Cracking Your SSN
There exists a database of Social Security Numbers of deceased people. It is called the Death Master File. This is a publicly available database of SSNs that employers can use to make sure their potential employees are not trying to register with false information. It has been known for some time that there is a pattern in the numbering of SSNs based on the year and location of issue. With new data processing techniques, it is becoming far easier for attackers to extrapolate a person’s SSN based on information easily found on social networking sites. It’s trivial for someone with a little scripting knowledge to write something to spider social networks and retrieve this information.
Attackers don’t even need to extrapolate your entire SSN, mainly just the first 5 digits. The last 4 digits can be found in public documents and are not considered as private as the first 5. The end result is that the extrapolation is significantly more accurate, because the prediction algorithm has fewer outcomes to predict. Alessandro Acquisti has published a whitepaper with startling figures on just how accurate this kind of attack is. He also explains why it is economically feasible for attackers to do this. The slides from the presentation can also be found here.
The takeaway is that SSNs are not a valid form of identification. Even changing the numbering scheme for future SSNs does nothing for those already affected, and it is impractical to revoke all current SSNs in circulation. The government should ideally devise some new means of unique identification.