Social Security Numbers are Worthless as Authenticators
The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.
The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.
…
“My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”
So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”
We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.
My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”
For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.
Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.
While I in no way want to suggest that SSNs are an effective authenticator I question if the Acquisti/Gross research is at all an issue. They suggest that while they can guess the first 5 digits 44% of the time in one strike they can guess all 9 digits only 8.5% of the time in 1,000 tries. Given these two stats together it seems likely that they are not much better than random on guessing the last four digits. Even in small States for recent SSNs they are have a 1 in 20 chance of getting there in 10 attempts or less. Given what we know about the entropy of user-chosen 4 digit PINs it seems to me that the SSN is probably at least as good as, if not better than, letting the user choose their own authenticator.
On a slightly related note, I recently discovered that having an ‘old’ SSN is considered sufficient evidence that you are legally resident in the USA and eligible for employment. This is demonstrably not always true! I may investigate if it enables one to vote.
I guess I’m glad I was born in the NYC metro area. Take that, Delaware!
I guess what we really need is a proper government issued universal identifier, eh? (ducks)
SSN are perfect for Identification. They are a global identifier attached to a person.
The problem is that people use them for Authentication and, even worse Authorization. Given an SSN you need to verify that the person matches the SSN and that he allowed to do what he wants to do. It seems that this is the problem, not the usage of the SSN as an Identifier.
Keeping Identity, Authentication and Authorization apart is too hard for most designers of computer system, which is exactly why security professionals should scream bloody murder everytime something like SSN are used for anything beyond Identification.
authentication: something you have (written on your hide)
SSN is not even good for identification:
1. Duplicate SSNs can be, and have been issued
2. SSNs can be changed
3. Not everybody has an SSN (non-citizens and non-taxpayers aren’t required to do so)
Nicko,
Lots of people are “protecting” the SSN by showing only the last 4 digits. I’ve gotten tax documents from states redacted like this. If an attacker can guess the first 5 44% of the time with my birthday (on the form) and my place of birth (also easily found), then that security measure is pretty poor.
I’m surprised at the publicity this has gotten; anyone who didn’t move a lot and had siblings already knew that SSNs had these issues. Back before the IRS tightened the child deduction rules to essentially require parents to get SSNs for children before their second birthdays, it was pretty common for a family to apply for SSNs for their kids in a batch when the oldest turned 15 or so and applied for a first job.
This resulted in a set of nearly identical SSNs – same first 5 digits with the last 4 increasing in an obvious pattern. If you were paying even a little bit of attention it was pretty clear how the system worked.
I suppose someone who wants 15 minutes of fame could write the next paper on the not-very-sophisticated algorithms many states used (maybe some still use them; I haven’t checked recently) to derive drivers’ license numbers from SSNs.
Student, mckt,
SSNs lack a check digit, and are too short. If you really want an identifier, you want at least 3, preferably 4 digits for issuing government, then at least 10 digits to encode ten billion people (so China and India are covered for a few generations.
So a “perfect identifier” is probably 15 digits, not 9.
(This of course assumes that such a thing exists or is desirable, which it doesn’t and isn’t.)
The problem, of course, is that a unique identifier is a useful thing to have for tracking things like credit reports; but for political reasons any kind of national ID number is a non-starter. So we’re stuck with using the SSN as a sort of defacto national ID number.
Consider someone pretending to be you – like an Identity Thief. He/she knows your SSN, Name, Address, Birthdate, and gets your Resume online (all quite simple to obtain). Now consider this ID Thief applying for Jobs and going to interviews as you, using your information and applying for these jobs in your name, pretending to be you. The company just wants the SSN in their hiring system (your SSN provided by the ID Thief) to run a background check and “verify” the information provided by the ID Thief. The SSN check and background check comes back clean because you are a great person and the employment history and other information from your resume matches the company background check. Now, the company offers the ID Thief a job and hires the ID Thief now using your name and identity, starts working, earns money in your name. Now consider after a month this person murders someone in the company or steals something big and simply leaves town to another state and starts all over again. I would say you are screwed and the SSN failed to provide any authentication at all. And we wonder why ID Theft is a serious problem in America. Wake up people… Call and scream at your elected officials Now to prevent employers from using your SSN for autheticataion. And good luck with cleaning up the mess left behind by the ID Thief…
Consider someone pretending to be you – like an Identity Thief. He/she knows your SSN, Name, Address, Birthdate, and gets your Resume online (all quite simple to obtain). Now consider this ID Thief applying for Jobs and going to interviews as you, using your information and applying for these jobs in your name, pretending to be you. The company just wants the SSN in their hiring system (your SSN provided by the ID Thief) to run a background check and “verify” the information provided by the ID Thief. The SSN check and background check comes back clean because you are a great person and the employment history and other information from your resume matches the company background check. Now, the company offers the ID Thief a job and hires the ID Thief now using your name and identity, starts working, earns money in your name. Now consider after a month this person murders someone in the company or steals something big and simply leaves town to another state and starts all over again. I would say you are screwed and the SSN failed to provide any authentication at all. And we wonder why ID Theft is a serious problem in America. Wake up people… Call and scream at your elected officials Now to prevent employers from using your SSN for autheticataion. And good luck with cleaning up the mess left behind by the ID Thief…