
Social Security Numbers Can Be Guessed

BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
  • Re:I'm safe! (Score:2, Informative)

    by mysidia ( 191772 ) on Monday July 06, 2009 @07:36PM (#28601471)

    If they are a publicly funded school and utilize parts of your SSN on your student ID, or display it on class rosters, and other places, then they may be in violation of the law. Specifically the Family Educational Rights and Privacy Act [privacyrights.org] restrictions:

    One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).

    Also

    Many states now have laws banning public universities and colleges from using SSNs as student IDs.

  • by Formica ( 775485 ) on Monday July 06, 2009 @07:37PM (#28601481)
    That notice was for the physical card itself, not the number: http://www.straightdope.com/columns/read/141/why-does-my-old-social-security-card-say-it-cant-be-used-as-id [straightdope.com]
  • by Ron Bennett ( 14590 ) on Monday July 06, 2009 @08:08PM (#28601855) Homepage

    You're spot on about SSN being an identifier only; it was not intended to be a secret.

    However, SSNs were never designed to be unique; they are not!

    SSNs can be recycled. And it's also possible, though difficult, for one to obtain a new SSN.

    In addition, many SSNs are assigned to more than one person - so common that the IRS, as well as many other government agencies, as well as the major credit bureaus, utilize software that allows for SSN duplicates and doesn't rely on SSNs alone to separate people.

    Ron

  • Re:good thing (Score:3, Informative)

    by dbialac ( 320955 ) on Monday July 06, 2009 @09:00PM (#28602379)

    Well the thing is the article itself is a bit misleading. It didn't take a study to find that you can predict the first 5 digits with 44% accuracy -- it was already a known factor. In fact, the less populous a state, the more likely they are to get it right. In smaller states (population-wise) such as the Dakotas, there may only be one prefix assigned to the state and with the second set of numbers being sequential, that 44% accuracy goes up very close to 100%. This is why the government has always told the private sector it was a bad idea.

  • Re:good thing (Score:4, Informative)

    by Anonymous Coward on Monday July 06, 2009 @09:29PM (#28602591)

    There are (roughly) 3x as many SSNs as living US citizens. Add in some dead folks, account for holes in the numbering system, and let's call it 2x.

    If the numbers were assigned at random, I think there would be roughly a 60% (intuition, pardon my laziness) chance that someone else shared your SSN. The claim is that it is "incredibly unlikely" that that person (or one of those people, in the increasingly unlikely situations of multiple collisions) who shares your SSN *ALSO* shares your name.

    For a randomly selected person, I agree. However, I expect there are specific counterexamples (remember, 1-in-a-billion things happen to 6 people on Earth every day). There are 50k John Smith in the USA, out of 300M people. 30k of them have SSN collisions with a random other person. There is a ~1/1000 chance that two of them collide with each other. I don't think that 1/1000 is "incredibly unlikely"... I also think you probably aren't named John Smith :)

  • Re:good thing (Score:5, Informative)

    by daath93 ( 1356187 ) on Monday July 06, 2009 @10:05PM (#28602835)
    I work for social security, it's not impossible to change your number, you just have to actually SHOW that you tried to clear up your problem. This is required for many reasons, not the least of which is some freaky people actually rent their social security number out to illegal immigrants, then expect us to replace their number when their identity is compromised.
  • Re:good thing (Score:3, Informative)

    by erroneus ( 253617 ) on Monday July 06, 2009 @10:07PM (#28602853) Homepage

    The problem is that it is illegal/unlawful to use the SSN for anything but Social Security. It is NOT supposed to be used as an identity source for everything else. This is just one of those citizen protection laws that have been casually ignored by everyone. I always get strange looks and confusion when I cite the law and even show it to people.

    http://www.faqs.org/faqs/privacy/ssn-faq/ [faqs.org] http://www.glr.com/govt/privacy/ssnuse2.html -- this exposes some of the problems in that many common uses are not required by federal law and that there are few prohibitions on the commercial use and exploitation of it.

    However. You can request a federal tax payer ID number and use that when paying taxes. It is the same format as the SSN and can often be effectively used as a replacement for an SSN in many situations.

  • Re:Duh (Score:2, Informative)

    by daath93 ( 1356187 ) on Monday July 06, 2009 @10:10PM (#28602877)
    Social Security administration now has a policy that if you have a sequential number with a sibling or other close family member you can get a new number. Nowadays we would clear your sister's SSN one day, then clear yours the next (or vice-versa) to prevent this from happening. You may also acquire a new social security number if you have rampant ID theft, or a religious aversion to your number (I.E. 666 appears in it).
  • Re:Why guess? (Score:3, Informative)

    by afabbro ( 33948 ) on Monday July 06, 2009 @10:51PM (#28603233) Homepage

    Pretty much every application I've ever filled out has asked for a social security number.

    This is why I've adopted the practice of simply writing "N/A", "-----", or just nothing when asked for a SSN. It's incredibly uncommon that they actually need that information

    Ahem...your employer definitely has a legitimate need for that information since they're taking money out of your paycheck to pay your Social Security. You won't get a job without an SSN, so write "N/A" all you like - makes the job market larger for the rest of us.

  • Re:good thing (Score:2, Informative)

    by Joren ( 312641 ) on Monday July 06, 2009 @11:24PM (#28603501) Homepage

    Incredibly unlikely?? It's one in freaking three. 999999999 means only 1,000 million possible numbers, if the geographic coding didn't exist and the group coding didn't remove many numbers from the available number space, making things much, much worse. For a population of 300 million...

    By my count, if there is no checking, the probability of collisions is incredibly high.

    Mycroft was referring to "the combination of name and number", not the number by itself. It would be rather unlikely to have the same name and the same number. Additionally, they do check for collisions (or at least try to). They don't just throw the dice and give it to you, come what may; they give out numbers with the expectation that it has never been used before. It is intended to be a unique key, not only a hash to be used in conjunction with one's name... however, it is fast becoming that way because despite best intentions, the numbers are not entirely unique. Due to various causes, such as simple incompetence, identity theft, mistakes by the SSA or by people themselves when they fill out applications, and unavoidable collisions when the same number is assigned at the same time, it is possible for people to be given the same SSN. And you are right that there aren't nearly enough of them to be useful even if this weren't true.

  • Re:Duh (Score:3, Informative)

    by Teancum ( 67324 ) <robert_horning AT netzero DOT net> on Tuesday July 07, 2009 @12:37AM (#28604003) Homepage Journal

    Social Security "chose" nothing, it's an elected congress that passes these rules.

    That isn't entirely true. The Social Security Administration (as political appointees on the top tier, but this includes career civil employees as well) often does involve itself in legislative matters that involve that agency. This is true of all governmental bodies... just watch how crowded city hall gets when pay schedules for police or fire fighters are being discussed.

    The point is that many of the changes to expand the scope and range of SSNs happened with not just the consultation of SSA employees, but that many of those suggestions came from that organization as well. Not all of them, and yes some congressmen were involved with these decisions, but they can't be completely absolved from this discussion either.

  • Re:good thing (Score:3, Informative)

    by erroneus ( 253617 ) on Tuesday July 07, 2009 @01:19AM (#28604193) Homepage

    I should have been more clear. It is unlawful in the sense that the intent of the social security act of 1975 was to work against or otherwise discourage the use (mostly by government) of the SSN for purposes other than Social Security. Commercial activities are getting a big exemption on this because it is considered voluntary. (It's not really voluntary any longer as to lead a "normal" life, one needs to maintain that damned number and so there have been recent attempts to rein in the use of the SSN through bills in congress but clearly they haven't gone through.)
