Your Social Security number is NOT as random as you’ve been led to believe; its very existence makes you MORE vulnerable and your privacy LESS secure.
Today, it has become relatively easy for identity thieves to turn people into paupers or make them look like deadbeats to banks for years to come! Especially when it comes to an elderly parent whose life savings could be wiped out. (In the end, if you don’t cover that base, you could even find yourself having to carry the burden for years.)
The Social Security number was never meant to be a master key to our private financial, health, or personal lives. And, in fact, it may be the weakest link.
Your Social Security Number:
Easier to Guess Than You Think
In a study at Carnegie Mellon University, researchers were able to reverse engineer how Social Security numbers are generated and use that information to accurately guess a person’s Social Security number.
It’s a commonly held belief that Social Security numbers are randomly issued. On the contrary, the Social Security Administration uses a standard pattern based on where and when the number is issued. What the researchers did that’s never been done before was use publicly available information to work backwards and accurately guess the Social Security numbers for a large percentage of the population.
“In general, the first 5 digits can be predicted with a very high degree of accuracy with a single attempt,” reads the report.
With less than 10 tries, they could predict an entire Social Security number for some people in their study.
For 8.5% of the population born after 1988, it took less than 1,000 attempts to guess the entire Social Security number, even though mathematically, there are one billion possible nine-digit combinations.
A couple of things to consider:
8.5% of the people born after 1988 represents millions of individuals at risk;
Being born in a less populated state makes it easier to accurately guess your Social Security number. For instance, the study was able to guess one in 20 Social Security numbers, in less than 10 attempts, for individuals born in Delaware in 1996;
Everyone is potentially at risk. With today’s computer power, 10 attempts, or even 1,000 attempts, is a piece of cake.
Social Security Number Used
as Account Number AND Password?
Another important issue to consider is the first five digits of your Social Security number are the easiest ones to guess. These are the numbers tied closely to when and where the Social Security number was issued (highly correlated to your date and place of birth; information that is readily available online today for free or at nominal cost).
The last four digits are more random. But, most companies, employers, banks, and perhaps even your doctor routinely expose these numbers, falsely believing this is a safe method to identify someone.
The dangerous habit exacerbates the risks, because the last four digits of your Social Security number can be easier to find in public records, by rifling through paperwork, and even by dumpster diving. Which means if a criminal gets hold of the final four digits, he may have the ability to guess the first five digits and complete the deal.
Another Security Problem:
We’ve often said in our Executive Bulletins and in our monthly Independent Living newsletters (available only to paid subscribers) that it is your responsibility to protect your personal identity from theft and abuse. The reason being: even if organizations invest some time or resources to protect your information, they have little liability once your information is compromised. You’re on the hook for cleaning up the whole mess.
Not too long ago, ID Analytics published a report showing that more than 20 million Americans have multiple Social Security numbers associated with their name in commercial databases. In addition, they found over 40 million Social Security numbers were associated with multiple people! The report states:
6.1% of Americans have at least two SSNs associated with their name;
100,000 Americans have five or more SSNs associated with their name;
15% of SSNs are associated with two or more people;
140,000 SSNs are associated with five or more people;
Over 27,000 SSNs are associated with 10 or more people!
“Our research shows that Social Security numbers, contrary to popular perception, do not uniquely identify an individual,” said ID Analytics chief technology officer Dr. Stephen Coggeshall. There’s some good news: “most of these cases of duplication are likely due to simple data entry errors as opposed to deliberate falsification,” said Dr. Coggeshall.
Credit insiders mention that one can secure credit, through a mail-in credit-card offer for example, even if the Social Security number on the application is off by a few digits. This is allowed for “convenience;” just in case the consumer makes a mistake on the form.
Social Security numbers cannot be trusted for authentication or as a unique identifier. They are not a reliable master key.
According to the Carnegie Mellon report: “SSNs were originally designed in the 1930s to be used as identifiers of accounts tracking individual earnings… over time, they started being used for ‘authentication’ in… private sector services… to verify identity and determine whether someone is who he/she is claiming to be… The inherent tensions between using the same number as ‘identifier’ of an account (which may be shared with other parties) as well as a ‘password’ (which is supposed to be private and confidential) has contributed to the rise of identity theft.”
A few things you can do to protect yourself:
Secure and protect your Social Security card and other documents containing your SSN;
Be careful what information you reveal such as your date of birth and place of birth, last four digits of your Social Security number, and especially information you reveal publicly and online;
Shred documents rather than simply throwing them away;
Put pressure on elected officials and the corporations you deal with to stop using the Social Security number as both an identifier and password.
Make sure any elderly relatives for which you have ultimate financial responsibility are PROTECTED! If they are ripped off, it will totally be on you. That makes their security YOUR business.
At this point, our over-use and over-reliance of such a weak method for security, and the fact that it persists even after it’s been compromised, acts as an Achilles heel in our privacy. Vigilance is warranted.