Predicting a person's social security number is a lot easier than previously thought, according to new scientific research that has important implications for identity theft. Armed with publicly available information about where and when an individual was born, researchers from Carnegie Mellon University were able to guess the …
you don't need to guess the last four
The last four digits are commonly used for security purposes and are on any manner of documents. I am surprised no one has done this before. Lucky for me I got my SSN in a state I wasn't born in. Although a little search on where I grew up would fix that.
last four most often in trash can
yes, the last four are commonly found on most cash register receipts. The irony is that a few years back, the entire SSN was printed on receipts. For "security" purposes, the first 5 are now routinely "x-ed" out and only the last four are printed... how sad.
I am lucky because I am sufficiently old enough that my number does not fit this research.
pirate logo for obvious reasons
What is the Real Flaw here?
Not a US citizen (from Betelgeuse originally), so not entirely sure how SSNs are used. However...
What is the real problem here? The fact that SSN can be "calculated" to a fair degree of accuracy? Or is it a system that relies on an individual to have a "secret" number for identification?
In most parts of the world, identifying yourself requires some form of government issued paper identification. Not just rambling off a "secret" number as your identification.
Another reminder why SSN as de facto ID is a bad idea
Just another reminder as to why the use of SSN as a de facto ID was a terrible, terrible idea.
Thank goodness corporate expediency is there yet again ^/sarcasm^
Stop posting it then
I find it highly irresponsible to SPELL OUT HOW TO STEAL SOMEONE'S SSN. Next they will be publishing the correct method for producting homemade plastic explosives. Idiots.
plausible ID on demand.
Merkins get all the best services ahead of the rest of us.
I was under the impression you could just buy this stuff from various companies / government agencies.
What you merkins need is a secure ID card, with a database behind it containing the real information. Let the UK lead the way !
@ Why guess?
Or just look around while on trains and busses - there's usually a lost CD with 10000+ records on it between the seats somewhere (sometimes it's in the seat pocket).
Completely absurd considerations
Of course the numbers can be guessed. They never were devised to be hard to compute.
Quite the contrary, it's completely official that the first numbers are just proxies for specific birth information.
Tell us something new.
These pseudo-"researchers" have researched nothing, anyone who spends 20 minutes on this obtains the same results.
The comprehensive stats they give is just the fact that yes, when you've got 10.000 combinations left (4 unknown digits), obviously a thousand try will yield a rate of success around the 10%.
And the real problem, as said by Slappy Frog, is certainly not the fact the SSN can be found out, but the fact that it's used as a private identification key.
THIS is ludicrous, and the non-work of these non-searchers provides nothing new under the sun.
Although we don't have SSN's in the UK, we have a whole load of other numbers that are used to identify us to government agencies (NI number for tax, NHS number for health care etc.); but these numbers are rarely used for the purposes of borrowing money.
A number that you give to someone else is not a secret after you've used it once, so you can't expect it to be a secret over the lifetime of the individual. The real failure here is the use of SSN by American financial institutions as "proof of ID".
@Trokair 1 - Security through obscurity? Doesn't work.
Just like Hud Dunlap, my SSN is from a state I wasn't born in.
Just like Hud Dunlap, my SSN is from a state I wasn't born in. At that time, it was normal (seemingly not anymore!) to wait a few years before worrying about SSN stuff for the kids.
The town I was born in is also the town I graduated high school in and it is also where I currently live. If that's all the info you had, you'd assume that I've lived here my whole life. It just happens that I've lived here for only a few very specific milestones in my life that would seem to throw someone off the track. All coincidence, though. Most of my life has been lived elsewhere, much of it out of state. And I'll almost definitely be married here as I'm engaged at this moment. I just hope I don't die here.
So, does anyone want to play the SSN guessing game with me? :-)
Success rates also rise when the researchers got more guesses
"Success rates also rise when the researchers got more guesses"
yes, best not to publish flaws, just to hope no one hasn't already discovered this for illegal means. Let's face it a goverment is bound to change a flawed system if nobody knows there is a problem with it. I mean I'm sure the UK gov was going to insist MP's cleaned up there expenses, and that gov departments would start encrypting a data routinely if someone had worte a nice letter explaining that the system was wrong.
Sometimes you need a big public outcry to kick the gov into action.
Although I'm not sure I should respond to someone WHO WRITES IN ALL CAPS, the obvious problem here is the use of a number as some sort of secret identifier in the first place. Here in the UK, we have a national insurance number, which is something similiar. Nobody in their right mind would think that knowing someone's NI number would mean that you are that person. The use of a SSN for this purpose beggars belief.
Also, as someone who holds two degrees in chemistry, I can assure you that if a person had the desire to make home-made explosives, they wouldn't have any trouble finding the information on the internet. They would, however, be likely to get caught either buying the materials, or testing their products.
