Quick, guess my SSN!
This is wonderful. Algorithmically generating SSNs based on birth date and place is kind of feasible:
The accuracy of these algorithms is positively disturbing. Using a separate pool of data from the Death Master File, the authors were able to get the first five digits right for seven percent of those with an SSN assigned before 1988; after that, the success rate goes up to a staggering 44 percent. For a smaller state, like Vermont, they could get it right over 90 percent of the time.
Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate.
That may still seem moderately secure if it weren’t for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute.
I predict someone will make a Facebook app out of this and trick people into giving out their SSNs (“why yes, that is my SSN!”).