APG-L Archives

Archiver > APG > 2009-07 > 1247041497


From: "Richard A. Pence" <>
Subject: Re: [APG] APG Digest, Vol 4, Issue 412 (Social Security Numbers)
Date: Wed, 8 Jul 2009 04:24:57 -0400
References: <187050.7580.qm@web31608.mail.mud.yahoo.com>


Sorry, Ray. Don't know what you read, but the article appearing in _The
Proceedings of the National Academy of Science_ entitled "Predicting Social
Security Numbers From Public Data" clearly - very clearly - says they can
"guess" the Social Security number of a living person based on his birth
date and place of birth.

The authors, in their Executive Summary, state, "we show that it is possible
to predict individual SSNs simply from publicly available data. Based on
observation of issuance patterns in . . . a public database . . . , we were
able to use information about an individual's date and state of birth to
predict narrow ranges of values likely to contain that individual's SSN."

The "public database" is the SSA's Death Master File aka the Social Security
Death Index.

I didn't read the entire article, but I didn't find anything like what you
say you saw in your technical publication when I read the Executive Summary
or the Abstract.

If I can find a copy of the study in something other than pdf, which is
impossible for me to read with my bad eyes, I'll wade through it. Frankly,
based on what I have seen so far, claims are made that simply can't be
supported, especially for person born prior to about 1970.
Richard
----- Original Message -----
From: "Ray Beere Johnson II" <>
To: "APG Posting" <>
Sent: Tuesday, July 07, 2009 10:03 PM
Subject: Re: [APG] APG Digest, Vol 4, Issue 412 (Social Security Numbers)


>
> Gladys;

> --- On Tue, 7/7/09, Gladys Paulin <> wrote:
>> You did not read the article carefully. As Joy Rich pointed out, the
>> study uses information in the index such as date of birth, state of
>> issue, and numerical portions indicating place of issue, along with
>> otherwise available public information, to calculate a probable social
>> security number of living persons to be used for identity theft.
>>
>> The link in the news article will take you to a site which has the
>> entire paper in a free downloadable .pdf file.
>
> I didn't read the article mentioned on this list at all - since I'd
> already read a detailed article on the issue from the computer security
> perspective. However, I don't need to read the article to understand that,
> if it says what you suggest, it is wildly inaccurate. (That is one reason
> I only read articles on issues of this type which appear in technical
> sources.)
> Every date of birth, state of issue, etc. listed in the SSDI is a data
> point for someone who is _already dead_. Those data points cannot be used
> to calculate a probable SSN for a living individual. What they _can_ be
> used for is a comparison with the SSNs they are matched with. That type of
> analysis, repeated enough times, reveals a _pattern_.
> Then, the hypothetical would-be identity thief would apply that
> pattern to data points relevant to living individuals. The article I
> read - and I believe the original study - mentioned Facebook as one
> possible source of these data points. They would then use the algorithm
> generated from analysing the SSDI to calculate a probable number for that
> living individual. And, as I noted earlier, there is some reason to doubt
> that this process would be as efficient as simply stealing data from
> financial institution computers. It is really more a "proof-of-concept"
> study than an exploit crackers appear to be using in real life.
> Ray Beere Johnson II
>
>
>
>
>
>
>
>
>
> .
>
> -------------------------------
> To unsubscribe from the list, please send an email to
> with the word 'unsubscribe' without the quotes in
> the subject and the body of the message

This thread: