Shop, Swipe and Smile. With SmartSwipe it is that easy.


Jul 07
2009

Are Social Security Numbers Secure?

Posted by Greg Hluska in Identity Theft

Alessandro Acquisti and Ralph Gross, researchers at Carnegie Mellon University, published a report with serious ramifications for United States law enforcement. This report, entitled "Predicting Social Security Numbers from Public Data" demonstrated that, if given a person's State and Date of Birth, they could often correctly guess that person's Social Security Number.

In their paper, Acquisti and Gross showed that their computer could properly guess 8.5% of social security numbers. And, their computer program guessed the first five digits of a social security number a surprising 44% of the time.  (Social Security Numbers have nine digits)

So, how did they guess so many numbers?

To start with, they analyzed publically available records from the Social Security Administration's Death Master File, which is a list of Social Security Numbers for people who have died. They found patterns between Date of Birth, State and Social Security Number and used these patterns to start predicting Social Security Numbers.

This study has major ramifications for everyone interested in combatting identity theft in the United States. Social Security Numbers have long been used as a secure, personal identifier.  If the system that generates these numbers is not secure, it is difficult to claim that Social Security Numbers actually add security to a transaction.

Thankfully, the researchers had some recommendations on how to combat this problem.  Acquisti and Gross recommended making the number assignment fully random and abandoning the matching of area numbers to states.


[ Back ]
Trackback(0)
Comments (7)Add Comment
feedSubscribe to this comment's feed
Nima Sharifimehr
pseudo-identity
written by Nima Sharifimehr, July 08, 2009
Hmmm... even if my SIN is generated with the most perfect random generation mechanism and there aint no way to derive my SIN from my personal info, why would it matter? Everyday, I am dealing with different organization which ask me for my SIN and I have to give it to them! Are they really using secure and safe systems to store my info??? [“The weakest link in the chain is also the strongest. It can break the chain.” Stanislaw Jerzy] Which one you think is easier/cheaper/faster/(kewler lol): 1) hacking the random generation function, or 2) hacking any of those organizations' systems? There are so many ways to improve this whole pseudo-identity thing. Though it seems the authorities think the cost to implement any of those solutions (i.e. infrastructure changes, training/education, ...) is more than damages caused from identity-theft!
0
Great Points!
written by Greg H., July 08, 2009
Hey Nima, thank you for posting that excellent summary. I agree with every one of your points.

I have become very, very careful with who I give my Social Insurance Number to. Way too many organizations ask for it now, despite the fact that they have absolutely no legal right to ask for that number. I think I might write another post about this right now, in fact...

However, as a good rule of thumb, only give your Social Insurance Number to your employer/people who pay you child support, any bank that pays you interest, and any government agency directly responsible for administering either taxation, or social programs (like Employment Insurance).



Nima Sharifimehr
CONFIDENTIAL
written by Nima Sharifimehr, July 08, 2009
Sweet! I am really interested in knowing all the details about the legal aspect of this and I would appreciate you providing any information regarding this. Knowing my legal rights at least I can reduce the attack surface. So, next time I have a form in front of me asking for my SIN while I know they aint legally allowed to have it, I can just simply write down in SIN field of that form: "CONFIDENTIAL".
0
...
written by Greg H., July 08, 2009
Hey Nima....

I posted an article on who can have your social insurance number and who cannot.
0
...
written by Canada Goose Jackets, December 06, 2011
This is good site to spent time on .I just stumbled upon your informative blog and wanted to say that I have really enjoyed reading your very well written blog posts. I will be your frequent visitor, that’s for sure.
0
Your blog is good
written by moncler jackets, December 30, 2011
http://www.moncler2012top.com/ The great http://www.moncler2012top.com/...s-c-5.html masterpiece
0
http://www.canada-goose-jackets1.com/
written by Canada goos jackets, January 06, 2012
HW-http://www.canadagoosejacket1.org/ , http://www.canadagoosejacket1.org/

Write comment
smaller | bigger

busy
Powered by Azrul's MyBlog for Joomla!

Authors

Categories

Archive