Last week the Internet shark that processes my student loans changed its online payment provider, requiring me to create a new account on some other Web site for some goddamn reason. Of course the thing asked me for my User ID and Password first — things which I didn’t actually have since the site is brand new.
So I click on the Forgot User ID or Password? button to have the site email me my login information.
Two minutes later I find out that my default password is a random smattering of numbers (yay student loan company!) but my default User ID is my social security number (boooooooooo student loan company!).
SSNs are notoriously bad security devices. They are easily stolen since every American has been forced to hand that information over to credit card companies, DMVs, hospitals, universities, employers, and many other institutions typically run by idiots.
And if the Washington Post is to be believed, that’s not even the worst of it. Turns out that a reasonably sophisticated software program could actually GUESS your social security number based only on your date and place of birth:
The Social Security number’s first three digits — called the “area number” — are issued according to the Zip code of the mailing address provided in the application form. The fourth and fifth digits — known as the “group number” — transition slowly, and often remain constant over several years for a given region. The last four digits are assigned sequentially.
As a result, SSNs assigned in the same state to applicants born on consecutive days are likely to contain the same first four or five digits, particularly in states with smaller populations and rates of birth.
Using only birth-related information in the so-called Death Master File, researchers at Carnegie Mellon were able to guess the first five digits of the SSN for 44% of dead people born after 1988 on the first try. They were able to guess all nine SSN digits for the same group 8.5% of the time in less than 1,000 attempts — an effort that would take only fractions of a second using a software program.
Most thieves wouldn’t even have to get all nine, since the only digits unique to you are passed around like blame at a congressional hearing:
Linda Foley, founder of the Identity Theft Resource Center, a San Diego based nonprofit, cited another potential problem. She said many businesses errantly rely upon or have moved to redact all but the last four digits of a person’s SSN, the very digits that are most unique to an individual.
“Because of the way the SSN has been designed, asking for the last four numbers of the SSN puts people at risk because those are the only numbers that are unique to you and cannot be guessed easily by someone who might want to use your identity,” Foley said.
The Carnegie Mellon research has some — including the Social Security Administration — calling for private business to stop using the number as an authentication number. Companies resist this because it will cost money — plus consumers don’t want to have to remember dozens of totally random numbers for each bank or other account. I think the answer is to let people create their own authentication numbers in whatever sequence or language they like and then use that everywhere. Mine would be “serendipity” only the e’s would be made of dolphins and there would be a rainbow from the s to the y. Just like my lower back tattoo.
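The structure the Post describes (area, group, serial) and the fix the post argues for (give people an identifier that is not their SSN) can both be checked in code. The Python below is an added example, not code from this post, the loan company, or the Carnegie Mellon researchers: it encodes the SSA's published structural rules for a valid SSN (an assumption taken from SSA documentation, not from the article), flags account records whose login ID is an SSN, and reissues those accounts an opaque random identifier; the sample records are constructed.

```python
import re
import secrets

# Structural rules for an SSN, encoded from the SSA's published format (an
# assumption of this example, not something the post states): three-digit
# area 001-899 excluding 666, two-digit group 01-99, four-digit serial
# 0001-9999. The named groups follow the post's terms: area, group, serial.
_SSN_RE = re.compile(r"^(?P<area>\d{3})-?(?P<group>\d{2})-?(?P<serial>\d{4})$")


def looks_like_ssn(identifier: str) -> bool:
    """True if `identifier` is structurally a valid SSN, with or without dashes."""
    m = _SSN_RE.match(identifier.strip())
    if not m:
        return False
    area, group, serial = int(m["area"]), int(m["group"]), int(m["serial"])
    return 1 <= area <= 899 and area != 666 and 1 <= group <= 99 and serial >= 1


def audit_user_ids(records: list[dict]) -> list[str]:
    """Names of accounts whose login ID is an SSN; these should be reissued."""
    return [r["account"] for r in records if looks_like_ssn(r["user_id"])]


def issue_opaque_user_id(nbytes: int = 8) -> str:
    """A random login identifier that carries no personal information."""
    return secrets.token_hex(nbytes)


def remediate(records: list[dict]) -> list[dict]:
    """Copy of `records` with every SSN login ID replaced by an opaque one."""
    fixed = []
    for r in records:
        new_id = issue_opaque_user_id() if looks_like_ssn(r["user_id"]) else r["user_id"]
        fixed.append({**r, "user_id": new_id})
    return fixed


# Constructed sample account records (hypothetical; not real people or numbers).
SAMPLE_RECORDS = [
    {"account": "alice", "user_id": "123-45-6789"},        # SSN used as login ID
    {"account": "bob",   "user_id": "a7f3c9e1d2b40085"},   # already opaque
    {"account": "carol", "user_id": "666-12-3456"},        # SSN-shaped, area 666 never issued
    {"account": "dave",  "user_id": "987-65-4321"},        # area above 899 never issued
    {"account": "erin",  "user_id": "321549876"},          # SSN written without dashes
]

if __name__ == "__main__":
    print("accounts using an SSN as login ID:", audit_user_ids(SAMPLE_RECORDS))
    print("after remediation:", audit_user_ids(remediate(SAMPLE_RECORDS)))
```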
Researchers: Social Security Numbers Can Be Guessed [Washington Post]