
Researchers indicate it's easier to guess SSNs than previously thought

Researchers from Carnegie Mellon University discovered the Social Security numbering system has put millions of Americans at risk of identity theft.

The research, which was published in the Proceedings of the National Academy of Sciences, indicates hackers have the ability to guess up to all nine digits of an SSN simply by using publicly available information.  Someone who knows a person's birth date, along with any public records that person appears in, has a better chance of accurately guessing the SSN.

It'd be possible for criminals to compile a list of 4,000 real SSNs simply using statistical patterns based off birth dates and other public records.  The more information criminals are able to gather, of course, the more likely they will be to guess genuine SSNs.

"The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites," the report's abstract reads.  "Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums."

There has been concern among lawmakers and privacy experts regarding possible issues with Social Security numbers, including many companies and universities still using them as identification numbers.  Many U.S. universities that traditionally used the SSN as an ID number have started to issue student ID numbers.

When created, SSNs "were designed as identifiers at a time when personal computers and identity theft were unthinkable," the study concludes.

Some lawmakers in Congress are now backing legislation to force businesses to no longer require customers to turn over a SSN when purchasing a product from the store.  This CMU study may help put further pressure on lawmakers to modify how the SSN is used, although it's unclear when citizens can expect some type of change.




Probability
By bubbastrangelove on 7/7/2009 11:37:18 AM , Rating: 1
I think given the probability of matching a single SSN to the correct name then being able to determine whether or not they're correct - these 'hackers' may find it more profitable just to buy a lottery ticket.




RE: Probability
By keegssj on 7/7/2009 11:43:21 AM , Rating: 3
It's apparently not as hard as you think:

http://arstechnica.com/tech-policy/news/2009/07/so...


RE: Probability
By sxr7171 on 7/7/2009 2:18:43 PM , Rating: 2
This is why I never provide my correct DOB to stupid sites.


RE: Probability
By PrinceGaz on 7/7/2009 2:55:52 PM , Rating: 5
I never provide any personal information to stupid sites.


RE: Probability
By callmeroy on 7/7/2009 3:17:42 PM , Rating: 2
Some sites you are forced to register for the information or download you want (or whatever).....

Do I give my real info....9 out of 10 times no....

Let's just say many a web account opened by me is registered to one of the following:

Homer Simpson
Bill Gates
Ben Dover
Mister Flopakins

For addresses the good old 1234 Wouldyaliketoknowmore Street

and then just randomly match a zip, town and state to it

phone numbers are easy 555-555-1212 works most times.


RE: Probability
By camylarde on 7/8/2009 9:26:43 AM , Rating: 2
and for us foreigners, Beverly Hills 90210 was a blessing ^^


RE: Probability
By Hawkido on 7/7/2009 4:28:30 PM , Rating: 3
First Name: Bob
Last name: Bob
DOB: 1/1/1970
Address: 123 bob Street
Appt Number: 123
E-mail Addy: bobbob@hotmail.com

Boy I bet bobbob@hotmail.com is really pissed. He's getting all my spam.


RE: Probability
By bobobeastie on 7/8/2009 12:40:40 AM , Rating: 2
bob@aol.com has been getting my spam for years, sorry guy.


RE: Probability
By RandallMoore on 7/8/2009 8:59:30 AM , Rating: 2
I also feel bad for asdf@aol.com haha


RE: Probability
By 0ldman on 7/8/2009 10:40:18 AM , Rating: 2
I've used that address as well.
Poor bastard...


RE: Probability
By MozeeToby on 7/7/2009 11:53:23 AM , Rating: 3
But it's not just guessing. See my other comment on this article for a quick explanation on how their technique works. Basically, by applying a few mathematical tools, widely available datasets, and a little common sense you can narrow it down to just a few dozen guesses. Well within the abilities of many scammers.


RE: Probability
By Spivonious on 7/7/2009 12:02:10 PM , Rating: 3
Well, if you know the person's birth date and birth place, then you can definitely get the first 3 digits, and probably the middle 2 if you have data on other people born around the same time in the same state.

Although it doesn't always work, since the first three of mine say I was born in NJ, yet I was born in PA.


RE: Probability
By kattanna on 7/7/2009 12:32:48 PM , Rating: 3
quote:
The Social Security number's first three digits -- called the "area number" -- is issued according to the Zip code of the mailing address provided in the application form


taken from here:

http://www.washingtonpost.com/wp-dyn/content/artic...


RE: Probability
By Spivonious on 7/7/2009 3:58:23 PM , Rating: 2
Hmm..well we did move to NJ a couple of months after I was born...that could explain it.

Apparently they use different numbers for military bases too, since my wife was born on an army base in Kansas but doesn't have a Kansas number.


RE: Probability
By SOSTrooper on 7/7/2009 1:33:01 PM , Rating: 3
I suppose people who weren't born in the US are less likely to have their SSN guessed.


What stores?
By Morphine06 on 7/7/2009 11:51:10 AM , Rating: 2
quote:
Some lawmakers in Congress are now backing legislation to force businesses to no longer require customers turn over a SSN when purchasing a product from the store.


