Social Security Numbers: One massive information security risk

1 11 2011

“Social Security number (SSN) misuse, catalyzed by the Internet, has quickly become a serious national concern. […] The power it wields―power to enable financial transactions, power to obtain personal information, power to create or commandeer identities―makes it a valuable asset and one that is subject to limitless abuse.”

-The Office of the Inspector General of the Social Security Administration[1]

The above quotation was in the preface of a report about how 9/11 hijackers used fake Social Security Numbers to infiltrate the country and use it as their own base of operations and training. Let’s step back a bit, though. I’ll keep the SSN history lesson down to a minimum for the purposes of this post, but the major historical points of interest are:

-SSNs were first issued so that the Social Security Agency could keep track of your social security earnings.

-Over time, the government started requiring SSNs for identification purposes for taxation, military service, and other purposes.

-Private companies began requiring SSNs for banking, contracts, purchases, credit purposes, medical care, etc., until its use as a national identification number became common practice.

Along the way, the government went from casually issuing them to just about anyone who asked for one to clamping down and requiring you to provide proof of birth and identity in 1972.[2] This leads us to the first major security issue: The use of these numbers to securely identify people in any circumstance is undermined by the fact that, according to research, “6.1 percent of Americans have at least two SSNs associated with their name[, and m]ore than 100,000 Americans have five or more SSNs associated with their name”.[3] An identification validation system that has a 6% error rate sounds like a pretty massive security issue to me. Those figures are most likely not counting all the people who fraudulently claim stolen SSNs, which is apparently such a big issue that in just the city of Tampa, Florida, the IRS sends out fraudulent refunds (mostly facilitated by stolen SSNs) in the order of over $1 million a week.[4]

Most of us are aware of the other side of the security issues of Social Security Numbers. Whether you’re careful or not, these nine digit numbers can have a pretty negative impact on your life. According to the Social Security Agency (SSA), the fraudulent uses of your SSN include obtaining (and subsequently destroying) credit via purchases or loans, obtaining work, work permits, or licenses, obtaining phone, television, or utility services, obtaining benefits including child support, opening bank accounts, or being used to avoid identification from law enforcement officials.[5] The reason I mentioned that these things could happen whether you’re careful or not is because you can get your SSN stolen in data breaches from all sorts of organizations, even all the way up to the actual SSA itself.[6] Just a quick search brought up two recent incidents where 4.9 million military personnel’s medical records including their SSNs were stolen [7] and the US government accidentally published another ~30,000 SSNs of various citizens, many of whom claimed they only found out after their identities had been stolen.[8]

All of this fear of stolen and lost SSNs may be moot, as researchers at Carnegie Mellon have shown they can use just someone’s place and date of birth to predict their SSN. They claim they can guess someone’s SSN in less than about 1000 guesses. The results are obviously not exact, but using a bit of computing power to test out your guesses by registering for a bunch of credit cards online, one could hypothetically gather about 4,000 fraudulent credit cards in two hours.[9] Thankfully, the SSA has addressed some of these concerns by explaining:

“One should not make too much of the ‘geographical code.’ It is not meant to be any kind of useable geographical information. The numbering scheme was designed in 1936 (before computers) to make it easier for SSA to store the applications in our files in Baltimore since the files were organized by regions as well as alphabetically. It was really just a bookkeeping device for our own internal use and was never intended to be anything more than that.”[10]

“The public should not be alarmed by this report because there is no foolproof method for predicting a person’s Social Security Number. The method by which Social Security assigns numbers has been a matter of public record for years. […] For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”[11]

Don’t you feel safer already?
















Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: