SSN Chickens Come Home to Roost

As I've written before, I was a Social Security number resister as long as I could be -- until I finally got my first job after graduating from high school.

Today's Washington Post reminds me of another reason why using SSNs as de facto national ID numbers is not such a good idea. Researchers at Carnegie Mellon University found that it is not too hard to guess someone's complete SSN from public information, particularly if the person was born after 1988 and is from a smaller state.

Why? Because the first three numbers are assigned based on the zip code provided with the application, while the fourth and fifth are the same for all the people in the same region over a period of time. The last four digits are consecutively assigned as the applications come in.

And starting in 1988 the IRS required every taxpayer to provide an SSN for all claimed dependents (i.e., children), so numbers are now applied for at birth -- so all the records of who was born where and when are available to the public to use in guessing SSNs.

As I suspected -- even before it was confirmed by an expert at the end of the article -- the increasingly common practice of unmasking the last four numbers of the SSN on web forms and paperwork is completely stupid, since those four numbers are actually the part that is most worth protecting, since they are the hardest to guess.

But I suppose it's not fair to blame the chickens.

_________

Note: The full study can be downloaded here.