Black Hat 2009 Convention

Cracking Your SSN

There exists a database of Social Security Numbers of deceased people, called the Death Master File. It is a publicly available database of SSNs that employers can use to make sure their potential employees are not trying to register with false information. It has been known for some time that there is a pattern in the numbering of SSNs based on the year and location of issue. With new data processing techniques, it is becoming far easier for attackers to extrapolate a person’s SSN from information easily found on social networking sites. It’s trivial for someone with a little scripting knowledge to write something to spider social networks and retrieve this information.

Attackers don’t even need to extrapolate your entire SSN, mainly just the first 5 digits. The last 4 digits can be found in public documents and are not considered as private as the first 5. The end result is that the extrapolation is significantly more accurate, as the prediction algorithm doesn’t have to predict as many outcomes. Alessandro Acquisti has published a whitepaper with startling figures on just how accurate this kind of attack is. He also explains why it is economically feasible for attackers to do this. The slides from the presentation can also be found here.

The takeaway is that SSNs are not a valid form of identification. Even changing the numbering scheme for future SSNs does nothing for those already affected, and it is impractical to revoke all current SSNs in circulation. The government should ideally devise some new means of unique identification.

[Slides: SSN Slide 1 (Statistics); SSN Slide 2 (What can be done)]

4 Comments... What's your say?

  1. I liked it. So much useful material. I read with great interest.

  2. Very much enjoyed this! Well done!


