
Social Security Numbers Can Be Guessed

timothy posted more than 4 years ago | from the oh-there's-a-scheme-all-right dept.

Privacy 268

BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.


268 comments

good thing (5, Funny)

_ivy_ivy_ (1081273) | more than 4 years ago | (#28601251)

they only put the last 4 digits on my paycheck!

Re:good thing (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28601315)

The Leper Story
We all have dreams. Mike Schmidt dreamed of becoming a professional baseball player. Jan Brady dreamed of a secret boyfriend. George Glass. Ever since I saw Ben Hur as a child, I dreamt of fucking a leper. One weekend in July of 2009, I finally achieved my dream. It went down like this:
I was at the bar drinking an Old Milwaukee when I got this text message from my buddy J-Bone. I call him J-Bone because he's African American and is missing a key bone in his ankle, which makes him very fast. I also like hanging out with him with a much larger group of rich white spoiled kids like me, because I almost feel like I am living in a beer commercial. I have a Pakistani buddy for the same reason that we call Hadi, like his is a crazy Jihadist or something. J-Bone likes to play with my emotions, and my balls, so I never take his text messages seriously:
5:51pm J-Bone: There is a leper colony in the Philippines and Jet Blue is offering cheap fares to Manila. I am here with your buddy from law school Ass Chaff, and his pimply faced girlfriend with the bad eczema is here too.
5:52pm Tucker: Fuck you
5:53pm J-Bone I'm dead serious
5:54pm Tucker: I hate you
5:56pm J-Bone : Ass Chaff has a free roundtrip ticket
6:00pm Tucker: STOP TEASING
He called me a few minutes later, when I was at home, wiping off the puss from a scary looking rectal sore and about to cook dinner.
J-Bone "Did you get my message? I am in Manila and there is a leper colony nearby."
Tucker "I got your fucking message. Come on man, stop playing."
J-Bone "Tucker, I am DEAD serious. They are everywhere. It's like Jesus came back and they are just lingering around the colony's lobby waiting for a cure. I swear on my life there are hundreds of lepers here."
[10 second pause]
Tucker "I am on the next flight."
It took me about 40 seconds to throw clothes into a duffle bag. Another 20 seconds to sprint out the door, and I was in a cab to LAX within two minutes of getting the call. The TV and lights were still on in my apartment, I'd left the Lean Cuisine I had in the microwave that I was going to eat for dinner (my man boobs are getting huge), and I was still covered in anal sore ointment.
None of that mattered; I was finally going to fuck a Leper.
In the cab, I was so excited I could barely breathe. I called all my best friends, screaming incoherent babbles about sex with Lepers. The call to T-Bag (from a deleted story talking about some prank we pulled on a bunkmate which is only published in a new version of I Hope They Serve Beer In Hell) the movie version.
T-Bag "What is wrong with you? Why not just get a Leper hooker and be done with it?"
Tucker "FUCK THAT. Just because you buy Mike Tyson's jock strap off Ebay doesn't mean that you were World Champion, or a convicted rapist. Some things you can only claim if you have earned them. LEPER PUSSY, HERE I COME!!"
I was more excited about this than I was when my book hit the New York Times best seller list and my movie hit the discount bin of the Circle K in my hometown in Kentucky. I felt like a six year old on the night before Christmas.
At the airport and in line for my ticket, I am forced to fly Virgin Atlantic because they are the only airline that cares enough about Manila . A very nice, very Midwestern couple is in front of me. The man's shirt has a picture of cheese on it.
Tucker "You guys going to Manila?"
Guy "Yes sir, heading there to do missionary work."
Tucker "Did you know there are Lepers in the Philippines?"
The man and his wife are silent and confused and look at me like I am some sort of leper.
Tucker "HUNDREDS OF THEM!"
They turn around and mumble something about crazy New Yorkers who moved to LA after living in Miami for a while and going to school in Chicago and North Carolina. Whatever, they've never fucked a Leper, they don't matter.

The flight was nearly intolerable; my mind was spinning with questions. How do you pick up a Leper? Are you allowed to physically pick them up, or will their body parts just fall off in your hand? What is the etiquette for dealing with a Leper? When you hug them, can you hold them tight like a teddy bear, and rub their sores real hard? Do they get pissed if you set your drink on top of one of their stumps? No one really talks about this.
What about their day to day lives? How do they get luggage in the overhead bin when they fly if their hands are covered in necrotic tissue? Do they get to live in those cool pits like they showed in Ben Hur? What if a leper punches me in the nuts? Since their arms are covered with sores, how do they wipe? Or masturbate? Even more to the point, what do their pussies feel like? Are they covered with gangrenous tissue? If they have no legs, can they give me head without kneeling? When she's riding me, can I spin her like a top, or will her head separate from her body?
I was in Manila by 10pm. My buddy J-Bone picked me up, it was then I dropped my first racially insensitive joke.
Tucker: Did you bring your skis?
J-Bone: Tucker, are you crazy, we are in the Philippines and it is 110 degrees in the shade.
Tucker: Notice all these Asian girls?
J-Bone: Sure, but what does that have to do with skiing?
Tucker: After I fuck a leper, we have to go down on some of these slopes.
We were at the Hilton hotel bar by 11pm. I almost hyperventilated upon seeing my first gaggle of lepers. There were six of them, sitting at a table drinking just like normal people, their bodies wrapped in grey burlap sacks, necrotic pussing limbs dangling like a toddler's. Their Miller Lite bottles looked massive as they gripped them with both of their misshapen stumps. Their humongous sores and scars were raised in excitement as they laughed at a tiny little joke.
Tucker "You know CPR right? I think my heart might explode."
J-Bone "You are so fucking weird."

Then I saw her: My Leper Princess. Her dark black hair and misshapen cataract ridden eyes made me think of Lucy Liu if she had leprosy. Her missing neck and bowlegs gave me an idea what Lucy would look like if placed in a vise and squished to one-quarter size. As her pigeon-toed feet carried her past my table, I slid down in my chair, hoping to catch her eye. She looked at me and smiled, her mashed-up teeth sparkling in the oily light of the popcorn machine. I gave her an unmistakable "I want to fuck you" look, she shot me back a quick "My spine hurts" face, and I was smitten.
I start planning out how I am going to hit on her, but much to my dismay I find myself feeling something I haven't felt in years: Nervousness. What the fuck? I literally can't even remember the last time I was nervous around a girl. Is this what it's like to be a normal guy? This sucks. Every time I tried to talk to one of the lepers I would start giggling and sweating; it was fucking ridiculous and comical at the same time. I felt like a middle schooler who'd snuck into his sister's college party. Eventually, J-Bone --who thinks he's better than me because he isn't obsessed with fucking a leper--had to take over.
I think the lepers took a liking to J-Bone because he suffers from Vitiligo, like the white spots on Michael Jackson, and he looks exactly like the Ed Norton character from City of God movie only he is not white and wasn't wearing a metal mask. Within minutes we were sitting with the lepers. My Leper Princess was at the table, and even though I'd only had like five beers, the room was spinning around her. I would talk, but I couldn't hear the words coming out of my mouth. She would answer back, and it sounded like a chorus of tiny little angels. Is this what love is like? If so, I might have to try it. Then it happened:
J-Bone" So, I am afraid to really talk to you too much? Maybe we should dance or something? Any cool parties?"
Leper Tranny "Oh dude, you should come with us upstairs. It's the last night of the Leper convention, there is a big dance on the 5th floor. Why are you afraid to talk to us"
Tucker "Because you are missing one of your ears and I don't think J-Bone wants to talk the other one off. But don't play with my emotions. If you are lying about this party, I don't think I could handle it."
Leper Tranny[looking at me like I am some sort of weirdo] "No dude. It should be fun. Everyone is up there."
Do you know what it takes to make me speechless? For fuck's sake, I had a girl tattoo "I Fucked Tucker Max" over her pussy. You could say that my sense of "Wow" is a bit numb. Knowing that, I ask you to put yourself in this situation and see what your reaction would be:
Go to a hotel. Hit the button for the elevator. Take note of the step stool below the button panel, with the note above it, "Please do not plastic sheet placed to catch falling body parts." Ride the elevator up to the fifth floor. Walk out into the hallway, and do a double take at the FLEET of Rascal scooters in the ballroom lobby (Rascals are those red motorized scooters that you always see old people on in the grocery store). You might first think you stumbled into a geriatric convention, but you study the people on the Rascals, and realize something: None of their feet are touching the base. They are all lepers! LEPERS ON RASCALS!!!
Reeling from this discovery, you head into the ballroom and see approximately FOUR HUNDRED LEPERS !!! ALL OF THEM ARE DANCING TO BABY HUEY!!! AND THEY ARE POPPING AND LOCKING!
I REPEAT: HUNDREDS OF LEPERS ARE POPPING AND LOCKING!!!
What would you do? WHAT WOULD YOU DO???
I know what I did.
I got a massive erection.

Re:good thing (5, Insightful)

SomeJoel (1061138) | more than 4 years ago | (#28601317)

Even though your post was quite amusing, I think the whole "last 4 digit" thing is overused as well. Since pretty much everyone only needs the "last 4 digits" to verify identity, if one of your conversations is compromised (ever overhear a co-worker's phone call?) then pretty much all of your accounts will be easy to break into. Coupled with the fact that it is next to impossible to actually change a SSN, you are pretty much screwed for life. Why SSNs were used as security devices is beyond me, though I am guessing the fact that "everyone already has one!" was a big part of it.

Re:good thing (4, Interesting)

tverbeek (457094) | more than 4 years ago | (#28601497)

SSNs started being used because A) "every one has one", B) they can't be changed, C) they're unique nation-wide, and D) they're all the same format nation-wide. If driver licences, phone numbers, checking accounts, or some other ID had met those criteria, we'd be using that instead.

Re:good thing (3, Interesting)

Mycroft_VIII (572950) | more than 4 years ago | (#28601989)

Actually C) is not entirely true, and NOT guaranteed.
The combination of name and number is supposed to be unique(by being so incredibly unlikely), but the generating process makes no attempt to see if a number is already in use by anyone else.

Mycroft

Re:good thing (3, Interesting)

zippthorne (748122) | more than 4 years ago | (#28602227)

Incredibly unlikely?? It's one in freaking three. 999999999 means only 1,000 million possible numbers, if the geographic coding didn't exist and the group coding didn't remove many numbers from the available number space, making things much, much worse. For a population of 300 million...

By my count, if there is no checking, the probability of collisions is incredibly high.

Re:good thing (4, Informative)

Anonymous Coward | more than 4 years ago | (#28602591)

There are (roughly) 3x as many SSNs as living US citizens. Add in some dead folks, account for holes in the numbering system, and let's call it 2x.

If the numbers were assigned at random, I think there would be roughly a 60% (intuition, pardon my laziness) chance that someone else shared your SSN. The claim is that it is "incredibly unlikely" that that person (or one of those people, in the increasingly unlikely situations of multiple collisions) who shares your SSN *ALSO* shares your name.

For a randomly selected person, I agree. However, I expect there are specific counterexamples (remember, 1-in-a-billion things happen to 6 people on Earth every day). There are 50k John Smiths in the USA, out of 300M people. 30k of them have SSN collisions with a random other person. There is a ~1/1000 chance that two of them collide with each other. I don't think that 1/1000 is "incredibly unlikely"... I also think you probably aren't named John Smith :)

Re:good thing (1)

loners (561941) | more than 4 years ago | (#28602009)

Conditional on C. SSNs are only unique when in combination with other information. The SSN itself is not unique.

Re:good thing (1)

davester666 (731373) | more than 4 years ago | (#28601513)

"there is no fool-proof method for predicting a person's Social Security Number"

We have MUCH bigger fools now, so it's no big deal to predict SSN's...

Re:good thing (1)

sexconker (1179573) | more than 4 years ago | (#28601599)

The last 4 digits, or your account pin.

I haven't encountered a company that won't let you change your pin from the default (the last 4 digits of your SSN) to one of your choosing.

No, if you forget your account pin, they'll probably just have you verify your identity with the last four digits of your SSN...

But it at least keeps your SSN off of your statements, away from the ears of eavesdroppers, etc.

Re:good thing (1)

RomulusNR (29439) | more than 4 years ago | (#28601711)

Consider that simply knowing what credit card you have (and from what bank, etc.) can often nail anywhere from the first 1 to 6 digits (depending on details), plus one receipt holding the last 4 digits, covers more than half the number leaving 6 unknown. The final digit reduces the possibilities by roughly 90%.

Re:good thing (1)

cinderblock (1102693) | more than 4 years ago | (#28602575)

The final digit reduces the possibilities by roughly 90%.

By definition, each digit reduces the possibilities by exactly 90%.

Re:good thing (1)

muridae (966931) | more than 4 years ago | (#28602577)

And since the last 4 digits of the credit card number are a check sum for the first 12, you can narrow it down a bit further. If you have the first 6 and last 4, finding the middle 6 could be pretty easy.

Re:good thing (1)

aztektum (170569) | more than 4 years ago | (#28601993)

Why SSNs were used as security devices is beyond me, though I am guessing the fact that "everyone already has one!" was a big part of it.

Having once worked in the sales realm of the cellular phone industry, I've encountered people with several!

Tax ID number (1)

itomato (91092) | more than 4 years ago | (#28602131)

When I was unfortunately and temporarily employed by AT&T Wireless, some people activated phones using Tax ID or EIN numbers.

"Sorry, that one's no good."

"OK, well, try this one.."

"Nope."

"OK, then try..."

"Hey! It liked that one! Enjoy your new, shadily acquired telecommunications device"

Same digits, different format. Multiple lookups on the backend?

Why Not Use Body Parts? Or higher tech? (1)

PleaseFearMe (1549865) | more than 4 years ago | (#28601999)

Fingerprints are used already for identification, but they are not foolproof because you leave them everywhere, and people can try to make a mold of it. There are other body parts that are not touched as much... such as toe prints! They are always inside a shoe so they are secret, and if they do not change much over the years, make an excellent identification card.

Social Security Numbers have been around since 1963 (says Wiki). Technology has extended us so much. We can count to numbers we could not have dreamed of in 1963. Why don't we give each person a public and private key, like in Gmail? You'll have to hurt me to get my password! Or we can get those cool chips inserted into our fingers that are individual to us. If the scammer in Nigeria wants to know my information, what better way of protecting me than not letting me know my own information. The chip knows it, and it's inside me! If you want to identify me, you must have one of those devices that are only available in places like banks and jails. Yay for technology! Yay for toe prints!

Re:Why Not Use Body Parts? Or higher tech? (1)

Bored Grammar Nazi (1482359) | more than 4 years ago | (#28602493)

Ok, let's say that you have one of those ID chips inserted in your fingers, and that I'm mugging you. You don't have any cash on you, but you have your ATM card in your wallet. If the ATM is using biometrics as you propose then it would make sense for me to take your ATM card, then just cut your finger and use it to authenticate.

Re:good thing (3, Informative)

dbialac (320955) | more than 4 years ago | (#28602379)

Well the thing is the article itself is a bit misleading. It didn't take a study to find that you can predict the first 5 digits with 44% accuracy -- it was already a known factor. In fact, the less populous a state, the more likely they are to get it right. In smaller states (population-wise) such as the Dakotas, there may only be one prefix assigned to the state and with the second set of numbers being sequential, that 44% accuracy goes up very close to 100%. This is why the government has always told the private sector it was a bad idea.

Re:good thing (2, Insightful)

pearl298 (1585049) | more than 4 years ago | (#28602469)

Let me see, the FIRST 5 can be guessed by knowing place and date of birth and the LAST 4 can be overheard or read from paychecks etc.

Gee I think that gives out the whole err 5+4 = 9(!) digits doesn't it?

Duh (3, Insightful)

Anonymous Coward | more than 4 years ago | (#28601265)

It was pretty obvious when my sister and I received sequential numbers.

Re:Duh (5, Interesting)

JWSmythe (446288) | more than 4 years ago | (#28601565)

If they were filed sequentially, and no other filing happened between your two records, they should.

Read up on SSN's.

The first 3 digits is the area (state) which it was issued, which does not necessarily match the state where the person was born.
The second 2 are a group number. These groups are given out in an odd order. Check the SSA site or wikipedia for the details on that.
The last 4 digits are a serial number.

If you know the state where it was issued (either their birth or residence state), and the group number assigned in the likely period when they received a number, then you pretty much have the first two parts of the SSN. I'm curious as to how they calculated the last 4 digits.

I would suspect in 1989, they started automatically issuing SSN's at birth, which made the target much easier, if they had the birth month and year available. And yes, this does bring the number pool way down to 9,999 potential SSNs.

Someone like me, I was born in one state, but I was not issued a card until I lived in another state, and was a few years older. You can't base it on my birth date nor location. The best guess would be where I lived, but you can't narrow it down to month or year, because you don't know when it happened. Was I 2 months old, or 5 years old? Maybe I simply never got one until I was 16 and wanted a job. I knew people in school who didn't have one, which threw off some of the school's paperwork. :) Someone I knew didn't have one until he was 21, because he didn't have a birth certificate (born at home, no surviving witnesses other than his parents). He finally did get one, and then got his drivers license. :) They wouldn't issue his drivers license until he had a SSN.

They really should have never gone with SSN's as an identification. It's bad to have a serial number issued by the government. Really, any American isn't an American, we are our SSN, and the name associated with it is an arbitrary value.
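The area-group-serial layout described in this comment, and the thread's two arithmetic points (area and group known leaves 9,999 serials; first five plus last four is the whole number), as an added example that is not the researchers' or the page's own code. It assumes the pre-2011 scheme and the SSA's published never-issued values (area 000, 666 and 900-999; group 00; serial 0000); the sample pay-stub line and its number are constructed. It also shows the defender's side: masking to the last four the way the court-filing rule later in the thread does.

```python
import re

# Counts of structurally valid values for each component of the pre-2011
# area-group-serial scheme (SSA rules: area 000, 666 and 900-999 were never
# issued; group 00 and serial 0000 are never issued).
VALID_AREAS = 898      # 001..899 minus 666
VALID_GROUPS = 99      # 01..99
VALID_SERIALS = 9999   # 0001..9999

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
SSN_IN_TEXT_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def parse_ssn(text):
    """Split an SSN (with or without dashes) into (area, group, serial)."""
    m = SSN_RE.match(text.strip())
    if not m:
        raise ValueError("not a nine-digit SSN: %r" % text)
    area, group, serial = (int(part) for part in m.groups())
    return area, group, serial


def is_structurally_valid(text):
    """True if the number could have been issued under the area-group-serial rules."""
    try:
        area, group, serial = parse_ssn(text)
    except ValueError:
        return False
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def mask_ssn(text):
    """Keep only the serial, as the court-filing redaction rule in the thread does."""
    _, _, serial = parse_ssn(text)
    return "XXX-XX-%04d" % serial


def redact_in_text(line):
    """Mask every structurally valid, dashed SSN found in a line of text (DLP-style)."""
    def _sub(m):
        whole = m.group(0)
        return mask_ssn(whole) if is_structurally_valid(whole) else whole
    return SSN_IN_TEXT_RE.sub(_sub, line)


def candidate_pool(area_known, group_known, serial_known):
    """Number of structurally valid SSNs still consistent with the parts already disclosed.

    This quantifies the exposure of a partial disclosure: a pay stub leaking the
    serial, or a court filing leaking area and group, each shrinks the pool.
    """
    pool = 1
    if not area_known:
        pool *= VALID_AREAS
    if not group_known:
        pool *= VALID_GROUPS
    if not serial_known:
        pool *= VALID_SERIALS
    return pool


if __name__ == "__main__":
    # Constructed sample pay-stub line; the number is made up for illustration.
    sample = "pay stub: emp 4421 SSN 123-45-6789 net 1000.00"
    print(redact_in_text(sample))
    for known in ((False, False, False), (False, False, True), (True, True, False)):
        print("area/group/serial known =", known, "->", candidate_pool(*known))
```

With area and group known the pool is 9,999, the figure in the comment above; with the serial known from a statement the remaining space is the 88,902 area-group pairs, and the thread's 5+4 case leaves exactly one.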

Re:Duh (5, Interesting)

gznork26 (1195943) | more than 4 years ago | (#28601757)

The cards have changed over the years, but mine specifically states:
"For social security and tax purposes -- not for identification"

What were the steps that led down the slippery slope of using them for identification?

Re:Duh (4, Interesting)

gfxguy (98788) | more than 4 years ago | (#28601965)

Yes... in fact, when they were first suggested, people had many objections (including religious reasons) to not want to be "numbered."

The federal government swore that the only use would be for social security, and nothing else.

So, anything else they promise, GET IT IN WRITING. When they pass a law, and you say "yeah, but it's so loosely worded that you can use it for this other thing," and they say "but we won't," get it in writing.

For example, when they say they want to use GPS only to track your miles, get it in writing.

Re:Duh (3, Interesting)

Planesdragon (210349) | more than 4 years ago | (#28602633)

For example, when they say they want to use GPS only to track your miles, get it in writing.

Screw that. Get SOMETHING BETTER.

I'm all for automatic tracking of speeding -- IF we get 100% enforcement, no exceptions. If you're not an emergency vehicle WITH LIGHTS ON, you (personally) get a fine.

I'm all for the Feds having a national ID -- so long as I can query a list of everyone who looks up my info. Forever.

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#28601973)

Some people were allergic to the tattoo ink.

Re:Duh (2, Insightful)

turbidostato (878842) | more than 4 years ago | (#28602607)

"What were the steps that led down the slippery slope of using them for identification?"

The problem is not that the SSN is used for identification; with very few corner cases it is guaranteed to be unique, so it's a good candidate. The problem is when it's used for *qualified* identification, and not the number but just knowing it. That's the mad part. Proper nouns have been used for ages as an identifying token: "Hi, Joe, this is my friend Mike" and there's no problem with that (given a much limited scope, of course). But you really know that me calling myself "John Doe" doesn't give to that token too much authority.

The problem is not identifying somebody as being 1243839845B, which is not a bad idea provided there's only one 1243839845B and there's an interest in univocally identifying people (which is a different problem). The problem comes when all the verification you do is something like "Hey, he must certainly be 1243839845B. How do you know? Because so he says".

This is in fact an acknowledged problem almost everywhere but USA: that's why you are identified as 1243839845B, not because you say so but because you say so *and* can produce an ID card with that number, your photograph and your fingerprints on it.

Disregarding the question of nationwide identification being good or bad (and in fact, USA has already disregarded this problem too or else the SSN wouldn't be used for identification purposes) this news seems to be absurd out of USA: well, my ID number is 34980233, there you have... so what?

Re:Duh (2, Insightful)

DerekLyons (302214) | more than 4 years ago | (#28602025)

I would suspect in 1989, they started automatically issuing SSN's at birth, which made the target much easier, if they had the birth month and year available.

IIRC, around then the IRS started requiring you to submit the SSN's of minor dependents you were claiming as exemptions.

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#28602095)

...because he didn't have a birth certificate

There's no shame in that, it won't even disqualify you from being President of the United States.

drivers license (Re:Duh) (1)

blindseer (891256) | more than 4 years ago | (#28602323)

They wouldn't issue his drivers license until he has a SSN.

Was that so the SSN could be used as the driver license number?

Around here they stopped putting SSNs on the drivers license some time ago. It must have been fairly routine to do so since I recall that about five years ago one of the staff at the license station started to ask if I wanted my SSN removed from my drivers license only to stop herself once she looked at my license. I don't think I ever had my SSN on my driver license since, even at a young age, I realized the danger in linking those two databases.

What really boggled my mind was that co-workers of mine were perplexed at my distaste for RealID even after pointing out the dangers of one's SSN getting into the wrong hands. If you think Social Security Numbers are scary you need to look at how RealID can really mess with your life.

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#28602479)

Twins? We have fraternal twins, and they have sequential numbers as well.

In other words (1)

mysidia (191772) | more than 4 years ago | (#28601279)

Most of the useful "security" characteristics of the SSN are in the last 4 digits.

If you know the last 4 digits of a SSN, and you get 2 or 3 guesses, then using their model: you can expect to guess the entire SSN correctly.

Re:In other words (3, Interesting)

Goobermunch (771199) | more than 4 years ago | (#28601367)

It's even better than that. Consider that the Federal Rules of Civil Procedure call for the redaction of all but the last four digits of an individual's social security number if it must be part of a court record (for example a discovery response).

Much of the discovery I have seen asks for the party's date of birth, place of birth, and social security number. While the rule "protects" the SSN from release by redacting the first five numbers, with a typical set of interrogatory responses, and the techniques pioneered by these researchers, I can get the holy trinity of identity theft information: SSN, DOB, and location of birth.

Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.

--AC

Re:In other words (2, Interesting)

Shakrai (717556) | more than 4 years ago | (#28602073)

Even worse, most of the country now uses PACER for electronic filing in Federal Courts. For $.08/page, anyone can access filings in a Federal case. This seems ripe for abuse.

Actually the majority of modern PACER filings redact the SSN. I looked up my bankruptcy case once upon a time and it was redacted in full on the various documents that were available. Some of the older filings leave them exposed though. Remember Mike Tyson? Looked up his Chapter 11 case awhile ago. His SSN is 089-56-9372. Thank you public record!

Re:In other words (1)

CAIMLAS (41445) | more than 4 years ago | (#28601451)

Funny, then, that employers put the least common numbers of your SSN on your pay check (as if it were 'randomized' in the same fashion as a credit card, which until fairly recently was pretty damn easy to fake/guess as well).

I wouldn't be surprised that, in states with lower populations/birth rates, the ease of guessing a person's SSN increases. I remember comparing/talking about SSN with friends in high school; the numbers of the (admittedly small) sample of local-born friends were sequentially matched to their order of birth.

I'd not be surprised that if you were to get a hold of birth records somewhere for such local areas, with a single SSN/name as a base point, you'd be able to figure out (to fairly high certainty) the specific SSN for quite a few people.

Likewise, you could probably figure out people's SSN in a deterministic fashion through process of limitation: guess a dozen people's SSNs, and after the 3 that came back positive, you'd have narrowed a smaller set to work with.

I'm safe! (0, Redundant)

g1zmo (315166) | more than 4 years ago | (#28601283)

It's a good thing they only use the last four digits for identification at my school.

Re:I'm safe! (2, Informative)

mysidia (191772) | more than 4 years ago | (#28601471)

If they are a publicly funded school and utilize parts of your SSN on your student ID, or display it on class rosters, and other places, then they may be in violation of the law. Specifically the Family Educational Rights and Privacy Act [privacyrights.org] restrictions:

One of FERPA's provisions requires written consent for the release of "educational records" or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).

Also

Many states now have laws banning public universities and colleges from using SSNs as student IDs.

Re:I'm safe! (1)

socsoc (1116769) | more than 4 years ago | (#28602527)

True, I remember my university having a sudden and mandatory reissue of ID cards because the SSN was encoded on the mag strip (back in 2005).

Why guess? (4, Insightful)

JorDan Clock (664877) | more than 4 years ago | (#28601287)

Who needs to guess when it's so easy to get someone to just give you their social security number if you just present a vaguely legitimate reason? For instance, I could pretend to be hiring people for a new business I am opening. Pretty much every application I've ever filled out has asked for a social security number.

I could also see this technique being combined for some nasty phishing methods. Set up a fake credit check website, ask for their date of birth, the security question is their place of birth, and the last four digits of their social security number is their pin number. Using the technique of these researchers, you can guess a significant portion of people's SS numbers. 40% is probably a huge number for phishing, where most people avoid them, but by sheer volume enough get caught to make money off it.

Re:Why guess? (4, Interesting)

CastrTroy (595695) | more than 4 years ago | (#28601689)

There was a scam going on here in Ontario with the same premise a few years ago. They would advertise a job in a local paper. Get you to send in a resume. Then call you up and give you a fake interview. A few days later, they'd call and say they were considering you for a position and ask you to send all the information to them (DOB, Name, SIN (Social Insurance Number, same as SSN)) plus a bunch of other personally identifying information. People who were pretty desperate for a job would give them all the info, and then they would have their identity a couple days later. Really ingenious scam when you think about it. When everybody else is watching out for phishing sites, these guys were just using old technology to collect all the information. Problem is that once the police figured it out, it was very easy to trace back to the scammers.

Re:Why guess? (1)

ceoyoyo (59147) | more than 4 years ago | (#28602083)

Another problem - you end up with the information of people who are desperate for jobs instead of people who have steady jobs and good credit.

Re:Why guess? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28602259)

Credit is credit, and almost anyone can qualify for new accounts.

A good way to do this would be to advertise summer jobs right after college terms are over. College students are well known for being offered new credit constantly, and not keeping track of their credit rating at all.

Re:Why guess? (1)

StikyPad (445176) | more than 4 years ago | (#28601793)

It's already common practice for ID thieves to troll Monster and Craigslist posing as potential employers. In most cases, the fake employers are easy to spot, but I imagine the technique will become more sophisticated in the future, if it hasn't already.

Re:Why guess? (1)

nmb3000 (741169) | more than 4 years ago | (#28602053)

Pretty much every application I've ever filled out has asked for a social security number.

This is why I've adopted the practice of simply writing "N/A", "-----", or just nothing when asked for a SSN. It's incredibly uncommon that they actually need that information, usually it's just stuck on there because the person making the form figures it should be on it. Go to a doctor of any kind? Don't need it unless you're processing your payment through insurance (and not even always then). I'll bet that in all the forms you fill out, maybe 10% have a legitimate need to know your SSN, and those are almost always employment applications.

They can always ask again or press the issue if it's really needed. Why just hand out sensitive information because some random piece of paper asks you to? I wonder how many people would fill in credit card numbers, bank account passwords, and mother's maiden name when asked to sign up for a grocery store "savings" card?

Re:Why guess? (0)

Anonymous Coward | more than 4 years ago | (#28602115)

I hav lots of monies in bank waiting for me,
Give your number and I get rich for us
Then the womans loves us!!!!!
Clikc here :::)))!

Hardly news (1)

Todd Knarr (15451) | more than 4 years ago | (#28601293)

Not news to anyone who knows how SSN assignment works. The first three digits (region code) have always been assigned based on state (with a few exceptions for things like Railroad Retirement and military uses), and since a new region code's only assigned to a state when the old one's nearly exhausted there's usually only a short period when there's 2 regions in use for a state. The middle 2 digits (group code) have always been assigned in a strict order as groups are exhausted. And SSNs are generally only assigned at 2 times: birth, or the first time someone gets a job and has to pay taxes (usually in high school). So if you know the state and date of someone's birth and where they went to high school, it's long been known that you can narrow it down to only a small handful of possible region and group codes. The only thing this research does is extend that into the last 4 digits, and I'm not surprised they found those assigned in some order over time. If I had to guess, frankly I'd've guessed that the last 4 digits were just assigned in order starting from 0000 with a new group code being assigned around 9900.
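As an added example (not code from the researchers, the SSA or the commenter), here is the arithmetic behind that narrowing in Python. It encodes SSA's documented group issuance order within an area, which applied until assignment was randomized in 2011 (odd 01-09, then even 10-98, then even 02-08, then odd 11-99), and the structural rules SSA has always applied (area 000, 666 and 900 and up never issued; group 00 and serial 0000 never issued). The area number 123 and the two high-group values in the usage are hypothetical stand-ins for two dates' entries in SSA's published High Group List.

```python
"""Candidate-space arithmetic for pre-2011 SSNs (added example)."""
from typing import Iterator, List, Sequence

# SSA's group issuance order for one area (pre-2011 sequential scheme):
# odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER: List[int] = (
    list(range(1, 10, 2))
    + list(range(10, 99, 2))
    + list(range(2, 9, 2))
    + list(range(11, 100, 2))
)
_GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}


def groups_issued_through(high_group: int) -> List[int]:
    """Every group an area has opened once `high_group` is its published
    high group, in the order they were opened."""
    return GROUP_ORDER[: _GROUP_RANK[high_group] + 1]


def groups_opened_between(high_before: int, high_after: int) -> List[int]:
    """Groups a number issued between two High Group List snapshots can
    fall in. The group current at the first snapshot is included because
    it may still have been filling."""
    a, b = _GROUP_RANK[high_before], _GROUP_RANK[high_after]
    if b < a:
        raise ValueError("high group cannot move backwards in issuance order")
    return GROUP_ORDER[a : b + 1]


def structurally_valid(ssn: str) -> bool:
    """Format plus the never-issued values: area 000/666/900+, group 00,
    serial 0000. Note there is no checksum to fail."""
    parts = ssn.split("-")
    if len(parts) != 3 or [len(p) for p in parts] != [3, 2, 4]:
        return False
    if not all(p.isdigit() for p in parts):
        return False
    area, group, serial = (int(p) for p in parts)
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def candidates(areas: Sequence[int], groups: Sequence[int]) -> Iterator[str]:
    """Enumerate every structurally valid SSN in the given areas and groups."""
    for area in areas:
        for group in groups:
            for serial in range(1, 10000):
                yield f"{area:03d}-{group:02d}-{serial:04d}"


def candidate_count(areas: Sequence[int], groups: Sequence[int]) -> int:
    """Size of the space left to search: 9,999 serials per area-group pair."""
    return len(areas) * len(groups) * 9999


if __name__ == "__main__":
    # Hypothetical: area 123's high group read 52 at one date and 56 at a
    # later one, so a number issued in between sits in one of three groups.
    window = groups_opened_between(52, 56)
    print(window, candidate_count([123], window))  # [52, 54, 56] 29997
```

With the first five digits pinned down this way, what remains is a serial space of a few tens of thousands per group, which is why the researchers' result on the last four digits matters more than the well-known area and group structure.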

Re:Hardly news (0)

value_added (719364) | more than 4 years ago | (#28601685)

And SSNs are generally only assigned at 2 times: birth, or the first time someone gets a job and has to pay taxes (usually in high school).

Or when becoming a naturalised citizen.

I received my SS card 15 years before my green card was (finally) approved. Translated, that means I was able to pay taxes, but lacked the legal right to work.

Re:Hardly news (3, Interesting)

interkin3tic (1469267) | more than 4 years ago | (#28602365)

Not news to anyone who knows how SSN assignment works.

Yes it is. Knowing it's theoretically possible to figure it out is one thing. Someone actually demonstrating it can be done with high success rate is another. And it's news that matters because maybe this will force some change on the issue, dispels the illusion that it's a super secret identifying code that only you and X large organization knows. ...and maybe there will be a pony waiting for me at home...

This isn't really new (1)

Ark42 (522144) | more than 4 years ago | (#28601323)

This isn't really new as the first 3 digits of your SSN already tell you which state you were born in more or less - http://www.google.com/search?q=ssn+by+state [google.com] and the numbers are issued pretty sequentially from there, so just the year you were born and the state you were born in narrows it down pretty far already.

Social Security Numbers As Identifiers (5, Interesting)

StormReaver (59959) | more than 4 years ago | (#28601333)

When I was young, the back of my social security card had a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing. Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.

Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.

Re:Social Security Numbers As Identifiers (0, Troll)

Short Circuit (52384) | more than 4 years ago | (#28601533)

In my opinion, Congress has been criminally negligent in allowing this to continue for this long.

Because Congress must pass laws to protect us from ourselves?

Re:Social Security Numbers As Identifiers (2, Insightful)

frosty_tsm (933163) | more than 4 years ago | (#28601691)

Because Congress must pass laws to protect us from ourselves?

You can hardly call this protecting us from ourselves when everything from employment to apartment rental to cell phone plans to education require SSNs.

Re:Social Security Numbers As Identifiers (2, Interesting)

Shakrai (717556) | more than 4 years ago | (#28601997)

You can hardly call this protecting us from ourselves when everything from employment to apartment rental to cell phone plans to education require SSNs.

Actually you are welcome to refuse to give out your SSN for any of those purposes. Of course the person on the other end of the business arrangement is also welcome to refuse to do business with you.....

Re:Social Security Numbers As Identifiers (1)

interkin3tic (1469267) | more than 4 years ago | (#28602399)

Actually you are welcome to refuse to give out your SSN for any of those purposes. Of course the person on the other end of the business arrangement is also welcome to refuse to do business with you.....

And the current story proves that even that is pretty useless.

Re:Social Security Numbers As Identifiers (1)

Short Circuit (52384) | more than 4 years ago | (#28602019)

Employment requires it because the large chunk of your taxes are targeted at funding the Social Security program, and your employer is required to contribute before you even get your check. Granted, it goes to someone else's benefits right now, but the program is naively designed under the assumption that someone else's taxes will be paying your benefits in the future.

As for apartment rental, cell phone plans and education, are there legal requirements for them to demand your SSNs? If not, then it's the fault of that particular institution. If so, then those laws are in conflict, sure, and need to be fixed. If not, then find arrangements that don't require your SSN. That can be anything from using a Wifi phone with a WISP to getting a prepay phone to getting a roommate who's willing to put his SSN on the paper.

Millions of illegal immigrants get by without legitimate SSNs. Try finding and talking to a few to find out what approaches are available that don't involve falsifying one.

I don't have a good alternative for education, though I've heard there are a few institutions that cater to people without legitimate SSNs, and don't get shut down; It must be possible for them to do it without one.

Re:Social Security Numbers As Identifiers (1)

Your.Master (1088569) | more than 4 years ago | (#28601781)

The US government is responsible for Social Security Numbers, yes. If the security of that system is vulnerable to social engineering, then it should take reasonable steps to eliminate that security hole.

Re:Social Security Numbers As Identifiers (1)

The Grim Reefer2 (1195989) | more than 4 years ago | (#28601673)

When I was young, the back of my social security card had a notice: "Not to be used for identification purposes" (or something similar). When I lost my original card and had to get a replacement, the notice was missing.

I still have my original, and it does state it. I always assumed that it was still the case, I guess spammers have a better lobby than we thought. ;-)

 

Our government is solely to blame for allowing the private sector to use social security numbers as identifiers. Congress has had an overabundance of time to pass laws criminalizing the use of social security numbers by the private sector. In my opinion, Congress has been criminally negligent in allowing this to continue for this long.

I agree, but I'd like to know how you plan to punish them. Obviously voting them out of office hasn't worked out so well. Besides, there are probably many more injustices that are far worse that they should be held accountable for.

 

Social security numbers should be used for one, and only one, purpose: to link an individual to social security benefits. Any other use should be a criminal offense.

I've always refused to give out my social security number other than after I've been hired by an employer. I've lived in several states over the years and many used to use your social security number as your drivers license number. I never understood why people would choose to use it when the option to not do so was offered. Usually the reason was an excuse of pure laziness, "I don't want to have to remember another number". I also remember when businesses would try to claim that you were required to write your social on a check for them to accept it as payment.

Re:Social Security Numbers As Identifiers (1)

StormReaver (59959) | more than 4 years ago | (#28602391)

I agree, but I'd like to know how you plan to punish them.

That is certainly the problem. It's a "who watches the watchers" conundrum. Congress needs to be punished for many misdeeds, but it's Congress that determines what's punishable. It's no secret how they're going to view this.

Old news... (1)

The Pirou (1551493) | more than 4 years ago | (#28601349)

With a simple social engineering question of 'where are you from, where were you born?,' that most people think nothing of, you are able to easily acquire the first 3/8 digits of someone's SSN (and the answer to 15% of the standard security questions out there). The rest is just a matter of time and patience.

Honestly, this topic was covered for the umpteenth time when 2600 magazine did it over 10 years ago in a quarterly format available at most Barnes & Nobles stores (if you didn't have a home subscription). I can't lay my hand on the issue without doing a bothersome search of my closet, but really, this is old hat.

I don't know which is worse, the fact that this is making news now, or the fact that I pretty much outed myself as being from the era of AOL script kiddies. I'm sure Phrack or somewhere else probably covered this way before 2600 did. Nothing changes...

Common knowledge (0, Redundant)

DigitalCrackPipe (626884) | more than 4 years ago | (#28601365)

who for the first time

For the first time? Is this a joke? The pattern of assignment has been well known for years, whereby everybody born in an area at a particular time had the same prefix.

Any scheme that uses the first 5 digits for authentication is utter crap. It's almost as dumb as using telephone area codes.

Re:Common knowledge (1)

Jimmy King (828214) | more than 4 years ago | (#28602033)

That was my first thought when I read this, too. I immediately went and double checked to make sure I was remembering right. I need to become a researcher. That job sounds way easier than mine.

Damned if you do, damned if you don't (5, Interesting)

Palestrina (715471) | more than 4 years ago | (#28601383)

If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number.

But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.

And however many digits the number is, and even if it is randomly-generated (as the article proposes) your id number is only as strong as the weakest link among those who have stored your id, meaning the used car dealer, the credit card company, the student loan office, etc.

It is guaranteed to fail since they all involve transmitting and storing the secret.

What we need is a national public key infrastructure, with keys stored on smart cards, or similar, along the lines of what they have in Belgium. Of course, even PKI fails in the face of social engineering, so we need citizens to be more aware of the risks as well.

Re:Damned if you do, damned if you don't (5, Insightful)

Todd Knarr (15451) | more than 4 years ago | (#28601583)

Identification != authentication. Failure to understand that is the problem.

Take your e-mail account. Your username identifies you. Your password authenticates you. Your provider (and everyone else in the world) use your username or e-mail address to identify you or to identify who they're sending their mail to. But when you go to log on to read your mail your provider doesn't just assume that if you know who you are that you're authorized to read your e-mail. They ask for your password (which you don't give out to anybody else) to authenticate that you're really who you're claiming to be.

The basic problem is that a lot of businesses want to verify your identity, but they want to do it fast and not waste time or resources actually authenticating you. So they've taken shortcuts. And now it's biting them, and they want someone to make the problem go away. Note: they do not want to fix the problem. To quote someone, "When the users say "When I drop this bowling ball on my foot it hurts. Make it stop hurting.", they mean just that. They don't want to stop dropping the bowling ball on their foot. They want you to make it not hurt when they do.".

Re:Damned if you do, damned if you don't (1)

Bovius (1243040) | more than 4 years ago | (#28601621)

there is no fool-proof method for protecting a person's Social Security Number

Fixed that for you, article summary.

Re:Damned if you do, damned if you don't (1)

Culture20 (968837) | more than 4 years ago | (#28602313)

If we all have unique id numbers to identify us, then someone can impersonate us by knowing that number. But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.

Without ID: "I am Napoleon!" "Here's a white coat, sire. Long Sleeves, befitting Imperial majesty."
With ID: "I am Napoleon! Release me!" *displays falsified ID* "At once! Please forgive us you majesty!"
In other words, once people get used to using ID numbers, they stop getting used to thinking and using webs of trust. "I called Jim over in the hospital, Mr. Napoleon. It seems he knows you. He's coming by to visit you in a few minutes. Juice?"

Re:Damned if you do, damned if you don't (0)

Anonymous Coward | more than 4 years ago | (#28602625)

But of course, if we did not have unique id numbers to identify us it would be even easier for someone to impersonate us.

Not really. If I'm John Doe, and somebody else claims to be John Doe, you can't assume they're the same person. It requires some actual investigation to do.

However, if I'm John Doe SSN 123-45-6789 and somebody else claims to be John Doe SSN 123-45-6789, it's too easy to assume they're the same person.

Personally I always thought nobody should have to have a public identity. Somehow the concept seemed antithetical to freedom to me. Now that I've seen how our identities are abused, I'm sure of it. Identity is never for our benefit. It's only used so corporations can abuse us.

Its pretty sad (1)

scorp1us (235526) | more than 4 years ago | (#28601393)

When we put more consideration into TCP ISNs than we do an identifier someone has for life. We even worked hard to randomize this so that the connection is not easy to hijack if SSNs are being sent.

The problem is not that SSNs are easy to guess (5, Insightful)

raddan (519638) | more than 4 years ago | (#28601409)

Because SSNs are supposed to be unique identifiers. Identifiers only. The problem is that they're also being used as the shared secret! There's nothing secret about an SSN, people, and there shouldn't be. I think at this point, the government needs to simply legislate the correct behavior, because companies like Comcast (who asked me for my SSN for 'security reasons' just the other day) just don't get it. Of course, getting the government to know the 'correct behavior' is yet another battle...

Re:The problem is not that SSNs are easy to guess (4, Informative)

Ron Bennett (14590) | more than 4 years ago | (#28601855)

You're spot on about SSN being an identifier only, and it was not intended to be a secret.

However, SSNs were never designed to be unique; they are not!

SSNs can be recycled. And it's also possible, though difficult, for one to obtain a new SSN.

In addition, many SSNs are assigned to more than one person - so common that the IRS, as well as many other government agencies, as well as the major credit bureaus, utilize software that allows for SSN duplicates and doesn't rely on SSNs alone to separate people.

Ron

Re:The problem is not that SSNs are easy to guess (1)

thisissilly (676875) | more than 4 years ago | (#28601979)

What the parent said. SSN should only be used as a uniquifier, to distinguish John Smith 123-45-6789 from John Smith 123-99-4321. The government should pick a date, say 5 years from now, and state that on that date they will publish the full list of Name & SSN data. Everyone using SSN as a shared secret must fix their databases.

Re:The problem is not that SSNs are easy to guess (1)

izomiac (815208) | more than 4 years ago | (#28602037)

Or they could just remind people that they aren't secret, and post a public database of everyone's name/SSN online. No legislation necessary, and businesses don't have to switch their software that (foolishly?) uses SSNs as ID numbers.
 
Actually, come to think of it, the government isn't the only one who could do this. A cracker or disgruntled employee of a large company could effectively make this happen. I'm half surprised that it hasn't already...

CMU + SSN (0)

Anonymous Coward | more than 4 years ago | (#28601427)

hehehe... about 10 years ago CMU was using SSN's as Student ID's.... and CMU researchers were using university data including student ID's in research they were publishing on the web(without notifying students)... oops.

why it pays to google for your SSN every once in a while. ;)

Re:CMU + SSN (0)

Anonymous Coward | more than 4 years ago | (#28602035)

They still used SSNs as Student IDs for the class of 2009.

That is the problem when using SSN as ID (2, Insightful)

dunkelfalke (91624) | more than 4 years ago | (#28601439)

If you use just a number for identification, it will be grossly misused. It is crazy to oppose a real ID card but use a much weaker (in terms of security) SSN as identification means and suddenly a baseless fear of certain forms of identification opens the way to very bad forms of identity theft.

Re:That is the problem when using SSN as ID (1)

zippthorne (748122) | more than 4 years ago | (#28602457)

The problem with a real ID card is that it would just be another number if we did it right now. Although the technology exists to do far better, the mindshare of cryptography is appallingly low.

We really need a "cryptology spokesman" with charisma to go out there and extol the virtues of not blabbing your freakin' financial information to everyone who asks. Or having a stupid number somewhere that does the same crap for you.

Not being careful with your personal data is like not being careful with your personal genitals. The more people you allow to access either, the more likely something very bad will happen.

Re:That is the problem when using SSN as ID (2, Insightful)

dunkelfalke (91624) | more than 4 years ago | (#28602641)

Not if the number of the real ID would be just its serial number and meaningless otherwise. Since the ID card itself is a proof of your identity, the number of it wouldn't be saved anywhere.

Tell me something I didn't already know. (0)

Anonymous Coward | more than 4 years ago | (#28601461)

This is old news, especially to me. I used this method to invent a plausible SSN for Michael J. Volpe, my legal-drinking-age alter ego when I was in college. I figured that as long as I had a fake ID, I'd see if I could use it to leverage myself into a false identity too. The number I used had the right digits for his supposed date and place of birth; the rest was just random. I never got any real documentation or credit accounts issued for Michael, but that was only because I ran into bootstrapping issues using a SSN with no history, not because the SSN was recognized by anyone as invalid.

good thing I was born in 1987 (0)

Anonymous Coward | more than 4 years ago | (#28601501)

They'll never be able to figure out my SSN. 754-6523. No pattern to that one.

fool-proof method -- who cares? (2, Interesting)

whoever57 (658626) | more than 4 years ago | (#28601507)

'there is no fool-proof method for predicting a person's Social Security Number.'"

Who cares that there is no fool-proof method? All that matters is that there is a significant probability of success.

Probably the only people who are safe from this are immigrants!

I call bullshit. (1)

Lord Kano (13027) | more than 4 years ago | (#28601519)

A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'

Yeah, maybe with a wink and a nod. Social Security cards used to say "Not to be used for Identification" or words to that effect written on them in bright red ink. If the Federal Government was serious about not having the private sector use the number for identification purposes, they'd ban the practice.

LK

Sorry: Not News (1)

WheelDweller (108946) | more than 4 years ago | (#28601587)

I saw a guy on one of those shows...might have been Donahue, do that knowing only the guy's age and state....verifying whether it was the right number.

The whole SSN thing is such a misnomer. There's only so many digits; people think every number has one person....it doesn't work that way. Instead, it's intended to weed out the (possibly) 10,000,000 "Joe Smiths" out there.

Re:Sorry: Not News (0)

tverbeek (457094) | more than 4 years ago | (#28602129)

"There's only so many digits; people think every number has one person....it doesn't work that way."

Um, yes, it does. To be more precise, there are nine digits, which allows them to specify one billion different people without assigning two of them the same number. The population of the U.S. is less than a third of that, with dead people whose SSNs are used up we're still at less than half. Granted, in a few generations there will be allocation problems with the current algorithm, and they'll have to start reallocating numbers, then assigning the remaining ones randomly, and eventually we'll have a big "SSN1G" crisis when we switch to 10-digit SSNs. But for now, it really and truly is 1 SSN to 1 person.

This problem will go away (0)

Anonymous Coward | more than 4 years ago | (#28601661)

Once we make the switch to SSNv6.

Ran into this a few years ago... (1)

moniker (9961) | more than 4 years ago | (#28601819)

Having worked in IT for 9 years at a college, this kind of thing is a nightmare.

One application we used for tracking students allowed a student to enter their SSN, which would then be replaced by their benign student ID and display their name. Even something like this is pretty dangerous.

If I know that most students at the college are going to be residents of a certain state, I can limit myself to searching just for SSNs assigned to that state by looking at the first three numbers. The next two numbers are the assignment group, which will vary based on when the SSN was assigned.

But, being from the same area, it was even easier than that. I could assume that there is a good chance that someone might be born in my state and assigned an SSN in the same group as me, which means I only have to guess the last four numbers, starting with the same five numbers that I have. (As a DBA, I had access to all of this information anyways.)

Starting with my SSN, I began incrementing by one. It only took six increments to reach another person's SSN. By using this application, I could type in my variations of a known SSN and find new SSNs, along with the name of the person who belongs to that SSN.

Out of curiosity, I did a 'group by' query on the first five numbers of all the SSNs in the database (roughly 60k SSNs) and found that in the most populous grouping, you would have a 1 in 20 chance of getting an SSN just by guessing the last four numbers of this group.
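The two measurements the commenter describes, the serial-increment walk and the 'group by' on the first five digits, as an added Python example (not the commenter's query or the college's application). The record set is constructed for the example; the constants follow the standard SSN layout, with 9,999 possible serials under each area-group prefix.

```python
"""Measuring how exposed an SSN-to-name lookup is (added example)."""
from collections import Counter
from typing import Dict, Iterable, Optional, Set

SERIAL_SPACE = 9999  # serials 0001-9999 exist under each area-group prefix

# Constructed sample records for the example, not real data.
SAMPLE_SSNS = [
    "123-45-0100", "123-45-0106", "123-45-0250", "123-45-0900",
    "123-46-0001",
    "321-10-5555",
]


def prefix_density(ssns: Iterable[str]) -> Dict[str, float]:
    """Per area-group prefix, the probability that a single random serial
    guess hits a real record: the 'group by first five digits' as odds."""
    counts = Counter(s[:6] for s in ssns)
    return {prefix: n / SERIAL_SPACE for prefix, n in counts.items()}


def guesses_per_hit(records_in_group: int) -> float:
    """Expected random guesses per valid hit under one prefix. 500 records
    under a prefix gives the roughly 1-in-20 odds the commenter found."""
    if records_in_group <= 0:
        raise ValueError("no records under this prefix")
    return SERIAL_SPACE / records_in_group


def walk_to_neighbor(known: str, known_set: Set[str]) -> Optional[int]:
    """Serial increments, starting from one known SSN, until the next record
    under the same prefix is hit. None if the serial space runs out first.
    Any lookup that echoes a name for a submitted SSN is an oracle for this."""
    prefix, serial = known[:7], int(known[7:])
    for step in range(1, SERIAL_SPACE - serial + 1):
        if f"{prefix}{serial + step:04d}" in known_set:
            return step
    return None


if __name__ == "__main__":
    records = set(SAMPLE_SSNS)
    print(prefix_density(records))
    print(walk_to_neighbor("123-45-0100", records))  # 6
    print(guesses_per_hit(500))  # 19.998
```

The fix on the application side is not a better secret but a different lookup key: a form that resolves SSN to name, as described above, is a confirmation oracle regardless of how the numbers were issued.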

I always use my State Driver License ID number (2, Interesting)

Orion Blastar (457579) | more than 4 years ago | (#28601871)

which I selected to not be my social security number.

The State ID number is a random series of letters and numbers and it is harder to guess.

The usual jokes like Ronald Reagan's social security number was 000-00-0002 because he was the second person to file behind FDR, are funny but historically inaccurate.

Illegal Immigrants or Undocumented Workers or whatever you want to call them easily generate fake SSNs, and a bulk of them use the same SSN for the same employer and it is usually a SSN of someone who died, and they got it off a death certificate. The current system of checking SSNs is broken.

What we need is a different system that is harder to guess, one that uses letters and numbers like license plates or software serial numbers. One that Social Security keeps on a secure system that can verify the numbers and tell if the new SSN is stolen or the owner of the SSN is dead and someone else may be using it for fraud.

I just hope the new system isn't abused to take away rights and freedoms, that would be bad.

I remember the colleges I went to used to use our SSN as our student number and it was on grade lists. I requested that I be issued a student number not based on my SSN for privacy reasons and they did issue me a student number different from my SSN. The grade lists would be student name, student number, and then grade issued in class and everyone could see them. The professors listed them by the door for the classroom after finals and midterm grades were calculated. Many other systems used to base employee number etc on SSNs.

Re:I always use my State Driver License ID number (1)

zippthorne (748122) | more than 4 years ago | (#28602495)

No, what we need is some kind of pairing device. Your name ought to be a sufficient identifier, or your name plus a number if you couldn't think of an original name....

But if you want two groups to be able to share information on your behalf (say, a bank and a utility), there ought to be some kind of pairing process like with bluetooth, or SSL, or wireless networking...

Ideally, there would be some kind of smart device, possibly about the size of a library card so it would be convenient that could store and compute the "keys" to establish links.

Re:I always use my State Driver License ID number (1)

arb phd slp (1144717) | more than 4 years ago | (#28602531)

The State ID number is a random series of letters and numbers and it is harder to guess

In New Hampshire, if you know somebody's name, DOB and a couple of other things you can extrapolate someone's driver's license number. (I can't remember what else was in there and they confiscated it when I got my PA one. Eye color, maybe.)

Same other places too.... (2, Interesting)

MortenMW (968289) | more than 4 years ago | (#28602001)

It's the same problem in Norway. The person-numbers (Norwegian SSNs) are built this way:
DD MM YY III CC

The three first groups are your date of birth (which is found in all public records).

The next group (III) are individual numbers ranging from 000 to 999. If you are born before 2000 it is under 500, if you're born after it is over. If you are male it is an odd number and even for girls. So if you know the date of birth and a person's gender there are 250~ possible numbers.

The last group are control digits used to calculate a valid person-number.

Most (if not all) banks and other important things use the numbers as both identification and authentication...
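An added Python example (not the commenter's code) that makes the point concrete: the Norwegian control digits are the standard mod-11 weighted checksum (weights 3,7,6,1,8,9,4,5,2 for the first digit and 5,4,3,2,7,6,5,4,3,2 for the second; a result of 10 means the number is never issued), so anyone who knows a date of birth and gender can enumerate every valid number. The individual-number rule follows the comment as written (below 500 before 2000, odd for men), which is a simplification of the official ranges, and the birth date in the usage is constructed.

```python
"""Enumerating Norwegian person-numbers from birth date and gender
(added example)."""
from typing import List, Optional

K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def control_digits(first9: str) -> Optional[str]:
    """Two control digits for DDMMYYIII, or None when either mod-11 step
    yields 10 (such individual numbers are skipped at issuance)."""
    digits = [int(c) for c in first9]
    k1 = 11 - sum(w * d for w, d in zip(K1_WEIGHTS, digits)) % 11
    if k1 == 11:
        k1 = 0
    if k1 == 10:
        return None
    k2 = 11 - sum(w * d for w, d in zip(K2_WEIGHTS, digits + [k1])) % 11
    if k2 == 11:
        k2 = 0
    if k2 == 10:
        return None
    return f"{k1}{k2}"


def is_valid(number: str) -> bool:
    """Checksum validity only; a valid number says nothing about who holds it."""
    return (
        len(number) == 11
        and number.isdigit()
        and control_digits(number[:9]) == number[9:]
    )


def candidates(day: int, month: int, year: int, male: bool) -> List[str]:
    """Every checksum-valid person-number consistent with the rule given in
    the comment: individual number below 500 for births before 2000, 500
    and up otherwise; odd for men, even for women."""
    lo, hi = (0, 500) if year < 2000 else (500, 1000)
    base = f"{day:02d}{month:02d}{year % 100:02d}"
    out = []
    for individual in range(lo, hi):
        if (individual % 2 == 1) != male:
            continue
        first9 = f"{base}{individual:03d}"
        cd = control_digits(first9)
        if cd is not None:
            out.append(first9 + cd)
    return out


if __name__ == "__main__":
    # Constructed: a man born 1 January 1990.
    pool = candidates(1, 1, 1990, male=True)
    print(len(pool), pool[0])  # roughly 200 numbers, the first being 01019000164
```

The checksum removes only the individual numbers whose control digit would be 10, so of the 250 odd candidates about 200 survive. Against a service that accepts the number as both username and password, that is a couple of hundred attempts per victim, not a secret.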

the real paper (1)

cinnamon colbert (732724) | more than 4 years ago | (#28602065)

you can get a pdf of the actual report by the researchers - no 2nd, 3rd and 4th hand stuff, for free from this url
http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html?sid=5e51e1ab-8945-420c-8013-29182641090e [pnas.org]
which raises an interesting question: why do /.ers, who obviously consider themselves above average, make do with 2nd hand reports when they can so easily get the real thing.

actually bothering to take, say, 5 min to find and read the original report would have zeroed out a lot of the nonsense on /. for instance: the report, in its intro, says that the SS administration openly discloses that the first 3 digits are area number, AN....

SSN's have no error control (5, Interesting)

grandpa-geek (981017) | more than 4 years ago | (#28602075)

Change a digit or transpose digits in an SSN and you most likely will transform it into another valid SSN.

The SSN numbering system was developed in the mid 1930's. The modern mathematics of error control were published by Shannon after World War II. (His work on error control was related to work on cryptography.) By "modern" mathematics, I refer to the fact that there was some understanding of error control in old telegraph systems, but it wasn't developed systematically.

Credit cards have check digits that will catch some common errors in data entry. Computer and communications technology use error control in many ways. SSN's are still back in the 1930's.

Perhaps it is time to modernize them by at least adding check digits. Also, the prohibition against using them as personal identifiers should be strengthened and enforced.
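As an added example (not the commenter's proposal in code form, and not anything the SSA has specified), here is the check digit payment cards actually use, the Luhn algorithm, applied to the comparison the comment makes: an SSN has no checksum, so a transposed SSN is indistinguishable from a valid one, while a Luhn digit catches every single-digit error and every adjacent transposition except swapping 0 and 9. The ten-digit SSN-plus-check-digit at the end is hypothetical, there to illustrate what "adding check digits" would buy.

```python
"""Luhn check digits versus the checksum-free SSN (added example)."""
from typing import Callable, Iterator


def luhn_check_digit(payload: str) -> int:
    """Digit d such that payload + d passes the Luhn test. Walking from the
    right, the digit that will sit next to the check digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Luhn test on a full number whose last digit is the check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_format_only(ssn9: str) -> bool:
    """All an SSN offers: nine digits. No digit depends on the others."""
    return len(ssn9) == 9 and ssn9.isdigit()


def single_digit_errors(number: str) -> Iterator[str]:
    """Every variant with exactly one digit changed."""
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                yield number[:i] + d + number[i + 1:]


def adjacent_transpositions(number: str) -> Iterator[str]:
    """Every variant with two neighbouring, differing digits swapped."""
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            yield number[:i] + number[i + 1] + number[i] + number[i + 2:]


def detection_rate(number: str, mutate: Callable[[str], Iterator[str]]) -> float:
    """Fraction of mutated variants that the Luhn test rejects."""
    variants = list(mutate(number))
    caught = sum(1 for v in variants if not luhn_valid(v))
    return caught / len(variants)


def ssn_with_check_digit(ssn9: str) -> str:
    """Hypothetical ten-digit SSN: the nine digits plus a Luhn check digit."""
    return ssn9 + str(luhn_check_digit(ssn9))


if __name__ == "__main__":
    plain, swapped = "123456789", "123465789"
    print(ssn_format_only(plain), ssn_format_only(swapped))  # True True
    protected = ssn_with_check_digit(plain)                   # 1234567897
    print(luhn_valid(protected), luhn_valid("1234657897"))  # True False
    print(detection_rate("11098", adjacent_transpositions))  # 0.666... (09<->90 slips through)
```

A check digit is an integrity control, not a secret: it stops a mistyped number from silently resolving to someone else's record, which is the comment's point, and does nothing against guessing.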

No... (1)

Culture20 (968837) | more than 4 years ago | (#28602091)

The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches

No, ubiquitous use of SSNs as a "secret" for anything beyond Social Security has left millions of citizens vulnerable to privacy breaches.

Universal Identifier != universal authentication (0)

Anonymous Coward | more than 4 years ago | (#28602121)

The SSN is a perfectly fine choice as a universal identifier. However, it is a lousy choice as a universal password. That is what most institutions have used it as. A universal identifier and password at the same time. Identification, Authentication, and Authorization are in fact separate activities and require distinctly separate systems.

(Why are people so stupid about this stuff? It's so simple.)

funded by the National Science Foundation (4, Interesting)

call -151 (230520) | more than 4 years ago | (#28602273)

Here [nsf.gov] is their grant and proposal abstract from the NSF. It sounds like they did exactly what they'd proposed to do; not every grant meets that metric! Theirs is a 3-year grant for a total of $386,927.

There was a cute line in their FAQs:

Q. Were the tests IRB approved?

Yes, they were approved. No SSNs were harmed during the writing of this paper.

Military service (1)

the_macman (874383) | more than 4 years ago | (#28602303)

Fuck.... Never mind the fact that if you've ever been in the military your SSN has been passed around more than a two dollar whore. So much for security through obscurity :\

Impressive, not *too* surprised (1)

rnelsonee (98732) | more than 4 years ago | (#28602615)

Okay, guessing all 9 digits is good, so I'm not downplaying the success of this research. My sister and I were born 3 minutes apart and our SSNs are 20 values apart.

But the first 5 have always been not too difficult for some areas as it's based on date and location of birth (or date of issue, but there's obviously a correlation between the two). This makes it invaluable as a social hacking tool.

Just like the easy-to-guess Soundex [wikipedia.org] numbers found on many state licenses, as well as the fact that credit cards use a system [merriampark.com] for numbering, simply correctly identifying the first few digits of a number can sometimes gain someone's trust ("Okay, I'm going to verify the first 4 digits of your Driver's License, but I won't disclose the whole thing over the phone. After I've verified this information, I will need...")

You're missing the point (0)

Anonymous Coward | more than 4 years ago | (#28602649)

The point that I haven't seen anyone hit on yet is the fact that they designed it for THEIR use, not ours and not the private sector. They've even gone so far as to require that it's redacted to some degree (even though, as proven a bazillion times, it's trivial to guess what's been redacted). The fact is that everyone else has adopted it because if any legal matters came up, that's the only way the law was going to identify you. The problem is that the lazy private sector doesn't have anything else that's "consistent" (and I use that term extremely loosely) across all entities to manage your identity. Hell, FINGERPRINTS would be a better way of managing the authentication - the level of security required can be increased by simply requiring more fingers be scanned. Signing into a basic forum where you don't care? Swipe a digit. Logging into your bank? Swipe more, PLUS use an SSN. I'd certainly be happy to go spend the few bucks on a USB fingerprint reader for my desktop - laptop's already got it.

Let's face it - the US Government isn't known for developing numbering systems with security in mind - take a look at IPv4. What the world needs is a commercial solution for a commercial problem. What good is my SSN when doing business outside the US?
