Social Security Numbers Can Be Guessed

BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.

good thing

[_ivy_ivy_]

they only put the last 4 digits on my paycheck!

Re:good thing

[SomeJoel]

Even though your post was quite amusing, I think the whole "last 4 digit" thing is overused as well. Since pretty much everyone only needs the "last 4 digits" to verify identity, if one of your conversations is compromised (ever overhear a co-worker's phone call?) then pretty much all of your accounts will be easy to break into. Coupled with the fact that it is next to impossible to actually change a SSN, you are pretty much screwed for life. Why SSNs were used as security devices is beyond me, though I am guessing the fact that "everyone already has one!" was a big part of it.

Re:good thing

[tverbeek]

SSNs started being used because A) "every one has one", B) they can't be changed, C) they're unique nation-wide, and D) they're all the same format nation-wide. If driver licences, phone numbers, checking accounts, or some other ID had met those criteria, we'd be using that instead.

Re:good thing

[Mycroft_VIII]

Actually C) is not entirely true, and NOT guaranteed.
The combination of name and number is supposed to be unique(by being so incredibly unlikely), but the generating process makes no attempt to see if a number is already in use by anyone else.

Mycroft

Re:good thing

[zippthorne]

Incredibly unlikely?? It's one in freaking three. 999999999 means only 1,000 million possible numbers, if the geographic coding didn't exist and the group coding didn't remove many numbers from the available number space, making things much, much worse. For a population of 300 million...

By my count, if there is no checking, the probability of collisions is incredibly high.

Re:good thing

[dbialac]

Well the thing is the article itself is a bit misleading. It didn't take a study to find that you can predict the first 5 digits with 44% accuracy -- it was already a known factor. In fact, the less populous a state, the more likely they are to get it right. In smaller states (population-wise) such as the Dakotas, there may only be one prefix assigned to the state and with the second set of numbers being sequential, that 44% accuracy goes up very close to 100%. This is why the government has always told the private sector it was a bad idea.

Re:good thing

There are (roughly) 3x as many SSNs as living US citizens. Add in some dead folks, account for holes in the numbering system, and let's call it 2x.

If the numbers were assigned at random, I think there would be roughly a 60% (intuition, pardon my laziness) chance that someone else shared your SSN. The claim is that it is "incredibly unlikely" that that person (or one of those people, in the increasingly unlikely situations of multiple collisions) who shares your SSN *ALSO* shares your name.

For a randomly selected person, I agree. However, I expect there are specific counterexamples (remember, 1-in-a-billion things happen to 6 people on Earth every day). There are 50k John Smith in the USA, out of 300M people. 30k of them have SSN collisions with a random other person. There is a ~1/1000 chance that two of them collide with each other. I don't think that 1/1000 is "incredibly unlikely"... I also think you probably aren't named John Smith :)

Re:good thing

[daath93]

I work for social security, its not impossible to change your number, you just have to actually SHOW that you tried to clear up your problem. This is required for many reasons, not the least of which is some freaky people actually rent their social security number out to illegal immigrants, then expect us to replace their number when their identity is compromised.

Re:good thing

[fooslacker]

Mycroft is correct in that they aren't guaranteed unique. In fact I once met a corporate trainer who was issued the SSN of a dead guy by the government. The guy had been dead only two or three years and it was a complete mess for credit etc. The big problem was that there isn't really a way to deal with this and the government tells you it is your responsibility to resolve any issues it causes and that they are not responsible for helping you.

Duh

It was pretty obvious when my sister and I received sequential numbers.

Re:Duh

[JWSmythe]

    If they were filed sequentially, and no other filing happened between your two records, they should.

    Read up on SSN's.

    The first 3 digits is the area (state) which it was issued, which does not necessarily match the state where the person was born.
    The second 2 are a group number. These groups are given out in an odd order. Check the SSA site or wikipedia for the details on that.
    The last 4 digits are a serial number.

    If you know the state where it was issued (either their birth or residence state), and the group number assigned in the likely period when they received a number, then you pretty much have the first two parts of the SSN. I'm curious to how they calculated the last 4 digits.

    I would suspect in 1989, they started automatically issuing SSN's at birth, which made the target much easier, if they had the birth month and year available. And yes, this does bring the number pool way down to 9,999 potential SSNs.

    Someone like me, I was born in one state, but I was not issued a card until I lived in another state, and was a few years older. You can't base it on my birth date nor location. The best guess would be where I lived, but you can't narrow it down to month or year, because you don't know when it happened. Was I 2 months old, or 5 years old? Maybe I simply never got one until I was 16 and wanted a job. I knew people in school who didn't have one, which threw off some of the school's paperwork. :) Someone I knew didn't have one until he was 21, because he didn't have a birth certificate (born at home, no surviving witnesses other than his parents). He finally did get one, and then got his drivers license. :) They wouldn't issue his drivers license until he has a SSN.

