
Up until recently I was under the impression that the social security number was insufficient information to perform identity theft, and that in practice you will at least need the victim's SSN and name.

However, recent events and stories have made me start questioning this assumption. Is knowing only the social security number sufficient enough for someone to steal an identity? Would it be possible (or realistic) if you also took into account potential social engineering attacks, presumably against state agencies, which could reveal additional private information through leveraging the known SSN?

Anders
Moses

1 Answer

Absolutely!

The thing to remember is that a social engineering attack, when played out well, can be successful given no personal information other than a name or a role or a position.

The more information an attacker knows about a target, the easier it is for them to build a convincing scenario, but SSNs are trusted as a key piece of your identity in the US, so they are very vulnerable.

Rory Alsop
  • But theoretically, if there were an SE vector, couldn't someone just start guessing arbitrary SSNs (while following the typical structure for state/age/regions) to just steal a massive amount of data? – Moses Nov 07 '12 at 19:11
  • Yes. The variable is how difficult an attack is. With just one piece of information you would need a lot of work to persuade staff to divulge other info. If you already have enough to be convincing it gets much easier. – Rory Alsop Nov 07 '12 at 19:13
  • The trick is that you usually need to know the person's name and SSN as a minimum, and often a date of birth too. As such, randomly guessing SSNs doesn't really make much sense. – Polynomial Nov 07 '12 at 22:14