Social Security Numbers Can Be Guessed

BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
  • by StormReaver ( 59959 ) on Monday July 06, 2009 @07:24PM (#28601333)

    When I was young, the back of my social security card had a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing. Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.

    Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.

  • Re:In other words (Score:4, Interesting)

    by Goobermunch ( 771199 ) on Monday July 06, 2009 @07:27PM (#28601367)

    It's even better than that. Consider that the Federal Rules of Civil Procedure call for the redaction of all but the last four digits of an individual's social security number if it must be part of a court record (for example a discovery response).

    Much of the discovery I have seen asks for the party's date of birth, place of birth, and social security number. While the rule "protects" the SSN from release by redacting the first five numbers, with a typical set of interrogatory responses, and the techniques pioneered by these researchers, I can get the holy trinity of identity theft information: SSN, DOB, and location of birth.

    Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.

    --AC

  • by Palestrina ( 715471 ) * on Monday July 06, 2009 @07:27PM (#28601383) Homepage

    If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number.

    But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.

    And however many digits the number is, and even if it is randomly-generated (as the article proposes) your id number is only as strong as the weakest link among those who have stored your id, meaning the used car dealer, the credit card company, the student loan office, etc.

    It is guaranteed to fail since they all involve transmitting and storing the secret.

    What we need is a national public key infrastructure, with keys stored on smart cards, or similar, along the lines of what they have in Belgium. Of course, even PKI fails in the face of social engineering, so we need citizens to be more aware of the risks as well.

  • Re:good thing (Score:5, Interesting)

    by tverbeek ( 457094 ) on Monday July 06, 2009 @07:39PM (#28601497) Homepage
    SSNs started being used because A) "every one has one", B) they can't be changed, C) they're unique nation-wide, and D) they're all the same format nation-wide. If driver licences, phone numbers, checking accounts, or some other ID had met those criteria, we'd be using that instead.
  • by whoever57 ( 658626 ) on Monday July 06, 2009 @07:39PM (#28601507) Journal

    'there is no fool-proof method for predicting a person's Social Security Number.'

    Who cares that there is no fool-proof method? All that matters is that there is a significant probability of success.

    Probably the only people who are safe from this are immigrants!

  • Re:Duh (Score:5, Interesting)

    by JWSmythe ( 446288 ) <jwsmytheNO@SPAMjwsmythe.com> on Monday July 06, 2009 @07:45PM (#28601565) Homepage Journal

        If they were filed sequentially, and no other filing happened between your two records, they should.

        Read up on SSN's.

        The first 3 digits are the area (state) in which it was issued, which does not necessarily match the state where the person was born.
        The second 2 are a group number. These groups are given out in an odd order. Check the SSA site or Wikipedia for the details on that.
        The last 4 digits are a serial number.

        If you know the state where it was issued (either their birth or residence state), and the group number assigned in the likely period when they received a number, then you pretty much have the first two parts of the SSN. I'm curious as to how they calculated the last 4 digits.

        I would suspect in 1989 they started automatically issuing SSNs at birth, which made the target much easier if they had the birth month and year available. And yes, this does bring the number pool way down to 9,999 potential SSNs.

        Someone like me, I was born in one state, but I was not issued a card until I lived in another state, and was a few years older. You can't base it on my birth date nor location. The best guess would be where I lived, but you can't narrow it down to month or year, because you don't know when it happened. Was I 2 months old, or 5 years old? Maybe I simply never got one until I was 16 and wanted a job. I knew people in school who didn't have one, which threw off some of the school's paperwork. :) Someone I knew didn't have one until he was 21, because he didn't have a birth certificate (born at home, no surviving witnesses other than his parents). He finally did get one, and then got his driver's license. :) They wouldn't issue his driver's license until he had an SSN.

        They really should have never gone with SSNs as an identification. It's bad to have a serial number issued by the government. Really, any American isn't an American; we are our SSN, and the name associated with it is an arbitrary value.
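
The area/group/serial layout and the "odd order" of group issuance described in the comment above are enough to compute the candidate space an attacker faces once the area is known. The following is an added example (not the researchers' or the SSA's code) that encodes the four issuance waves the SSA used for group numbers and turns an area's published "high group" into the set of groups in circulation; the `HIGH` value in the demo is hypothetical, and the SSA switched to randomized assignment in June 2011, so this reasoning applies to numbers issued before then.

```python
"""Candidate-space arithmetic for SSNs issued under the area-group-serial
scheme (AAA-GG-SSSS): AAA is the area number, GG the group (01-99, never 00),
SSSS the serial (0001-9999, never 0000). Within one area the SSA did not hand
out groups in numeric order but in four fixed waves, so the "high group" it
published for each area says exactly which groups were in circulation.
"""
from itertools import chain


def group_order():
    """SSA issuance order of the 99 group numbers within one area."""
    odd_low = range(1, 10, 2)       # 01, 03, 05, 07, 09
    even_high = range(10, 99, 2)    # 10, 12, ..., 98
    even_low = range(2, 9, 2)       # 02, 04, 06, 08
    odd_high = range(11, 100, 2)    # 11, 13, ..., 99
    return [f"{g:02d}" for g in chain(odd_low, even_high, even_low, odd_high)]


def groups_issued(high_group):
    """All groups already in circulation when `high_group` was the newest."""
    order = group_order()
    if high_group not in order:
        raise ValueError(f"not a group number: {high_group!r}")
    return order[: order.index(high_group) + 1]


def candidate_space(high_group, known_group=None):
    """How many SSNs an attacker who knows the area must still try.

    With only the area known: every issued group times 9999 serials.
    With the group also known (e.g. from the issue date): just the serials.
    """
    groups = groups_issued(high_group)
    if known_group is not None:
        return 9999 if known_group in groups else 0
    return len(groups) * 9999


def is_plausible(ssn, high_group):
    """Structural sanity check: reject SSNs that could not have been issued."""
    parts = ssn.split("-")
    if len(parts) != 3 or [len(p) for p in parts] != [3, 2, 4]:
        return False
    if not all(p.isdigit() for p in parts):
        return False
    area, group, serial = parts
    if area in ("000", "666") or area >= "900":   # never-issued areas
        return False
    if group == "00" or serial == "0000":
        return False
    return group in groups_issued(high_group)


if __name__ == "__main__":
    HIGH = "02"   # hypothetical high group for a hypothetical area, not SSA data
    print("groups in circulation:", groups_issued(HIGH))
    print("SSNs to try knowing only the area:", candidate_space(HIGH))
    print("SSNs to try knowing area and group:", candidate_space(HIGH, "09"))
    print("123-04-1234 plausible?", is_plausible("123-04-1234", HIGH))
```

Note that `is_plausible` is the check a practitioner wants on the defensive side as well: an input-validation layer that rejects structurally impossible SSNs before they reach a database costs nothing and catches a large class of keying errors and fabricated values.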

  • Re:Why guess? (Score:5, Interesting)

    by CastrTroy ( 595695 ) on Monday July 06, 2009 @07:55PM (#28601689)
    There was a scam going on here in Ontario with the same premise a few years ago. They would advertise a job in a local paper. Get you to send in a resume. Then call you up and give you a fake interview. A few days later, they'd call and say they were considering you for a position and ask you to send all the information to them (DOB, Name, SIN (Social Insurance Number, same as SSN)) plus a bunch of other personally identifying information. People who were pretty desperate for a job would give them all the info, and then they would have their identity a couple days later. Really ingenious scam when you think about it. When everybody else is watching out for phishing sites, these guys were just using old technology to collect all the information. The problem is that once the police figured it out, it was very easy to trace back to the scammers.
  • Re:Duh (Score:5, Interesting)

    by gznork26 ( 1195943 ) <gznork26NO@SPAMgmail.com> on Monday July 06, 2009 @08:00PM (#28601757) Homepage

    The cards have changed over the years, but mine specifically states:
    "For social security and tax purposes -- not for identification"

    What were the steps that led down the slippery slope of using them for identification?

  • which I selected to not be my social security number.

    The State ID number is a random series of letters and numbers and it is harder to guess.

    The usual jokes like Ronald Reagan's social security number was 000-00-0002 because he was the second person to file behind FDR, are funny but historically inaccurate.

    Illegal Immigrants or Undocumented Workers or whatever you want to call them easily generate fake SSNs, and a bulk of them use the same SSN for the same employer and it is usually a SSN of someone who died, and they got it off a death certificate. The current system of checking SSNs is broken.

    What we need is a different system that is harder to guess, one that uses letters and numbers like license plates or software serial numbers. One that Social Security keeps on a secure system that can verify the numbers and tell if the new SSN is stolen or the owner of the SSN is dead and someone else may be using it for fraud.

    I just hope the new system isn't abused to take away rights and freedoms, that would be bad.

    I remember the colleges I went to used to use our SSN as our student number and it was on grade lists. I requested that I be issued a student number not based on my SSN for privacy reasons and they did issue me a student number different from my SSN. The grade lists would be student name, student number, and then grade issued in class and everyone could see them. The professors listed them by the door for the classroom after finals and midterm grades were calculated. Many other systems used to base employee number etc. on SSNs.

  • Re:Duh (Score:5, Interesting)

    by gfxguy ( 98788 ) on Monday July 06, 2009 @08:19PM (#28601965)

    Yes... in fact, when they were first suggested, people had many objections (including religious reasons) to not want to be "numbered."

    The federal government swore that the only use would be for social security, and nothing else.

    So, anything else they promise, GET IT IN WRITING. When they pass a law, and you say "yeah, but it's so loosely worded that you can use it for this other thing," and they say "but we won't," get it in writing.

    For example, when they say they want to use GPS only to track your miles, get it in writing.

  • Re:good thing (Score:4, Interesting)

    by Mycroft_VIII ( 572950 ) on Monday July 06, 2009 @08:22PM (#28601989) Journal
    Actually C) is not entirely true, and NOT guaranteed.
    The combination of name and number is supposed to be unique(by being so incredibly unlikely), but the generating process makes no attempt to see if a number is already in use by anyone else.

    Mycroft
  • by Shakrai ( 717556 ) on Monday July 06, 2009 @08:22PM (#28601997) Journal

    You can hardly call this protecting us from ourselves when everything from employment to apartment rental to cell phone plans to education require SSNs.

    Actually you are welcome to refuse to give out your SSN for any of those purposes. Of course the person on the other end of the business arrangement is also welcome to refuse to do business with you.....

  • by MortenMW ( 968289 ) on Monday July 06, 2009 @08:22PM (#28602001)

    It's the same problem in Norway. The person-numbers (Norwegian SSNs) are built this way:
    DD MM YY III CC

    The first three groups are your date of birth (which is found in all public records).

    The next group (III) is an individual number ranging from 000 to 999. If you were born before 2000 it is under 500; if you were born after, it is over. If you are male it is an odd number, and even for girls. So if you know a person's date of birth and gender there are about 250 possible numbers.

    The last group are control digits used to calculate a valid person-number.

    Most (if not all) banks and other important things use the numbers as both identification and authentication...
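
The layout in the comment above makes the guessing exercise concrete, and it also shows something the comment only hints at: control digits do not make a number harder to guess, they let the guesser discard impossible candidates offline. The following is an added example, not the poster's code. It uses the comment's simplified century rule for the individual number (000-499 before 2000, 500-999 after; odd = male, even = female) and the publicly documented Mod-11 weights for the two check digits; the birth date in the demo is constructed.

```python
"""Enumerate Norwegian personal numbers (fødselsnummer) consistent with a
known date of birth and sex: DDMMYY (birth date) + III (individual number)
+ CC (two check digits).

A 9-digit prefix whose weighted sum leaves the "impossible" remainder gets
no valid check digit and is never assigned, so the real candidate list is
shorter than the 250 the comment counts.
"""

K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)        # over DDMMYYIII
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)     # over DDMMYYIII + k1


def _mod11(digits, weights):
    k = 11 - (sum(d * w for d, w in zip(digits, weights)) % 11)
    return 0 if k == 11 else k      # 10 means "no valid digit exists"


def check_digits(first9):
    """(k1, k2) for a 9-digit string, or None if the prefix cannot be valid."""
    d = [int(c) for c in first9]
    k1 = _mod11(d, K1_WEIGHTS)
    if k1 == 10:
        return None
    k2 = _mod11(d + [k1], K2_WEIGHTS)
    if k2 == 10:
        return None
    return k1, k2


def is_valid(pnr):
    """True if the 11-digit string carries correct check digits."""
    if len(pnr) != 11 or not pnr.isdigit():
        return False
    cd = check_digits(pnr[:9])
    return cd is not None and pnr[9:] == f"{cd[0]}{cd[1]}"


def candidates(ddmmyy, born_after_2000, male):
    """Every well-formed number for this birth date and sex, in order.

    Uses the comment's simplified rule for the III range; the real century
    encoding has more cases, which only narrows the list further.
    """
    lo, hi = (500, 1000) if born_after_2000 else (0, 500)
    parity = 1 if male else 0
    out = []
    for iii in range(lo, hi):
        if iii % 2 != parity:
            continue
        cd = check_digits(f"{ddmmyy}{iii:03d}")
        if cd is not None:
            out.append(f"{ddmmyy}{iii:03d}{cd[0]}{cd[1]}")
    return out


if __name__ == "__main__":
    # Constructed input: a male born on 01.01.01, treated as pre-2000.
    lst = candidates("010101", born_after_2000=False, male=True)
    print(len(lst), "candidates, e.g.", lst[:3])
```

Any system that accepts a person-number as proof of identity is therefore accepting a secret drawn from a space of roughly two hundred values once the date of birth and sex are known, which is the same "shared secret that is not secret" failure the rest of the thread describes for the SSN.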

  • Re:In other words (Score:3, Interesting)

    by Shakrai ( 717556 ) on Monday July 06, 2009 @08:30PM (#28602073) Journal

    Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.

    Actually the majority of modern PACER filings redact the SSN. I looked up my bankruptcy case once upon a time and it was redacted in full on the various documents that were available. Some of the older filings leave them exposed though. Remember Mike Tyson? Looked up his Chapter 11 case awhile ago. His SSN is 089-56-9372. Thank you public record!

  • by grandpa-geek ( 981017 ) on Monday July 06, 2009 @08:30PM (#28602075)

    Change a digit or transpose digits in an SSN and you most likely will transform it into another valid SSN.

    The SSN numbering system was developed in the mid 1930's. The modern mathematics of error control were published by Shannon after World War II. (His work on error control was related to work on cryptography.) By "modern" mathematics, I refer to the fact that there was some understanding of error control in old telegraph systems, but it wasn't developed systematically.

    Credit cards have check digits that will catch some common errors in data entry. Computer and communications technology use error control in many ways. SSN's are still back in the 1930's.

    Perhaps it is time to modernize them by at least adding check digits. Also, the prohibition against using them as personal identifiers should be strengthened and enforced.
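
The comment's two claims can be measured directly: a 9-digit SSN carries no redundancy, so nearly every keying error produces another well-formed SSN, whereas a Luhn (mod 10) check digit of the kind payment cards carry catches every single-digit error and every adjacent transposition except 09<->90. The following is an added example, not code from the poster. The "well-formed SSN" predicate uses only the structural rules the SSA publishes (no area 000/666/900+, no group 00, no serial 0000), and the SSN value in the demo is constructed, not real.

```python
"""Measure how many common keying errors a validator catches, for a bare
9-digit SSN versus the same base with a Luhn check digit appended."""


def luhn_check_digit(base):
    """Luhn check digit for a string of digits (it becomes the last digit)."""
    total = 0
    # Walk from the right; the rightmost base digit is doubled because the
    # check digit will sit to its right.
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """True if the last digit is the Luhn check digit of the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def ssn_well_formed(ssn):
    """Structural validity of a 9-digit SSN (there is no check digit)."""
    if len(ssn) != 9 or not ssn.isdigit():
        return False
    area, group, serial = ssn[:3], ssn[3:5], ssn[5:]
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")


def single_digit_errors(number):
    """All strings that differ from `number` in exactly one digit."""
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                yield number[:i] + d + number[i + 1:]


def adjacent_transpositions(number):
    """All strings obtained by swapping two adjacent, unequal digits."""
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            yield number[:i] + number[i + 1] + number[i] + number[i + 2:]


def detection_rate(mutants, is_valid):
    """(caught, total): how many corrupted values the validator rejects."""
    mutants = list(mutants)
    caught = sum(1 for m in mutants if not is_valid(m))
    return caught, len(mutants)


if __name__ == "__main__":
    ssn = "123456789"                                # constructed, not real
    with_check = ssn + str(luhn_check_digit(ssn))    # -> "1234567897"
    for name, value, validator in (("SSN", ssn, ssn_well_formed),
                                   ("SSN+Luhn", with_check, luhn_valid)):
        print(name, "single-digit errors caught:",
              detection_rate(single_digit_errors(value), validator))
        print(name, "adjacent swaps caught:",
              detection_rate(adjacent_transpositions(value), validator))
```

The caveat a practitioner should keep in mind is the one the Norwegian example in this thread illustrates: a check digit is an integrity control against accidental corruption, not a secrecy control. It does nothing against a deliberate guesser, who simply computes the check digit for each candidate.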

  • Re:good thing (Score:4, Interesting)

    by zippthorne ( 748122 ) on Monday July 06, 2009 @08:44PM (#28602227) Journal

    Incredibly unlikely?? It's one in freaking three. 999999999 means only 1,000 million possible numbers, if the geographic coding didn't exist and the group coding didn't remove many numbers from the available number space, making things much, much worse. For a population of 300 million...

    By my count, if there is no checking, the probability of collisions is incredibly high.

  • by call -151 ( 230520 ) * on Monday July 06, 2009 @08:48PM (#28602273) Homepage

    Here [nsf.gov] is their grant and proposal abstract from the NSF. It sounds like they did exactly what they'd proposed to do; not every grant meets that metric! Theirs is a 3-year grant for a total of $386,927.

    There was a cute line in their FAQs:

    Q. Were the tests IRB approved?

    Yes, they were approved. No SSNs were harmed during the writing of this paper.

  • Re:Hardly news (Score:4, Interesting)

    by interkin3tic ( 1469267 ) on Monday July 06, 2009 @08:58PM (#28602365)

    Not news to anyone who knows how SSN assignment works.

    Yes it is. Knowing it's theoretically possible to figure it out is one thing. Someone actually demonstrating it can be done with high success rate is another. And it's news that matters because maybe this will force some change on the issue, dispels the illusion that it's a super secret identifying code that only you and X large organization knows. ...and maybe there will be a pony waiting for me at home...

  • Re:Duh (Score:4, Interesting)

    For example, when they say they want to use GPS only to track your miles, get it in writing.

    Screw that. Get SOMETHING BETTER.

    I'm all for automatic tracking of speeding -- IF we get 100% enforcement, no exceptions. If you're not an emergency vehicle WITH LIGHTS ON, you (personally) get a fine.

    I'm all for the Feds having a national ID -- so long as I can query a list of everyone who looks up my info. Forever.

  • Re:Duh (Score:3, Interesting)

    by daath93 ( 1356187 ) on Monday July 06, 2009 @10:17PM (#28602927)
    Tax Reform Act of 1976 (P.L. 94-455) included the following amendments to the Social Security Act:

    * To allow use by the States of the SSN in the administration of any tax, general public assistance, driver's license or motor vehicle registration law within their jurisdiction and to authorize the States to require individuals affected by such laws to furnish their SSNs to the States;
    * To make misuse of the SSN for any purpose a violation of the Social Security Act;
    * To make, under federal law, unlawful disclosure or compelling disclosure of the SSN of any person a felony, punishable by fine and/or imprisonment.
    * To amend section 6109 of the Internal Revenue Code to provide that the SSN be used as the tax identification number (TIN) for all tax purposes. While the Treasury Department had been using the SSN as the TIN by regulation since 1962, this law codified that requirement.

    Social Security Number Chronology [ssa.gov]
  • Re:Duh (Score:3, Interesting)

    by jackbird ( 721605 ) on Monday July 06, 2009 @10:33PM (#28603067)
    Currently, all 50 States participate in the program, as well as New York City, Washington, D.C., and Puerto Rico.

    Does New York City have a unique political status of which I am unaware? I imagine that if the state of New York does something, it's reasonable to expect the city does, too. Except, perhaps, vote for republicans.
  • Re:Duh (Score:2, Interesting)

    by Anonymous Coward on Monday July 06, 2009 @10:46PM (#28603189)

    Indeed. I was completely blown away when I moved to IL a couple of years ago and was told that my previous driver's license was insufficient identification to get a new license, but my little paper SSN card _was_. Insane.

  • by Martin Blank ( 154261 ) on Monday July 06, 2009 @10:50PM (#28603219) Homepage Journal

    I was loosely in favor of RealID until states began to protest and revolt. At that point, I became an opponent of it purely for the purpose of seeing the states get some sense of federalism back into the system. I value that far more than I value any of the suggested benefits of RealID.

  • by mwilliamson ( 672411 ) on Monday July 06, 2009 @11:19PM (#28603461) Homepage Journal

    Anybody or organization using an SSN as both an identifier and a form of authentication is stupid, irresponsible and should be held accountable 100% for breach of whatever resource they control. The problem is in the "shared secret" type use of a damn 9-digit number, with a few of the digits already known based on state of birth.

    Want a list of ssn's for every state? Here's all of them. [aggiegeeks.com] Have fun.

    -Michael

  • Re:Duh (Score:1, Interesting)

    by Anonymous Coward on Monday July 06, 2009 @11:39PM (#28603641)

    1987: SSA initiated a demonstration project on August 17 in the State of New Mexico enabling parents to obtain Social Security numbers for their newborn infants automatically when the infant's birth was registered by the State. The program was expanded nationwide in 1989. Currently, all 50 States participate in the program, as well as New York City, Washington, D.C., and Puerto Rico.

    I'm posting this anonymously because I'm about to reveal information about my self that might enable the theft of either my identity or members of my immediate family.

    My mother got SSNs for all of her kids at the same time, so my siblings and I have consecutive numbers. This was before computer networks, so the numbers were pre-printed on the forms. Since the clerk counted out the forms one at a time, the eldest child got the largest number and the youngest, the smallest.

    My oldest kids were born before 1989, and I deliberately delayed getting them registered; when they did get registered, it was in a city where we'd never lived. By then, the Social Security Administration didn't assign your number until the form was entered into the computer. As a result, their numbers aren't consecutive, but they are pretty close to each other. My youngest kids were born overseas and didn't get SSNs until the April after we were back in the US. That leaves the kids who were born in a US hospital and had an SSN before going home. They are at risk for this attack and will have to be warned to conceal their date and location of birth.

  • Re:good thing (Score:4, Interesting)

    by fooslacker ( 961470 ) on Tuesday July 07, 2009 @12:19AM (#28603905)
    Mycroft is correct in that they aren't guaranteed unique. In fact I once met a corporate trainer who was issued the SSN of a dead guy by the government. The guy had been dead only two or three years and it was a complete mess for credit etc. The big problem was that there isn't really a way to deal with this and the government tells you it is your responsibility to resolve any issues it causes and that they are not responsible for helping you.
  • by blindseer ( 891256 ) <blindseer@@@earthlink...net> on Tuesday July 07, 2009 @01:39AM (#28604295)

    In order to obtain a driver's license you must provide an Individual Tax Identification Number. Non-resident aliens obtain an ITIN from the IRS; for resident aliens and citizens the ITIN is the SSN.

    No, you are not required to provide your SSN to obtain a non-commercial drivers license. You did not need to provide an ITIN either. My drivers license contains neither of these numbers and, IIRC, I never provided it to the DMV. I took a look at the Social Security Administration website and it states that one is not required to provide a SSN for a non-commercial driver license. To obtain a commercial driver license one is required to provide their SSN, but not non-commercial.
