
Social Security Numbers Cracked, Creates Identity Theft Risk reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researchers had a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, “making SSNs akin to 3-digit financial PINs.” “Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales,” the researchers wrote.

While the researchers' work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations and educational institutions. Networks are like candy bars - Social Security numbers can be hacked from outside the hard chocolate shell or from the soft and chewy inside.

The problem stems from the fact that our existing system of identification is seriously outdated and needs to be significantly updated. We rely on nine digits as a single identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. We will only begin to solve this problem when we incorporate multiple levels of authentication into our identification process.

The process of true and thorough authentication begins with “identity proofing.” Identity proofing is a solution that begins to identify, authenticate and authorize. Consumers, merchants and governments don't just need authentication. We need a solution that ties all three of these components together.

Jeff Maynard, President and CEO of Biometric Signature ID, provides a simple answer to a complicated issue in four parts:

Identify – A user must be identified when compared to others in a database. We refer to this as a reference identity. A unique PIN, password or username is created and associated with your credential or profile.

Authenticate – Authentication is different from verification of identity. Authentication is the ability to verify the identity of an individual based specifically on their unique characteristics. This is known as a positive ID and is only possible when using a biometric. A biometric can be either static or dynamic (behavioral). A static biometric is anatomical or physiological, such as a face, a fingerprint or DNA. A dynamic biometric is behavioral, such as a signature gesture, voice, or possibly gait. This explains why, when authentication solutions incorporate multiple factors, at least two of the following identifiers are required: something you have, such as a token or card, something you are, meaning a biometric identifier, and something you know, meaning a PIN or password.

Verify – Verification is used when the identity of a person cannot be definitely established. These technologies provide real-time assessment of the validity of an asserted identity. When we can't know who the individual is, we get as close as we can in order to verify their asserted identity. PINs, passwords, tokens, cards, IP addresses, behavior-based trend data and credit cards are often used for verification. These usually fall into the realm of something you have or something you know.

Authorize – Once the user has passed the identification test and authenticated their identity, they can make a purchase or have some other action approved. Merchants would love to have a customer’s authenticated signature to indicate his or her approval of a credit card charge. This is authorization.

Effective identification results in accountability. It is being achieved in small segments of government and in the corporate world, but not systematically. Unfortunately, we are years away from full authentication.

1. Get a credit freeze. Go online now, search “credit freeze” or “security freeze” and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

Robert Siciliano Identity Theft Speaker discussing identity theft


Comments: (1)

Stephen Wilson - Lockstep Consulting - Sydney 08 July, 2009, 22:10

I'm very very concerned by any formulation of the identity management challenge that builds in biometrics like this.  It is just not true that "the ability to verify the identity of an individual ... is only possible when using a biometric".

The biometrics industry is awash with hype and brand new R&D hot off the bench, but very light on actual performance specs.  In security, brand new products are actually regarded with suspicion by the professionals, so it surprises me that biometrics advocates keep foisting new technologies on us.  Robert's blog mentions several options, some are unproven, some aren't even commercially available! Handwritten signature verification was a flash in the pan in the 1990s.  DNA gets mentioned with monotonous regularity but there is no affordable DNA based authentication system on the market (portable forensic DNA labs used to identify disaster victims are as big as shipping containers and take hours to generate results).  And as for gait, I cannot imagine how it could be used in practical ID management.

Biometrics are soooo sexy - see how vendors use sci-fi movie clips as if there were case studies - but we need to get real about performance.  There are no agreed ways to test False Accept and False Reject rates.  Wild figures get bandied about like error rates of "one in a million" but they're never sustainable in real world settings.  Proponents gloss over the fact that False Positives and False Negatives have to be traded off; to get false matches anywhere near 1 in 10,000, the false reject goes up to 10 percent and vice versa!

What error rate testing that does exist is subject to the "Zero Imposter Assumption".  That is, biometric testing only picks up accidental matches and non-matches, and assumes that nobody is trying to fool the system.  The FBI reported earlier this year that "When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different". This is fatal.  How can banking security systems be evaluated when nobody can tell us how they perform when a criminal is actually trying to break in?

Stephen Wilson, Lockstep.
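The FAR/FRR trade-off and the "zero impostor" evaluation gap raised in the comment above, as an added illustration that is not code from the article or from the commenter: the score samples below are constructed, not measurements of any real biometric product, and show how a threshold tuned to a zero-effort false-accept target can look very different once a dedicated spoofing set is scored against it.

```python
from dataclasses import dataclass

# Constructed sample similarity scores (0..1, higher = closer match). These are
# illustrative numbers only, not measurements of any real biometric system.
GENUINE = [0.62, 0.71, 0.75, 0.78, 0.80, 0.81, 0.83, 0.85, 0.86, 0.88,
           0.89, 0.90, 0.91, 0.92, 0.93, 0.94, 0.95, 0.96, 0.97, 0.99]
ZERO_EFFORT_IMPOSTORS = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55,
                         0.58, 0.60, 0.63, 0.66, 0.70, 0.74, 0.77, 0.79, 0.82, 0.87]
# Constructed scores from a "dedicated effort" (presentation attack) test set.
SPOOF_ATTEMPTS = [0.70, 0.80, 0.85, 0.89, 0.90, 0.92, 0.93, 0.95, 0.96, 0.98]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float  # false accept rate: impostor scores >= threshold
    frr: float  # false reject rate: genuine scores < threshold


def error_rates(genuine, impostors, threshold):
    """FAR and FRR when a comparison is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in impostors) / len(impostors)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return OperatingPoint(threshold, far, frr)


def operating_point_for_far(genuine, impostors, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR it costs."""
    for t in sorted(set(genuine) | set(impostors)):
        point = error_rates(genuine, impostors, t)
        if point.far <= max_far:
            return point
    raise ValueError("no threshold meets the FAR target")


def equal_error_rate(genuine, impostors):
    """Operating point where FAR and FRR are closest (the usual one-number summary)."""
    candidates = sorted(set(genuine) | set(impostors))
    return min((error_rates(genuine, impostors, t) for t in candidates),
               key=lambda p: abs(p.far - p.frr))


def far_under_attack(genuine, impostors, attacks, max_far):
    """Tune the threshold on zero-effort impostors, then re-measure FAR on spoofs."""
    point = operating_point_for_far(genuine, impostors, max_far)
    return point, error_rates(genuine, attacks, point.threshold).far


if __name__ == "__main__":
    p, spoof_far = far_under_attack(GENUINE, ZERO_EFFORT_IMPOSTORS, SPOOF_ATTEMPTS, 0.0)
    print(f"threshold={p.threshold}: FAR={p.far:.2f} FRR={p.frr:.2f}; "
          f"FAR against dedicated spoofing={spoof_far:.2f}")
```

On this constructed data the only threshold with zero zero-effort false accepts rejects 45% of genuine users, and still accepts 70% of the spoof set, which is the evaluation gap the comment describes.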
