New Computing Method Guesses Social Security Number Using Date and Place of Birth
John Timmer, arstechnica: For citizens of the US, the social security number (SSN) is the gateway to all things financial. It fills its government purpose of helping us pay our taxes and track our (in many cases, hypothetical) government benefits, and it has also been widely adopted as a means of verifying identity by a huge range of financial institutions.
As a result, anytime you disclose an SSN you run a real risk of enabling identity theft. So far, most of the SSN-related ID theft problems have resulted from institutions that were careless with their record keeping, allowing SSNs to be harvested in bulk. But a pair of Carnegie Mellon researchers has now demonstrated a technique that uses publicly available information to reconstruct SSNs with a startling degree of accuracy.
The irony of their method is that it relies on two practices adopted by the federal government that were intended to reduce the ability of fraudsters to craft a bogus SSN. The first is that the government now maintains a publicly available database called a Death Master File, which indicates which SSNs were the property of individuals who are now deceased. This record provided the researchers with the raw material to perform a statistical analysis of how SSN assignments related to two other pieces of personal information: date and state of birth.
The second is that the government has centralized its handling of SSN assignments and provided documentation of the procedures. The first three digits are based on the state where the SSN was originally assigned, and the next two are what’s termed a group number. The last four digits are ostensibly assigned at random. Since the late 1980s, the government has promoted an initiative termed “Enumeration at Birth” that seeks to ensure that SSNs are assigned shortly after birth, which should limit the circumstances under which individuals apply for them later in life (and hence, make fraudulent applications easier to detect).
That last program proved to be the key feature that allowed the new research, as it ensured that SSN assignments were more tightly correlated to date of birth. The researchers used the Death Master File to split out data from individual states (which determine the first three digits) then order them by date. At that point, they searched for statistical patterns within the resulting data.
