Bruce Schneier
Schneier on Security

A blog covering security and security technology.

July 24, 2009

Social Security Numbers are Not Random

Social Security Numbers are not random. In some cases, you can predict them with date and place of birth.

Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.

I don't see any new insecurities here. We already know that Social Security Numbers are not secrets. And anyone who wants to steal a million SSNs is much more likely to break into one of the gazillion databases out there that store them.

Posted on July 24, 2009 at 10:36 AM • 38 Comments

predictable • July 24, 2009 11:00 AM

The problem with SSNs is that they were never intended to provide proof of identity or security. It was simply a number attached to a name to differentiate people with similar names for the purpose of delivering federal benefits. Instead, the problem lies with our banking and credit systems which are misusing SSN's as a way of verifying one's identity.

The problem lies not with the SSN, but the poorly thought out identity-verification procedures used by the rest of society. It is somewhat unnerving to know that the people trusted with safeguarding our financial systems know no better way of verifying our identities than asking for a name and number combination which can be easily discovered or guessed.

crickel • July 24, 2009 11:02 AM

Yeah, I'd have to file this under 'not news'. Missouri stopped using SSNs for the state's Drivers License numbers years ago for just this reason - and haven't we been being told for just about as long that SSNs should never be used as an 'identification number'?

stranger • July 24, 2009 11:20 AM

I totally agree about SSN not being secrets or authenticators. However, I'm puzzled that the fact that they're fairly predictable is news. Certainly through the 80's they were allocated block by block. In the 90's when my Big10 school was still posting grades on office doors with SSN's, it was easy to guess which were from those born out of state. The two of us born in California always could tell the others' grades...

JRR • July 24, 2009 11:23 AM

This only really works for younger people. When I was born, you didn't need a SSN until you started to work, so they'd have to know when I got my first job; that's a lot harder to know than my birthday.

There are other vulnerabilities like this though; the Michigan driver's license number is made up of a bunch of personal info; you can know the DL# given a bunch of personal info, and given the DL#, you can know at least a lot of the personal info, like I think the first couple of letters of the name, the date of birth, the county they were born in, etc. I wrote a program to find DL# given some info, on the TRS-80 so it's been a while.

AlanS • July 24, 2009 11:32 AM

Well, maybe this isn't news to anyone here but tell that to all the companies using them for identity purposes and the states pushing data security laws requiring protection of SS#s.

They seem to be the target audience for this:

"2) current policy initiatives in the area of SSN and identity theft should be reconsidered: most policy-making currently focuses on removing SSNs from databases or redacting their digits, so that they can still be used as "confidential information" - however, since SSNs are predictable from otherwise publicly available data, SSNs cannot be kept confidential even if they are removed from databases, and therefore those initiatives may be ineffective"

Nick • July 24, 2009 11:36 AM

@predictable

Of course.... That can apply to 80% of all evils.

Pete Austin • July 24, 2009 11:39 AM

Not a new security issue, but might be useful for data cleaning or input validation.

Don • July 24, 2009 11:54 AM

I'm not very old, but while I was in college (early 1990s), both my school and my bank used my SSN as my account number. All nine digits were printed on the ID card that I had to show at the cafeteria line, sports events, the library, etc. And they were printed on the bottom of every check I wrote for rent, utilities, or pizza delivery. When exactly did we decide to treat that as my lifetime financial password?

The source of the problem is this: Financial institutions make far more off fast credit decisions than they lose off identity theft.

I don't have any easy answers. I do have cumbersome ones. For example, a real password on my credit reports. If I want to authorize someone to check or extend credit, I can log in and grant them authorization. (Maybe this is generating a one-time key for them to use so I can write that onto a paper credit, employment, or rental application. Or maybe someone makes a request and I click "approve.") Today's identity theft problems would disappear. But so would all those mailers offering credit cards. (Well, perhaps not. Lobbyists are creative people.)

Mike Wyman • July 24, 2009 12:20 PM

@Don

Not that this will ever make any difference.

Matt from CT • July 24, 2009 12:54 PM

> Not a new security issue, but might be useful for data cleaning or input

Totally worthless for data validation. As others pointed out, while there is a strong correlation, there isn't a 100% match.

More useful for law enforcement or others trying to find small threads that if pulled can unravel fake identities.

antibozo • July 24, 2009 1:06 PM

My comment from 2005 (emphasis added):

http://www.schneier.com/blog/archives/2005/12/...

The real problem is that somehow it has become accepted practice for the financial industry to abuse SSN as a pre-selected shared password. This is stupid beyond belief and shouldn't be tolerated. SSN shouldn't need to be a big honking secret--no more than the checking account number that is printed on the face of every check you write. It's an account number with SSA; that's all. It is by no means suitable key material--it is known by too many people and ***it is even highly predictable from other personal information (go read up on area and group numbers)***. It is also difficult (but not impossible) to change, which no key should be. But since it /is/ possible to change, it is also not a suitable unique identifier for any individual.

