Reverse-engineering SSNs from publicly available data

Computer scientists at Carnegie Mellon University have figured out how to predict Social Security numbers from publicly accessible birth data with frightening accuracy. The researchers analyzed a public information source known as the "Death Master File," which includes birth data and SSNs for people who have died. The scientists found that in many instances, if you know the date and state in which a person was born, you can deduce their SSN.

With just two attempts, the researchers correctly guessed the first five digits of SSNs for 60 percent of deceased Americans born between 1989 and 2003. With fewer than 1,000 attempts, they could identify the entire nine digits for 8.5 percent of the group.
There's only a few short steps between making a statistical prediction about a person's SSN and verifying their actual number, Acquisti said. Through a process called "tumbling," hackers can exploit instant online credit approval services -- or even the Social Security Administration's own verification database -- to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time.
"A botnet can be programmed to try variations of a Social Security number to apply for an instant credit card," Acquisti said. "In 60 seconds, these services tell you whether you are approved or not, so they can be abused to tell whether you've hit the right social security number."

Social Security Numbers Deduced From Public Data (Wired Science)

Predicting Social Security numbers from public data: Abstract (text) and full article (PDF) (Proceedings of the National Academy of Sciences)

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

MORE: Safety • Science

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

Anonymous

This is perfectly normal. The only odd thing is that organizations pretend that the SSN can be used to verify someone’s identity.

The sooner these tools get out onto the web and into public use, the sooner that organizations will admit that the SSN is a fundamentally flawed way to verify someone’s identity.

Has someone put the tools & sourcecode on the web yet?

Mac
Oni23

In France, you can figure out your social security number with the D.O.B., the sex and place of birth.
Pretty easy.
Mazoola

Like Mr Fantasy, when I was in college (at the University of Virginia), one’s student identification numbers was one’s first initial followed by one’s SSN. (Of course, in those days the Virginia DMV used SSNs for one’s driver’s license number as well.) By the time I got to grad school, a memo had gone around instructing professors to mask this info before posting class schedules and grades — by taking a felt-tip marker and drawing it through the two-digit column in the middle of the IDs. I don’t *think* the ID was printed in the student phone directory, but without a doubt, in a box somewhere back at the old homestead, I’ve got printouts from classes I took or TAed that list dozens of name/SSN pairs.

Personally, I guard against identity theft by having shit credit — but given the Virginia gentlemen and US presidential offspring and grand-offspring who were my classmates, I suspect not everyone is as well-protected as I.
Anonymous

Thanks for the primer. Reminds me of when CNN showed us how to make bombs and meth.

Next please show us how to hack bank’s account balance software!
Anonymous

My original SS card, form #OA-702 Rev. 4-56, has printed on the bottom of the front ‘For Social Security Purposes – NOT For Identification’

What irks me most is my new Medicare card issued by our stupid government is two letters followed by my SSN! And I’m supposed to carry this with me at ALL times?? NO WAY!!
Anonymous

OCR can easily bypass CAPTCHAs. All they do is annoy humans.
Jonathan Badger

When I was an undergraduate (depressingly, approaching 20 years ago), exam scores were commonly posted on the door of the professor tied by SSN. Have universities finally given up on this?
cadecc

Does anyone know what to do if you lose your SSN Card along with your wallet? I know, carrying the card in my wallet was a terrible idea.
Anonymous

most universities and colleges i’ve been to assign student id numbers upon admission (in sequential, non-randomized form). most forms at these places ask for the student id number, but you can find older forms hiding within the institution which ask for SSN. most things related to money (finaid, tuition, or student work) ask for SSN, but are being switched over. this is my experience, anyway.
Antinous / Moderator

My card was stolen along with my murse. In 1976. I lived without it until 1998, when a new job required it. I just went down to the SS office and told them it was lost. I didn’t mention the 22 years part of the story. I think that I had to bring a copy of my birth certificate.
Anonymous

Well then…that’s scary.
ill lich

Well, I’ve suspected this for years: one of my best friends in high school was born on the same day in the same hospital as I was, and we noticed our SSN’s were practically sequential (and we were born well before 1989. . . or did we coincidentally apply for cards on the same day as teens?)
Super Nate

I remember seeing this list of the worst events for privacy a couple years back:
http://www.schneier.com/blog/archives/2006/08/ten_worst_priva.html
Brett Burton

and if we just add captcha to those online credit application services? won’t that stop the bots?
Anonymous

I recall many years ago, David Brin compared how we handle SSNs with how we handle usernames and passwords. The difference is that we seem to treat the SSN as both username and password at the same time. Clearly it’s a username – it’s a unique identifier. But just as clearly, it’s not a password. That’s the problem.
Anonymous

Got my SSN & SS card in the early 80s. Simple piece of paper, same quality/size as a business card. Haven’t seen it in about 2 decades; it never would have lasted 20 years in any event.

Recently, to fix a snafu at one of the credit scoring agencies, they required me to mail copies of 2 pieces of ID……. one of which was a copy of my SS card.

