12

453.7 million social security numbers have been issued to date. There are only 1 billion = 1000 million distinct 9 digit integers. This means that if I were to make up any 9 digits, I would have roughly a 45% chance of guessing someone else's valid social security number.

With that said, is it fair to say that if a criminal has nothing but your social security number (i.e. they don't have your name, they don't know when you were born, they know nothing about you) it is in fact useless as a means to commit identity theft or other fraud?

Anders
jake192
  • 3
    YES. Same goes with credit card numbers. You can generate a list of valid card numbers if you know the algorithm. But without other information like CVC and expiry date, it is practically useless. – Question Overflow Sep 11 '14 at 01:43
  • 1
    @QuestionOverflow: Though to be fair, credit cards are a rather bad example. The extra "security" information on credit cards is pretty much as poor as it can be. The CVC is 3 digits, and expiry dates are one of 60 possible choices. Generating random CC numbers is still not something I would want to try (for obvious reasons, being illegal and such), but it's very feasible compared to other things which don't grant "free access to unlimited money". – Damon Sep 11 '14 at 08:33
  • 1
    @Damon, there is nothing illegal about generating CC numbers. The Luhn algorithm is [public information](http://en.wikipedia.org/wiki/Luhn_algorithm) and there are _several_ websites that help you [generate CC numbers](https://www.google.com/search?q=generate+credit+card+numbers) for testing purposes. You are correct to say that there are only limited (60,000-600,000) permutations of expiry dates and CVC numbers. Granted, any competent card issuing bank would implement security measures to detect such brute-forcing activities and block the card account. – Question Overflow Sep 11 '14 at 08:48
  • There is a really good podcast show about that: http://www.social-engineer.org/podcast/episode-008-the-social-engineering-zero-day-revealed/ – user857990 Sep 11 '14 at 11:57

2 Answers

3

Please remember that SSN numbers are NOT random. They include data like where it was issued, and what year it was issued. This might not be hard data, but it can be used to infer data about the person it was issued to.

http://www.ssa.gov/history/ssn/geocard.html

http://www.stevemorse.org/ssn/ssn.html

http://en.wikipedia.org/wiki/Social_Security_number#Structure

Pre-2011:

The number is divided into three parts: the first three digits, known as the area number because they were formerly assigned by geographical region; the middle two digits, known as the group number; and the final four digits, known as the serial number.

While the number in complete isolation is not useful, you can leverage it with other info.

Not to mention that it is used for identification for other means (like employers, health insurance, banks, etc.)

schroeder
  • Same with CA license plates sequential as well. I often compare my car's condition with the other car if our range is close. – Sun Sep 15 '14 at 19:40
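
As an added example (not part of the original answer or its comments): a small Python parser that splits an SSN into the area, group and serial fields quoted above and flags values that can never have been issued, which is the kind of check a data-loss-prevention rule or input validator uses to cut false positives. The never-issued ranges (area 000, 666 and 900-999, group 00, serial 0000) are SSA rules not stated on this page, and all sample strings are constructed.

```python
import re
from typing import NamedTuple, Optional

# Fields stay strings: a leading zero is significant, so an SSN is not an integer.
SSN_RE = re.compile(r"([0-9]{3})-?([0-9]{2})-?([0-9]{4})")


class SSNParts(NamedTuple):
    area: str    # first three digits
    group: str   # middle two digits
    serial: str  # last four digits


def parse_ssn(text: str) -> Optional[SSNParts]:
    """Split 'AAA-GG-SSSS' or 'AAAGGSSSS' into its three fields, else None."""
    m = SSN_RE.fullmatch(text.strip())
    return SSNParts(*m.groups()) if m else None


def never_issued_reason(parts: SSNParts) -> Optional[str]:
    """Return why the value cannot be a real SSN, or None if it is plausible."""
    area = int(parts.area)
    if area == 0 or area == 666 or area >= 900:
        return "area number is never assigned"
    if parts.group == "00":
        return "group 00 is never assigned"
    if parts.serial == "0000":
        return "serial 0000 is never assigned"
    return None


def issuable_space() -> int:
    """Count 9-digit strings that pass the structural rules above."""
    areas = sum(1 for a in range(1, 900) if a != 666)   # 001-899 minus 666
    return areas * 99 * 9999                            # groups 01-99, serials 0001-9999


def hit_rate(issued: float) -> float:
    """Chance that a structurally plausible guess matches an issued number."""
    return issued / issuable_space()


if __name__ == "__main__":
    # Constructed sample inputs, not real records.
    for s in ["123-45-6789", "000-12-3456", "666-12-3456", "912345678", "123-00-4567"]:
        p = parse_ssn(s)
        print(s, "->", p, never_issued_reason(p) if p else "not an SSN pattern")
    print(issuable_space(), round(hit_rate(453.7e6), 3))
```

With the 453.7 million figure from the question, the structural rules shrink the denominator from one billion to about 889 million, so a guess that passes them matches an issued number about 51% of the time.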
-1

Yes.

Justification: there are 10^9 possible Social Security Numbers (for those outside the United States, a US Social Security Number, aka SSN, is a string of nine characters drawn from the set 0-9, generally formatted as XXX-XX-XXXX). Despite its name, it should not be treated as a number, since '0' is a valid first character.

So yes, given that there have been about 450 million SSNs already issued of the possible billion, there is indeed roughly a 45% chance that any random string of nine digits will be somebody's SSN. The point here is that a bad guy has no way of knowing whose SSN he has just concocted, and so wouldn't be able to do anything useful with that random number.

However, this is not an argument to say that you should not treat your Social Security Number as a sensitive piece of information, if only because many organizations that should have known better have used it as the primary key for identifying you in their systems. And so if one of those organizations is compromised, so are all the others.

Dave Mulligan
  • 1
    To build on the last paragraph; Organizations that use the SSN in addition to credit card companies: Motor Vehicle Offices, Universities, Utility companies, Banks, any Job application. Just having the SSN is fairly useless, start adding info like POB, DOB, etc can get you into a lot of trouble. And most of that information is on Facebook. – RoraΖ Sep 11 '14 at 11:40