I have written before about the security of the Social Security Death Index and its use as a very effective tool to combat identity theft. Now several newsletter readers have written and have referred to a string of articles that have appeared in the past few days claiming that researchers have "cracked the code to Social Security Numbers" and can now guess your Social Security Number, or SSN.
A close examination of the articles shows that they are VERY misleading. Let me use a stronger term: they are hogwash. I have a still stronger term in mind, but this is a family newsletter.
One example of this "misleading journalism" can be found at http://tech.yahoo.com/blogs/null/145774 although there are numerous other online examples as well. The article claims researchers can now guess your Social Security Number but mentions only briefly that the researchers were able to reverse engineer only the FIRST FIVE DIGITS of Social Security Numbers, which are meaningless when it comes to identity theft. Who cares?
In fact, you don't need to be much of a "researcher" to guess those numbers: the government will gladly give you that information. Indeed, that information has been plastered all over the web for years.
The first three digits are based on the state where the SSN was originally assigned, and the next two are called a group number. The last four digits apparently are assigned at random.
One article tells the entire story: http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars. It states, "Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate."
They managed a 0.1% success rate nationwide? And that was with ten tries per number? A single random guess at the last four digits is already a one in ten thousand chance, so ten random guesses give a success rate of ten in ten thousand, which is exactly 0.1%.
Statistically, that means they are doing no better than random guesses. You don't need to be a "researcher" to do that.
Again, who cares? Let's get real, folks.
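To put numbers on the argument above, here is a small worked check (an added example, not part of the original newsletter or the researchers' paper). It assumes, as the post does, that the first five digits are already known and that the last four are equally likely across 0000 to 9999; it then asks what size of candidate pool a quoted success rate actually implies.

```python
"""Worked check of the guessing figures quoted on the page (added example).
Assumption: first five digits known, last four uniformly random over 0000-9999."""
import math

SERIAL_SPACE = 10_000  # four decimal digits


def random_guess_success(tries: int, space: int = SERIAL_SPACE) -> float:
    """Probability of hitting the right serial within `tries` distinct random
    guesses when every serial is equally likely (no repeats)."""
    return min(tries, space) / space


def effective_space(success_rate: float, tries: int) -> float:
    """Size of an equally likely candidate pool that would yield `success_rate`
    within `tries` guesses. Equal to 10,000 means 'no better than random'."""
    return tries / success_rate


def bits_of_uncertainty(space: float) -> float:
    """Entropy, in bits, of a uniform choice among `space` candidates."""
    return math.log2(space)


def compare(success_rate: float, tries: int = 10) -> dict:
    """Compare a quoted success rate against pure random guessing."""
    eff = effective_space(success_rate, tries)
    return {
        "random_baseline": random_guess_success(tries),
        "effective_space": eff,
        "bits_lost": bits_of_uncertainty(SERIAL_SPACE) - bits_of_uncertainty(eff),
    }


if __name__ == "__main__":
    # The two figures quoted on the page from the Ars Technica summary:
    # 0.1% nationwide in the later period, 5% for Delaware in 1996, both within 10 tries.
    for label, rate in (("nationwide, later period", 0.001), ("Delaware 1996", 0.05)):
        r = compare(rate)
        print(f"{label}: random baseline {r['random_baseline']:.1%}, "
              f"effective pool ~{r['effective_space']:.0f} of 10,000 serials, "
              f"{r['bits_lost']:.1f} bits of uncertainty lost")
```

The nationwide figure comes out to an effective pool of exactly 10,000, i.e. no better than random, while the Delaware figure implies a pool of about 200, which is where the "small states were easier" observation shows up.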
Very well said. The success rate (or lack thereof) reminded me of the adage that 99.9% of all statistics are made up.
Posted by: Doug Detling | July 08, 2009 at 02:10 PM
You and I may not be able to do much with this information, but a good hacker with a botnet program could make some headway pretty quickly...
Posted by: John | July 08, 2009 at 02:28 PM
I think it might just occasionally work when the folks have lived in one place their whole lives if they are actually trying to guess your SSN. I was born in Germany and lived in six different states before I received my SSN. So I think mine might be harder.
Posted by: ankt | July 08, 2009 at 05:07 PM
I don't see how a good hacker with a botnet could make any more headway with this approach. They'd have to have both a list of existing SS account holders as well as some way of validating whether or not the number they guessed was correct. It's easy to pair semi-random numbers up with a name, but how do you verify accuracy without setting off all kinds of red flags? Obviously the people doing this test had a pre-existing list of names and numbers and were attempting to make them match. Otherwise how would they ever know that 445-98-0012 was Bob Dobalina's SSN?
Posted by: Jason Presley | July 08, 2009 at 06:29 PM
Think of it this way: the last four digits are often used as a security code. If someone is able to obtain the last four digits of your SSN and they can find out or guess where you were born, the chances of them figuring out your complete SSN are substantially higher.
Posted by: Roger Barnes | July 09, 2009 at 08:01 AM
While I completely agree with the difficulty of guessing the last four digits, this does raise some concerns since some agencies still use the last four digits of the SSAN as an identifier. For example, some financial institutions actually use these digits, although the practice is lessening. If these were intercepted this would suggest the probability of constructing the whole SSAN would be much higher. Of course this has little to do with the SSDI or genealogy.
Posted by: Ron Madle | July 09, 2009 at 08:13 AM
Many years ago I worked for Social Security. I don't know about present cards but my own card states, "NOT TO BE USED FOR PURPOSES OF IDENTIFICATION." Whoa! How far we have come!
Posted by: Noreen Blair | July 09, 2009 at 08:56 AM
How can the security of a SSN be all that important when it has appeared on every hospital admission, every deed made, every legal document signed, every loan, every bank account, every credit card application - for decades?
Betty
Posted by: Betty Clay | July 09, 2009 at 12:32 PM
Some of this buzz started up again recently because of a Washington Post article on Monday (July 6). Legitimate newspapers seem to stir the pot best.
http://www.washingtonpost.com/wp-dyn/content/article/2009/07/06/AR2009070602955.html
Posted by: HistoryLady | July 09, 2009 at 03:50 PM
Forget the statistics. They are arbitrary. You apparently didn't read to the bottom of the article you linked to:
"That may still seem moderately secure if it weren't for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute."
In other words, a determined hacker with a list of names, birthplaces, and birthdates can start harvesting SSNs. This can be done leisurely, running 24/7. Don't be so quick to pooh-pooh concepts you aren't familiar with.
Posted by: JimmyDaGeek | July 09, 2009 at 09:05 PM
But as you just said, the "determined hacker" still needs 75% of the person's vital details to be able to find that last 25%. The chances are better of them just grabbing one of these laptops filled with SSN information that seem to be so popular these days. It's more surprising at this point that everyone's SSN isn't already publicly known considering how terrible the security of banking and government organizations seems to be.
Posted by: Jason Presley | July 09, 2009 at 09:25 PM
I'm not sure just how random the last 4 digits are. A girlfriend and I applied for our numbers together and our SS numbers are identical except for the last digits which are consecutive.
Posted by: Jane | July 09, 2009 at 09:38 PM
A friend went to the Peekskill, NY Soc Sec Office to confirm his mother's SS#, and reported to them that someone else is using that number. They said there was nothing they could do about someone else using the number! Well, if they can't, who can?
Posted by: Bari | July 14, 2009 at 02:07 AM
Unfortunately, as I just found out, you don't need to be a hacker to obtain SS #'s. In the era of the net, all you have to do is visit your local clerk of court's website! A good percentage of public records have your SS# on them. I was doing a random check of mine and my husband's records and Boom! There were our numbers right on the website for everyone to see! The real kicker? You didn't need to register, log in or have ANY of our info to find this. Just click on property records, loans, whatever you wish, and then on any name you like! All the info was there for someone to completely assume our identity. Names, numbers, addresses, birth dates.. it was all there. I'm totally unsettled by this. How can the *government* post sensitive info like this for the world to see?!?! There really needs to be a redaction law requiring them to remove the data or black it out before posting it.
Go ahead, check your clerk of court website, you'll be *unpleasantly* surprised too.
Posted by: Kate | November 01, 2009 at 09:36 AM