Jim Rockford comes to identity theft
I’m not sure exactly why this reminds me of The Rockford Files. Probably it’s the episode where Rockford discovers an insurance fraud scheme based on birth certificates not being linked to death certificates.
This trick involves finding your social security number by looking up people who have died but were born in the same location and on the same day as you:
Researchers Alessandro Acquisti and Ralph Grossy… accessed the Social Security Administration’s Death Master File, a publicly-available (at a price) record of Americans who have died, including their SSN, birth and death dates.
The third piece of information they needed was the date and location of birth of test subjects. They found these details readily available for purchase from information brokers, or even divulged for free by users of Facebook and other social networking sites.
Since 1988, babies have been automatically assigned Social Security numbers at the time of birth. So, suppose you were born September 21, 1989 at 10:11 a.m. in Springfield, Mass. If there was a Death Master File entry on someone born in the same location as you on the same date, given that the numbers are assigned sequentially, it would narrow down what number you were assigned to one very close to the deceased.
While the researchers couldn’t usually determine the exact numbers of their subjects, they were able to eliminate enough that a hacker would have only 9 or 99 or 999 possible combinations to try, a problem easily solved with a brute-force attack.
As the authors of the study say, “If one can successfully identify all nine digits of a SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN.” In fact, your high-school locker was probably more secure than your Social Security number.
This trick appears to work for people born between 1988 and 2011, as, before that, social security numbers had to be requested—they weren’t automatic at birth. The more the state makes things more convenient for the state, the more they make the same thing more convenient for criminals.
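A defender-side view of the brute-force step the study describes: this sketch, an added example that is not from the original post or the study, flags verification logs in which one applicant record draws many distinct failed SSN guesses packed inside a window of 999. The log format, field names and thresholds are assumptions, and the sample lines are constructed using the never-issued area number 000.

```python
import re
from collections import defaultdict

# Constructed sample of failed SSN verification attempts (not real data).
# Area number 000 is never issued, so none of these values is a valid SSN.
SAMPLE_LOG = """\
2024-05-01T10:00:01 verify_fail applicant=A17 ssn=000-12-3401
2024-05-01T10:00:03 verify_fail applicant=A17 ssn=000-12-3402
2024-05-01T10:00:05 verify_fail applicant=A17 ssn=000-12-3403
2024-05-01T10:00:06 verify_fail applicant=A17 ssn=000-12-3403
2024-05-01T10:00:08 verify_fail applicant=A17 ssn=000-12-3404
2024-05-01T10:00:10 verify_fail applicant=A17 ssn=000-12-3405
2024-05-01T10:00:12 verify_fail applicant=A17 ssn=000-12-3406
2024-05-01T11:14:40 verify_fail applicant=B02 ssn=000-45-6789
2024-05-01T11:15:02 verify_fail applicant=B02 ssn=000-45-6798
2024-05-01T12:30:00 verify_fail applicant=C33 ssn=000-10-0001
2024-05-01T12:31:00 verify_fail applicant=C33 ssn=000-22-1234
2024-05-01T12:32:00 verify_fail applicant=C33 ssn=000-35-9999
2024-05-01T12:33:00 verify_fail applicant=C33 ssn=000-47-0500
2024-05-01T12:34:00 verify_fail applicant=C33 ssn=000-58-7777
"""

# Hypothetical log line layout: timestamp, event, applicant id, submitted SSN.
LINE = re.compile(r"\S+ verify_fail applicant=(\S+) ssn=(\d{3})-(\d{2})-(\d{4})$")


def find_tumbling(log_text, min_distinct=5, max_span=999):
    """Return {applicant: (distinct_guesses, numeric_span)} for applicants whose
    failed attempts cover many distinct SSNs within a narrow numeric window."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            applicant, area, group, serial = m.groups()
            tried[applicant].add(int(area + group + serial))
    flagged = {}
    for applicant, values in tried.items():
        span = max(values) - min(values)
        # One or two misses look like typos; widely scattered misses look like
        # confusion between records. Many tightly clustered misses are the
        # signature of walking a small candidate range.
        if len(values) >= min_distinct and span <= max_span:
            flagged[applicant] = (len(values), span)
    return flagged


if __name__ == "__main__":
    print(find_tumbling(SAMPLE_LOG))
```

A production rule would also bound the attempts by time window and aggregate across source addresses, since the guesses can be spread over many sessions.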
I still have my original social security paperwork that tells me to carry my card with me. Despite the admonition not to use it as an identity card, why, you never know when you might need to show it. And if you lose it, it’s no big deal, just go down to the social security office to get a new one.
In response to The last four digits of your social security number: The last four digits of your social security number are the least guessable part of your SSN.
- Crooks Can Guess Digits in Your Social Security Number, Study Finds: Tom Barlow
- “Since 1988, babies have been automatically assigned Social Security numbers at the time of birth. So, suppose you were born September 21, 1989 at 10:11 a.m. in Springfield, Mass. If there was a Death Master File entry on someone born in the same location as you on the same date, given that the numbers are assigned sequentially, it would narrow down what number you were assigned to one very close to the deceased.”
- The Rockford Files (Season One) (DVD)
- Season one of The Rockford Files, starring James Garner. This was a lot of fun to watch in the seventies, and I expect it ages well. Jim Rockford was a “reformed” con artist, and many of his cases required pulling cons to solve.
More social security numbers
- Mat Honan should read Mimsy
- “Because the last four numbers of your SSN are what businesses ask for, they are all that a criminal sometimes needs to use your cash or credit.”
- Insecurity questions on phones and at banks
- How important are the last four digits of your social security number? That and a high school yearbook can get a hacker your bank account.
- Tumbling to SSN privacy
- Guessing social security numbers based on the statistical analysis I talked about in “The last four digits of your social security number” now has a name: “tumbling”.
- The last four digits of your social security number
- The last four digits of your social security number are the least guessable part of your SSN.