Oh, goody. There is a report out stating that, using a statistical algorithm, it is possible to guess anyone’s Social Security Number. One only needs to know the date on which the person was born and the city where the birth took place. The smaller the state, the easier it is to guess the number.

An article over at Ars Technica also states that:

The irony of their method is that it relies on two practices adopted by the federal government that were intended to reduce the ability of fraudsters to craft a bogus SSN. The first is that the government now maintains a publicly available database called a Death Master File, which indicates which SSNs were the property of individuals who are now deceased. This record provided the researchers with the raw material to perform a statistical analysis of how SSN assignments related to two other pieces of personal information: date and state of birth.

The second is that the government has centralized its handling of SSN assignments and provided documentation of the procedures. The first three digits are based on the state where the SSN was originally assigned, and the next two are what’s termed a group number. The last four digits are ostensibly assigned at random. Since the late 1980s, the government has promoted an initiative termed “Enumeration at Birth” that seeks to ensure that SSNs are assigned shortly after birth, which should limit the circumstances under which individuals apply for them later in life (and hence, make fraudulent applications easier to detect).

The accuracy of these algorithms is positively disturbing. Using a separate pool of data from the Death Master File, the authors were able to get the first five digits right for seven percent of those with an SSN assigned before 1988; after that, the success rate goes up to a staggering 44 percent. For a smaller state, like Vermont, they could get it right over 90 percent of the time.

Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate.

That may still seem moderately secure if it weren’t for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute.

Interesting. There doesn’t appear to be a way to prevent this kind of SSN guessing. Our only protection is to try to keep our personal information as safe as possible. This is getting harder to do with the advent of the Internet.
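From a defender's angle, the verification tolerance the article describes can be modelled directly. This is an added example, not code from the article or the study behind it: it compares a lenient matcher that accepts up to two wrong digits with a strict matcher that also enforces a per-source failure budget, and counts how many of the 10,000 possible 4-digit serials a lenient matcher treats as matching a single submission. The SSN values, the tolerance and the failure budget are constructed assumptions.

```python
from collections import defaultdict

# Constructed example values, not real SSNs: a 9-digit record on file and a
# value submitted for verification. Digit layout follows the quoted text:
# 3-digit area number, 2-digit group number, 4-digit serial.
ON_FILE = "123456789"
SUBMITTED = "123456709"   # one serial digit differs from the record


def digit_mismatches(a: str, b: str) -> int:
    """Count positions where two equal-length digit strings differ."""
    return sum(x != y for x, y in zip(a, b))


def weak_verify(on_file: str, submitted: str, tolerance: int = 2) -> bool:
    """Lenient check as described in the article: accept up to `tolerance` wrong digits."""
    return digit_mismatches(on_file, submitted) <= tolerance


def strict_verify(on_file: str, submitted: str) -> bool:
    """Exact match only."""
    return on_file == submitted


def accepted_serials(tolerance: int) -> int:
    """Number of the 10,000 possible 4-digit serials a tolerant matcher accepts
    for one submitted serial (assumes the first five digits are already right)."""
    target = "0000"
    return sum(digit_mismatches(target, f"{n:04d}") <= tolerance for n in range(10_000))


class ThrottledVerifier:
    """Strict comparison plus a per-source failure budget (a hardening step
    assumed here, not taken from the article)."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def verify(self, source_ip: str, on_file: str, submitted: str) -> bool:
        if self.failures[source_ip] >= self.max_failures:
            return False          # locked out: further attempts are not evaluated
        if strict_verify(on_file, submitted):
            return True
        self.failures[source_ip] += 1
        return False
```

With a tolerance of two digits, a single submission matches 523 of the 10,000 serials, which is the policy weakness the article's botnet estimate rests on.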

Comments welcome.