Researchers Find Social Security Numbers Can Be Guessed
Tuesday, July 07, 2009 at 02:08 PM EDT
Today's Washington Post has a story by Brian Krebs (who also writes the "Security Fix" blog) about some research done at Carnegie Mellon University on the possibility of guessing a person's Social Security number. They used public information on how Social Security numbers [SSNs] are assigned:
(It was pretty common in the early days of building data bases to use identifiers that encoded some information, just as the telephone Area Code originally specified a geographic area. We now have learned that this is usually a Bad Idea, but then Social Security was started in the late 1930s.)
They also used a data base that I had not heard of before, the Social Security Administration's rather grimly named "Death Master File". This apparently contains names, SSNs, state, and dates of birth and death for everyone who had a SSN and is deceased (to the knowledge of the Social Security Administration).
The researchers, Alessandro Acquisti and Ralph Gross, found that, by using this information and an individual's place and date of birth, they could get a good start on discovering someone's SSN:
Their success rate was materially better for people born after 1988:
Now, a thousand tries may seem like a lot, but there are lots of Internet sites that allow on-line credit applications; it is not much of a stretch to imagine an enterprising crook writing a small computer program to automate the probing process – and then deploying it using a "botnet" of compromised PCs. As Krebs points out in his blog post, some sites do not even require all nine digits to be correct, to make life easier despite data base errors.
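The automated probing described above is what a site operator would want to catch. As an added example (not from this post or the CMU study), assuming a constructed application-form log with the fields shown, the script below flags applicants for whom many different SSNs are tried in a short window, keyed on the applicant rather than the source IP so that spreading attempts across a botnet does not hide them:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One line per online credit
# application submission: timestamp, source IP, applicant key (surname,
# initial, date of birth), SSN entered, back-end verdict.
SAMPLE_LOG = """\
2009-07-07T14:00:01 203.0.113.10 DOE_J_1990-03-14 123-45-0001 reject
2009-07-07T14:00:03 198.51.100.7 DOE_J_1990-03-14 123-45-0002 reject
2009-07-07T14:00:06 192.0.2.55 DOE_J_1990-03-14 123-45-0003 reject
2009-07-07T14:00:08 203.0.113.10 DOE_J_1990-03-14 123-45-0004 reject
2009-07-07T14:00:11 198.51.100.9 DOE_J_1990-03-14 123-45-0005 accept
2009-07-07T14:05:00 192.0.2.200 ROE_R_1975-11-02 987-65-4321 reject
2009-07-07T14:06:00 192.0.2.200 ROE_R_1975-11-02 987-65-4321 accept
"""

def parse_log(text):
    """Return a list of (timestamp, ip, applicant, ssn, verdict) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, applicant, ssn, verdict = line.split()
        events.append((datetime.fromisoformat(ts), ip, applicant, ssn, verdict))
    return events

def find_probing(events, window=timedelta(minutes=10), max_distinct=3):
    """Flag applicants for whom more than max_distinct different SSNs were
    submitted inside one `window`. Keying on the applicant rather than the
    source IP matters: a botnet spreads its attempts across many addresses,
    so per-IP rate limits see only one or two tries each."""
    by_applicant = defaultdict(list)
    for ev in events:
        by_applicant[ev[2]].append(ev)
    alerts = {}
    for applicant, evs in by_applicant.items():
        evs.sort(key=lambda e: e[0])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - first[0] <= window]
            ssns = {e[3] for e in span}
            if len(ssns) > max_distinct:
                alerts[applicant] = {
                    "distinct_ssns": len(ssns),
                    "source_ips": len({e[1] for e in span}),
                    # an accept after a run of rejects suggests a guess landed
                    "accepted": any(e[4] == "accept" for e in span),
                }
                break
    return alerts

if __name__ == "__main__":
    for applicant, info in find_probing(parse_log(SAMPLE_LOG)).items():
        print(applicant, info)
```

The threshold and window are assumptions to tune per site; a legitimate applicant retyping a mistyped digit produces two or three values, not a stream of distinct ones.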
There will probably be some reaction to the effect that the process of assigning numbers needs to be changed. That entirely misses the point: the SSN was only supposed to be an account number for keeping track of Social Security taxes. My original Social Security card (yes, I still have it) says across the front, "Not to be Used for Identification". Unfortunately, financial services firms and others more or less appropriated the SSN for an authentication role it was never meant to play. Undoubtedly, it was easier than devising a new method: virtually every working person had a number, and all you needed to do was put a 9-digit field in your data base. And, as is so often the case, the people and organizations responsible for designing the data bases and selling them for commercial purposes don't bear the direct cost of the fraud that this sloppy design enables.
Perhaps it will be possible at some point to convince policy makers to do something about this:
I'm personally not holding my breath.
The complete study is available for free download at the Proceedings of the National Academy of Sciences web site. The authors have put together a FAQ that covers the substance of their results. Perhaps the most important lesson one can draw is summarized there:
The fact that so much data is now available on the Internet has significantly reduced the effort involved in finding out a great deal of information about a person that heretofore would have been scattered around in various paper files. I don't think we as a society have really come to grips with this yet.
This article originally appeared on Rich's Random Walks.