Social Security Numbers Can Be Guessed 268
BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
good thing (Score:5, Funny)
Re:good thing (Score:5, Insightful)
Re:good thing (Score:5, Interesting)
Re:good thing (Score:4, Interesting)
The combination of name and number is supposed to be unique(by being so incredibly unlikely), but the generating process makes no attempt to see if a number is already in use by anyone else.
Mycroft
Re:good thing (Score:4, Interesting)
Incredibly unlikely?? It's one in freaking three. 999999999 means only 1,000 million possible numbers, if the geographic coding didn't exist and the group coding didn't remove many numbers from the available number space, making things much, much worse. For a population of 300 million...
By my count, if there is no checking, the probability of collisions is incredibly high.
Re:good thing (Score:4, Informative)
There are (roughly) 3x as many SSNs as living US citizens. Add in some dead folks, account for holes in the numbering system, and let's call it 2x.
If the numbers were assigned at random, I think there would be roughly a 60% (intuition, pardon my laziness) chance that someone else shared your SSN. The claim is that it is "incredibly unlikely" that that person (or one of those people, in the increasingly unlikely situations of multiple collisions) who shares your SSN *ALSO* shares your name.
For a randomly selected person, I agree. However, I expect there are specific counterexamples (remember, 1-in-a-billion things happen to 6 people on Earth every day). There are 50k John Smith in the USA, out of 300M people. 30k of them have SSN collisions with a random other person. There is a ~1/1000 chance that two of them collide with each other. I don't think that 1/1000 is "incredibly unlikely"... I also think you probably aren't named John Smith :)
Re: (Score:2, Informative)
Incredibly unlikely?? It's one in freaking three. 999999999 means only 1,000 million possible numbers, if the geographic coding didn't exist and the group coding didn't remove many numbers from the available number space, making things much, much worse. For a population of 300 million...
By my count, if there is no checking, the probability of collisions is incredibly high.
Mycroft was referring to "the combination of name and number", not the number by itself. It would be rather unlikely to have the same name b>and the same number. Additionally, they do check for collisions (or at least try to). They don't just throw the dice and give it to you, come what may; they give out numbers with the expectation it that it has never been used before. It is intended to be a unique key, not only a hash to be used in conjunction with one's name... however, it is fast becoming that w
Re:good thing (Score:4, Interesting)
Re: (Score:3, Informative)
The problem is that it is illegal/unlawful to use the SSN for anything but Social Security. It is NOT supposed to be used as an identity source for everything else. This is just one of those citizen protection laws that have been casually ignored by everyone. I always get strange looks and confusion when I cite the law and even show it to people.
http://www.faqs.org/faqs/privacy/ssn-faq/ [faqs.org] http://www.glr.com/govt/privacy/ssnuse2.html -- this exposes some of the problems in that many common uses are not requ
Re: (Score:3, Informative)
I should have been more clear. It is unlawful in the sense that the intent of the social security act of 1975 was to work against or otherwise discourage the use (mostly by government) of the SSN for purposes other than Social Security. Commercial activities are getting a big exemption on this because it is considered voluntary. (It's not really voluntary any longer as to lead a "normal" life, one needs to maintain that damned number and so there have been recent attempts to reign in the use of the SSN t
Re: (Score:3, Insightful)
Are they actually used as a security device by people? Why do Americans think that SSNs should be somehow secret? What difference does it make if someone knows your SSN without knowing your other details?
The equivalent of SSN in other countries (e.g. the National Insurance number in the UK, DNI in Spain, etc) are not secret in any way, and it causes no problems whatsoever.
Really, if a company is stupid enough to just use your SSN to identify you, with no further checks, they deserve to be defrauded, and cer
Re: (Score:2)
The last 4 digits, or your account pin.
I haven't encountered a company that won't let you change you pin from the default (the last 4 digits of your SSN) to one of your choosing.
No, if you forget your account pin, they'll probably just have you verify your identity with the last four digits of your SSN...
But it at least keeps yous SSN off of your statements, away from the ears of eavesdroppers, etc.
