Boffins guess social security numbers via public data

Hud Dunlap

you don't need to guess the last four 

Alert

The last four digits are commonly used for security purposes and are on any manner of documents. I am surprised no one has done this before. Lucky for me I got my SSN in a state I wasn't born in. Although a little search on where I grew up would fix that.

John Ryland

last four most often in trash can 

Pirate

yes, the last four are commonly found on most cash register receipts. The irony is that a few years back, the entire SSN was printed on receipts. For "security" purposes, the first 5 are now routinely "x-ed" out and only the last four are printed... how sad.

I am lucky because I am sufficiently old enough that my number does not fit this research.

pirate logo for obvious reasons

alien anthropologist

What is the Real Flaw here? 

Troll

Not a US citizen (from Betelgeuse originally), so not entirely sure how SSNs are used. However...

What is the real problem here? The fact that SSN can be "calculated" to a fair degree of accuracy? Or is it a system that relies on an individual to have a "secret" number for identification?

In most parts of the world, identifying yourself requires some form of government issued paper identification. Not just rambling off a "secret" number as your identification.

Slappy Frogg

Another reminder why SSN as de facto ID is a bad idea 

Just another reminder as to why the use of SSN as a de facto ID was a terrible, terrible idea.

Thank goodness corporate expediency is there yet again ^/sarcasm^

Trokair 1

Stop posting it then 

FAIL

I find it highly irresponsible to SPELL OUT HOW TO STEAL SOMEONE'S SSN. Next they will be publishing the correct method for producing homemade plastic explosives. Idiots.

John Smith 19

plausible ID on demand. 

Joke

Merkins get all the best services ahead of the rest of us.

John Dee

Why guess? 

I was under the impression you could just buy this stuff from various companies / government agencies.

It wasnt me

Easily solved. 

Badgers

What you merkins need is a secure ID card, with a database behind it containing the real information. Let the UK lead the way!

Chris Bradshaw

@ Why guess? 

Boffin

Or just look around while on trains and busses - there's usually a lost CD with 10000+ records on it between the seats somewhere (sometimes it's in the seat pocket).

Greg 10

Completely absurd considerations 

Of course the numbers can be guessed. They never were devised to be hard to compute.

Quite the contrary, it's completely official that the first numbers are just proxies for specific birth information.

Tell us something new.

These pseudo-"researchers" have researched nothing, anyone who spends 20 minutes on this obtains the same results.

The comprehensive stats they give are just the fact that yes, when you've got 10.000 combinations left (4 unknown digits), obviously a thousand tries will yield a rate of success around the 10%.

Completely stupid!

And the real problem, as said by Slappy Frogg, is certainly not the fact the SSN can be found out, but the fact that it's used as a private identification key.

THIS is ludicrous, and the non-work of these non-searchers provides nothing new under the sun.

Anonymous Coward

So what? 

FAIL

Although we don't have SSN's in the UK, we have a whole load of other numbers that are used to identify us to government agencies (NI number for tax, NHS number for health care etc.); but these numbers are rarely used for the purposes of borrowing money.

A number that you give to someone else is not a secret after you've used it once, so you can't expect it to be a secret over the lifetime of the individual. The real failure here is the use of SSN by American financial institutions as "proof of ID".

@Trokair 1 - Security through obscurity? Doesn't work.

Dusty Wilson

Just like Hud Dunlap, my SSN is from a state I wasn't born in. 

Big Brother

Just like Hud Dunlap, my SSN is from a state I wasn't born in. At that time, it was normal (seemingly not anymore!) to wait a few years before worrying about SSN stuff for the kids.

The town I was born in is also the town I graduated high school in and it is also where I currently live. If that's all the info you had, you'd assume that I've lived here my whole life. It just happens that I've lived here for only a few very specific milestones in my life that would seem to throw someone off the track. All coincidence, though. Most of my life has been lived elsewhere, much of it out of state. And I'll almost definitely be married here as I'm engaged at this moment. I just hope I don't die here.

So, does anyone want to play the SSN guessing game with me? :-)

Marky W

Success rates also rise when the researchers got more guesses 

Grenade

"Success rates also rise when the researchers got more guesses"

No.

Shit.

Sherlock.

Anonymous Coward

@Trokair 

Happy

Yes, best not to publish flaws, just to hope no one hasn't already discovered this for illegal means. Let's face it, a government is bound to change a flawed system if nobody knows there is a problem with it. I mean, I'm sure the UK gov was going to insist MPs cleaned up their expenses, and that gov departments would start encrypting data routinely if someone had written a nice letter explaining that the system was wrong.

Sometimes you need a big public outcry to kick the gov into action.

Ed Blackshaw

@Trokair 1 

FAIL

Although I'm not sure I should respond to someone WHO WRITES IN ALL CAPS, the obvious problem here is the use of a number as some sort of secret identifier in the first place. Here in the UK, we have a national insurance number, which is something similar. Nobody in their right mind would think that knowing someone's NI number would mean that you are that person. The use of a SSN for this purpose beggars belief.

Also, as someone who holds two degrees in chemistry, I can assure you that if a person had the desire to make home-made explosives, they wouldn't have any trouble finding the information on the internet. They would, however, be likely to get caught either buying the materials, or testing their products.

Anyway, you seem to be under the false impression that security-through-obscurity works. If you bothered to do a little research before posting idiotic rantings then you would find myriad examples of how it fails.

Ed Blackshaw

@Dusty Wilson 

Joke

Is it 3?

Jason Bloomberg

Grade-A American A-Holes 

FAIL

As noted, the problem isn't that SSN is easy to guess, but that an easy to guess SSN has been used as "proof of ID" and is in widespread use as such.

I guess someone chose to use SSN simply because "every American has one" without thinking it through. SSN's don't even have a checksum that I can see.

Dusty Wilson

SSN is not a reasonable "secret" code 

Happy

@Ed Blackshaw: Well, if you were guessing only one of the digits then you'd be correct. Of course it might be in there more than once.

And to make it more difficult, I only lived in the "SSN State" for an extremely short length of time. I can count the number of people that know which state that is and when it was on one hand. Of course if I was really worried about someone guessing my first five digits, I would have omitted that info completely as they could now (if they knew more info) omit several states from the potential list.

SSN was not intended for this nonsense. If they issued such things these days maybe they'd have used UUID? (FYI: UUID is *not* secure for secrets either, just much longer and more complex.)

The Commenter formally known as Matt

@Ed Blackshaw 

Joke

Oh, I'm guessing 7

Gabor Laszlo

PKI 

FAIL

Time to start issuing people PGP keys at birth, hmm? Where's the D'oh! icon?

Matt Hadfield 1

and don't forget UK driving licences and NI too. 

Nothing out of the ordinary here, government id is usually trivial to crack.

UK driving licence numbers have your whole date of birth in it, always makes me laugh.

And to make it easy to tell men and women apart by ID number they increment the first digit of the month by 5 for women.

Means that if you can get a look at that *girl* at the bar you can check she wasn't born a dave or barry.

NI is harder from the outside, but from my NI number you can work out that of my siblings.....

Why do we have these government ID's again?

regadpellagru

what is the problem?

Paris Hilton

As many others have stated, what is the problem here? It all depends on the processes that need to have these inputs. In my personal case, I don't mind at all, since those processes are limited to, very unlikely, getting a doctor consultation in my name!

Here is mine, pls don't censor it, El Reg, I'm taking full responsibility for giving it away:

1691201283454

1 means I'm male, great news.

69 means I'm born in 1969.

12 means I'm born in December.

01 means I'm born in a particular French department (the first one, pls guess).

The rest I'll leave to town hall secretaries' discretion.

If anyone here happens to have a clue how to do anything bad with it, on top of the above, don't hesitate! I'd be glad to report any bank account problem, or tax amount leaks or anything else!

Paris icon, since she also gave away a lot of clues on her personal life.
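An added example, not part of any comment in the thread: it splits the number in regadpellagru's comment into the fields he lists and counts how many candidates remain once the guessable fields are known, which is the same arithmetic Greg 10 applies to four unknown SSN digits. The field widths come from that comment; the name `rest` for the six unexplained digits, the `2 = female` mapping and the uniform-guess model are assumptions of this example.

```python
# Added illustration, not from the thread. Field widths follow the comment
# above: sex, birth year, birth month, department, then six digits the
# commenter leaves unexplained (called "rest" here, a hypothetical name).
NIR_LAYOUT = (("sex", 1), ("year", 2), ("month", 2), ("department", 2), ("rest", 6))
SAMPLE = "1691201283454"  # the number quoted in the comment above


def decode(number, layout=NIR_LAYOUT):
    """Split a fixed-width numeric identifier into its named fields."""
    digits = number.replace(" ", "").replace("-", "")
    width = sum(w for _, w in layout)
    if not (digits.isascii() and digits.isdigit()) or len(digits) != width:
        raise ValueError(f"expected {width} digits")
    fields, pos = {}, 0
    for name, w in layout:
        fields[name] = digits[pos:pos + w]
        pos += w
    return fields


def describe(fields):
    """Attributes readable straight off the number, per the comment."""
    month = int(fields["month"])
    if not 1 <= month <= 12:
        raise ValueError("month field out of range")
    return {
        "sex": {"1": "male", "2": "female"}.get(fields["sex"], "unknown"),
        "birth_year_2digit": fields["year"],  # the century is not encoded
        "birth_month": month,
        "department": fields["department"],
    }


def residual_space(layout, known):
    """Candidates left once the fields named in `known` are already public."""
    space = 1
    for name, w in layout:
        if name not in known:
            space *= 10 ** w
    return space


def success_rate(tries, space):
    """Chance that `tries` distinct guesses hit one value, assuming uniform odds."""
    return min(1.0, tries / space)


if __name__ == "__main__":
    print(describe(decode(SAMPLE)))
    print(residual_space(NIR_LAYOUT, {"sex", "year", "month", "department"}))
    print(success_rate(1000, 10 ** 4))  # Greg 10's case: four unknown digits
```

Seven of the thirteen digits restate facts that appear on a birth record, so the number carries at most six digits of anything resembling a secret.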

David W.

@John Ryland 

FAIL

And apparently you're also old enough to not know the difference between a SSN and a credit card number....

Ken Hagan

Re: what is the problem? 

I find it quite stunning that a society so fond of litigation should have so many businesses happy to "confirm" identity with SSNs. If they just said "OK, so you know the guy's name, you're obviously him." then the resulting legal onslaught would make Desert Storm look like a walk in the park. But apparently using SSNs is OK. Does US law have no notion of negligence?

It is truly *very* strange.

Dan 21

Here's the real problem: 

Grenade

Birth certificates are public records. For about $10 USD, anyone can get an "Original" copy of anyone's birth certificate.

Birth certificate + knowledge of the SSN + a utility bill (easily faked) is enough information for a state ID card. The picture will be of the person who presents the documentation.

A state ID card, + knowledge of the SSN is enough to order a replacement SS card.

A SS card + Photo ID is enough information to get a mortgage, credit card, or passport in the name of the victim.

But SSNs are easy to come by, anyway. Just run a fake website offering employment services, and indicate that a SSN is required for all applications "To verify employment eligibility." If you make pages that parse like employment offers, all the major recruiting websites will link to you.

Peter Kay

@Matt Hadfield 

Not true - the driving license number details how the state sees someone now, not how they were born.

If someone has gone through a complete sex change, a change of passport etc is included. I suspect driving licenses are also affected.

Ian Porter

30% is easy, want an iPhone? 

Black Helicopters

Well if the SSN is nine digits and the population of the USA is a conservative 300 million then you have a 30% chance of guessing a correct SSN with no effort at all. How long is it before they recycle numbers (of the deceased), could it be that you have an even higher than 30% chance?

By comparison, I seem to remember some time ago that a British Gas customer alphanumeric reference number was sufficiently long enough to have more combinations than the number of atoms in the universe.

Wasn't there a big hoo-ha when Apple got slated for demanding a person's SSN in order to buy an iPhone?

druid

This doesn't amount to anything... 

The SSN is nine digits, not five. The first three are in known sets for each state, the fourth and fifth numbers are 01-99. If there is any ingenuity, it is figuring out how those last two digits are guessed, assuming they aren't assigned by date. Lastly, and as already noted, there are nine digits, so guessing the first five really is not what the title of this article implies.

John Ryland

mistaken 

Paris Hilton

Oh, how stupid I can be at times. David W is correct. Receipts have the last 4 credit card numbers, not SSN.

Paris Hilton, because it seems I take lessons from her.

Anonymous Coward

use mine, use mine, oh please oh please 

Unhappy

078-05-1120

Oh, and

> How long is it before they recycle numbers (of the deceased), could it be that you have an even higher than 30% chance?

At the present rate? A really long time. See www.ssa.gov. The system will probably run out of money before it runs out of numbers.