Why using Social Security numbers for identification is risky and stupid.

Inside the Internet.
July 14 2009 6:08 PM

No, You Can't Have My Social Security Number

Why using SSNs for identification is risky and stupid.

Illustration by Rob Donnelly. Click image to expand.

In a paper published last week, two Carnegie Mellon professors unveiled a method for cracking the code of Social Security numbers. Given a person's birth date and the state where he or she was born along with public records of deceased people born around the same time, the researchers wrote an algorithm that predicted a person's SSN with startling accuracy. The biggest question raised by their paper isn't how our country came to rely on such an insecure identification system. The mystery is how it took so long for anyone to break such a ridiculously elementary system.

Social Security numbers were never designed to be secure. When SSNs came into existence 75 years ago, they had one and only one purpose: to keep track of contributions to the federal pension system. When Congress established the program in 1935, it started issuing cards with unique nine-digit numbers. The numbers were derived using a simple formula. The first three digits, called the "area number," refer to the state where the card was issued. The fourth and fifth digits, the "group number," are assigned in a predetermined order to divide the applicants into arbitrary groups. The last four digits, the "serial number," are assigned sequentially, from 0001 to 9999 in each group.

Advertisement

Ten years after the SSN debuted, the feds added a clarification to the card in capital letters: "FOR SOCIAL SECURITY PURPOSES—NOT FOR IDENTIFICATION." By that point, it was already too late. Three years earlier, President Franklin Roosevelt had issued an executive order allowing other federal agencies to use SSNs rather than launch their own systems. Within 20 years, the IRS, the Civil Service Commission, and the military were all using the numbers to identify people.

Social Security numbers haven't evolved much since those early days, but the techniques for exploiting them have. The Social Security Administration's Web site is happy to tell you which three-digit codes belong to which states and in what order the group numbers are assigned. The Carnegie Mellon researchers simply determined that if you know when and where a person was born—info that many of us readily supply on Facebook—you can narrow down her possible Social Security number to a fairly small range. (Studying existing government records, like the list of dead people's SSNs in the Death Master File, gave the researchers additional clues about when exactly specific states assigned specific numbers.) The system works particularly well for people born in small states, which have only a few possible area numbers. (For example, Wyoming natives are very likely to have Social Security numbers that start with 520.) The odds of guessing someone's number on the dot are still low—about 1 percent on average for more recent births, but up to 10 percent in small states. Even the lower figures, however, are plenty large enough to steal a lot of real identities if you use a small network of computers to try out lots of possibilities.

Now that SSNs are used on our driver's licenses, tax returns, and bank statements, we have the worst of all possible worlds: Numbers that were never intended to be secure are being used to secure our most-valuable information. Because many companies also use Social Security numbers as a password to get into your account, swiping the number from a license or a student ID card gives a person all sorts of access to your life.

TODAY IN SLATE

Jurisprudence

Don’t Expect Adrian Peterson to Go to Prison

In much of America, beating your children is perfectly legal. 

Ken Burns on Why Teddy Roosevelt Would Never Get Elected in 2014

Cops Briefly Detain Django Unchained Actress Because They Thought She Was a Prostitute

Minimalist Cocktail Posters Make Mixing Drinks a Cinch

How the Apple Watch Will Annoy Us

A glowing screen attached to someone else’s wrist is shinier than all but the blingiest of jewels.

Books

Rainbow Parties and Sex Bracelets

Where teenage sex rumors come from—and why they’re bad for parents and kids.

Books

You Had to Be There

What we can learn from things that used to be funny.

Legendary Critic Greil Marcus Measures and Maps Rock History Through 10 Unlikely Songs

Catfish Creator Nev Schulman’s Book Is Just Like Him: Self-Deluded and Completely Infectious

Behold
Sept. 12 2014 5:54 PM An Up-Close Look at the U.S.–Mexico Border
  News & Politics
Jurisprudence
Sept. 14 2014 2:37 PM When Abuse Is Not Abuse Don’t expect Adrian Peterson to go to prison. In much of America, beating your kids is perfectly legal. 
  Business
Moneybox
Sept. 12 2014 5:54 PM Olive Garden Has Been Committing a Culinary Crime Against Humanity
  Life
Inside Higher Ed
Sept. 13 2014 8:38 AM “You’re More Than Just a Number” Goucher College goes transcript-free in admissions.
  Double X
The XX Factor
Sept. 12 2014 4:05 PM Life as an NFL Wife: “He's the Star. Keep Him Happy.”
  Slate Plus
Behind the Scenes
Sept. 12 2014 5:55 PM “Do You Know What Porn Is?” Conversations with Dahlia Lithwick’s 11-year-old son.
  Arts
Brow Beat
Sept. 14 2014 7:10 PM Watch Michael Winslow Perform Every Part of “Whole Lotta Love” With Just His Voice
  Technology
Future Tense
Sept. 12 2014 3:53 PM We Need to Pass Legislation on Artificial Intelligence Early and Often
  Health & Science
New Scientist
Sept. 14 2014 8:38 AM Scientific Misconduct Should Be a Crime It’s as bad as fraud or theft, only potentially more dangerous.
  Sports
Sports Nut
Sept. 12 2014 4:36 PM “There’s No Tolerance for That” Pete Carroll and Jim Harbaugh say they don’t abide domestic abuse. So why do the Seahawks and 49ers have a combined six players accused of violence against women?