Re: (Score:2)
Consider that simply knowing what credit card you have (and from what bank, etc.) can often nail anywhere from the first 1 to 6 digits (depending on details), plus one receipt holding the last 4 digits, covers more than half the number leaving 6 unknown. The final digit reduces the possibilities by roughly 90%.
Re: (Score:2)
Re: (Score:2)
Why SSNs were used as security devices is beyond me, though I am guessing the fact that "everyone already has one!" was a big part of it.
Having once worked in the sales realm of the cellular phone industry, I've encountered people with several!
Tax ID number (Score:2)
When I was unfortunately and temporarily employed by AT&T Wireless, some people activated phones using Tax ID or EIN numbers.
"Sorry, that one's no good."
"OK, well, try this one.."
"Nope."
"OK, then try..."
"Hey! It liked that one! Enjoy your new, shadily acquired telecommunications device"
Same digits, different format. Multiple lookups on the backend?
Re: (Score:3, Informative)
Well the thing is the article itself is a bit misleading. It didn't take a study to find that you can predict the first 5 digits with 44% accuracy -- it was already a known factor. In fact, the less populous a state, the more likely they are to get it right. In smaller states (population-wise) such as the Dakotas, there may only be one prefix assigned to the state and with the second set of numbers being sequential, that 44% accuracy goes up very close to 100%. This is why the government has always told
Re:good thing (Score:5, Informative)
Re: (Score:2, Insightful)
Let me see, the FIRST 5 can be guessed by knowing place and date of birht and the LAST 4 can be overheard or read form paychecks etc.
Gee I think that gives out the whole err 5+4 = 9(!) digits doesn't it?
Duh (Score:3, Insightful)
It was pretty obvious when my sister and I received sequential numbers.
Re:Duh (Score:5, Interesting)
If they were filed sequentially, and no other filing happened between your two records, they should.
Read up on SSN's.
The first 3 digits is the area (state) which it was issued, which does not necessarily match the state where the person was born.
The second 2 are a group number. These groups are given out in an odd order. Check the SSA site or wikipedia for the details on that.
The last 4 digits are a serial number.
If you know the state where it was issued (either their birth or residence state), and the group number assigned in the likely period when they received a number, then you pretty much have the first two parts of the SSN. I'm curious to how they calculated the last 4 digits.
I would suspect in 1989, they started automatically issuing SSN's at birth, which made the target much easier, if they had the birth month and year available. And yes, this does bring the number pool way down to 9,999 potential SSNs.
Someone like me, I was born in one state, but I was not issued a card until I lived in another state, and was a few years older. You can't base it on my birth date nor location. The best guess would be where I lived, but you can't narrow it down to month or year, because you don't know when it happened. Was I 2 months old, or 5 years old? Maybe I simply never got one until I was 16 and wanted a job. I knew people in school who didn't have one, which threw off some of the school's paperwork. :) Someone I knew didn't have one until he was 21, because he didn't have a birth certificate (born at home, no surviving witnesses other than his parents). He finally did get one, and then got his drivers license. :) They wouldn't issue his drivers license until he has a SSN.
They really should have never gone with SSN's as an identification. It's bad to have a serial number issued by the government. Really, any American isn't an American, we are our SSN, and the name associated with it is an arbitrary value.
Re:Duh (Score:5, Interesting)
The cards have changed over the years, but mine specifically states:
"For social security and tax purposes -- not for identification"
What were the steps that led down the slippery slope of using them for identification?
Re:Duh (Score:5, Interesting)
Yes... in fact, when they were first suggest, people had many objections (including religious reasons) to not want to be "numbered."
The federal government swore that the only use would be for social security, and nothing else.
So, anything else they promise, GET IT WRITING. When they pass a law, and you say "yeah, but it's so loosely worded that you can use it for [i]this other thing[/i]," and they say "but we won't," get it in writing.
For example, when they say they want to use GPS only to track your miles, get it in writing.
Re:Duh (Score:4, Interesting)
For example, when they say they want to use GPS only to track your miles, get it in writing.
Screw that. Get SOMETHING BETTER.
I'm all for automatic tracking of speeding -- IF we get 100% enforcement, no exceptions. If you're not an emergency vehicle WITH LIGHTS ON, you (personally) get a fine.
I'm all for the Feds having a national ID -- so long as I can query a list of everyone who looks up my info. Forever.
