Really, any American isn't an American, we are our SSN, and the name associated with it is an arbitrary value.
Serious? Seriousness is well above my pay grade.
There was a scam going on here in Ontario with the same premise a few years ago. They would advertise a job in a local paper. Get you to send in a resume. Then call you up and give you a fake interview. A few days later, they'd call and say they were considering you for a position and ask you to send all the information to them (DOB, Name, SIN (Social Insurance Number, same as SSN)) plus a bunch of other personally identifying information. People who were pretty desperate for a job would send give them all the info, and then they would have their identity a couple days later. Really ingenious scam when you think about it. When everybody else is watching out for phishing sites, these guys were just using old technology to collect all the information. Problem is, is that once the police figured it out, it was very easy to trace back to the scammers.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
The cards have changed over the years, but mine specifically states:
"For social security and tax purposes -- not for identification"
What were the steps that led down the slippery slope of using them for identification?
Yes... in fact, when they were first suggest, people had many objections (including religious reasons) to not want to be "numbered."
The federal government swore that the only use would be for social security, and nothing else.
So, anything else they promise, GET IT WRITING. When they pass a law, and you say "yeah, but it's so loosely worded that you can use it for [i]this other thing[/i]," and they say "but we won't," get it in writing.
For example, when they say they want to use GPS only to track your miles, get it in writing.
Stupid sexy Flanders.
Change a digit or transpose digits in an SSN and you most likely will transform it into another valid SSN.
The SSN numbering system was developed in the mid 1930's. The modern mathematics of error control were published by Shannon after World War II. (His work or error control was related to work on cryptography.) By "modern" mathematics, I refer to the fact that there was some understanding of error control in old telegraph systems, but it wasn't developed systematically.
Credit cards have check digits that will catch some common errors in data entry. Computer and communications technology use error control in many ways. SSN's are still back in the 1930's.
Perhaps it is time to modernize them by at least adding check digits. Also, the prohibition against using them as personal identifiers should be strengthened and enforced.
Here is their grant and proposal abstract from the NSF. It sounds like they did exactly what they'd proposed to do- not every grant meets that metric! Theirs is a 3-year grant for a total of $386927.
There was a cute line in their FAQs:
It's psychosomatic. You need a lobotomy. I'll get a saw.