What store requires a SSN for purchase? I've never purchased a gun, but I would assume this is the only item that would require such a stringent measure of traceability.




RE: What stores?
By Alphafox78 on 7/7/2009 12:15:19 PM , Rating: 2
Walmart does. Ever buy diapers there?? jk


RE: What stores?
By ebakke on 7/7/2009 12:56:51 PM , Rating: 2
Cell phones.


RE: What stores?
By jeff834 on 7/8/2009 12:51:26 AM , Rating: 2
I sell cell phones, and if the place you're buying one from requires a SSN just to buy the phone don't get it there. However the service providers use SSNs to run credit checks and determine if any deposits are required. At Sprint if you decline to give your SSN when setting up your account you'll have to fill out a form, show extra ID, and will only be approved for 2 lines with $150 deposit, but you can still buy a phone and set up service.


RE: What stores?
By JediJeb on 7/7/2009 2:02:03 PM , Rating: 2
Up until a few years ago most stores around me required it if you wrote a check for a purchase, but now they use your driver's license number instead because they found out it is not legal to require it.


Easy Solution
By AntiM on 7/7/2009 11:52:35 AM , Rating: 5
It should be made illegal for any company or institution to use SSNs for identification purposes, or any purpose for that matter. The only institution that should store and use SSNs is the Social Security Administration.
We do need some type of system of identification, but SSNs aren't it. We need some type of national ID (voluntary) that has a photo and some type of biometric info such as a thumbprint.
If the IRS needs to identify people, it should issue its own Tax ID numbers for each person that pays taxes.
If a lending institution needs to identify me and research my credit history, then there should be some type of Lending/Credit ID number. But don't get me started about credit reporting agencies, that's another scam being perpetrated upon the American people.
SSNs were never meant to be used for identification purposes and now we know why.




RE: Easy Solution
By JediJeb on 7/7/2009 2:00:01 PM , Rating: 2
Correct, and if you look at the actual card it is printed in big letters on there "Not for Identification Purposes" or at least it is on mine, I haven't seen any newer ones lately.

Also if a university is using it for student IDs you can request that it not be used and they have to comply, because it is the law that they cannot require it. Here in Kentucky it was used for driver's license numbers but it has changed now because someone took the State to court over it and won. Many places use it, but do so illegally because no one calls them on it. Stores here now ask for driver's license numbers on your checks instead of SSN and I believe they cannot refuse your check if you have an alternate ID number if you will not give them the SSN. It is like so many other laws on the books, nobody enforces it and most don't even know it is there. Using the SSN is just the easy way out of creating a user ID and face it most companies and government agencies are too lazy to create and administer their own ID systems, until forced to do so.


RE: Easy Solution
By albundy2 on 7/7/2009 6:50:43 PM , Rating: 2
that's what the barcodes and RFID chips are for... you'll get one someday, in your forehead or right ha....
/tinfoil


Not Even Pseudo-Random
By MozeeToby on 7/7/2009 11:49:16 AM , Rating: 5
The basic format for SSN is available, with the first three conforming to the location the card was requested from and the rest being a supposedly random number. The problem is, the middle random part is based heavily off of your date of birth (well actually the date you requested your card but since '88 it has been requested at birth). As for the last 4 digits, they can be purchased legally and anonymously from many data brokers.

Basically, purchase a list of truncated SSNs that include the last digits, date of birth, and location of birth. Where the person was born gives you the first three digits. After that, you can bracket the 'random' middle part between two deceased people (whose numbers are published to prevent re-use). The random part comes between those two values. Ta-da, you now know the SSN to within a couple dozen guesses (depending on how well the person is bracketed by deceased people).

It's hard to blame the SS office when you think about it. The system was designed at a time when most people, even most banks wouldn't loan money out to anyone they didn't know personally. It was never intended to be a national ID number (it says so directly in the law that created it) but the advent of computerized databases and the need for a unique primary key for each individual led to the current situation.




Shadowrun
By JDHack42 on 7/7/2009 8:27:58 PM , Rating: 2
Time for everyone to get their SIN (System Identification Number)




It does not matter
By rudy on 7/7/2009 10:35:57 PM , Rating: 2
No matter what form of identification people can get it because of the insecure nature of needing to give that number to anyone who needs to identify you.




By Souka on 7/7/2009 2:48:43 PM , Rating: 1
Back when I was in college (early 90's), my university often posted mid-term and final grades on billboards outside the classroom and/or department office.

I "stole" and kept several sheets as I had highest scores on some of my Comp-sci classes...all of these sheets have the SSN (some just the last 4-digits) and grade/points. Most also had some personal info like first name, last name, initials, etc---- typical was first initial + full last name (J. Smith - SSN - grade)

If I had been an info-thief... I could have easily taken pictures with a camera and obtained thousands of SSNs plus info... kinda makes me wonder if someone did?

Anyhow.. my $.02 of history


