
How Face Recognition Can Uncover SSNs 103

Posted by CmdrTaco
from the oh-thats-just-fine dept.
nonprofiteer writes "Building on previous work showing that social security numbers are not random, CMU researchers ran experiments in which they predicted students' social security numbers after taking a photo of them with a cheap webcam. Using off-the-shelf facial recognition technology and data-mining publicly available Facebook photos and profile information, they were able to come up with the social security numbers of several of the students. (More impressive, as they note that 60% of the students were foreign, and had no SSNs, leaving them a pool of less than 50)."

  • by Dunbal (464142) * on Monday August 01, 2011 @10:47AM (#36948302)
    Has nothing to do with nuclear submarines.
  • by alphatel (1450715) * on Monday August 01, 2011 @10:48AM (#36948314)
    90% of Americans don't care if you know anything and everything about them, are invading their privacy, tracking their behavior or identifying their SSids. They latch onto kitsch phrases like "The government owns Facebook" but they don't really understand what their personal and private freedoms are worth.
    • by MacTO (1161105) on Monday August 01, 2011 @11:10AM (#36948606)

      Life lesson: those who fear that they will lose their freedom if they lose their privacy are usually so busy defending their privacy that they do not have freedom.

      Here's the thing. There's maintaining your privacy, then there's shutting yourself out of the world because you're trying to protect a part of your privacy that isn't very defendable. To some people, having a Facebook profile is like walking on a public street. People on the street know what their name is and know what they look like. Protecting the privacy of their name and likeness would be cutting them off socially. In a very real sense, that sort of privacy would be a loss of their freedom.

      You may draw the line somewhere else. I know that I do. But, for some people, they just wouldn't be free if they had to worry about a stranger knowing their name and face or even some of their habits.

      As for the SSN thing, the government is to blame for not assigning numbers properly. The numbers themselves aren't necessarily a problem.

      • by SQLGuru (980662) on Monday August 01, 2011 @11:22AM (#36948746) Journal

        Actually, it's the fault of the banking industry for commandeering a government number for a purpose other than what it was intended. An SSN was not supposed to be a unique identifier for anyone other than Uncle Sam as they go to collect Social Security tax money and then pay it back out.

        • by MacTO (1161105)

          The thing is, our economic growth is based upon credit. (Perhaps too easy credit, but we still need it.) Handing out credit requires some way of knowing who you're giving it to, otherwise the system is easy to cheat. Now SSNs may not have been the perfect solution since it was designed for something else, but it was readily and almost universally available.

          • by TheRaven64 (641858) on Monday August 01, 2011 @12:20PM (#36949488) Journal
            The problem is not using the SSN as a unique identifier (well, that's not the only problem - the fact that they're not actually globally unique makes that a bit of a problem too), it's using SSNs as proof of identity. Banks tend to assume that if you know someone's SSN, then you are that person, in spite of the fact that the SSN is public information. It's like designing a system where you can log in with a username and no password - and usernames are prepended to every message.
            • Oh, like email?
              • by Arlet (29997)

                In what way is e-mail used as proof of identity?

                • In what way is e-mail used as proof of identity?

                  For most business correspondence in the modern world. Not formally, but in decision-making, for example.

            • by PatHMV (701344) <post@patrickmartin.com> on Monday August 01, 2011 @03:38PM (#36952158) Homepage

              Mod parent up. TFA says: "the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth."

              We should read that as sounding as absurd as: "the phone numbering system has a huge security flaw -- phone numbers are discoverable if you know a person's name." This was NOT a design flaw. Nobody, as best I can tell, ever thought, when designing the system, that an SSN should be treated like a PIN, a number known only to the individual, where knowledge of the PIN is considered strong evidence of the identity of the person.

              The single best thing which could be done for security at this point is to publish a nation-wide database of all SSNs matched with the names registered to those SSNs, to totally destroy the idea that SSNs should be "secret" identifiers.

              The SSN exists to establish that we're identifying the John Doe who was born to Jim and Jane Doe on January 1, 1972 in Madison, Wisconsin, rather than the John Doe who was born on January 8, 1963 in New York City, or the John Doe who was born to Bill and Joan Doe on January 1, 1972 in Madison Wisconsin. It is an identifier, not a PIN.

              I'd like a good class action lawyer to consider a nice lawsuit against any creditor who acts on the assumption that somebody who knows a person's SSN must be that person, or authorized by that person to take action on their behalf.

        • by arth1 (260657)

          More to the point, it was meant as a unique key, not as a secret.

          Other countries have similar systems where the number is public information, like your name, but unlike your name guaranteed to be unique. Much like a Dun & Bradstreet number for people.

          And yes, that makes a lot of sense for indices. But to believe it in any way can or should be used for authentication is brain dead.

        • by Arlet (29997)

          There's nothing wrong with using a SSN as an identification. The problem is when you use it as authentication.

          • by Obfuscant (592200) on Monday August 01, 2011 @12:35PM (#36949726)

            There's nothing wrong with using a SSN as an identification.

            Other than the fact that my Social Security Card says quite clearly on the front "not to be used for identification", you would be right. Maybe.

            • by cvtan (752695)
              Amazingly, mine says the same thing! Trying to use that bit of information to avoid giving out your number is never taken seriously though.
            • by Arlet (29997)

              Aside from the assertion on the card, why do you think it would be bad?

              • by Obfuscant (592200)

                Aside from the assertion on the card, why do you think it would be bad?

                I think the promise of the government not to do something when they are trying to get rid of objections to that process should be sufficient to make it a bad idea on its face.

                Beyond that, we're into a discussion of the idea of a national ID card, which is arguably bad, and not an argument I want to get into today.

                • by Arlet (29997)

                  Businesses need to have a unique way to identify their clients.

                  Using a unique number as identification is no different than using a combination of name, birthday, and some other properties, except that the number is much more convenient.

                  Silly irrational reasons aside, of course.

                  • by Obfuscant (592200)

                    Businesses need to have a unique way to identify their clients.

                    So, I see you want to argue a national ID system. Ok.

                    • Businesses are not the US Government.
                    • Every business I have dealt with has been able to create a unique account number of their own for me.

                    I could go on, but that sufficiently deals with the "Businesses need..." argument.

                    Using a unique number as identification is no different than using a combination of name, birthday, and some other properties, except that the number is much more convenient.

                    Other than the fact that the government did not issue me my name, birthday, or "some other properties", you've forgotten that a "state issued number" which lacks any reference to name, gender, height, weight, color of hair, birthdate, pl

                    • by fatphil (181876)
                      > > Businesses need to have a unique way to identify their clients.

                      A better counter to the intended claim would be to support the above claim. Businesses should have a unique way to identify their clients, it should not be a copy of someone else's (the govt's) way.
            • by DavidTC (10147)

              You're using the same word in different ways. 'identify' can mean 'reference' or it can mean 'authenticate'.

              Your social security is, indeed, used to identify you. As in, it is as a reference, instead of a name, which is not unique. It is a unique 'identifier', that is the entire purpose of it. It is an identifier in the same way that a GPS coordinate is.

              What is printed on your social security card is using the word 'identify' to mean 'authentication'. Knowledge of a social security number does not demo

            • There's nothing wrong with using a SSN as an identification. [The problem is when you use it as authentication.]

              Other than the fact that my Social Security Card says quite clearly on the front "not to be used for identification", you would be right. Maybe.

              [brackets in quote from GP are material from GP which was not quoted in parent, but is very relevant]

              (1) An SSN is not the same thing as the card,
              (2) The sense in which GP uses "authentication" is the sense in which the card uses "identification", that is

      • by psiden (1071350)
        "having a Facebook profile is like walking on a public street" [shouting your name out loud and pushing your ID up everyone's face]
      • People on the street know what their name is

        Uh, no they don't. How would they?

        • by Ritchie70 (860516)

          Nobody from a small-town or a friendly neighborhood would ask this....

          • You're right, I'm from neither. But even if you are, only a handful or two of people know your name, not the entire world, so it's nothing like having a public profile page with your name on the Internet, which is accessible by all.

    • by boristdog (133725)

      This is the same problem with the TSA: 75% of Americans only fly about once every 5 to 10 years. So they don't care about the groping. In fact, most haven't even been to an airport since the groping started.

      • by gknoy (899301)

        It makes you wonder how long it will be before the TSA has groped enough people to have pissed everyone off (or enough people to get policy changed).

        • by PRMan (959735)
          It already has. The scanners have been adjusted for radiation levels and now they don't show you naked but show a cartoon instead. At this point, I would have no objection to the scanner.
          • by Anonymous Coward

            I still do. It's an almost useless waste of time, money, and resources. About all we needed was more secure doors for the cockpits and increased public awareness. The TSA is nothing more than security theater to me (even if they aren't violating everyone's privacy, but they currently still are).

          • by treeves (963993)

            The scanners have been adjusted for radiation levels

            Oh, really? How did they do that?
            The showing a "cartoon" software change has been done to SOME scanners, not all, AFAIK.

      • by zachdms (265636)

        Just flew this weekend and made sure to ask for a groping so I knew how it went. Wasn't that bad.

        The larger question of whether they should be doing it at all definitely remains, though.

  • Bad writeup (Score:5, Informative)

    by jandrese (485) <kensama@vt.edu> on Monday August 01, 2011 @10:55AM (#36948402) Homepage Journal
    The writeup made it sound like you could look at a crappy snapshot of a person and magically discover their SSN. What actually happened is that they trolled the Facebook profiles for their hometown and date of birth to discover the SSNs, the webcam was just to match up the person sitting at a terminal currently with their Facebook profile. The story is basically: Off the shelf facial recognition software seems to work pretty good, even with a crappy webcam.
  • by Haedrian (1676506) on Monday August 01, 2011 @10:56AM (#36948420)

    I find this article title to be silly.

    What they do is use facial recognition to match people to their Facebook profile, then use the details stored there to obtain the SSN.

    Up next:

    - How names and surnames can Uncover SSN
    - How giving people your email address can Uncover SSN.
    - How running a facebook search can Uncover SSN

    • Re:Roundabout... (Score:5, Insightful)

      by Jahava (946858) on Monday August 01, 2011 @01:55PM (#36950754)

      I find this article title to be silly.

      What they do is use facial recognition to match people to their Facebook profile, then use the details stored there to obtain the SSN.

      Up next:

      - How names and surnames can Uncover SSN
      - How giving people your email address can Uncover SSN.
      - How running a facebook search can Uncover SSN

      Researchers demonstrated a clearly fatal flaw in SSNs. They have shown beyond a shadow of a doubt that the current SSN system is unsuitable for usage. They did this years ago ... and nothing has changed. It's not a political talking point. There's no proposed solution sweeping in to correct the problem. SSNs still are the gateway to every American's private information, and there's no sign that this will stop being the case, despite clearly-fatal flaws.

      I welcome anything that makes this scary enough for people to demand that SSNs be immediately deprecated. This article is just the same researchers shouting louder, but the system does need to change.

      • That's because the only workable solution is to replace the SSN with another government issued ID - Real ID. And that went over like a lead balloon in a lot of places, as people tend to freak out when you explicitly tell them that they will be issued a unique ID number. If it's an SSN people don't freak out because they've had it since birth and accept it as a normal part of life.

  • by Anonymous Coward

    The algorithm found out people's hometowns and dates of birth, and used it to determine the first 5 digits of the SSN (not the scarier last 4 digits).

    • by Zerth (26112)

      The same 4 digits that Universities regularly post on the walls of lecture halls because they don't want to post your grade next to your name?

  • The reviewer, unsurprisingly, left off (or didn't emphasize) a quite important part of the study. Still it's pretty neat. From TFA: "At the head of the research team was Alessandro Acquisti, a CMU professor who pointed out in 2009 that the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth [emphasis mine] . This study essentially adds a facial recognition component to that study. Acquisti, Ralph Gro
    • FTA: "The researchers sent a follow-up survey to their student participants asking them whether the first five digits of the social security number their algorithm predicted was correct. "

      SS numbers are 9 digits long. Matching the first 5 digits isn't matching 9 digits. The first 3 are associated with place, the second 2 are fairly predictable based on when the SSN was issued, but the last 4 are just assigned sequentially [ssa.gov]. Also, there is no requirement to get an SSN shortly after birth [ssa.gov], so SSNs aren't even
      • by SQLGuru (980662)

        I have a twin. We were (obviously) born in the same place at roughly the same time (three minutes apart). The first five digits of our SSNs differ.....I'll leave it as an exercise for the reader to determine by how much.

        Just saying.

        • But you probably didn't have numbers assigned at roughly the same time. Either applications were sent at different times or they were processed in different piles on different desks in different offices.
          • by SQLGuru (980662)

            My point was that knowing my hometown (place of birth) and birthdate wasn't sufficient to distinguish the first five digits of my SSN given that I have an example of a person with the same place of birth and same birth date (my twin). It's a counter example to the hypothesis that knowing those two bits of information gives you the first 5 digits.

            You've added another variable which cannot be gleaned from FB (as far as I know).....that variable is one of a) assignment date, b) application date, or c) pile the

            • What I'm reading from this is that as an individual you'll probably get lost in the crowd, but for someone using this technique they'll be able to get SSNs from a significant proportion of the people they look at. So I'm sleeping at night by thinking attack vectors are possible, but they probably won't hit me.

        • I have triplets. Two of the SSNs are sequential. The third is the second +5.
    • by arth1 (260657)

      the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth

      That's not a security flaw - that's a good thing. As long as the SSN is used as intended - as a unique key - everything that makes it easier to find that key is good.
      The flaw is trying to use that key for authentication.

  • Which makes sense, since you couldn't more than guess at the last 4 no matter how much info you have.

    Is it really an issue that people can use a webcam to make up a number which shares 5 digits with my SSN?

  • Finding SSNs by using facial recognition software is just one use of this; more important is that facial recognition can be used to search for people and find who they are. Sure, SSN is part of that data, but it looks like the more important part here is connecting the face to the name and location.

  • by Anonymous Coward

    first thought: "... how could the government know what your face will look like when they give you your ssn?"

    The real headline should be: "Access to your Facebook Profile can uncover your SSN"
    First line: "Oh btw, you can figure out whose facebook profile to troll by using facial recognition."

  • by vlm (69642) on Monday August 01, 2011 @11:10AM (#36948602)

    Finally, the third experiment was the one to link faces to their unique nine digits

    For those participants who had date of birth and city publicly available on their account, the researchers could predict a social security number (based on the work from their 2009 study). The researchers sent a follow-up survey to their student participants asking them whether the first five digits of the social security number their algorithm predicted was correct.

    I'm missing a little something here.

    Until recently, the first five digits were, by definition, based on state/city and birthdate. Ask a genealogist or anyone interested in "private eye" stuff from the past couple decades... they probably have a table you can look up the first five vs location. The first three were strictly based on state; I was born in WI in the 70s; We all have the same first 3. The next two were issued more or less by city/hospital. So everyone born in the same hospital, pretty much for that year, has the same first five. At most, they had a rather shallow pool of a couple to draw from. Why they needed a study in 2009 to "discover" something that has been in endless publications is a mystery. It's like saying we need a "study" to "discover" how to fill out an IRS 1040 form based on neural network analysis of a statistical sample of tax returns, or we could just RTFM or RTF govt publication explaining in great detail what the answer already is.

    You don't even need a statistical sample study. Just pull the SSDI and chug away. Social Security Death Index. Notice anything interesting about the publicly available SSNs for people born in Milwaukee in the mid 70s who are already dead? You have to wonder about old people, if the only person left alive from my Grandma's birthplace/birthyear is granny, and all SSNs for that year and hospital are in the SSDI except for the one ending in 1234, and she's the only one left alive, hmm, I wonder what granny's SSN might be? The point being that the "secret" is by no means 4 digits long = 1 out of 1e4. It's more like 1 out of (1e4 minus the number of dead people per the SSDI). I would imagine some entire swaths of the SSN namespace are dead people in the SSDI, except for the few elderly still living.

    The other mystery is all they verified was the "public" half of the SSN. The "private" 4 digits was not verified. So, they've accomplished ... nothing.

  • by Anonymous Coward

    The article says they used a $35 webcam. Imagine what they could have done if they had a $100 webcam! That would be almost 3 times the facial recognition and 3 times the SSN cracking! Oh noes! Don't give them any more funding! -www.awkwardengineer.com [awkwardengineer.com]

  • "The researchers sent a follow-up survey to their student participants asking them whether the first five digits of the social security number their algorithm predicted was correct."

    No word on how well they did, either.

    From the Schneier Study: "Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that fo
    • by Ritchie70 (860516)

      And in fact, if I recall correctly, they are moving away from the old method with newly issued numbers.

      It's not the birthdate that matters as much as the date of SSN issue though. For those of us the age of college students' parents, we weren't issued numbers at birth.

      My sister, three years younger, and I both got ours at the same time. They differ by the last two digits.

  • The problem is not our inability to keep SSN confidential. The problem is banks and credit card companies are willing to lend without any checks. They fight tooth and nail any law that will give me the ability to "freeze" my credit lines. They prevent me from taking any steps that will make it more difficult for the identity thieves to impersonate me. Then they come dunning for the money they "lost" and they come begging for bail outs.

    As long as the Republicans are in the pockets of these banks and fight

  • Hate to intrude with an original thought. We have fairly strict libel laws to prevent slathering misinformation about a person hither and yon, whether the SOB deserves it or not.

    Linking vast swathes of electronic records together of dubious provenance, accuracy, and agenda is in many ways worse than public slander: it only takes place in closed rooms behind your back with your immediate financial interests at stake, it's hard or impossible to prove this is going on, and recourse under the law heavily favo

  • did they use to get past all the duckface and tongue hanging out pictures?
  • by Nyder (754090)

    First off, hometown don't mean shit.

    I didn't get assigned my SSN in my hometown, i was across the country at the time.

    In fact, i've had local pigs claim i was giving them a fake SSN back when i would get hassled more (when i was a junkie).

    Of course, the average IQ of the local police is like 12 or something.

    But whatever.

    The other weird part is, most peeps I grew up with, don't live here anymore. So once again, what does hometown have to do with shit?
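
Several commenters above separate using an SSN as an identifier (a lookup key) from using it as an authenticator (proof that you are the person). The sketch below is an added example, not part of the original thread, showing both patterns side by side; the `CreditDesk` class, its method names, the lockout threshold and the sample data are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3          # assumed lockout threshold for this sketch
PBKDF2_ROUNDS = 100_000   # assumed work factor for this sketch


def derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted verifier so the stored value is not the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class CreditDesk:
    """Hypothetical creditor front desk; all names here are illustrative."""

    def __init__(self):
        self.accounts = {}  # SSN -> record: the SSN is only the lookup key

    def enroll(self, ssn: str, name: str, secret: str) -> None:
        salt = os.urandom(16)
        self.accounts[ssn] = {"name": name, "salt": salt,
                              "verifier": derive(secret, salt), "failures": 0}

    def approve_weak(self, ssn: str) -> bool:
        # Pattern criticised in the thread: knowing the number counts as
        # being the person, i.e. a username with no password.
        return ssn in self.accounts

    def approve_strong(self, ssn: str, secret: str) -> bool:
        # The SSN selects the record (identification) ...
        rec = self.accounts.get(ssn)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False
        # ... and a separate secret proves the claim (authentication).
        ok = hmac.compare_digest(derive(secret, rec["salt"]), rec["verifier"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


def demo() -> dict:
    desk = CreditDesk()
    # Constructed sample data; 000-00-0000 is not an issuable SSN.
    ssn, secret = "000-00-0000", "constructed-sample-passphrase"
    desk.enroll(ssn, "John Doe", secret)
    results = {
        "weak_ssn_only": desk.approve_weak(ssn),
        "strong_ssn_only": desk.approve_strong(ssn, ""),
        "strong_owner": desk.approve_strong(ssn, secret),
    }
    # Guessing is bounded: after MAX_FAILURES misses the record locks.
    for guess in ("guess-1", "guess-2", "guess-3"):
        desk.approve_strong(ssn, guess)
    results["after_lockout"] = desk.approve_strong(ssn, secret)
    return results


if __name__ == "__main__":
    print(demo())
```

With the weak check, a predicted or published SSN is enough to be approved; with the strong check the same number only selects the record, so it can be public without consequence.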
