Guest blog: Algorithm guesses social security numbers

"Guest blogger Michael Argast, director of global sales engineering at Sophos, comments on how sometimes adding security can actually take it away – despite the best intentions of governments. Over to you, Michael."

Michael Argast
Two researchers from Carnegie Mellon have discovered patterns in US social security numbers (SSNs) that make it much easier to guess a given individual's number from their date and location of birth. Of course, with those two pieces of information – SSN and date of birth – an identity thief can run rampant: applying for credit, stealing assets, etc.

The interesting part of this isn't just that such a pattern exists in SSNs – it's why it exists.

It turns out the government, trying to reduce fraud, dramatically reduced the randomness of an individual's number. Apparently, fraudsters were faking SSNs a lot in the 1970s and 80s – because the SSN was the single piece of identity that would let someone apply for a driver's license, credit cards, etc. This sort of fraud led the government to promote an initiative known as 'Enumeration at Birth' in 1989, which led to over 90% of new SSNs being assigned at birth.

This process dramatically increases the predictability of an individual's number: various facts about the birth, including its location, are in effect encoded into the SSN that the individual automatically receives.

According to the Social Security Agency, one of the big issues is that when the social security account number was created in 1936, nobody foresaw that the 9-digit number would ever be used for anything other than its original purpose: tracking a user's wages and paying them benefits. But in 1943 this number was mandated for use whenever a new identification system for tracking individuals was set up, which led to it being used for driver's licenses, voter registration, tax collection, alimony, jury selection, etc.

The impact of the Internet and identity theft has made protecting SSN information critical, but the system was never designed to handle the degree of fraud that occurs today. The SSN has become a form of 'national identity', with all the risks that implies. Protecting a system designed over 60 years ago against today's malicious activity is growing increasingly difficult.

The upside of all this security is that it makes it much harder for a fraudster to obtain a fake SSN and apply for benefits, become eligible to work, etc. The downside is that it makes it much easier for fraudsters to steal the identity of an actual person, and all the associated costs are now borne by the individual rather than the state.

We should always be cautious when 'improving' security – often the costs and risks are being moved around rather than eliminated.