Educause Security Discussion mailing list archives

Re: Bare Social Social Security Numbers


From: Keith Schoenefeld <schoenk () UTULSA EDU>
Date: Tue, 28 Mar 2006 09:39:31 -0600

Initially, I had the same concerns you address below about the exposure
of SSNs. The more I thought about it, the more I recognized that based
on the information the SSA provides (and that you cite below), anyone
can create a set of valid SSNs.  Given that, the most anyone could really
glean from this data is some geographic data about where the SSNs were
issued.  I think it would be awfully tough for someone to actually put
names to the SSNs.

On a side note, we had a recent scare on campus where a faculty member
had created an example database using real student names combined with a
set of SSNs, addresses, phone numbers, etc. that were made up.  Students
in the class had exported the information into Excel spreadsheets and
posted it on the web, then a parent doing a Google search for their
child found their child's name in a spreadsheet with an SSN next to it,
and complained to the university immediately (not bothering to check to
see if it was really his/her child's SSN).  We quickly figured out that
it was a bogus database, but the numbers _looked_ real, and it sent some
of the upper level administrators scrambling until we figured out what
was going on.  Does anyone have a university policy about example
databases that will be distributed to students, and a requirement that
they contain only example SSNs that have never, and will never, be
handed out by the SSA?  Please ignore the fact that we likely shouldn't
be teaching students to key the databases using SSNs.

-- KS

H. Morrow Long wrote:
On Mar 27, 2006, at 11:59 AM, Christopher E. Cramer wrote:
.....           Worse than that, since the
1st three digits roughly indicate age and place where the person is born,
you could probably narrow it down quite a bit.

They indicate the state and may clue you as to whether the person was born
before 1972-1973 and as you state they are not very random - for a list of the
state/area codes go to http://www.socialsecurity.gov/employer/stateweb.htm,
for a list of the area codes with the highest two digit codes (group codes)
currently ever assigned in that area code go to
http://www.socialsecurity.gov/employer/highgroup.txt

From the www.ssa.gov website:
.....................................................................
The following is general information about Social Security numbers and
a list which indicates the State and its corresponding area number
used by Social Security when assigning Social Security numbers.

The nine-digit Social Security number is divided into three parts—

· The first three digits are the area number. If your Social Security
number was assigned before 1972 when Social Security cards were issued
by local offices, the area number reflects the State where you applied
for your number. If your number was assigned in 1972 or later when we
began issuing Social Security cards centrally, the area number
reflects the State as determined by the ZIP code in the mailing
address on your application for the number.
· The middle two digits are the group number. It has no special
geographic or data significance but merely serves to break the number
into conveniently sized blocks for orderly issuance.
· The last four digits are the serial number. It represents a straight
numerical sequence of digits from 0001-9999 within the group.

To see the most recent information about the allocation of Social
Security numbers go to SSA’s web site.
.....................................................................

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS
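
Added example, not part of the original thread: a check that an example database export contains only SSN-shaped values that can never be issued, using the area/group/serial split quoted above. The never-assigned ranges (area 000, 666 and 900-999, group 00, serial 0000) are an assumption not stated in the thread, and the function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# SSN-shaped token: area(3) group(2) serial(4), hyphenated or bare,
# not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

def never_issuable(area, group, serial):
    """True if the number cannot be a real SSN.

    Assumption (not stated in the thread): SSA never assigns area 000,
    666 or 900-999, group 00, or serial 0000.
    """
    return (area in ("000", "666") or area >= "900"
            or group == "00" or serial == "0000")

def audit_example_data(csv_text):
    """Return (line, column, value) for each SSN-shaped value that could be real."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, findings = rows[0], []
    for line_no, row in enumerate(rows[1:], start=2):  # header is line 1
        for column, value in zip(header, row):
            for m in SSN_RE.finditer(value):
                if not never_issuable(*m.groups()):
                    findings.append((line_no, column, m.group(0)))
    return findings

def make_example_ssn(n):
    """Deterministic placeholder in never-issued area 000, for seeding class databases."""
    return f"000-{(n // 9999) % 99 + 1:02d}-{n % 9999 + 1:04d}"

# Constructed sample export; names and numbers are made up for this example.
SAMPLE = """\
name,ssn,phone
Student A,000-12-3456,918-555-0100
Student B,123-45-6789,918-555-0101
Student C,666-01-0001,
Student D,900112222,
Student E,123-00-4567,
"""

if __name__ == "__main__":
    for line_no, column, value in audit_example_data(SAMPLE):
        print(f"line {line_no}, column {column}: {value} looks like an issuable SSN")
    print([make_example_ssn(i) for i in range(3)])
```

Run against a file before it is handed to a class, an empty result means every SSN-shaped value is structurally impossible and cannot collide with a real person's number.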
