Tuesday, July 07, 2009

Social security numbers may be too easy to guess, especially for seniors

Brian Krebs has a story in The Washington Post, July 6, “Researchers: Social Security Numbers Can Be Guessed”, with link here.

The social security numbering system was never intended to be used for authentication, and older people may find that social security numbers are derived from other demographic data, or may have been given in sequence to family members. Identity thieves could make up algorithms to keep trying and guess the numbers.

The Social Security Administration has long cautioned private companies against using social security numbers as a prime identifier. Banks and financial institutions used to use them, but have tended to shift toward randomly generated user ids as well as passwords.

AOL also has a major story on "guessing social security numbers" with URL here. The article refers to a Carnegie Mellon report, which breaks down how the social security number has often been parsed. The first three digits of a Social Security number were called the area number and correlated to ZIP code. The middle two numbers were called the group number and were assigned within a "region", often consistently for years. Lists of assigned area and group numbers are available through Web sites associated with the Social Security Administration, the report said. In 1988, the government mounted an effort to assign social security numbers right after birth. The number system is rather like that of a library that changes its catalogue locations a few times over a long period.

Carnegie Mellon has a "SSN watch" website here.

No comments: