Researchers at Carnegie Mellon University report that they can sometimes guess a person's Social Security number, and the press goes nuts. This is actually a good thing (the press going nuts, that is).
Maybe, though not likely, the chaotic din will result in the rules being changed so that they actually protect us from SSN-based identity theft.
The research is solid, but not all that surprising for many in the security community.
It turns out that the Social Security Administration has gone about the business of assigning SSNs in a way that is only ideal for the original purpose of the SSN -- an unimportant taxpayer identifier. The Social Security Administration could have been assigning SSNs randomly, as many people assumed, but it has not. Instead, SSNs have been assigned according to a rigid formula, so that your SSN is guessable by anyone who knows when and where you were born. How guessable it is depends mostly on the population of the state you were born in and on when you were born.
Guessability is highest for people born between 1989 and about 2003 in states with smaller populations, but it is not zero for anyone else.
In two ways this research would not have succeeded without the help of the U.S. government. First, National Science Foundation and Army Research Office grants supported the researchers, and second, a U.S. government document meant to reduce credit card fraud provided key data in a way that will facilitate ID theft.
The U.S. government publishes a macabrely named "Death Master File" that contains information about people who have died. In particular, it contains the name, dates of birth and death, zip code of last residence and SSN of a whole lot of dead people. This is much more information than is needed for the stated purpose -- telling banks which SSNs belong to dead people (a bare list of SSNs would do that). The extra information is useful to genealogists, but also to people who want to guess your SSN. See the paper for the details.
What was not covered well in the press is that, in many cases, the researchers were able to guess the first five digits of an SSN in a single try. This is more than a bit of a worry, because an SSN masked to show only the last four digits is not considered confidential information (see here, for example). The very same four digits that the researchers found were the hardest to guess can be found all over the place.
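The practical consequence of that last point is that "last four only" fragments deserve the same handling as a full SSN in logs, exports and chat transcripts. The following scanner is an added example, not code from the article or from the Carnegie Mellon paper: it flags both full dashed SSNs and the common masked forms that expose only the serial number, and it applies the SSA's published never-issued ranges (area 000, 666 and 900-999, group 00, serial 0000) to separate real-looking numbers from obvious test fixtures. The log lines are constructed for the example; the SSN 123-45-6789 in them is a placeholder.

```python
import re
from dataclasses import dataclass

# Full SSN in the usual dashed form, e.g. 123-45-6789 (area-group-serial).
FULL_SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Masked SSN where only the last four digits survive: ***-**-6789 or
# XXX-XX-6789, plus phrasings such as "last four of your SSN: 6789"
# and "SSN ending in 6789". Exactly one capture group matches per hit.
LAST_FOUR_RE = re.compile(
    r"(?:[*Xx]{3}-[*Xx]{2}-(\d{4})\b)"
    r"|(?:last\s+(?:four|4)\s+(?:digits\s+)?(?:of\s+)?(?:your\s+)?ssn\D{0,8}(\d{4})\b)"
    r"|(?:ssn\s+ending\s+(?:in\s+)?(\d{4})\b)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str                  # "full_ssn" or "last_four"
    last_four: str             # the serial number, the part the paper found hardest to guess
    line_no: int
    structurally_valid: bool   # False when the number falls in an SSA never-issued range


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str) -> list:
    """Return every full or last-four SSN exposure found in the text, per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in FULL_SSN_RE.finditer(line):
            area, group, serial = m.groups()
            findings.append(
                Finding("full_ssn", serial, line_no,
                        ssn_structurally_valid(area, group, serial))
            )
        for m in LAST_FOUR_RE.finditer(line):
            serial = next(g for g in m.groups() if g)
            # A masked fragment carries no area/group to validate; treat it as live data.
            findings.append(Finding("last_four", serial, line_no, True))
    return findings


def summarize(findings: list) -> dict:
    """Counts by kind, plus how many full SSNs are in never-issued ranges."""
    counts = {"full_ssn": 0, "last_four": 0, "structurally_invalid": 0}
    for f in findings:
        counts[f.kind] += 1
        if not f.structurally_valid:
            counts["structurally_invalid"] += 1
    return counts


# Constructed sample lines for the example; no real log data.
SAMPLE_LOG = """\
2009-07-14 10:02:11 support-portal user=jdoe verified identity, SSN ending in 4821
2009-07-14 10:05:43 hr-export record=17 ssn=123-45-6789 status=active
2009-07-14 10:07:02 chat-transcript agent: please confirm the last four of your SSN: 4821
2009-07-14 10:09:19 billing masked_ssn=***-**-9930 plan=gold
2009-07-14 10:11:55 test-fixture dummy ssn=000-12-3456 (should never be issued)
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} serial={f.last_four} valid={f.structurally_valid}")
    print(summarize(hits))
```

The point of keeping `last_four` findings at the same severity as `full_ssn` findings is the research result above: if the first five digits can be inferred from birth date and state, the serial number is the only part that is actually secret, so a transcript that "only" records it has leaked the secret.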
Comments (2)
By Anonymous on July 17, 2009, 12:35 pm
I wouldn't have worried so much, but a lot of those password protection security questions now have 'where were you born' as an option. And darn it all, I used...
By Anonymous on July 20, 2009, 8:19 am
Banks may use SSNs as a means of identification, but part of that is mandated by the IRS and now the Department of Homeland Security.