Anyway, you seem to be under the false impression that security-through-obscurity works. If you bothered to do a little research before posting idiotic rantings then you would find myriad examples of how it fails.
Is it 3?
Grade-A American A-Holes
As noted, the problem isn't that SSN is easy to guess, but that an easy to guess SSN has been used as "proof of ID" and is in widespread use as such.
I guess someone chose to use SSN simply because "every American has one" without thinking it through. SSN's don't even have a checksum that I can see.
SSN is not a reasonable "secret" code
@Ed Blackshaw: Well, if you were guessing only one of the digits then you'd be correct. Of course it might be in there more than once.
And to make it more difficult, I only lived in the "SSN State" for an extremely short length of time. I can count the number of people that know which state that is and when it was on one hand. Of course if I was really worried about someone guessing my first five digits, I would have omitted that info completely as they could now (if they knew more info) omit several states from the potential list.
SSN was not intended for this nonsense. If they issued such things these days maybe they'd have used UUID? (FYI: UUID is *not* secure for secrets either, just much longer and more complex.)
Oh, I'm guessing 7
Time to start issuing people PGP keys at birth, hmm? Where's the D'oh! icon?
and don't forget UK driving licences and NI too.
Nothing out of the ordinary here, government id is usually trivial to crack.
UK driving licence numbers have your whole date of birth in it, always makes me laugh.
And to make it easy to tell men and women apart by ID number they increment the first digit of the month by 5 for women.
Means that if you can get a look at that *girl* at the bar you can check she wasn't born a dave or barry.
NI is harder from the outside, but from my NI number you can work out that of my siblings.....
Why do we have these government ID's again?
what is the probem ?
As many others have stated, what is the problem, here ? It all depends on the processes that need to have this inputs. In my personnal case, I don't mind at all, since those processes are limited to very unikely getting a doctor consultation on my name !
Here is mine, pls don't censor it, El Reg, I'm taking full responsability on giving it away:
1 means I'm male, great news.
69 means I'm born in 1969.
12 means I'm born in december.
01 means I'm born in a particular french department (the first one, pls guess).
The rest I'll leave it to townhall secretaries discretion.
If anyone here happens to have a clue how to do anything bad with it, on top of the above, don't hesitate ! I'd be glad to report any bank account problem, or tax amount leaks or anything else !
Paris icon, since she also gave away a lot of clues on her personal life.
And apparently you're also old enough to not know the difference between a SSN and a credit card number....
Re: what is the problem?
I find it quite stunning that a society so fond of litigation should have so many businesses happy to "confirm" identity with SSNs. If they just said "OK, so you know the guy's name, you're obviously him." then the resulting legal onslaught would make Desert Storm look like a walk in the park. But apparently using SSNs is OK. Does US law have no notion of negligence?
It is truly *very* strange.
Here's the real problem:
Birth certificates are public records. For about $10 USD, anyone can get an "Original" copy of anyone's birth certificate.
Birth certificate + knowledge of the SSN + a utility bill (easily faked) is enough information for a state ID card. The picture will be of the person who presents the documentation.
A state ID card, + knowledge of the SSN is enough to order a replacement SS card.
A SS card + Photo ID is enough information to get a mortgage, credit card, or passport in the name of the victim.
But SSNs are easy to come by, anyway. Just run a fake website offering employment services, and indicate that a SSN is required for all applications "To verify employment eligibility." If you make pages that parse like employment offers, all the major recruiting websites will link to you.
Not true - the driving license number details how the state sees someone now, not how they were born.
If someone has gone through a complete sex change, a change of passport etc is included. I suspect driving licenses are also affected.
30% is easy, want an iPhone?
Well if the SSN is nine digits and the population of the USA is a conservative 300 million then you have a 30% chance of guessing a correct SSN with no effort at all. How long is it before they recycle numbers (of the deceased), could it be that you have an even higher than 30% chance?
By comparison, I seem to remember some time ago that a British Gas customer alphanumeric reference number was sufficiently long enough to have more combinations than the number of atoms in the universe.
Wasn't there a big hoo haa when Apple got slated for demanding a persons SSN in order to buy an iPhone?
This doesnt amount to anything...
The ssn is nine digits, not five. The first three are in known sets for each state, the fourth and fifth numbers are 01-99. If there is any ingenuity, it is figuring out how those last two digits are guessed, assuming they aren't assigned by date. Lastly, and as already noted, there are nine digits, so guessing the first five really is not what the title of this article implies.
oh, how stupid I can be at times. David W is correct. Receipts have the last 4 credit card numbers, not SSN.
Paris Hilton, because it seems I take lessons from her.
use mine, use mine, oh please oh please
> How long is it before they recycle numbers (of the deceased), could it be that you have an even higher than 30% chance?
At the present rate? A really long time. See www.ssa.gov. The system will probably run out of money before it runs out of numbers.