My SSN is showing?

February 6th, 2007 by mb

I got an e-mail earlier this week from a financial web site. The e-mail displayed the last 4 digits of my U.S. social security number. Presumably, they didn’t show the entire number for security reasons, but I wondered how secure that really is to show even the last 4 digits. Can someone easily guess my full SSN with just the last 4 digits?

After a bit of research (without going into any real statistics), it turns out that recovering those first five digits probably isn't that hard, especially if someone knows a little bit about you. As the Social Security Administration explains, the first three digits of a Social Security number (the area number) correspond to the place it was issued, and the next two digits (the group number) are assigned within each area in a fixed but non-consecutive order: odd 01 through 09, then even 10 through 98, then even 02 through 08, then odd 11 through 99. Because groups are exhausted in that predictable sequence, the area and group together also hint at the year the number was issued.
So although there are five digits to recover, there are nowhere near 100,000 possibilities. If you know the state the person was born in, that narrows the first three digits to a handful of area numbers. If you know their approximate age, you can probably guess the next two digits to within a few groups using published tables such as the SSA's monthly high-group list. In fact, if you had SSNs belonging to other people from the same state issued around the same time, you could narrow it down fairly well.
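To make that narrowing concrete, here is an added example in Python (not code from the original post) that models the pre-2011 assignment scheme: the group-number issuance order, the structural validity rules, and an enumeration of the first five digits consistent with a known state and a high-group list. The area-number table is only an excerpt covering six New England states, and the high-group values are constructed for the example rather than taken from an SSA list. One caveat: the SSA switched to randomized assignment in June 2011, so this structure applies only to numbers issued before then.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not from the original post: model the pre-2011 SSN
# assignment scheme to see how small the search space for the first five
# digits is once the last four are known.
#
# Caveat: the SSA moved to randomized assignment in June 2011, so this
# structure only holds for numbers issued before that date.

# The SSA issued group numbers (digits 4-5) within each area in this fixed,
# non-consecutive order: odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (
    [f"{g:02d}" for g in range(1, 10, 2)]
    + [f"{g:02d}" for g in range(10, 99, 2)]
    + [f"{g:02d}" for g in range(2, 9, 2)]
    + [f"{g:02d}" for g in range(11, 100, 2)]
)
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}

# Excerpt of the pre-2011 area-number allocation (digits 1-3) for a few
# New England states; consult the SSA's published list for the rest.
AREA_BY_STATE = {
    "NH": range(1, 4),     # 001-003
    "ME": range(4, 8),     # 004-007
    "VT": range(8, 10),    # 008-009
    "MA": range(10, 35),   # 010-034
    "RI": range(35, 40),   # 035-039
    "CT": range(40, 50),   # 040-049
}

# Constructed sample of a "high group" list (highest group issued so far in
# each area).  The SSA published the real list monthly; these values are
# made up for the example.
SAMPLE_HIGH_GROUPS = {"001": "98", "002": "02", "003": "05"}


def group_rank(group: str) -> int:
    """Position of a two-digit group number in the SSA issuance order."""
    return GROUP_RANK[group]


def groups_issued_through(high_group: str) -> List[str]:
    """All groups already issued in an area whose current high group is high_group."""
    return GROUP_ORDER[: group_rank(high_group) + 1]


def groups_between(low: str, high: str) -> List[str]:
    """Groups issued between two points in time, e.g. the high group around
    the target's birth year and the high group a few years later."""
    lo, hi = group_rank(low), group_rank(high)
    if lo > hi:
        lo, hi = hi, lo
    return GROUP_ORDER[lo : hi + 1]


def is_plausible(ssn: str) -> bool:
    """Reject structurally invalid SSNs under the pre-2011 rules:
    area 000, 666 or 900-999, group 00, serial 0000."""
    if len(ssn) != 9 or not ssn.isdigit():
        return False
    area, group, serial = int(ssn[:3]), ssn[3:5], ssn[5:]
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != "00" and serial != "0000"


def candidate_prefixes(state: str, high_groups: Dict[str, str],
                       group_window: Optional[Tuple[str, str]] = None) -> List[str]:
    """Enumerate plausible first-five-digit prefixes for someone from `state`.

    high_groups maps area -> highest group issued so far.  group_window, if
    given, is a (low, high) pair of groups derived from the target's
    approximate age; only groups issued inside that window are kept.
    """
    allowed = set(groups_between(*group_window)) if group_window else None
    prefixes = []
    for area_num in AREA_BY_STATE[state]:
        area = f"{area_num:03d}"
        if area not in high_groups:
            continue  # area unused so far, or missing from our table
        for group in groups_issued_through(high_groups[area]):
            if allowed is None or group in allowed:
                prefixes.append(area + group)
    return prefixes


def candidate_count(last4: str, state: str, high_groups: Dict[str, str],
                    group_window: Optional[Tuple[str, str]] = None) -> int:
    """Number of full SSNs still consistent with the known last four digits."""
    return sum(1 for p in candidate_prefixes(state, high_groups, group_window)
               if is_plausible(p + last4))


if __name__ == "__main__":
    n = candidate_count("1234", "NH", SAMPLE_HIGH_GROUPS)
    print(f"NH, age unknown: {n} candidates instead of 100000")
    n = candidate_count("1234", "NH", SAMPLE_HIGH_GROUPS, group_window=("07", "12"))
    print(f"NH, group window 07-12: {n} candidates")
```

With the constructed high-group list, knowing only the state cuts the space for a New Hampshire number from 100,000 prefixes to about a hundred, and a four-group window from an approximate birth year leaves single digits. Each remaining candidate is then something an attacker can test one at a time against death records or a verification service, which is the point of the post.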

Next, you would narrow the possibilities further by eliminating invalid numbers (area 000, 666 or 900 and above, group 00, serial 0000) and numbers belonging to people who are already dead, which the SSA's Death Master File makes public. Finally, the Social Security Administration, as well as many other web sites, offers online verification of SSNs. And who knows, even a Google search might eliminate a few possibilities.

Of course, with all the thefts of public-record databases we have seen, a smart attacker could use a collection of stolen SSNs to make the whole process quite efficient. I'm sure, given how many applications store SSNs, that it wouldn't be too hard to build up your own database.

So no, it probably isn't secure to send the last four digits of an SSN over an insecure medium such as e-mail. The entire number is a secret. You might be able to use the last four digits to partially identify a user by having them provide those digits to you, but you shouldn't be the one giving them out.

This is a bit off the subject, but it shows that there is a definite need to rethink how we identify ourselves.


Posted in Application Security, Privacy

One Response

  1. Rev Says:

    The last four digits of an SSN are every Social Engineer's "Golden Ticket". Many companies use the last four digits of your SSN as their primary means of authentication. Even if an account with a utility company or other service provider has been password protected, company reps are often sympathetic to customers who "can never remember all of their passwords". The information contained in this email alone may have been enough for an attacker to gain access to your account, considering they would now know not only the last four digits of your SSN, but also the name of your financial institution and, I would assume, your first and last name (which would be trivial to obtain if not included).
