Tue Jul 7, 2009 11:19AM EDT
By now we've had it beaten into our thick skulls: Protect your Social Security Number at all costs, because those nine magic digits are the gateway to your entire life. Financial history, medical records... just about everything hinges on your SSN remaining private.
As such, large-scale thefts of SSNs and other private information continue to make headlines, but this piece of news takes the cake: Researchers at Carnegie Mellon University have now figured out a way to roughly reverse engineer the way in which Social Security Numbers are assigned. Armed with your date of birth and the state in which you were born, it's now possible to generate a fairly small set of numbers that is likely to contain your actual SSN.
How is this possible? Mainly because SSNs aren't just randomly generated. The first three digits are tied to your state of birth, and the next two digits (the "group number") are used sequentially as SSNs are handed out over time. The final four digits are supposedly random, but using a public database called the Death Master File, which lists SSNs that were held by the deceased, patterns emerged in those digits, as well.
The result is that, depending on the state and year of birth (the older you are and the larger your state of birth, the harder it is to guess your SSN), the researchers could guess a Social Security Number's first five digits with up to 90 percent accuracy, and the last four digits with up to 5 percent accuracy. Considering the odds of getting an SSN right by random guess really ought to be 1 in a billion, that's a phenomenal success rate.
And if those numbers seem small, consider that with the use of commonly available botnets, computers could correctly guess dozens of SSNs every minute by simple brute force as they apply for bogus credit cards en masse. The Ars Technica story linked above also notes that many credit card verification services allow for a couple of digits in an SSN to be wrong, as a convenience for forgetful applicants, opening the door a little wider for hackers.
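The cost of that tolerance for a single verification check can be measured directly. The following is an added example, not code from the article or the research it describes; it assumes "a couple of digits" means up to two wrong positions, and the on-file value is a constructed, never-issued number.

```python
from itertools import product
from math import comb

SSN_DIGITS = 9                 # nine-digit SSN, as described in the article
ON_FILE = "000123456"          # constructed sample; area 000 is never issued


def wrong_digits(submitted: str, on_file: str) -> int:
    """Count the positions where two equal-length digit strings differ."""
    if len(submitted) != len(on_file):
        raise ValueError("length mismatch")
    return sum(a != b for a, b in zip(submitted, on_file))


def verify(submitted: str, on_file: str, max_wrong: int = 0) -> bool:
    """Accept a submitted number if at most max_wrong digits are wrong.

    max_wrong=0 is an exact match; max_wrong=2 models the assumed
    "couple of digits" tolerance.
    """
    digits = submitted.replace("-", "")
    if len(digits) != len(on_file) or not (digits.isascii() and digits.isdigit()):
        return False
    return wrong_digits(digits, on_file) <= max_wrong


def accepted_count(length: int = SSN_DIGITS, max_wrong: int = 0) -> int:
    """How many distinct digit strings the verifier accepts for ONE record.

    Choose which k positions are wrong, then one of 9 wrong digits for each.
    """
    return sum(comb(length, k) * 9 ** k for k in range(max_wrong + 1))


def brute_force_count(on_file: str, max_wrong: int) -> int:
    """Cross-check the formula by enumeration (short strings only)."""
    return sum(
        verify("".join(c), on_file, max_wrong)
        for c in product("0123456789", repeat=len(on_file))
    )


if __name__ == "__main__":
    for tol in (0, 1, 2):
        n = accepted_count(SSN_DIGITS, tol)
        print(f"tolerance {tol}: {n} accepted values, "
              f"random-guess odds {n} in {10 ** SSN_DIGITS}")
```

With two wrong digits tolerated, each record is matched by 2,998 different numbers instead of one, so the check is that many times easier to pass before any of the assignment patterns are taken into account.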
What happens now? It's hard to imagine an organization as venerable and bureaucratic as the Social Security Administration changing the way it works, but it's hard not to think that the nine-digit SSN may have at last outlived its utility, and its security. Still, just try to imagine the upheaval should the country attempt to move to longer numbers...
Join in the discussion. Here you'll see the comments in the order they were posted.
picture has 10 digit SSN....???
yeah, that's not news. any observant person would already know this info. trust me it's already been figured out by the criminals.
1) While we're at it (lengthening SSNs), how about implementing IPv6? 2) Why not make the new SSN your biometric CRC value plus your Microsoft Office GUID plus your OnStar account number? There, that ought to do it. 3) This study was sponsored by LifeLock?
It's obvious now, unless you're completely ignorant, that the concept of the social security number should officially be abolished! It most likely would have a significant negative impact on the American System & Government, but that is a reality of what is best for everybody & everything! If the Social Security Administration & or U.S. Government refuse to do this (any excuse they give for not doing so is pathetic)! Then it should be a wake up call to Earth about the reality of our society & the direct action that must be taken immediately to ultimately turn this reality into a better reality!
This isn't breaking news. I worked for an insurance company in 1989 that had a mainframe program which already could do this 100% accurately as long as you gave it a person's full name, DOB and state of birth.
I know you erased my comment. That's ok. There are other media sources
i wasn't even born in the states so i don't have to worry
They should allow to change the first 3 digits to alpha and the second 2 digits to misc, Alpha and numeric. Does not need to be longer.
SS Cards/Numbers were never supposed to be used for identification. They were assigned for taxing/benefits reasons only. I don't know why it was ever allowed to be used for credit models, medical records, school registration, etc. The federal government just couldn't help itself. They had to get deeper into your personal business because they don't trust you to take care of yourself and therefore all of your information should be their information. Now it is no different than a national ID card. Now the feds want to activate a national ID. It won't be any different. Eventually that will be stolen as well.
better yet just implant us with info chips and be done with it. being killed for a chip would be better than having to deal with all the bullsh** when your identity is stolen. ha ha
this is not true. they don't tie your social to where you were born. correct your story, in fact they issue the first three of your social according to the state that your parents submit to get your social security in.
I can remember when my son was born (less than 20 yrs ago) we had an issue with his ss#. I was adding him to our insurance policy and of course you have to give them the numbers. They said we couldn't add him because (according to his ss#) he was a 90yr old deceased male. Supposedly, he was issued the same number as the 'dead man'. It didn't take long to straighten things out. But it makes you think where your ss# comes from.
Look! Yahoo blocks your SSN automatically! xxx-xx-xxxx!
We're not numbers, we're human beings. SSN are the only way that our government can track us and enslave us. Holocaust victims were known as numbers too...
Just one more thing the government screwed up. Now that the Federal Government controls our entire economy, we are SCREWED
I'm in the same situation as rickmoerer...born in a different state than where I got my SSN issued to me. This was before they started giving out SSNs to babies, of course.
why would they put this up? do hackers not go on yahoo??
No, what's more annoying is that they posted this for everyone to see. If they hadn't figured it out already, they're surely going to try it now. Fantastic. Sure, it's nice to know, but that sort of concern is better off being taken care of in a more private manner than spelling it out for any scam artist or identity thief who can access a home page.
This is nothing new, when I joined the army in 1987, the guy who gave me my first uniform could "Guess" what town I came from by my SSN. this is old and hack, but it does need to be fixed.
46 Posted by introspectacle on Tue Jul 7, 2009 5:09PM EDT
I love how caldust55 seeks to exclude himself from this article by claiming that his own "personal ssn" does not follow the rules described in the article. Puhhhlease.....first of all, your own "personal ssn" is a redundancy....it's not as though there are public SSN's, genius. Additionally, how is it that your SSN does not follow the rules described in this article? Did your mother request special treatment? Are you an immigrant? Request a new SSN due to some extenuating circumstance? Frankly, I think the response is lame and completely void of any valid information.