This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2009/071609bradner.html

Guessable SSNs -- but is that the real problem?

The fact that Social Security numbers are guessable is big news but the real problem has been known for a long time

'Net Insider By Scott Bradner , Network World , 07/16/2009

Researchers at Carnegie Mellon University report that they can sometimes guess a person's Social Security number and the press goes nuts. This is actually a good thing (the press going nuts that is).

Maybe, though not likely, the chaotic din will result in rules being changed to actually protect us from SSN-based identity theft attacks.

The research is solid, but not all that surprising for many in the security community.

It turns out that the Social Security Administration has gone about the business of assigning SSNs in a way that is only ideal for the original purpose of the SSN -- an unimportant taxpayer identifier. The Social Security Administration could have been randomly assigning SSNs, as many people assumed, but they have not. Instead, SSNs have been assigned according to a too rigid formula resulting in you getting assigned a guessable SSN as long as someone knows when and where you were born. The level of guessability depends mostly on the population of the state you were born in and when you were born.

Guessability is highest for people born in states with smaller populations between 1989 and about 2003 but is not zero for others.

In two ways this research would not have succeeded without the help of the U.S. government. First, National Science Foundation and Army Research Office grants supported the researchers and, second, a U.S. government document meant to reduce credit card fraud provided key data in a way that will facilitate ID theft.

The U.S. government published a macabre-named "Death Master File" that contains information about people who have died. In particular it contains the name, dates of birth and death, zip code of last residence and SSN of a whole lot of dead people. This is much more info than needed for the stated purpose -- telling banks what SSNs belong to dead people (all it would need is a list of SSNs to do that). The extra info is useful to genealogists but also to people who want to guess your SSN. See the paper for the details.

What was not covered well in the press is that the researchers were able to guess the first five digits of SSNs in one try in many cases. This is more than a bit of a worry because a SSN masked to only show the last four digits is not considered confidential information (see here, for example. The very same four digits that the researchers found were the hardest to guess can be found all over the place.

Businesses spend fortunes protecting SSNs that they collect from their customers and people spend endless time, and often quite a bit of money, when someone steals their SSN and -- using the SSN and a bit of public information -- steals their identity. And here a few researchers, aided and abetted by the U.S. government show that it's too easy to guess these.

But the real problem is that the fact that SSN has to be secret at all.

It was designed to disambiguate between people, not serve as proof of identity. There are many things wrong with using the SSN as a proof of identity; guessability is only one, and maybe not an important one. The basic idea that a credit card company would grant credit to someone just because they produced a string of digits that hundreds of organizations legitimately store and thousands of people have legitimate access to is absurd.

The best fix for the problems with SSNs would be for the government to publish a "Life Master File" that included the names and SSNs of everybody. If this were to happen the banks would have to actually think about security and come up with a reliable way to find out who they gave credit to. Maybe people should show up in person with a picture ID. But that would be too logical to ever happen.

Disclaimer: There are many classes that deal with logic at Harvard but I do not know of any that have understood the logic of using the SSN the way it's currently used. Thus, the above attempt at logic is my own.