Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Guess your Social Security number!


I was reading the other day that researchers have figured out a way to guess your social security number.  From the Kansas City Star:

Alessandro Acquisti and Ralph Gross of Carnegie Mellon University report in today’s edition of Proceedings of the National Academy of Sciences that they used public records to determine patterns for number issuance. The research also involved birth dates provided on social networks such as Facebook.

For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

Social Security spokesman Mark Lassiter said the public should not be alarmed.

“The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail.

However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”

I've wondered whether or not there was a secret code for Social Security Numbers.  Actually, at first I wondered if there was a public code and did a search for it but couldn't find it.  But apparently, there is.  Acquisti and Gross did not publish the full algorithm they used to crack the code, but if they could do it, in theory, so could anyone.

But in real, practical terms, what are the implications of this?  Well, some banks use your social security number as a mechanism for identity verification.  An identity thief could use it to say "Hey, I've forgotten my password... but I know my social security number!  What are my credentials?"

The problem is that yes, this is disturbing, but it is only one tool in the identity thief's arsenal.  A clerk in a store can retain a copy of your receipt if you hand over your credit card information.  Some stores don't obfuscate your credit card number on the receipt; they leave it in plain text.  The thief can retain a copy and note the expiration date, and then they have your information.

Thieves can phone up unsuspecting victims posing as an official spokesman for some agency or another and ask for information.  As the Milgram experiment demonstrated, people will comply with someone else if they perceive that the other person is an authority.  Phishing, for years, has proved efficient at stealing someone's personal financial information.  None of these requires using a computer to randomly guess the social security number of anyone.  Social engineering techniques are great at obtaining information without the use of expensive computing power.

Where this technique is useful is in its anonymity.  If you can grab someone's name and social security number without anyone knowing, there are all sorts of nefarious things you can do.  But my point is that while it's good that the Social Security Administration is going to randomize the numbers, that in itself solves only a very small part of the problem.  There are plenty of other ways to obtain that information.

  • SSN as 9 random digits as a means of security is nonsense.

    Once disclosed, it's impossible to revoke and change it.

    The proper way for security is something like http://www.id.ee/