Re: (Score:3, Insightful)
It was in writing; that's why "NOT FOR IDENTIFICATION" was on the cards. As with other well-known governmental entitites, they chose to change the agreement and inform complainers that they should be hopeful there would be no further changes. Whenever a law has potential for abuse, even if langua
Re:Duh (Score:5, Insightful)
Re: (Score:3, Informative)
Social Security "chose" nothing, its an elected congress that passes these rules.
That isn't entirely true. The Social Security Administration (as political appointees on the top tier, but this includes career civil employees as well) often does involve itself in legislative matters that involve that agency. This is true of all governmental bodies... just watch how crowded city hall gets when pay schedules for police or fire fighters is being discussed.
The point is that many of the changes to expand the scope and range of SSNs happened with not just the consultation of SSA employees, b
Re: (Score:3, Insightful)
"What were the steps that led down the slippery slope of using them for identification?"
The problem is not that the SSN is used for identification, with very few corner cases is guaranteed to be unique, so it's a good candidate. The problem is when it's used for *qualified* identification, and not the number but just knowing it. That's the mad part. Proper nouns have been used for ages as an identificative token: "Hi, Joe, this is my friend Mike" and there's no problem with that (given a much limited sco
Re: (Score:3, Interesting)
* To allow use by the States of the SSN in the administration of any tax, general public assistance, driver's license or motor vehicle registration law within their jurisdiction and to authorize the States to require individuals affected by such laws to furnish their SSNs to the States;
* To make misuse of the SSN for any purpose a violation of the Social Security Act;
* To make, under federal la
Re: (Score:2, Interesting)
Indeed. I was completely blown away when I moved to IL a couple of years ago and was told that my previous driver's license was insufficient identification to get a new license, but my little paper SSN card _was_. Insane.
Re: (Score:3, Insightful)
IIRC, around then the IRS started requiring you to submit the SSN's of minor dependents you were claiming as exemptions.
Re: (Score:3, Interesting)
Does New York City have a unique political status of which I am unaware? I imagine that if the state of New York does something, it's reasonable to expect the city does, too. Except, perhaps, vote for republicans.
drivers license (Re:Duh) (Score:2)
They wouldn't issue his drivers license until he has a SSN.
Was that so the SSN could be used as the driver license number?
Around here they stopped putting SSNs on the drivers license some time ago. It must have been fairly routine to do so since I recall that about five years ago one of the staff at the license station started to ask if I wanted my SSN removed from my drivers license only to stop herself once she looked at my license. I don't think I ever had my SSN on my driver license since, even at a young age, I realized the danger in linking those two databa
Re: (Score:3, Interesting)
I was loosely in favor of RealID until states began to protest and revolt. At that point, I became an opponent of it purely for the purpose of seeing the states get some sense of federalism back into the system. I value that far more than I value any of the suggested benefits of RealID.
Re: (Score:3, Interesting)
In order to obtain a Drivers license you must provide a Individual Tax Identification Number. Non-Resident aliens obtain an ITIN from the IRS, Resident aliens and citizens ITIN is the SSN.
No, you are not required to provide your SSN to obtain a non-commercial drivers license. You did not need to provide an ITIN either. My drivers license contains neither of these numbers and, IIRC, I never provided it to the DMV. I took a look at the Social Security Administration website and it states that one is not required to provide a SSN for a non-commercial driver license. To obtain a commercial driver license one is required to provide their SSN, but not non-commercial.
Re: (Score:3, Insightful)
What's worse is, companies usually use the SSN for identification AND authentication. It would be like me using "Cro Magnon" as my ID and password everywhere!
Re: (Score:2, Funny)
The Republicans knew they couldn't win, so they got together with "them" to put "him" in office.
The understanding is, that if anything really objectionable gets signed into law, it can later be nullified on the grounds that Obama wasn't really qualified to start with.
Come on, we all know this is leading up to an Illuminati like climax in a few decades, where someone, with the proper papers and legal claim, becomes the "legitimate" ruler of A
Re: (Score:2, Informative)
Naught (Score:5, Funny)
Naught Naught Naught Naught Naught Naught Naught Naught Two.
Damn Roosevelt!