The obvious solution is for everyone to publish his or her SSN everywhere possible--put it in your .signature, post it on blogs, take out an ad in the newspaper, write it on a bumper sticker, etc. If everyone published SSN, mother's maiden name, and any other lame excuse for a password that lazy corporate idiots have decided to use to protect access to our livelihoods, the problem would go away because the banks and corporate office drones would have to get off their fat asses and actually come up with a secure system for us to establish real passwords (or other authenticators). An alternative would be a law requiring SSA to publicly disclose all SSNs.

I'm afraid it will be a long time, however, before enough people realize what a state of total moronitude we've become enmeshed in. Until then, we're all looking over our shoulders because we let the greedy corporate banking people (and to a lesser extent human resources bozos) implement vast systems without the fundamental security measure of password management.

Blair H. • July 24, 2009 2:37 PM

The other category that this opens up, is creating false identities. With the SSNs being predictable, it makes it easier to create a false identity with an SSN from a time and region that matches what you are looking for.

AlanS • July 24, 2009 2:38 PM

@antibozo

Exactly. They weren't designed to be secure and will never be made secure. The states and the feds should get over it and pass laws against their misuse instead of laws requiring institutions to secure what can't be secured.

Michael Seese • July 24, 2009 2:59 PM

"The obvious solution is for everyone to publish his or her SSN everywhere possible--put it in your .signature, post it on blogs, take out an ad in the newspaper, write it on a bumper sticker, etc."

You first. :)

Actually, considering the number of breaches to date, one wonders what kind of huge event has to happen in order to get folks to change a well-entrenched system.

-- Michael Seese, Author of Scrappy Information Security

Rich Wilson • July 24, 2009 3:00 PM

"the feds should get over it and pass laws against their misuse"

Of course that would be opposed by the CC lobby, which has pretty deep pockets.

Brandioch Conner • July 24, 2009 3:15 PM

@Blair H.

Extend that concept a little further. One day the criminals will discover databases. And how to populate them with all the personally identifying information they can steal. Then they'll be able to take out a second mortgage on your home.

N/A • July 24, 2009 3:44 PM

@crickel

"haven't we been being told for just about as long that SSNs should never be used as an 'identification number'?"

That's exactly what it is, it's a number to uniquely identify you. What it is not, is a form of shared secret as the other posters point out. Other countries have a national registration number, nobody treats it as a secret there, it is only used as a way of identifying someone and never ever used as a shared secret.

The US has this weird tendency to treat the knowledge of a number which is meant to be public information as a way of authentication. Apparently Americans keep their bank account numbers secret as well: in Europe account numbers are even published on websites. Knowledge of the number only allows one to transfer money TO one's account. It's not possible to transfer money FROM the account by only knowing the account number, that would be silly.

Davi Ottenheimer • July 24, 2009 6:36 PM

In related news, researchers have discovered that water is wet.

Roger • July 25, 2009 2:11 AM

@N/A:

That's the theory, any way. In practice, account number + unusual transaction type + a little social engineering = withdrawal. Just ask Jeremy Clarkson of "Top Gear" fame; for details see:

(Clarkson makes a living from being a controversial (but witty) big-mouth, but it has to be said that unlike many public figures today, he is big enough to admit it when he is wrong.)

Roger • July 25, 2009 6:11 AM

@antibozo:

> ... that lazy corporate idiots have decided to use to protect access to our livelihoods, the problem would go away because the banks and corporate office drones would ...

Having at one point been on the wrong side of this fence, I can say that in my experience the problem is not laziness, it is marketing. To my shame I have been involved in rolling out a financial software product where, over howls of anguish from the development team, encryption was weakened to "kid sister" levels because marketing insisted that an adequately long password would confuse customers and drive down uptake.

A contributing factor is the rise of the non-specialist MBA manager who has no understanding of the business's technology and so has more buy-in to marketing's hand-wavy arguments, at the expense not only of the technical teams but also the marketing demographers (who had concluded that actually, a lot of our customers rated good security as a very important feature.)

Mark • July 25, 2009 2:05 PM

@Don

It isn't exactly hard to generate a student number, account number, library number, customer number, etc. which is meaningless outside the institution which generated it. Indeed this is the way things are done in most places. Also can you only have one account with a US bank?

Mark • July 25, 2009 2:09 PM

@JRR

This is even more insecure when you remember that these kinds of documents are often, even primarily, used (especially in the US) for purposes completely unrelated to driving on public roads.