    They really should have never gone with SSN's as an identification. It's bad to have a serial number issued by the government. Really, any American isn't an American, we are our SSN, and the name associated with it is an arbitrary value.

Re:Duh

[gznork26]

The cards have changed over the years, but mine specifically states:
"For social security and tax purposes -- not for identification"

What were the steps that led down the slippery slope of using them for identification?

Re:Duh

[gfxguy]

Yes... in fact, when they were first suggest, people had many objections (including religious reasons) to not want to be "numbered."

The federal government swore that the only use would be for social security, and nothing else.

So, anything else they promise, GET IT WRITING. When they pass a law, and you say "yeah, but it's so loosely worded that you can use it for [i]this other thing[/i]," and they say "but we won't," get it in writing.

For example, when they say they want to use GPS only to track your miles, get it in writing.

Re:Duh

[Planesdragon]

For example, when they say they want to use GPS only to track your miles, get it in writing.

Screw that. Get SOMETHING BETTER.

I'm all for automatic tracking of speeding -- IF we get 100% enforcement, no exceptions. If you're not an emergency vehicle WITH LIGHTS ON, you (personally) get a fine.

I'm all for the Feds having a national ID -- so long as I can query a list of everyone who looks up my info. Forever.

Re:Duh

[daath93]

Tax Reform Act of 1976 (P.L. 94-455) included the following amendments to the Social Security Act:

* To allow use by the States of the SSN in the administration of any tax, general public assistance, driver's license or motor vehicle registration law within their jurisdiction and to authorize the States to require individuals affected by such laws to furnish their SSNs to the States;
* To make misuse of the SSN for any purpose a violation of the Social Security Act;
* To make, under federal law, unlawful disclosure or compelling disclosure of the SSN of any person a felony, punishable by fine and/or imprisonment.
* To amend section 6109 of the Internal Revenue Code to provide that the SSN be used as the tax identification number (TIN) for all tax purposes. While the Treasury Department had been using the SSN as the TIN by regulation since 1962, this law codified that requirement.

Social Security Number Chronology

Re:Duh

[El_Oscuro]

"I am altering our agreement. Pray I do not alter it further."

Naught

[sexconker]

Naught Naught Naught Naught Naught Naught Naught Naught Two.

Damn Roosevelt!

Why guess?

[JorDan+Clock]

Who needs to guess when it's so easy to get someone to just give you their social security number if you just present a vaguely legitimate reason? For instance, I could pretend to be hiring people for a new business I am opening. Pretty much every application I've ever filled out has asked for a social security number.

I could also see this technique being combined for some nasty phishing methods. Set up a fake credit check website, ask for their date of birth, the security question is their place of birth, and the last four digits of their social security number is their pin number. Using the technique of these researchers, you can guess a significant portion of people's SS numbers. 40% is probably a huge number for phishing, where most people avoid them, but by shear volume enough get caught to make money off it.

Re:Why guess?

[CastrTroy]

There was a scam going on here in Ontario with the same premise a few years ago. They would advertise a job in a local paper. Get you to send in a resume. Then call you up and give you a fake interview. A few days later, they'd call and say they were considering you for a position and ask you to send all the information to them (DOB, Name, SIN (Social Insurance Number, same as SSN)) plus a bunch of other personally identifying information. People who were pretty desperate for a job would send give them all the info, and then they would have their identity a couple days later. Really ingenious scam when you think about it. When everybody else is watching out for phishing sites, these guys were just using old technology to collect all the information. Problem is, is that once the police figured it out, it was very easy to trace back to the scammers.

Social Security Numbers As Identifiers

[StormReaver]

When I was young, the back of my social security card has a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing. Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.

Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.

Re:Social Security Numbers As Identifiers

[Formica]

That notice was for the physical card itself, not the number: http://www.straightdope.com/columns/read/141/why-does-my-old-social-security-card-say-it-cant-be-used-as-id

Re:In other words

[Goobermunch]

It's even better than that. Consider that the Federal Rules of Civil Procedure call for the redaction of all but the last four digits of an individual's social security number if it must be part of a court record (for example a discovery response).

Much of the discovery I have seen asks for the party's date of birth, place of birth, and social security number. While the rule "protects" the SSN from release by redacting the first five numbers, with a typical set of interrogatory responses, and the techniques pioneered by these researchers, I can get the holy trinity of identity theft information: SSN, DOB, and location of birth.

Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.

--AC

Damned if you do, damned if you don't

[Palestrina]

If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number.