Why guess? (Score:5, Insightful)
I could also see this technique being combined for some nasty phishing methods. Set up a fake credit check website, ask for their date of birth, the security question is their place of birth, and the last four digits of their social security number is their pin number. Using the technique of these researchers, you can guess a significant portion of people's SS numbers. 40% is probably a huge number for phishing, where most people avoid them, but by shear volume enough get caught to make money off it.
Re:Why guess? (Score:5, Interesting)
Re: (Score:2)
Another problem - you end up with the information of people who are desperate for jobs instead of people who have steady jobs and good credit.
Re: (Score:2)
It's already common practice for ID thieves to troll Monster and Craigslist posing as potential employers. In most cases, the fake employers are easy to spot, but I imagine the technique will become more sophisticated in the future, if it hasn't already.
Re: (Score:2)
Pretty much every application I've ever filled out has asked for a social security number.
This is why I've adopted the practice of simply writing "N/A", "-----", or just nothing when asked for a SSN. It's incredibly uncommon that they actually need that information, usually it's just stuck on there because the person making the form figures it should be on it. Go to a doctor of any kind? Don't need it unless you're processing your payment through insurance (and not even always then). I'll bet that in al
Re: (Score:3, Informative)
Pretty much every application I've ever filled out has asked for a social security number.
This is why I've adopted the practice of simply writing "N/A", "-----", or just nothing when asked for a SSN. It's incredibly uncommon that they actually need that information
Ahem...your employer definitely has a legitimate need for that information since they're taking money out of your paycheck to pay your Social Security. You won't get a job without an SSN, so write "N/A" all you like - makes the job market larger for the rest of us.
Re: (Score:2)
No, you write "supplied on hire", and then you write it on the W-4.
Re: (Score:3, Insightful)
Ahem...your employer definitely has a legitimate need for that information since they're taking money out of your paycheck to pay your Social Security. You won't get a job without an SSN, so write "N/A" all you like - makes the job market larger for the rest of us.
The SSN should not be on the employment application.... which was the point. Once you have been hired and are filling things out like I-9 documention and the W-4 forms that are explicitly for taxation purposes would the information have to actually be disclosed to an employer. Until then, the only legitimate purpose of asking for the SSN would be to use it for identification purposes... or to do things like performing a credit check on a future employee without their consent.
Still, it is something that wou
Hardly news (Score:2)
Not news to anyone who knows how SSN assignment works. The first three digits (region code) have always been assigned based on state (with a few exceptions for things like Railroad Retirement and military uses), and since a new region code's only assigned to a state when the old one's nearly exhausted there's usually only a short period when there's 2 regions in use for a state. The middle 2 digits (group code) have always been assigned in a strict order as groups are exhausted. And SSNs are generally only
Re:Hardly news (Score:4, Interesting)
Not news to anyone who knows how SSN assignment works.
Yes it is. Knowing it's theoretically possible to figure it out is one thing. Someone actually demonstrating it can be done with high success rate is another. And it's news that matters because maybe this will force some change on the issue, dispels the illusion that it's a super secret identifying code that only you and X large organization knows. ...and maybe there will be a pony waiting for me at home...
This isn't really new (Score:2)
This isn't really new as the first 3 digits of your SSN already tell you which state you were born in more or less - http://www.google.com/search?q=ssn+by+state [google.com] and the numbers are issued pretty sequentially from there, so just the year you were born and the state you were born in narrows it down pretty far already.
Social Security Numbers As Identifiers (Score:5, Interesting)
When I was young, the back of my social security card has a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing. Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.
Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.
Re:Social Security Numbers As Identifiers (Score:5, Informative)
Re: (Score:2)
When I was young, the back of my social security card has a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing.
I still have my original, and it does state it. I always assumed that it was still the case, I guess spammers have a better lobby than we thought. ;-)
Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.
I agree, but I'd like to know how you plan to punish them. Obviously voting them out of office hasn't worked out so well. Besides, there are probably many more injustices that are far worse that they should be held accountable for.
Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.
I've always refused to give out my social security number other than after I've been hired by an employer. I've liv
Re: (Score:2)
I agree, but I'd like to know how you plan to punish them.
