Your SSN Can Now Be Accurately Guessed Using Date and Place of Birth

by Paul Michael on 8 July 2009

It seems that nothing is safe any more. And now your Social Security Number, the lynchpin to your credit score, taxes, government benefits and more, is under attack. It can be guessed, with a staggering degree of accuracy, using simple information you probably have on sites like Facebook and MySpace.

We have all heard the stories about Identity Theft and we all take precautions to be careful with our SSN. In fact, these days I’ll only put it down on a form if I absolutely have to; that includes medical forms that you often have to fill out when you visit a GP or specialist.  But that may now be a moot point, because two Carnegie Mellon researchers have basically reverse-engineered the SSN formula to gain access to that most precious and private number.

John Timmer of Arstechnica.com reported yesterday that these two bright sparks used two practices that had been designed to protect the number, and make it fraud-proof, as a way to discover the code from those two simple facts – date of birth, and place of birth; two facts that are on most public profiles.

 

To know how they did it, you need to know the basic structure of the SSN. As John describes it, it splits into three zones:

The first three digits are based on the state where the SSN was originally assigned, and the next two are what's termed a group number. The last four digits are ostensibly assigned at random. Since the late 1980s, the government has promoted an initiative termed "Enumeration at Birth" that seeks to ensure that SSNs are assigned shortly after birth, which should limit the circumstances under which individuals apply for them later in life (and hence, make fraudulent applications easier to detect).

From there, the article gets pretty heavily into some technical data and statistics that I won’t bore you with here. If you’re interested, read all the details of the algorithm that reconstructs your Social Security Number. But all you really need to know is that if the SSN code has been cracked, or hacked, then it won’t be long before that information gets into the wrong hands.

So, should you be worried, and what can you do?

Well, as John Timmer explains, although some of the SSN digits are relatively easy to obtain, others are more tricky:

Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate.

BUT, and this is a big but, it seems as though modern security systems and automated forms DO NOT REQUIRE the whole SSN. As long as it is cross-referenced with the date and place of birth, up to two numbers can be incorrect. John continues:

They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute.

I think this is enough to cause concern for the average US citizen. And as such, it may be time to start taking precautions.

First, see if you can remove your private information, or replace your place and date of birth with something more vague on your social networking sites and other public profiles. That one should be relatively easy, if a little time consuming.

Second, continue to practice good personal security. Shred any important documents that you are throwing out, and don’t leave sensitive data in a place where thieves could easily find it. I know a lot of people throw things in the car and forget about it, but if the car were stolen or broken into, it could be the start of much bigger problems.

Third, keep on top of your credit reports. You are allowed one free each year from each of the three major credit bureaus. DO NOT use freecreditreport.com, they charge. Instead, go to Annual Credit Report here. If you see anything suspicious or just plain wrong, contact the bureau immediately.

 

Finally, consider some ID theft protection. I use LifeLock because I got a great deal on it, and although not 100% effective, it does cover me if anything should happen. But LifeLock is basically just a method of putting 90-day fraud alerts on your credit reports, which you can do yourself for free. You can find the information for each bureau here:

EXPERIAN

EQUIFAX

TRANSUNION

For further reading, visit the FTC’s site. It has some great information. Stay safe folks.
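For anyone who runs one of the verification forms described in the Ars Technica quote above, the following is an added example, not code from the article or from the Carnegie Mellon paper. It compares a per-IP failure limit with a per-identity limit when wrong answers for one person arrive from many addresses. The class and function names, the limits of 3 and 5, and the sample data are all assumptions made for the illustration.

```python
import hmac
from collections import defaultdict

class VerificationGate:
    """Failed-attempt limiter for an SSN + date/place-of-birth identity check."""

    def __init__(self, per_ip_limit=3, per_identity_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_identity_limit = per_identity_limit  # None = per-IP only
        self.ip_failures = defaultdict(int)
        self.identity_failures = defaultdict(int)

    def attempt(self, src_ip, identity_key, submitted, expected):
        """Return 'ok', 'fail' or 'blocked' for one verification attempt."""
        if self.ip_failures[src_ip] >= self.per_ip_limit:
            return "blocked"
        if (self.per_identity_limit is not None
                and self.identity_failures[identity_key] >= self.per_identity_limit):
            return "blocked"  # locked: recovery must use another channel
        if hmac.compare_digest(submitted, expected):
            return "ok"
        self.ip_failures[src_ip] += 1
        self.identity_failures[identity_key] += 1
        return "fail"


def evaluated_wrong_answers(gate, sources, tries_each, identity_key, expected):
    """Count wrong submissions the gate actually checked (i.e. did not block)."""
    checked = 0
    for ip in sources:
        for n in range(tries_each):
            # Constructed wrong value; no guessing strategy is modelled here.
            if gate.attempt(ip, identity_key, f"wrong-{ip}-{n}", expected) == "fail":
                checked += 1
    return checked


# Constructed sample data: documentation-range IPs and a never-issued number.
SOURCES = [f"198.51.100.{i}" for i in range(100)]
IDENTITY = ("1996-01-01", "DE")   # (date of birth, state) lookup key
EXPECTED = "000-00-0000"

def compare_policies():
    per_ip = VerificationGate(per_ip_limit=3)
    per_id = VerificationGate(per_ip_limit=3, per_identity_limit=5)
    return (evaluated_wrong_answers(per_ip, SOURCES, 5, IDENTITY, EXPECTED),
            evaluated_wrong_answers(per_id, SOURCES, 5, IDENTITY, EXPECTED))

if __name__ == "__main__":
    print(compare_policies())
```

With the per-IP limit alone, every new address gets a fresh allowance against the same person; counting failures per identity caps the total no matter how many addresses take part. A locked identity stays blocked even for the correct answer, so a separate recovery path is needed.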

 


comments

14 discussions

Guest's picture
Guest

I can only add (re giving out personal info, especially on the Internet)--when will people learn to shut the **** up?! Seriously! Shut up already! Parents, please convey this to your kids.

Guest's picture

I have personally identifying information all over the web. This is scary stuff. I'm beginning to get the feeling that it's only a matter of time before my identity is stolen. :(

Guest's picture
Jim

If you are older and got your Social Security card in a state different from the state in which you were born, you do not have to worry.

Xin Lu's picture
Xin Lu

This won't work for immigrants since we were not born in the states.  The first 3 digits usually tell you in which state the card is issued, though.  After that there are only 6 more digits so it's not even that hard to go through all the combinations with a machine.   It is also true that a lot of verification systems only need the last 4 digits of your social, and then there are only 10000 possibilities.  It probably takes a machine less than a second to count to 10000 and hit the right combination.  However this method of "hacking" isn't extremely useful because very rarely do banks and other institutions allow you to guess a SSN or password more than 3 or 5 times.   It's much easier for hackers to just get into some unsecured database and copy the SSNs instead of brute forcing it this way. 

Guest's picture
Emily

I understand that this is an article-worthy subject. But what is this CNN? Maybe tone down the panic in the title.

Guest's picture

Thank you for sharing this important information.

Bottom line, as I see it: don't make it any easier for the jerks who have nothing better to do than steal from the rest of us.

Keeping your entire life private won't protect you either, of course. After all, nothing is foolproof, as evidenced by your dramatically increased risk having shopped at TJ Maxx at the wrong time. Still, posting your mother's maiden name on your profile just unnecessarily puts you in the cross-hairs of the bad guys. And for what?

Guest's picture
Huh?

Wasn't this an article on Yahoo!'s or MSN's page yesterday? It wasn't explained like this at all. Too much.

Guest's picture
Guest

You should not be using your real birthdate for anything you do online.

Pick an "internet birthday" that is easy to remember and use that instead.

Since my actual birthdate is late in the year, I picked January 1 of the following year as my "internet birthday".

Guest's picture

How many times do you call up a financial institution or something and get asked for the last 4 digits of your SSN? It's also a common password reset question (why?!?!?). You could probably, with some social engineering, call up the victim, make up some story about being at a financial institution and, to verify information, get the last 4 digits of CC (this also verifies you have the right number) and last 4 digits of SSN.

Essentially, you're at risk. Most people's benefit is all this stuff to extract a ssn is extra work. A bigger target is someone who's famous or dumpster diving for account numbers and addresses. So as long as you're not obviously going "HERE IS ALL MY PERSONAL INFO WITH SSN, CREDIT CARDS, AND BANK ACCOUNTS" then you were just a "lucky" random person that got their identity stolen.

Guest's picture

I'm in agreement with Xin Lu (#4), this won't be as easy for the bad guys as more traditional methods of identity theft.

On networks and other non-essential venues, I scramble the information I give, including age, soc sec, date of birth and anything else I can. They aren't verifying any of it either, otherwise I'd have been thrown out of any number of sites. If they're collecting information it's guaranteed they're assembling in a database for sale, so why make it easy?

It probably would do us all a world of good to reduce our "identity footprint" by giving out bogus info (extending to creating a bogus profile with scrambled info) and paying cash whenever and where ever we buy.

Guest's picture
valletta

I'm hoping an "illegal" uses my SSN and makes oodles of money, which is then reported as my base income for retirement benefits. :) It happens!

Guest's picture
lisa

Hi! The place in our county where we go to apply for jobs. It's one of those 1-stop job places that's supposed to have everything you need & they are pretty good. They have computers to use for job searches & you can learn Microsoft Office & Word. They have the software to do this & they have a list of places that are hiring. Here's the kicker: they have you sign in to pick up the job sheets or do anything there & the information they want you to put down is your name, LAST 4 DIGITS OF YOUR SOCIAL SECURITY NUMBER, home phone & address. I told her no & she didn't like it. My son put his down. He was in there before I saw that. Every person who walks up to the desk sees this & I can remember things like that, so how many people have info they shouldn't?? I was wanting to talk to the SS office to ask them to talk to the people about asking for this info. I actually think it's illegal for them to ask for it, as it isn't a SS program. Another thing I don't like is having to put my street address on my vehicle registration. A woman here in Ohio last year was murdered by someone who stole her car, then got her address off her registration, went to her home, molested her 4 year old son, murdered her & kidnapped him. It could have all been avoided if her street address was only on the records they run if you are pulled over. Lisa

Guest's picture
Guest

I wish to address the last point raised by the poster. I do NOT, repeat DO NOT, leave my vehicle in my unattended car. It is on my person. Why people are willing to leave such a document staggers me. I also do NOT use my home address on GPS. So, if someone should steal my car, they won't know where I live either from the non-existent registration or the GPS.

Discretion is the key.

Guest's picture
katy

My workforce1 unemployment office always has us sign in with the last 4 numbers of the social too. Awful. But It's the gummint, whatcha gonna do....I'm more afraid of giving it to employment agencies who then don't get me jobs - but have my number.