So if I mail TransUnion a copy of a 30-yr old, ratty piece of paper — do they actually consider it authoritative proof of my identity?
The Raven

SSN’s aren’t and never were PINs. May this report lead to reform.
Anonymous

From the article: According to information privacy experts, Social Security numbers were never meant to be used for authentication purposes, and using them as passwords puts all consumers at risk for identity theft.
Anonymous

I returned to the same university after a twelve year absence. As an undergrad, our student ids had ssns on them! Now all uses of ssn have been replaced with the student id, but they still need the ssn, so I’m sure there’s a db somewhere that ties them together.
Anonymous

My late father delighted in telling stories of how bad things were. Kind of a chicken-and-egg thing with him and talk radio. Anyway, he took my youngest brother to the SS office downtown, circa 1984 (heh), to get the lad a card so his wages from his first job could be taxed.

Turned out that my brother’s birth certificate was not sufficient, but other documents, e.g., a library card (!) or a postmarked letter addressed to him (!!) would work. Mildly frustrated, Pop took him to the downtown library, where all he had to do was to point to his parents’ entry in the telephone book to get the library card.

My dad loved the next part, because he could actually foment rage in others with it. When they returned, they not only had to stand in line even longer, but the 58-year-old WWII veteran had to endure a parade of non-English-speaking adults brandishing letters with common names on the To: line getting SSNs. When he noticed the same letter being passed between applicants, he became so enraged that the security guard very nearly ejected him from the office.

Fortunately, my brother got his card and had a lovely summer working retail at the mall, thereby motivating him to excel in school.

[ in a burst of supremely random irony, the story I've told happened in our home town of San Antonio, Texas--and I'm laughing at the captcha "the alamo" ... wherever you are, Dad, I hope you can laugh about this one, too ]
Anonymous

@21

I think the point of the paper is that they went to social networking sites and used the formulas and found strangers SSNs 9% of the time.

Its not that they have “cracked the code” but that they are pointing out that we all are spreading trival but personal information into the world.
Mobile Bacon

I thought this was common knowledge. I wonder why the sudden fuss. It’d be nice if this were the opening salvo in a push to decouple your SSN from … well, everything except your Soc Sec account really.
Anonymous

1989 is an important limiting factor in this process. Before 1989 you only needed to get a SSN once you had a job, and paid taxes. After ’89 all dependents claimed on taxes needed a SSN, meaning that children were issued them when born, and hence the connection between birthdate and SSN.
bhorn

Amazing! Yet another reason why SSNs should not be used for anything other than Social Security business. It is a convenient and easy way for institutions to verify your identity but fatally flawed. Credit card companies, banks, and everybody except the SSA should stop using them immediately as employers are starting to do.

Any credit card company which give the wrong person a credit card in your name simply because they know your SSN should be held liable for any damage they do to you.
Timothy Hutton

Just an historical note, it wasn’t until fairly recently that you had to request a SSN within one year of your child’s birth to be able to claim the tax deduction. When I was born (in the mid-sixties) it wasn’t unusual for SSN requests to be delayed for years after birth, making this “prediction” harder.

Also, the vast majority of employers fail to use freely available SSN verification tools, so the need to come up with a correct SSN is primarily identity theft I’d imagine.
Timothy Hutton

Wow – what an accomplishment!

Here is a website with an overview of the SSN generation “scheme”.

Here is a more detailed accounting…

And here and here are some detail documents – all from the Social Security Adminsitration!

What a bunch of hard-core crackers – they put the published formula into a piece of code?!
monogodo

I’ve known this since 1987. I worked at the admissions office in college, and did a study which involved SSNs, and noticed the pattern described above. It also helped that my parents were born 5 days apart in the same area of Wisconsin, and their SSNs are identical up until the last two digits. What’s odd is my father’s SSN is a higher number than my mother’s, yet he’s the older of the two.
Anonymous

BHORN:

I agree with you about SSN not being used for anything other than Social Security. However, the flaws with a SSN is really a flaw with any all-in-one method of recording identity.

Back in the day, this wasn’t an issue, because people’s identity was verified by the community. For example, back in the day when you wanted a loan from your local bank, instead of them doing a computerized credit check they wanted a recommendation from a good standing member of the community… or, social services where provided by local private charity who knew most of the people they served, as opposed to a national bureaucracy that serves hundreds of millions via telephone and mail.

Identity theft is the price we pay for easy credit in the private sector, and for socialism in the public sector. Those things would not be possible without some highly centralized (and therefore, vulnerable) method of ID. Unless people want to give up their their easy loans and credit cards, and people want to give up their government entitlement programs, identity theft is just something we are going to have to live with. Some technological improvements can be made to make something like SSN more secure… but at the same time as we become more and more dependent on big centralized institutions, both centralized financial services provided by multinational corporations, and big centralized socialism, the incentive to steal identities will grow bigger.

I prefer small, decentralized institutions, both in business and in government, any would be willing to give up the benefits of centralization… but that is clearly a fringe concept, and most American and people around the world would not want that.
mrfantasy

When I was in graduate school, and in classes of 12 students, where exam results were posted by student ID number (which, back then was the SSN), I one afternoon told everyone their grades as we were geographically diverse enough that determining which SSN belonged to whom was a trivial exercise. People really got scared of me being able to do that, but I explained how the first 3 digits identify where you applied for the number.