funsec mailing list archives

Re: Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft


From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 17 Nov 2010 16:08:31 -0800

On Wed, Nov 17, 2010 at 4:04 PM, Jeffrey Walton <noloader () gmail com> wrote:

> On Wed, Nov 17, 2010 at 6:58 PM, Dan Kaminsky <dan () doxpara com> wrote:
>> Did anyone actually read the ruling?
>> They're basically saying a SSN# isn't an identity.
>>
>> Given that SSN#'s aren't actually unique in the population, they're, you
>> know, right.
>
> Expand, please.


http://www.schneier.com/blog/archives/2009/07/social_security.html

Information about an individual's place and date of birth can be
exploited to predict his or her Social Security number (SSN). Using
only publicly available information, we observed a correlation between
individuals' SSNs and their birth data and found that for younger
cohorts the correlation allows statistical inference of private SSNs.
The inferences are made possible by the public availability of the
Social Security Administration's Death Master File and the widespread
accessibility of personal information from multiple sources, such as
data brokers or profiles on social networking sites. Our results
highlight the unexpected privacy consequences of the complex
interactions among multiple data sources in modern information
economies and quantify privacy risks associated with information
revelation in public forums.
===
This is, of course, a direct consequence of (from Wikipedia/SocialSecurity.gov):


The Social Security number is a nine-digit number in the format
"AAA-GG-SSSS". The number is divided into three parts.

The Area Number, the first three digits, is assigned by the
geographical region. Prior to 1973, cards were issued in local Social
Security offices around the country and the Area Number represented
the office code in which the card was issued. This did not necessarily
have to be in the area where the applicant lived, since a person could
apply for their card in any Social Security office. Since 1973, when
SSA began assigning SSNs and issuing cards centrally from Baltimore,
the area number assigned has been based on the ZIP code in the mailing
address provided on the application for the original Social Security
card. The applicant's mailing address does not have to be the same as
their place of residence. Thus, the Area Number does not necessarily
represent the State of residence of the applicant, neither prior to
1973, nor since.

Generally, numbers were assigned beginning in the northeast and moving
south and westward, so that people on the east coast had the lowest
numbers and those on the west coast had the highest numbers. As the
areas assigned to a locality are exhausted, new areas from the pool
are assigned, so some states have noncontiguous groups of numbers.

Complete list of area number groups from the Social Security Administration

The middle two digits are the group number. The group numbers range
from 01 to 99. However, they are not assigned in consecutive order.
For administrative reasons, group numbers are issued in the following
order:

ODD numbers from 01 through 09
EVEN numbers from 10 through 98
EVEN numbers from 02 through 08
ODD numbers from 11 through 99

As an example, group number 98 will be issued before 11.

The last four digits are serial numbers. They represent a straight
numerical sequence of digits from 0001-9999 within the group.

Information from http://www.socialsecurity.gov/history/ssn/geocard.html

On June 25, 2011, SSA will change the SSN assignment process to "SSN
Randomization". SSN randomization will affect the SSN assignment
process in the following ways:

It will eliminate the geographical significance of the first three
digits of the SSN, currently referred to as the area number, by no
longer allocating the area numbers for assignment to individuals in
specific states.

It will eliminate the significance of the highest group number and, as
a result, the High Group List will be frozen in time and can be used
for validation of SSNs issued prior to the randomization
implementation date.

Previously unassigned area numbers will be introduced for assignment
excluding area numbers 000, 666 and 900-999.

===

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
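
Added example, not part of the original post and not SSA code: a structural check for pre-randomization SSNs that encodes the group issuance order and the excluded area numbers quoted in the message above, using a high-group table in the role of the High Group List. The function name, the area number 123 and its high group value are constructed for illustration.

```python
import re

# Group numbers in the order the quoted text says they were issued.
GROUP_ORDER = (
    list(range(1, 10, 2))      # odd 01 through 09
    + list(range(10, 99, 2))   # even 10 through 98
    + list(range(2, 9, 2))     # even 02 through 08
    + list(range(11, 100, 2))  # odd 11 through 99
)
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def check_ssn(ssn, high_groups):
    """Return (ok, reason) for an SSN issued before randomization.

    high_groups maps an area number to the highest group issued for it,
    which is the role the High Group List plays. The table passed in the
    sample below is constructed, not real SSA data.
    """
    m = SSN_RE.match(ssn)
    if not m:
        return False, "not in AAA-GG-SSSS format"
    area, group, serial = (int(p) for p in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False, "area number excluded from assignment"
    if group == 0:
        return False, "group numbers range from 01 to 99"
    if serial == 0:
        return False, "serial numbers range from 0001 to 9999"
    high = high_groups.get(area)
    if high is None:
        return False, "no high group recorded for this area"
    # Compare by issuance order, not numeric value: 98 comes before 11.
    if GROUP_RANK[group] > GROUP_RANK[high]:
        return False, "group not yet issued for this area"
    return True, "structurally plausible"


if __name__ == "__main__":
    sample_high_groups = {123: 98}  # constructed sample table
    for s in ("123-05-1234", "123-98-0001", "123-11-0001", "666-05-1234"):
        print(s, check_ssn(s, sample_high_groups))
```

A pass only means the number fits the issuance pattern described above; it says nothing about whether the number belongs to the person presenting it.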