That is certainly the problem. It's a "who watches the watchers" conundrum. Congress needs to be punished for many misdeeds, but it's Congress that determines what's punishable. It's no secret how they're going to view this.
Re: (Score:3, Insightful)
Because Congress must pass laws to protect us from ourselves?
You can hardly call this protecting us from ourselves when everything from employment to apartment rental to cell phone plans to education require SSNs.
Re: (Score:3, Interesting)
You can hardly call this protecting us from ourselves when everything from employment to apartment rental to cell phone plans to education require SSNs.
Actually you are welcome to refuse to give out your SSN for any of those purposes. Of course the person on the other end of the business arrangement is also welcome to refuse to do business with you.....
Re: (Score:2)
Actually you are welcome to refuse to give out your SSN for any of those purposes. Of course the person on the other end of the business arrangement is also welcome to refuse to do business with you.....
And the current story proves that even that is pretty useless.
Re: (Score:2)
And the current story proves that even that is pretty useless.
Yeah, it's useless. So you take steps to protect yourself. In many states (NYS included) you can freeze your credit files for free and require a password and/or pin number before someone can apply for credit in your name. In other states you can do it for a small (usually
Maybe I should start a business teaching people common sense like this. Or I could start another business charging them money for doing what they can do for free themselves. Maybe I'll get some crazy jackass willing to have his own S
Re: (Score:2)
Employment requires it because the large chunk of your taxes are targeted at funding the Social Security program, and your employer is required to contribute before you even get your check. Granted, it goes to someone else's benefits right now, but the program is naively designed under the assumption that someone else's taxes will be paying your benefits in the future.
As for apartment rental, cell phone plans and education, are there legal requirements for them to demand your SSNs? If not, then it's the f
Re: (Score:2)
The US government is responsible for Social Security Numbers, yes. If the security of that system is vulnerable to social engineering, then it should take reasonable steps to eliminate that security hole.
Re: (Score:2)
"The US government is responsible for Social Security Numbers, yes. If the security of that system is vulnerable to social engineering, then it should take reasonable steps to eliminate that security hole."
And what exactly the security problem is?
Let's accept that SSNs are in fact unique. Then, what's the problem with using them in order to qualify you as "you"? And provided that SSNs are a good and acepted way to stablish you as "you" what's the problem with letting know your SSN to whichever you want t
Damned if you do, damned if you don't (Score:5, Interesting)
If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number.
But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.
And however many digits the number is, and even if it is randomly-generated (as the article proposes) your id number is only as strong as the weakest link among those who have stored your id, meaning the used car dealer, the credit card company, the student loan office, etc.
It is guaranteed to fail since they all involve transmitting and storing the secret.
What we need is a national public key infrastructure, with keys stored on smart cards, or similar, along the lines of what they have in Belgium. Of course, even PKI fails in the face of social engineering, so we need citizens to be more aware of the risks as well.
Re:Damned if you do, damned if you don't (Score:5, Insightful)
Identification != authentication. Failure to understand that is the problem.
Take your e-mail account. Your username identifies you. Your password authenticates you. Your provider (and everyone else in the world) use your username or e-mail address to identify you or to identify who they're sending their mail to. But when you go to log on to read your mail your provider doesn't just assume that if you know who you are that you're authorized to read your e-mail. They ask for your password (which you don't give out to anybody else) to authenticate that you're really who you're claiming to be.
The basic problem is that a lot of businesses want to verify your identity, but they want to do it fast and not waste time or resources actually authenticating you. So they've taken shortcuts. And now it's biting them, and they want someone to make the problem go away. Note: they do not want to fix the problem. To quote someone, "When the users say "When I drop this bowling ball on my foot it hurts. Make it stop hurting.", they mean just that. They don't want to stop dropping the bowling ball on their foot. They want you to make it not hurt when they do.".
Re: (Score:2)
If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number. But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.
Without ID: "I am Napoleon!" "Here's a white coat, sire. Long Sleeves, befitting Imperial majesty."
With ID: "I am Napoleon! Release me!" *displays falsified ID* "At once! Please forgive us you majesty!"
