I have written before about the security of the Social Security Death Index and its use as a very effective tool to combat identity theft. Now several newsletter readers have written and have referred to a string of articles that have appeared in the past few days claiming that researchers have "cracked the code to Social Security Numbers" and can now guess your Social Security Number, or SSN.
A close examination of the articles shows that they are VERY misleading. Let me use a stronger term: they are hogwash. I have a still stronger term in mind, but this is a family newsletter.
One example of this "misleading journalism" can be found at http://tech.yahoo.com/blogs/null/145774 although there are numerous other online examples as well. The article claims researchers can now guess your Social Security Number but mentions only briefly that the researchers were able to reverse engineer just the FIRST FIVE DIGITS of Social Security Numbers, which are meaningless when it comes to identity theft. Who cares?
In fact, you don't need to be much of a "researcher" to guess those numbers: the government will gladly give you that information. Indeed, that information has been plastered all over the web for years.
The first three digits are based on the state where the SSN was originally assigned, and the next two are called a group number. The last four digits apparently are assigned at random.
One article tells the entire story: http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars. It states, "Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate."
They managed a 0.1% success rate nationwide? And that was after ten tries? And they only had a one-in-ten-thousand chance to begin with? (Guessing the last four digits is a one-in-ten-thousand chance.)
Statistically, that means they are using random guesses. You don't need to be a "researcher" to do that.
Again, who cares? Let's get real, folks.
