Tue Jul 7, 2009 11:19AM EDT
By now we've had it beaten into our thick skulls: Protect your Social Security Number at all costs, because those nine magic digits are the gateway to your entire life. Financial history, medical records... just about everything hinges on your SSN remaining private.
As such, large-scale thefts of SSNs and other private information continue to make headlines, but this piece of news takes the cake: Researchers at Carnegie Mellon University have now figured out a way to roughly reverse engineer the way in which Social Security Numbers are assigned. Armed with your date of birth and the state in which you were born, it's now possible to generate a fairly small set of candidate numbers that is likely to contain your actual SSN.
How is this possible? Mainly because SSNs aren't just randomly generated. The first three digits are tied to your state of birth, and the next two digits (the "group number") are used sequentially as SSNs are handed out over time. The final four digits are supposedly random, but using a public database called the Death Master File, which lists SSNs that were held by the deceased, patterns emerged in those digits, as well.
The result is that, depending on the state and year of birth (the older you are and the larger your state of birth, the harder it is to guess your SSN), the researchers could guess a Social Security Number's first five digits with up to 90 percent accuracy, and the last four digits with up to 5 percent accuracy. Considering the odds of getting an SSN right by random guess really ought to be 1 in a billion, that's a phenomenal success rate.
And if those numbers seem small, consider that with the use of commonly available botnets, computers could correctly guess dozens of SSNs every minute by simple brute force as they apply for bogus credit cards en masse. The Ars Technica story linked above also notes that many credit card verification services allow for a couple of digits in an SSN to be wrong, as a convenience for forgetful applicants, opening the door a little wider for hackers.
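To put a number on what that leniency costs a verification service, the following added example (not from the article or the Carnegie Mellon study) counts how many nine-digit strings a verifier accepts for a single record when it tolerates wrong digits. It assumes "a couple" means two, uses the article's 1-in-a-billion baseline for a blind guess, and all function names and sample values are constructed for illustration.

```python
from itertools import product
from math import comb

DIGITS = "0123456789"


def mismatches(submitted: str, on_file: str) -> int:
    """Count positions where two equal-length digit strings differ."""
    if len(submitted) != len(on_file):
        raise ValueError("length mismatch")
    return sum(a != b for a, b in zip(submitted, on_file))


def tolerant_match(submitted: str, on_file: str, max_wrong: int) -> bool:
    """Lenient check (assumed behaviour): pass with up to max_wrong bad digits."""
    return mismatches(submitted, on_file) <= max_wrong


def accepted_count(length: int, max_wrong: int) -> int:
    """Distinct digit strings the lenient check accepts for one record.

    Choose which i positions are wrong, then one of 9 wrong digits for each.
    """
    return sum(comb(length, i) * 9 ** i for i in range(max_wrong + 1))


def accepted_count_bruteforce(on_file: str, max_wrong: int) -> int:
    """Exhaustive cross-check of accepted_count(); only for short strings."""
    return sum(
        tolerant_match("".join(c), on_file, max_wrong)
        for c in product(DIGITS, repeat=len(on_file))
    )


def blind_guess_odds(length: int, max_wrong: int) -> float:
    """Chance that one uniformly random guess passes the check."""
    return accepted_count(length, max_wrong) / 10 ** length


if __name__ == "__main__":
    sample = "0427"  # constructed 4-digit value, small enough to enumerate
    assert accepted_count_bruteforce(sample, 2) == accepted_count(4, 2)
    for k in range(3):
        print(f"tolerance {k}: {accepted_count(9, k):>5} accepted strings, "
              f"blind-guess odds {blind_guess_odds(9, k):.3e}")
```

With a tolerance of two digits the verifier accepts 2,998 strings per record instead of one, so exact matching plus rate limiting on failed attempts is the safer design.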
What happens now? It's hard to imagine an organization as venerable and bureaucratic as the Social Security Administration changing the way it works, but it's hard not to think that the nine-digit SSN may have at last outlived its utility, and its security. Still, just try to imagine the upheaval should the country attempt to move to longer numbers...
Join in the discussion. Here you'll see the comments in the order they were posted.
First thing I must say thank you for printing this... You have now inspired criminals around the globe how to get S. S. numbers.... A job well done!!!
We should have give in a pin number on our SSI card too, and only we should know that number. That's how it is both fair and safe too.
I have only nine digits. How do you get ten digits?
Why don't we just give in and get our chips embedded. The antichrist will come *or not* independent of chips, I promise.
The thing that is even more frightening about this is the fact that in many cases the last 4 of your social is used for verification and is printed on documents. If the first 5 can be generated with 90% accuracy then we need to resort to constant credit monitoring to protect ourselves from fraud.
Well I guess I am one of the lucky ones ... No one would want to be who I am !! ... But seriously if this is true there should be a way of re-assigning all numbers randomly ... Almost like changing your password ... Maybe have a form to do this enclosed with this year's tax return? Any ideas?
I had a car repoed from Triad Financial. On the repo order it had my full name, birth date and social security number. So I guess that banks care about your private info.
There may be some validity to this, but the first three digits are not the state of birth. My son and I have the same first three digits as we got our numbers in the same state, but we were not born in the same state.
I THINK THEY SHOULD GIVE YOU A PIN NUMBER, NOT TO BE GIVEN TO ANYONE
Tracking everything we do by our Social Security Number (which is required in the USA and is issued at birth now) is just another "Big Brotherism" of our government. Our "FREEDOM" comes with a pretty high price! Re: post #191 ...shades of Orwell's 1984??? just a few decades late???
Ah, what happened to the phrase that was on my Social Security card when first issued? All of them used to say "not to be used for identification" down at the bottom.
So why do they insist on tying our life, job, and medical records to the darn thing?
And if it were the previous administration, it would already exist, be 2000 people in three countries, and there'd be a list of SSNs that flag another large, secret agency every time they get used. The idea of a user-held key in addition to an SSA held key should allow a software solution without as much change. The other 'easier' solution if we need more numbers is to go alphanumeric. Please, include some sort of checksum as well to help the typists.
186 Posted by gemberlingb on Thu Jul 16, 2009 7:36PM EDT
Every commercial advertisement is "spam". Did you opt in to any of the commercial ads on television, radio, newspapers, magazines, billboards? NO. Why should email marketers get such grief when people on their lists actually HAVE opted in?