In other words, once people get used to using ID numbers, they stop getting used to thinking and using webs of trust. "I called Jim over in the hospital, Mr. Napoleon. It seems he knows you. He's coming by to visit you in a few minutes. Juice?"
Re: (Score:2)
"Without ID: "I am Napoleon!" "Here's a white coat, sire. Long Sleeves, befitting Imperial majesty."
With ID: "I am Napoleon! Release me!" *displays falsified ID* "At once! Please forgive us you majesty!""
And then you are basically talking about a no-problem.
Without money, at the restaurant: I'm hungry, give me a roast-beef. Sorry sir, no money, no menu.
With falsified money, at the restaurant: I'm hungry, give me a roast-beff. Well, in theory the restaurant owner has now a problem, in fact, falsifie
Re: (Score:2)
"If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number."
That's plain stupid.
Here, on Slashdot you are identified as Palestrina. If you were right I could impersonate you on Slashdot by knowing that you are identified here as Palestrina which I already know. See the stupidness? One thing is your identification which, by definition must be public, and a completly different thing is how to stablish the link between you, the real person, and your identifying
Re: (Score:2)
Re: (Score:2)
This is the reason why identification by numbers sucks. A photo ID is a much better method of identification - it doesn't need to be stored and it is (yet) difficult to steal a face.
Its pretty sad (Score:2)
When we put more consideration into TCP ISNs than we do an identifier someone has for life. We even worked hard to randomize this so that the connection is not easy to hijack if SSNs are being sent.
Time to start using UUID/GUIDs (Score:5, Funny)
I think 8e019226-9a00-41f4-b094-6f1545fd84a9 should be fairly easy to remember.
Re: (Score:2)
I think 8e019226-9a00-41f4-b094-6f1545fd84a9 should be fairly easy to remember.
Throw a couple colons in there somewhere and I'd have guessed that was an IPv6 address. Probably something simple like the default address for a Linksys residential router. "Simply type http://8e01::9226:9a00:41f4:b094::6f1545fd84a9 into your web browser to launch our easy setup wizard (which requires Java 1.6.0.23.0.5b, no more, no less). When asked for a username, use admin and when asked for a password, type the first 42 digits of pi in reversed order. Thank you for your purchase."
The problem is not that SSNs are easy to guess (Score:5, Insightful)
Re:The problem is not that SSNs are easy to guess (Score:5, Informative)
You're spot on about SSN being an identifier only, and was not intended to be a secret.
However, SSNs were never designed to be unique; they are not!
SSNs can be recycled. And it's also possible, though difficult, for one to obtain a new SSN.
In addition, many SSNs are assigned to more than one person - so common that the IRS, as well as many other government agencies, as well as the major credit bureaus, utilize software that allows for SSN duplicates and doesn't rely on SSNs alone to separate people.
Ron
Re: (Score:2)
What the parent said. SSN should only be used as a uniquifier, to distinguish John Smith 123-45-6789 from John Smith 123-99-4321. The government should pick a date, say 5 years from now, and state that on that date they will publish the full list of Name & SSN data. Everyone using SSN as a shared secret must fix their databases.
That is the problem when using SSN as ID (Score:3, Insightful)
If you use just a number for identification, it will be grossly misused. It is crazy to oppose a real ID card but use a much weaker (in terms of security) SSN as identification means and suddenly a baseless fear of certain forms of identification opens the way to very bad forms of identity theft.
Re: (Score:2)
The problem with a real ID card is that it would just be another number if we did it right now. Although the technology exists to do far better, the mindshare of cryptography is appallingly low.
We really need a "cryptology spokesman" with charisma to go out there and extol the virtues of not blabbing your freakin' financial information to everyone who asks. Or having a stupid number somewhere that does the same crap for you.
Not being careful with your personal data is like not being careful with your pers
Re: (Score:3, Insightful)
Not if the number of the real ID would be just its serial number and meaningless otherwise. Since the ID card itself is a proof of your identity, the number of it wouldn't be saved anywhere.
fool-proof method -- who cares? (Score:3, Interesting)
Who cares that there is no fool-proof method? All that matters is that there is a significant probablilty of success.
Probably the only people who are safe from this are immigrants!
I always use my State Driver License ID number (Score:3, Interesting)
which I selected to not be my social security number.
