title: Guessable SSNs - but what is that the real problem

Guessable SSNs - but what is that the real problem?

By: Scott Bradner

Researchers at CMU report that, for some people, the researchers can sometimes guess the person's Social Security number and the press goes nuts. This is actually a good thing (the press going nuts that is). Maybe, though not likely, the chaotic din will result in rules being changed to actually protect us from SSN-based identity theft attacks.

The research (http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf) is solid, but for many in the security community not all that surprising. It turns out that Social Security Administration has gone about the business of assigning SSNs in a way that is only ideal for the original purpose of the SSN - an unimportant taxpayer identifier. The Social Security Administration could have actually been randomly assigning SSNs, as many people assumed, but they have not been. Instead, SSNs have been assigned according to a too rigid formula resulting in you getting assigned a guessable SSNs as long as someone knows when and where you were born. The level of guessability depends mostly on the population of the state you were born in and when you were born. Guessability is highest for people born in states with smaller populations between 1989 and about 2003 but is not zero for others.

In two ways this research would not have succeeded without the help of the US Government. First, National Science Foundation and the Army Research Office grants supported the researchers and, second, a US Government document mean to reduce credit card fraud provided key data, and did so in a way that will facilitate ID Theft. The US Government publishes a macabrely named "Death Master File" (http://www.ntis.gov/products/ssa-dmf.aspx). This file contains information about people who have died. In particular it contains the name, dates of birth and death, zip code of last residence and SSN of a whole lot of dead people. This is much more info than it needs for the stated purpose - tell banks what SSNs belong to dead people (all it would need is a list of SSNs to do that). The extra info is useful to genealogists but also to people who want to guess your SSN. See the paper for the details.

A result of the research that was not covered as well in the press is that the researchers were able to guess the first 5 digits of SSNs in one try in many cases. This is more than a bit of a worry since, officially, a SSN masked to only show the last 4 digits is not considered confidential information. (see, for example, http://www.ustaxcourt.gov/press/011508.pdf) The very same 4 digits that the researchers found were the hardest to guess can be found all over the place.

Businesses spend fortunes protecting SSNs that they collect from their customers and people spend endless time, and often quite a bit of money, when someone steals their SSN and then, using the SSN and a bit of public information, steals their identity. And here a few researchers, added and abetted by the US Government shows that it's too easy to guess these.

But the real problem is that the fact that SSN has to be secret at all. It was designed to be a disambiguator between people not as a proof of identity. There are many things wrong with using the SSN as a proof of identity, guessability is only one, and maybe not an important one. The basic idea that a credit card company would grant credit to someone just because they produced a string of digits that hundreds of organizations legitimately store and thousands of people have legitimate access to is absurd.

The best fix for the problems with SSNs would be for the government to publish a "Life Master File" that included the names and SSNs of everybody. If this were to happen the banks would have to actually think about security and come up with a reliable way to find out who they gave credit to. Maybe, have people show up in person with a picture ID. But that would be too logical to ever happen.

disclaimer: There are many classes that deal with logic at Harvard but I do not know of any that have understood the logic of using the SSN the way it's currently used, thus, the above attempt at logic is my own.