Tax season in the United States is ramping up, and it reminded me of something I learned about recently.
Social Security Numbers are ‘hackable’.
They may seem like a random collection of nine digits (which would give roughly 1 billion possibilities per citizen), but they are far from random.
There’s a pattern that they are designed to, and learning some key information about a person makes it much easier to figure out their SSN.
The format is XXX-XX-XXXX. The first three digits map to the state the person was born in, and the middle two correspond generally to the year of their birth (it’s called group number).
With the explosion of social media, a criminal trying to snag your SSN might easily learn your DOB and state and city you were born in. With a good idea of the first five digits, they only have to guess from 10,000 possible combinations for the last four. But it may not even be that hard.
A few years ago, some researchers found that they could develop a guessing algorithm based on the publicly available “Death Master File” which the government maintains. When guessing SSNs of individuals from smaller states, they achieved a success rate over 90%.
But criminals don’t even need to be clever enough to put together an algorithm like that. They can potentially call or email their victim, and request the last four digits while posing as a financial institution. Or they can obtain a list of the last four digits for a whole slew of people if they can hack into some databases… because the laws regulating the storage of PII (Personally Identifiable Information) don’t consider the last four digits of your SSN to be sensitive information. So almost anyone who stores those values does not encrypt them.
So take care of your personal data. Your credit will thank you later.