The State ID number is a random series of letters and numbers and it is harder to guess.
The usual jokes like Ronald Reagan's social security number was 000-00-0002 because he was the second person to file behind FDR, are funny but historically inaccurate.
Illegal Immigrants or Undocumented Workers or whatever you want to call them easily generate fake SSNs, and a bulk of them use the same SSN for the same employer and it is usually a SSN of someone who died, and they got it off a death certificate. The current system of checking SSNs is broken.
What we need is a different system that is harder to guess, one that uses letters and numbers like license plates or software serial numbers. One that Social Security keeps on a secure system that can verify the numbers and tell if the new SSN is stolen or the owner of the SSN is dead and someone else may be using it for fraud.
I just hope the new system isn't abused to take away rights and freedoms, that would be bad.
I remember the colleges I went to use to use our SSN as our student number and it was on grade lists. I requested that I be issued a student number not based on my SSN for privacy reasons and they did issue me a student number different from my SSN. The grade lists would be student name, student number, and then grade issued in class and everyone could see them. The professors listed them by the door for the classroom after finals and midterm grades were calculated. Many other systems used to base employee number etc on SSNs.
Re: (Score:2)
No, what we need is some kind of pairing device. Your name ought to be a sufficient identifier, or your name plus a number if you couldn't think of an original name....
But if you want two groups to be able to share information on your behalf (say, a bank and a utility), there ought to be some kind of pairing process like with bluetooth, or SSL, or wireless networking...
Ideally, there would be some kind of smart device, possibly about the size of a library card so it would be convenient that could store and
Re: (Score:2)
The State ID number is a random series of letters and numbers and it is harder to guess
In New Hampshire, if you know somebody's name, DOB and a couple of other things you can extrapolate someone's driver's license number. (I can't remember what else was in there and they confiscated it when I got my PA one. Eye color, maybe.)
Same other places too.... (Score:2, Interesting)
Its the same problem in Norway. The person-numbers (Norwegian SSN's) are built this way:
DD MM YY III CC
The three first groups are your date of birth (which is found in all public records).
The next group (III) are individual numbers ranging from 000 to 999. If you are born before 2000 it is under 500, if your born after it is over. If you are male it is a odd number and even for girls. So if you know the date of birth and a persons gender there are 250~ possible numbers.
The last group are control digits use
the real paper (Score:2)
you can get a pdf of the actual report by the researchers - no 2nd, 3rd and 4th hand stuff, for free from this url /.ers, who obviously consider themselves above average, make do with 2nd hand reports when they can so easily get the real thing.
http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html?sid=5e51e1ab-8945-420c-8013-29182641090e [pnas.org]
which raises an interesting question: why do
actually bothering to take, say, 5 min to find and read the original report would have zeroed out a lot of the non
SSN's have no error control (Score:5, Interesting)
Change a digit or transpose digits in an SSN and you most likely will transform it into another valid SSN.
The SSN numbering system was developed in the mid 1930's. The modern mathematics of error control were published by Shannon after World War II. (His work or error control was related to work on cryptography.) By "modern" mathematics, I refer to the fact that there was some understanding of error control in old telegraph systems, but it wasn't developed systematically.
Credit cards have check digits that will catch some common errors in data entry. Computer and communications technology use error control in many ways. SSN's are still back in the 1930's.
Perhaps it is time to modernize them by at least adding check digits. Also, the prohibition against using them as personal identifiers should be strengthened and enforced.
No... (Score:2)
The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches
No, Ubiquitous use of SSNs as a "secret" for anything beyond Social Security has left millions of citizens vulnerable to privacy breaches.
funded by the National Science Foundation (Score:5, Interesting)
Here [nsf.gov] is their grant and proposal abstract from the NSF. It sounds like they did exactly what they'd proposed to do- not every grant meets that metric! Theirs is a 3-year grant for a total of $386927.
There was a cute line in their FAQs:
Military service (Score:2)
Fuck....Nevermind the fact that if you've ever been in the military your SSN has been passed around more than a two dollar whore. Such much for security through obscurity :\
Impressive, not *too* surprised (Score:2)
Okay, guessing all 9 digits is good, so I'm not downplaying the success of this research. My sister and I were born 3 minutes apart and our SSNs are 20 values apart.
