Wednesday, July 8, 2009

Your SSN Can Now Be Accurately Guessed Using Date and Place of Birth

It seems that nothing is safe any more. And now your Social Security Number, the linchpin of your credit score, taxes, government benefits and more, is under attack. Large parts of it can be predicted, with a surprising degree of accuracy, from two simple facts you probably have on sites like Facebook and MySpace: your date and place of birth.

We have all heard the stories about Identity Theft and we all take precautions to be careful with our SSN. In fact, these days I’ll only put it down on a form if I absolutely have to; that includes medical forms that you often have to fill out when you visit a GP or specialist. But that may now be a moot point, because two Carnegie Mellon researchers, Alessandro Acquisti and Ralph Gross, have shown that the way SSNs are assigned can be inferred statistically from public records of already-issued numbers (the Social Security Administration’s Death Master File), well enough to predict much of a living person’s number.

John Timmer of Arstechnica.com reported yesterday that the two researchers turned two practices that were designed to make the number harder to forge into a way of predicting it from two simple facts, date of birth and place of birth, both of which appear on most public profiles.

To know how they did it, you need to know the basic structure of the SSN. As John describes it, the number splits into three parts:

The first three digits are based on the state where the SSN was originally assigned, and the next two are what's termed a group number. The last four digits are ostensibly assigned at random. Since the late 1980s, the government has promoted an initiative termed "Enumeration at Birth" that seeks to ensure that SSNs are assigned shortly after birth, which should limit the circumstances under which individuals apply for them later in life (and hence, make fraudulent applications easier to detect).
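To make the three parts concrete, here is a small parser and validator for pre-2011 SSNs. It is an added example, not code from the Ars Technica article or the CMU paper. The structural rules it encodes are public SSA facts: the area/group/serial split, the values the SSA never issued (area 000, 666 and 900-999, group 00, serial 0000), and the fixed historical order in which group numbers were issued within an area (odd 01-09, even 10-98, even 02-08, odd 11-99), which is what made the middle two digits advance predictably over time. The sample number and the "high group" value in the demo are constructed for illustration, not taken from any real SSA list.

```python
"""Split a pre-2011 SSN into area, group and serial, and sanity-check it.

Added example, not from the Ars Technica article or the CMU paper.  The
format rules and the group-issuance order are public SSA facts; the sample
numbers used below are constructed.
"""
from dataclasses import dataclass
import re

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Historical order in which the SSA issued group numbers within one area:
# odd 01-09, then even 10-98, then even 02-08, then odd 11-99.  Because the
# group in use advanced through this list over time, the group a newborn in a
# given state received on a given date was predictable.
GROUP_ISSUANCE_ORDER = (
    list(range(1, 10, 2))
    + list(range(10, 99, 2))
    + list(range(2, 9, 2))
    + list(range(11, 100, 2))
)
_GROUP_RANK = {g: i for i, g in enumerate(GROUP_ISSUANCE_ORDER)}


@dataclass(frozen=True)
class SSN:
    area: int    # first three digits: tied to the issuing state before 2011
    group: int   # middle two digits: advanced in GROUP_ISSUANCE_ORDER
    serial: int  # last four digits: 0001-9999

    def formatted(self) -> str:
        return f"{self.area:03d}-{self.group:02d}-{self.serial:04d}"


def parse_ssn(text: str) -> SSN:
    """Split 'AAA-GG-SSSS' (dashes optional) into its three parts."""
    m = _SSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an SSN-shaped string: {text!r}")
    return SSN(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_structurally_valid(ssn: SSN) -> bool:
    """Reject values the SSA has never issued.

    Area 000, 666 and 900-999 were never assigned; group 00 and serial
    0000 are never used.
    """
    if ssn.area == 0 or ssn.area == 666 or ssn.area >= 900:
        return False
    if ssn.group == 0 or ssn.serial == 0:
        return False
    return True


def group_rank(group: int) -> int:
    """Position of a group number in the SSA's historical issuance order."""
    if group not in _GROUP_RANK:
        raise ValueError(f"group {group:02d} is never issued")
    return _GROUP_RANK[group]


def group_was_issued(group: int, high_group: int) -> bool:
    """True if `group` had already been reached in an area whose most recently
    issued ("high") group is `high_group`.

    The SSA published a monthly High Group List per area, and validators used
    it to reject numbers whose group had not been issued yet.  Note that
    issuance order is not numeric order: group 02 comes after group 98.
    """
    return group_rank(group) <= group_rank(high_group)


def candidate_numbers(area: int, group: int):
    """Enumerate the 9,999 full numbers left once area and group are known.

    This is the search space the last-four-digit guessing has to cover: ten
    allowed attempts per identity is 10/9999, roughly the 0.1 percent
    full-number success rate the article quotes.
    """
    for serial in range(1, 10000):
        yield SSN(area, group, serial)


if __name__ == "__main__":
    sample = parse_ssn("123-45-6789")          # constructed sample number
    print(sample.formatted(), is_structurally_valid(sample))
    print(group_was_issued(sample.group, high_group=98))  # constructed high group
    print(sum(1 for _ in candidate_numbers(sample.area, sample.group)))
```

The `group_was_issued` check is the same test a careful form validator would have applied before 2011; the attack described in the article is essentially the inverse of it, using the date of birth to estimate which group an area had reached.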

From there, the article gets pretty heavily into technical data and statistics that I won’t bore you with here. If you’re interested, read all the details of the algorithm that reconstructs your Social Security Number. But all you really need to know is this: the assignment pattern has been shown to be predictable, the research and the data behind it are public, and it won’t be long before someone puts the two together for the wrong reasons.

So, should you be worried, and what can you do?

Well, as John Timmer explains, although the first five digits are relatively easy to predict, the last four are harder:

Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate.

BUT, and this is a big but, it seems that many automated verification systems do not require every digit of the SSN to match. As long as the number is cross-referenced with the date and place of birth, up to two digits can be wrong. John continues:

They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute.

Think about it: 47 a minute! Considering how prevalent ID theft is around the world, and how sophisticated thieves are becoming, I think this is enough to cause concern for the average US citizen. And as such, it may be time to start taking precautions.
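The 47-a-minute figure comes from the way those services throttle: they count failed attempts per IP address, and a botnet has as many IP addresses as it has machines. The following toy simulation, an added example that is not code from the article or the paper, shows the shape of that problem and of the fix. A stand-in verifier accepts an identity (the date and place of birth, collapsed to a label) plus a guessed four-digit serial, and counts failures either per source IP or per identity. The identities, their serials, the bot count and the attempt limit are all constructed for illustration and are not the researchers’ numbers.

```python
"""Why per-IP blacklisting does not stop a distributed SSN guesser.

Added example, not code from the Ars Technica article or the CMU paper.
The verifier is a toy model of an identity-verification service; the
identities, serials, bot count and attempt limits are constructed.
"""
from dataclasses import dataclass, field

SERIAL_SPACE = range(1, 10000)  # the 9,999 possible last-four-digit values


@dataclass
class Verifier:
    """Toy verification service.

    Failed attempts are counted per source IP (what the article says real
    services did) or per identity being verified, depending on `per_identity`.
    Once the limit is hit, every further call gets the same answer as a miss.
    """
    secrets: dict              # identity -> true serial (constructed)
    max_failures: int
    per_identity: bool
    _failures: dict = field(default_factory=dict)

    def verify(self, src_ip: str, identity: str, serial: int) -> bool:
        key = identity if self.per_identity else src_ip
        if self._failures.get(key, 0) >= self.max_failures:
            return False                      # blacklisted IP or locked identity
        if self.secrets.get(identity) == serial:
            return True
        self._failures[key] = self._failures.get(key, 0) + 1
        return False


def botnet_attack(verifier: Verifier, identities, bot_count: int,
                  attempts_per_bot: int) -> list:
    """Sweep the serial space for each identity in turn.

    The attacker already knows the first five digits (predicted from date and
    state of birth) and knows the per-IP limit, so each bot stops after
    `attempts_per_bot` misses and the next bot continues the sweep where it
    left off.  A per-identity lockout is invisible to the attacker (the
    service answers the same way), so bots keep burning attempts on a locked
    identity.  Returns the identities whose full number was confirmed.
    """
    confirmed = []
    bot, budget = 0, attempts_per_bot
    for identity in identities:
        for serial in SERIAL_SPACE:
            if bot >= bot_count:
                return confirmed              # botnet exhausted for this window
            if verifier.verify(f"bot-{bot}", identity, serial):
                confirmed.append(identity)
                break
            budget -= 1
            if budget == 0:
                bot, budget = bot + 1, attempts_per_bot
    return confirmed


# Constructed targets: only the serial is unknown to the attacker.
TARGETS = {"id-1": 3, "id-2": 12, "id-3": 2500, "id-4": 7}
ATTEMPT_LIMIT = 5   # constructed: failures allowed before blacklist/lockout


def confirmed_with_per_ip_blacklisting(bot_count: int) -> list:
    v = Verifier(TARGETS, ATTEMPT_LIMIT, per_identity=False)
    return botnet_attack(v, TARGETS, bot_count, ATTEMPT_LIMIT)


def confirmed_with_per_identity_lockout(bot_count: int) -> list:
    v = Verifier(TARGETS, ATTEMPT_LIMIT, per_identity=True)
    return botnet_attack(v, TARGETS, bot_count, ATTEMPT_LIMIT)


if __name__ == "__main__":
    print(confirmed_with_per_ip_blacklisting(3))          # a handful of IPs
    print(confirmed_with_per_ip_blacklisting(600))        # more IPs, more hits
    print(confirmed_with_per_identity_lockout(100_000))   # bots do not help
```

With per-IP blacklisting, the number of identities the attacker can confirm grows with the size of the botnet, because every new IP address buys another batch of guesses. With a lockout keyed on the identity being verified, the attacker gets the same small number of guesses per person no matter how many machines it controls, which is the property a verification service actually needs.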

First, see if you can remove your private information from your social networking sites and other public profiles, or at least replace your exact date and place of birth with something vaguer. The prediction needs both facts: the state of birth points at the first three digits, and the date of birth narrows down the group number. That one should be relatively easy, if a little time consuming.

Second, continue to practice good personal security. Shred any important documents that you are throwing out, and don’t leave sensitive data in a place where thieves could easily find it. I know a lot of people throw things in the car and forget about it, but if the car were stolen or broken into, it could be the start of much bigger problems.

Third, keep on top of your credit reports. You are entitled to one free report each year from each of the three major credit bureaus. DO NOT use freecreditreport.com; it charges. Instead, go to Annual Credit Report here. If you see anything suspicious or just plain wrong, contact the bureau immediately.

Finally, consider some ID theft protection. I use LifeLock because I got a great deal on it, and although not 100% effective, it does cover me if anything should happen. But LifeLock is basically just a method of putting 90-day fraud alerts on your credit reports, which you can do yourself for free. You can find the information for each bureau here:

EXPERIAN

EQUIFAX

TRANSUNION

For further reading, visit the FTC’s site. It has some great information. Stay safe folks.