Mark • July 25, 2009 2:19 PM

@antibozo

It's an IDENTIFIER, possibly only a unique one when combined with other information. The point is that knowing a set of identifiers that uniquely relate to a single person should not be of much use in enabling anyone else to impersonate that person.

Mark • July 25, 2009 2:26 PM

@Blair H.

Which in any half decent system would be flagged as either "never assigned" or assigned to someone else without notification of name change. (The latter may simply equate to a misspelling of name. Which a human can trivially identify after a machine has done the first stage checking.)

antibozo • July 26, 2009 11:27 AM

Mark and others,

As I pointed out already, SSN is *not* a persistent identifier. SSA provides a procedure for changing your SSN if adequate criteria are met:

http://www.ssa.gov/oig/hotline/when.htm

A sequence of SSNs may be an identifier, but do any systems allow for this? And how strong is SSA against deliberate attempts to assign multiple SSNs to the same individual? And, after all, how much use is an identifier without an authenticator?

Practically, SSN is designed neither to be a persistent identifier nor an authenticator. It's an account number. That's all.

David • July 27, 2009 8:31 AM

@Don

Quite a few years ago, my wife's wallet was stolen. The thieves did several things, including open up a new account at Best Buy and charge about $2500 worth of stuff. We wrote to all the institutions that had been defrauded and included the police report number. We weren't asked to pay a thing, and the incident is not on our credit report.

That's how it should work. Best Buy extended lots of credit on a risky basis. That's their business decision; if they sold enough more merchandise to make up for the fraud, it's a good one.

Unfortunately, that's not how it works in all cases.

checco • July 27, 2009 8:39 AM

I view SSNs as going the way of car registration cards... remember those? We were supposed to keep them safe to prevent car thefts (?)... so how many are stored in the glove compartment? and really, how many are attributed to car thefts? The same goes for SSNs... protecting the number itself is not going to prevent identity theft... we just haven't gotten to the "lojack" stage of identity theft.

Timothy • July 28, 2009 8:48 AM

SSN's are not specific to a place of birth as the article states. They are tied to the place of application. If you are concerned about correlation, simply make application for your child's SSN at an office remote from the birth city. It's as simple as that.

rik • July 28, 2009 10:56 AM

In the UK, National insurance numbers (equivalent to SSN) are not random. They are of the form of AB 12 34 56 C. I remember at high school, when everyone in my year group was allocated with their NI number, given to us on a little white card, I noticed that they were all in a similar range (same starting letters) and the numbers allocated in age order, rather than alphabetical order.

I have worked in places where the IT department decided that NI numbers would make a good user login ID (really bad idea), so I got to working out some of the patterns. Since then I have often had fun with a party trick working out people's ages from their NI number...

Kai Howells • July 28, 2009 5:29 PM

I think that the reliance on SSNs as a form of ID is just crazy. Here in Australia, we have a Tax File Number. Your TFN is a secret, you tell your bank, your employer and your accountant this number and no-one else. I have never heard of anyone having their identity stolen or anything like that due to their TFN getting compromised, but you still treat this number with respect and don't give it out to anyone...

antibozo • July 30, 2009 12:48 PM

Timothy> If you are concerned about correlation, simply make application for your child's SSN at an office remote from the birth city. It's as simple as that.

Yeah, you can add a couple of bits of entropy that way. But there are only a very limited number of area+group combinations being used at any given time, so it really doesn't help as much as you imply.

antibozo • July 30, 2009 12:49 PM

Kai Howells> Here in Australia, we have a Tax File Number. Your TFN is a secret, you tell your bank, your employer and your accountant this number and no-one else.

Why should this number be kept secret? What is the risk of making it public?

Lee mchaney • March 24, 2010 4:30 AM

Hello, Lee here in Thailand. When I was very young my grandfather got me an SSN in Missouri. When I was old enough to work, my Dad got me another one in Tennessee. He didn't know about the first one. My question is, do I have two numbers? I'd love to find the other one from when I was a little boy. Talk about your clean slate!
:-)

Lazslo Panaflex • April 28, 2010 7:13 PM

I have been issuing valid SSN following a few

jjones444 • November 30, 2010 5:05 PM

It's scary to learn (or realize, rather) that social security numbers are not random and that my number can be figured out without any super personal information. I knew that certain number beginnings correlated with certain years, but I didn't realize how much of it is public information. At what point do I need to find a social security attorney to help protect my identity?

Craig • August 1, 2011 12:12 PM

My five siblings and I all have sequential social security numbers even though we were born between 1948 and 1955. Why? Because the Social Security administration used to give out blocks of SSNs to local banks to distribute to kids opening savings accounts. We all got our SSNs from the same branch of our local bank, and it just happened that no other kids opened savings accounts.

JK • February 5, 2012 11:12 PM

All news to me. No one ever talked about this in school, or anywhere else. I would have guessed it was random.