But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.

And however many digits the number is, and even if it is randomly-generated (as the article proposes) your id number is only as strong as the weakest link among those who have stored your id, meaning the used car dealer, the credit card company, the student loan office, etc.

It is guaranteed to fail since they all involve transmitting and storing the secret.

What we need is a national public key infrastructure, with keys stored on smart cards, or similar, along the lines of what they have in Belgium. Of course, even PKI fails in the face of social engineering, so we need citizens to be more aware of the risks as well.

Re:Damned if you do, damned if you don't

[Todd+Knarr]

Identification != authentication. Failure to understand that is the problem.

Take your e-mail account. Your username identifies you. Your password authenticates you. Your provider (and everyone else in the world) use your username or e-mail address to identify you or to identify who they're sending their mail to. But when you go to log on to read your mail your provider doesn't just assume that if you know who you are that you're authorized to read your e-mail. They ask for your password (which you don't give out to anybody else) to authenticate that you're really who you're claiming to be.

The basic problem is that a lot of businesses want to verify your identity, but they want to do it fast and not waste time or resources actually authenticating you. So they've taken shortcuts. And now it's biting them, and they want someone to make the problem go away. Note: they do not want to fix the problem. To quote someone, "When the users say "When I drop this bowling ball on my foot it hurts. Make it stop hurting.", they mean just that. They don't want to stop dropping the bowling ball on their foot. They want you to make it not hurt when they do.".

Time to start using UUID/GUIDs

[stickrnan]

I think 8e019226-9a00-41f4-b094-6f1545fd84a9 should be fairly easy to remember.

The problem is not that SSNs are easy to guess

[raddan]

Because SSNs are supposed to be unique identifiers. Identifiers only. The problem is that they're also being used as the shared secret! There's nothing secret about an SSN, people, and there shouldn't be. I think at this point, the government needs to simply legislate the correct behavior, because companies like Comcast (who asked me for my SSN for 'security reasons' just the other day) just don't get it. Of course, getting the government to know the 'correct behavior' is yet another battle...

Re:The problem is not that SSNs are easy to guess

[Ron+Bennett]

You're spot on about SSN being an identifier only, and was not intended to be a secret.

However, SSNs were never designed to be unique; they are not!

SSNs can be recycled. And it's also possible, though difficult, for one to obtain a new SSN.

In addition, many SSNs are assigned to more than one person - so common that the IRS, as well as many other government agencies, as well as the major credit bureaus, utilize software that allows for SSN duplicates and doesn't rely on SSNs alone to separate people.

Ron

SSN's have no error control

[grandpa-geek]

Change a digit or transpose digits in an SSN and you most likely will transform it into another valid SSN.

The SSN numbering system was developed in the mid 1930's. The modern mathematics of error control were published by Shannon after World War II. (His work or error control was related to work on cryptography.) By "modern" mathematics, I refer to the fact that there was some understanding of error control in old telegraph systems, but it wasn't developed systematically.

Credit cards have check digits that will catch some common errors in data entry. Computer and communications technology use error control in many ways. SSN's are still back in the 1930's.

Perhaps it is time to modernize them by at least adding check digits. Also, the prohibition against using them as personal identifiers should be strengthened and enforced.

funded by the National Science Foundation

[call+-151]

Here is their grant and proposal abstract from the NSF. It sounds like they did exactly what they'd proposed to do- not every grant meets that metric! Theirs is a 3-year grant for a total of $386927.

There was a cute line in their FAQs:

Q. Were the tests IRB approved?

Yes, they were approved. No SSNs were harmed during the writing of this paper.

Re:Hardly news

[interkin3tic]

Not news to anyone who knows how SSN assignment works.

Yes it is. Knowing it's theoretically possible to figure it out is one thing. Someone actually demonstrating it can be done with high success rate is another. And it's news that matters because maybe this will force some change on the issue, dispels the illusion that it's a super secret identifying code that only you and X large organization knows. ...and maybe there will be a pony waiting for me at home...

The problem isn't that you can't keep SSNs secret.

[jra]

The problem is that you're trying.

To extend, the problem the SSA mentions: using them as identifiers?

That's not what's causing all the trouble. You can do that all you like, and the only people you'll piss off are privacy advocates, worried about unwanted cross-correlation.

The *real* problem, as I note in a piece I wrote for RISKS DIgest last month, is people using knowledge of an SSN (or a mother's maiden name, or any other answer not *made up by the customer*) as an authenticator.

If it is discoverable, and you force a customer to use it, *you* ought to be responsible when someone does, and defrauds the customer, cause you were an accessory before, and now you're on notice; it's been posted here.

Have fun, retail authentication system designers. ;-)