Now they can guess your Social Security Number

Tue Jul 7, 2009 11:19AM EDT


By now we've had it beaten into our thick skulls: Protect your Social Security Number at all costs, because those nine magic digits are the gateway to your entire life. Financial history, medical records... just about everything hinges on your SSN remaining private.

As such, large-scale thefts of SSNs and other private information continue to make headlines, but this piece of news takes the cake: Researchers at Carnegie Mellon University have now figured out a way to roughly reverse engineer the way in which Social Security Numbers are assigned. Armed with your date of birth and the state in which you were born, it's now possible to generate a fairly small set of candidate numbers that is likely to contain your actual SSN.

How is this possible? Mainly because SSNs aren't just randomly generated. The first three digits are tied to your state of birth, and the next two digits (the "group number") are used sequentially as SSNs are handed out over time. The final four digits are supposedly random, but using a public database called the Death Master File, which lists SSNs that were held by the deceased, patterns emerged in those digits, as well.

The result is that, depending on the state and year of birth (the older you are and the larger your state of birth, the harder it is to guess your SSN), the researchers could guess a Social Security Number's first five digits with up to 90 percent accuracy, and the last four digits with up to 5 percent accuracy. Considering the odds of getting an SSN right by random guess really ought to be 1 in a billion, that's a phenomenal success rate.

And if those numbers seem small, consider that with the use of commonly available botnets, computers could correctly guess dozens of SSNs every minute by simple brute force as they apply for bogus credit cards en masse. The Ars Technica story linked above also notes that many credit card verification services allow for a couple of digits in an SSN to be wrong, as a convenience for forgetful applicants, opening the door a little wider for hackers.

What happens now? It's hard to imagine an organization as venerable and bureaucratic as the Social Security Administration changing the way it works, but it's hard not to think that the nine-digit SSN may have at last outlived its utility, and its security. Still, just try to imagine the upheaval should the country attempt to move to longer numbers...
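For anyone running an identity-verification service, the sketch below (an added example, not part of the original article or the Carnegie Mellon study) quantifies what tolerating wrong digits costs and flags applications that try many SSNs for one claimed identity across many source addresses. It assumes "a couple of digits wrong" means up to two mismatched positions; the function names, log fields, key and sample records are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from math import comb

LOG_KEY = b"constructed-demo-key"  # assumption: a secret held by the verifier


def accepted_variants(tolerated_wrong_digits, length=9):
    """Count the digit strings a verifier accepts for ONE true SSN when it
    tolerates up to `tolerated_wrong_digits` mismatched positions."""
    return sum(comb(length, k) * 9 ** k
               for k in range(tolerated_wrong_digits + 1))


def ssn_token(ssn):
    """Keyed hash so the attempt log can count distinct guesses without
    storing the submitted numbers themselves."""
    digits = "".join(c for c in ssn if c.isdigit())
    return hmac.new(LOG_KEY, digits.encode(), hashlib.sha256).hexdigest()


def flag_guessing(applications, max_distinct=3):
    """Return {(name, dob): (distinct SSNs tried, distinct source IPs)} for
    identities that exceed `max_distinct` different SSNs. Grouping is by
    claimed identity, not by IP, because a botnet spreads its attempts."""
    tokens, sources = defaultdict(set), defaultdict(set)
    for app in applications:
        who = (app["name"].strip().lower(), app["dob"])
        tokens[who].add(ssn_token(app["ssn"]))
        sources[who].add(app["ip"])
    return {who: (len(t), len(sources[who]))
            for who, t in tokens.items() if len(t) > max_distinct}


# Constructed sample: area number 000 is never issued, so none of these is a
# real SSN; the IP addresses come from documentation-only ranges.
SAMPLE = (
    [{"name": "Pat Doe", "dob": "1990-03-14", "ssn": f"000-12-{n:04d}",
      "ip": f"198.51.100.{n}"} for n in range(1, 7)]
    + [{"name": "Lee Roe", "dob": "1985-11-02", "ssn": "000-45-6789",
        "ip": "203.0.113.9"}] * 2
)

if __name__ == "__main__":
    print(accepted_variants(0), accepted_variants(2))
    print(flag_guessing(SAMPLE))
```

Under that assumption, a two-digit tolerance makes each guess match 2,998 numbers instead of one, and the per-identity count catches attempts that per-IP rate limits would miss.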

Comments on Now they can guess your Social Security Number


  • 1 Posted by wolverinemarky on Tue Jul 7, 2009 12:01PM EDT

    They have to protect the people. If longer numbers will help, they should go longer.

  • 2 Posted by caldust55 on Tue Jul 7, 2009 12:48PM EDT

    What makes this particularly annoying (or, maybe, ironic) is that many data collection schemes do not protect the last four digits of the Social Security number. If the first 5 digits can be predicted 90% of the time, that leaves the Social Security number just about an open book. Luckily for me, my personal SSN does not follow the rules described in the article.

  • 3 Posted by knthart on Tue Jul 7, 2009 1:16PM EDT

    Social Security should allow everyone to add a PIN number to their account. A new government agency (with computerization should only take perhaps 10 people) should hold all Social Security numbers, and when a new account or medical info is requested by a personally unknown person, a message should be sent to this agency, the agency will email the person, the person enters their PIN, and it will either pass or fail. The end. All failures should be immediately reported to law enforcement and the person picked up. But then, our government might actually come up with a way to actually protect us. That'll never happen.

  • 5 Posted by tkdugan on Tue Jul 7, 2009 2:08PM EDT

    Knthart, good idea, but did you just say that a Government Agency could be staffed by 10 people?????????? Under today's Administration they would need a numbers Czar and 1500 people to staff.
