Mimsy Were the Borogoves

Editorials: Where I rant to the wall about politics. And sometimes the wall rants back.

Jim Rockford comes to identity theft

Jerry Stratton, June 14, 2013

“Detach your card and sign it immediately. Carry it in your purse or wallet.”

I’m not sure exactly why this reminds me of The Rockford Files. Probably it’s the episode where Rockford discovers an insurance fraud scheme based on birth certificates not being linked to death certificates.

This trick involves finding your social security number by looking up people who died but were born in the same location and day as you were born:

Researchers Alessandro Acquisti and Ralph Gross… accessed the Social Security Administration’s Death Master File, a publicly available (at a price) record of Americans who have died, including their SSN, birth and death dates.

The third piece of information they needed was the date and location of birth of test subjects. They found these details readily available for purchase from information brokers, or even divulged for free by users of Facebook and other social networking sites.

Since 1988, babies have been automatically assigned Social Security numbers at the time of birth. So, suppose you were born September 21, 1989 at 10:11 a.m. in Springfield, Mass. If there was a Death Master File entry on someone born in the same location as you on the same date, given that the numbers are assigned sequentially, it would narrow down what number you were assigned to one very close to the deceased.

While the researchers couldn’t usually determine the exact numbers of their subjects, they were able to eliminate enough that a hacker would have only 9 or 99 or 999 possible combinations to try, a problem easily solved with a brute-force attack.

As the authors of the study say, “If one can successfully identify all nine digits of a SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN.” In fact, your high-school locker was probably more secure than your Social Security number.

This trick appears to work for people born between 1988 and 2011 because, before that, social security numbers had to be requested; they weren’t automatic at birth. The more the state makes things convenient for itself, the more convenient it makes the same things for criminals.

I still have my original social security paperwork that tells me to carry my card with me. Despite the admonition not to use it as an identity card, why, you never know when you might need to show it. And if you lose it, it’s no big deal, just go down to the social security office to get a new one.

In response to The last four digits of your social security number: The last four digits of your social security number are the least guessable part of your SSN.
