We all know to keep our social security number private, and not share it with the masses, right? After all, if the wrong person gets a hold of it, that could be a very bad thing. Our social security number (SSN) is like the magic little key to our financial world, and other critical parts of our lives. It can open or close doors for us. And if misused by another, like in the case of identity theft, it can break us.
Well, what if that number is not as secret and secure as we would like to think? What if there were a way for wily would-be hacker/thieves to steal our SSNs and have a field day with our identity? And no, I don’t mean just through the old break-into-an-institution-and-get-their-records method. Nothing as blasé as that. I mean actually being able to figure out what your SSN is, based on your date of birth and where you were born, using a specific algorithm. Yes Virginia, it is possible.
Two researchers at Carnegie Mellon University discovered this nifty little technique. And it works with a rather amazing degree of accuracy, especially considering that the two practices it relies on (both created by the federal government) were put in place to prevent schemers from creating a fake SSN. Well, they don’t have to create a bogus one anymore; they can just take a real person’s number.
The first thing it relies on is what is called the Death Master File. The government makes this file publicly available, and it shows the SSNs of any deceased individuals. This gave researchers material to analyze how the assignment of SSNs related to date and state of birth.
The second thing is that the handling of SSN assignments has been centralized and documentation has been provided on the procedures. So, it is clear and known now that the first three digits are based on the state where the SSN was originally assigned, and that the next two are what is called a group number. The last four are random. Now, since the late 80s, there has been an initiative in place called “Enumeration at Birth”, which tries to make sure that everyone gets their SSN very soon after birth, hoping to cut down on fraud.
This second program is what really made the difference in the research, as it pointed to SSNs being related to date of birth. So, the researchers used the Death Master File to break up the data by state (the first three digits), then ordered the numbers by date. They then looked for statistical patterns within that data.
There were some patterns before the 1990s in the numbers given for region and group number, but, after that, with rare exception, it was clear that there was an obvious pattern of sequential order used for almost all SSNs. If you live in a less populous state, the pattern is even easier to determine, although the last four digits were still tougher to figure out. Even those could be guessed, with a lower degree of accuracy, using the algorithm the researchers came up with.
Using this algorithm, they were able to get the first five digits of the number right for those born before 1988 seven percent of the time. You may think, well, that isn’t too bad, it’s only 7 percent. Yeah, but it went up to a success rate of 44 percent for those people assigned an SSN after 1988, and if you happened to live in a smaller state like Vermont, the success rate was over 90 percent.
They still need the last four digits though. They were only able to get those right 0.1 time within 10 tries even after 1988, although again with smaller states they did better. However, this still doesn’t give total peace of mind, because many credit card verification companies allow up to two digits of the SSN to be wrong as long as the date and place of birth are accurate. They do this to allow for illegible forms. They also allow for several failed verification attempts per IP address before they go and lock it out and blacklist it. So, based on this, the authors of the algorithm estimate that a botnet of about 10,000 machines could obtain identity verification of younger residents of a smaller state at a rate of 47 a minute. That’s frightening in my opinion.
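To see why the two-digit tolerance matters so much, here is an added illustration (not code from the article or from the Carnegie Mellon researchers). It models a hypothetical identity-verification service two ways: the lenient policy the article describes, which accepts an SSN with up to two wrong digits, and a strict policy that requires an exact match and locks out a source after a few failures. The SSN in the block is a constructed sample, and the verifier, its lockout threshold and the function names are all assumptions made for the example.

```python
"""Tolerant SSN matching versus strict matching with lockout.

Added illustration, not the article's or the researchers' code. The SSN
below is a constructed sample value, and the verification service modelled
here is hypothetical.
"""
from itertools import product

# Constructed sample SSN, written without dashes. Not a real number.
SAMPLE_SSN = "123456789"


def mismatched_digits(candidate: str, actual: str) -> int:
    """Count positions where two equal-length digit strings differ."""
    if len(candidate) != len(actual):
        raise ValueError("SSNs must be the same length")
    return sum(1 for a, b in zip(candidate, actual) if a != b)


def lenient_verify(candidate: str, actual: str, tolerance: int = 2) -> bool:
    """The tolerant policy the article describes: accept when at most
    `tolerance` digits are wrong (intended to absorb illegible paper forms)."""
    return mismatched_digits(candidate, actual) <= tolerance


def strict_verify(candidate: str, actual: str) -> bool:
    """Hardened policy: every digit must match."""
    return candidate == actual


def accepted_serials(actual: str, verify) -> int:
    """Assume the first five digits (area + group) are already known, as the
    article says is often the case. Count how many of the 10,000 possible
    four-digit serials the given verifier would accept. This is the defender's
    measure of how much a tolerant matcher widens the acceptable set."""
    prefix = actual[:5]
    hits = 0
    for digits in product("0123456789", repeat=4):
        if verify(prefix + "".join(digits), actual):
            hits += 1
    return hits


class RateLimitedVerifier:
    """Hypothetical per-source lockout: after `max_failures` wrong guesses
    from one source (for example an IP address), further attempts are refused."""

    def __init__(self, actual: str, verify, max_failures: int):
        self.actual = actual
        self.verify = verify
        self.max_failures = max_failures
        self.failures = {}   # source -> number of failed attempts
        self.locked = set()  # sources that have exceeded max_failures

    def attempt(self, source: str, candidate: str) -> str:
        if source in self.locked:
            return "locked"
        if self.verify(candidate, self.actual):
            return "accepted"
        self.failures[source] = self.failures.get(source, 0) + 1
        if self.failures[source] >= self.max_failures:
            self.locked.add(source)
        return "rejected"


if __name__ == "__main__":
    lenient = accepted_serials(SAMPLE_SSN, lenient_verify)
    strict = accepted_serials(SAMPLE_SSN, strict_verify)
    print(f"serials accepted with 2-digit tolerance: {lenient} of 10000")
    print(f"serials accepted with exact match:       {strict} of 10000")
```

With the first five digits known, the tolerant matcher accepts 523 of the 10,000 possible serials (every serial sharing at least two of its four digits with the real one), while exact matching accepts only one. Combining exact matching with a per-source lockout, as the `RateLimitedVerifier` does, is the check a verification service would want in place.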
The botnet master would just need access to birth information, which many commercial services will gladly provide for a price. Or, social networking sites like Facebook and MySpace are a well-spring of just such information for free. Just another reason to keep your personal information off of those sites. You never know who might be reading, or why.
Read: [arstechnica]
This was a very interesting article. Good opinion and research done here. I hope that other readers will find this to be as helpful and beneficial as I have. Excellent work indeed. Thank you for taking the time to share this information with us!