But the first 5 have always been not too difficult for some areas as it's based on date and location of birth (or date of issue, but there's obviously a correlation between the two). This makes it invaluable as a social hacking tool.
Just like the easy-to-guess Soundex [wikipedia.org] numbers found on many state licenses, as well as the fact that credit cards us [merriampark.com]
Aren't we going to run out of SSNs? (Score:2)
Off-topic, but...
Aren't we going to run out of SSNs? They are never reused (according to the Social Security Administration).
They're nine digits, so theoretically they're good for a billion people, but in reality they're broken up by state. Most states have three or four sets of starting three-digit numbers (with bigger states having more), and there are prefixes reserved for immigrants, etc. So the nine-digit space is actually smaller.
There are ~300 million Americans, so how many more generations can th
123-456-7890 (Score:2)
Yes, it's the came as the combination on my luggage. No, the government won't issue a new one.
SSN is an IDENTIFIER, not AUTHENTICATOR (Score:3, Interesting)
Anybody or organization using an SSN as both an identifier and a form of authentication is stupid, irresponsible and should be held accountable 100% for breach of whatever resource they control. The problem is in the "shared secret" type use of a damn 9-digit number, with a few of the digits already known based on state of birth.
Want a list of ssn's for every state? Here's all of them. [aggiegeeks.com] Have fun.
-Michael
The problem isn't that you can't keep SSNs secret. (Score:4, Insightful)
The problem is that you're trying.
To extend, the problem the SSA mentions: using them as identifiers?
That's not what's causing all the trouble. You can do that all you like, and the only people you'll piss off are privacy advocates, worried about unwanted cross-correlation.
The *real* problem, as I note in a piece I wrote for RISKS DIgest last month [ncl.ac.uk], is people using knowledge of an SSN (or a mother's maiden name, or any other answer not *made up by the customer*) as an authenticator.
If it is discoverable, and you force a customer to use it, *you* ought to be responsible when someone does, and defrauds the customer, cause you were an accessory before, and now you're on notice; it's been posted here.
Have fun, retail authentication system designers. ;-)
Re:In other words (Score:4, Interesting)
It's even better than that. Consider that the Federal Rules of Civil Procedure call for the redaction of all but the last four digits of an individual's social security number if it must be part of a court record (for example a discovery response).
Much of the discovery I have seen asks for the party's date of birth, place of birth, and social security number. While the rule "protects" the SSN from release by redacting the first five numbers, with a typical set of interrogatory responses, and the techniques pioneered by these researchers, I can get the holy trinity of identity theft information: SSN, DOB, and location of birth.
Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.
--AC
Re: (Score:3, Interesting)
Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.
Actually the majority of modern PACER filings redact the SSN. I looked up my bankruptcy case once upon a time and it was redacted in full on the various documents that were available. Some of the older filings leave them exposed though. Remember Mike Tyson? Looked up his Chapter 11 case awhile ago. His SSN is 089-56-9372. Thank you public record!
Re: (Score:2)
Funny, then, that employers put the least common numbers of your SSN on your pay check (as if it were 'randomized' in the same fashion as a credit card, which until fairly recently was pretty damn easy to fake/guess as well).
I wouldn't be surprised that, in states with lower populations/birth rates, the ease of guessing a person's SSN increases. I remember comparing/talking about SSN with friends in high school; the numbers of the (admittedly small) sample of local-born friends were sequentially matched to
Re: (Score:2, Informative)
If they are a publicly funded school and utilize parts of your SSN on your student ID, or display it on class rosters, and other places, then they may be in violation of the law. Specifically the Family Educational Rights and Privacy Act [privacyrights.org] restrictions:
Re: (Score:2)
Re: (Score:2)
That was my first thought when I read this, too. I immediately went and double checked to make sure I was remembering right. I need to become a researcher. That job sounds way easier than mine.
Re: (Score:2)
Re: (Score:2)
absolutely false, since I've worked with this issue: duplicate issuing of numbers is detected in over 4,000 tax returns per year in the USA - other means are used to help identify unique people. So problem is probably on the order of 10,000 duplicate numbers in existence.