Security flaws in Social Security numbers is old news

* Carnegie Mellon study 'reveals' well-known SSN security issues

There was a big hoo-hah last week about a paper published by folks at my old school, Carnegie Mellon University. There was so much attention, in fact, that I found myself endlessly humming "Dear Old Tech" over and over. According to the press release, "Carnegie Mellon researchers find Social Security numbers can be predicted with public information." Is that startling information? More importantly, is it a security/identity fraud problem?

Alessandro Acquisti, associate professor of IT and public policy at Carnegie Mellon's H. John Heinz III College, and Ralph Gross, a post-doctoral researcher at the Heinz College, are publishing a paper -- and presenting it at the upcoming Black Hat conference -- which shows that an individual's date and state of birth are sufficient to guess his or her Social Security number with great accuracy.

I've known that for more than 40 years.

"Known it" but didn't know I knew it. Or, alternatively, thought that everybody knew it.

For those of us over 30, getting a Social Security number was a rite of passage. You got it when you got your first job, typically a part-time gig as soon as you hit 16. I went to get mine along with a couple of high school friends and, in those innocent times, the first thing we did was compare numbers, trying to see who had the "coolest" SSN. (I no longer remember what constituted "cool" back in 1961.) It quickly became apparent that there was a pattern to the numbers issued. So much so that we could attempt to guess other people's numbers (as long as we knew when they were issued) with enough success to keep gas in our cars (of course, gas was only 27 cents a gallon back then).

In advance of the study's publication, the authors have posted a FAQ list, but reading through it begs the question "where have you been for the past dozen years?" Statements such as:

* SSNs are supposed to be confidential information

* SSNs are highly insecure passwords and should not be used for authentication.

* Our findings highlight the unexpected consequences of the interaction of multiple data sources in modern information economies.

* Tuna tastes remarkably like chicken.

OK, I added that last one. But the point is that this study "revealed" information that was already well known (the predictability of SSNs) while adding nothing new to the arsenal of devices needed to prevent identity fraud. Yet the general press (and even the technical press) fell all over themselves to publicize this.

What this all means is that your boss (and her boss and his boss) will be on your neck to "do something" to protect their security and personally identifiable information. Things like "don't publish that birthday list anymore" or "don't join that city-based network on Facebook" or even a ban on contact with social networks so that the bad guys can't skim this vital information. And what that really means is more headaches for you, more time lost to needlessly repetitive explanations of the "problem" and how to avoid it, and more exasperation that people with no knowledge of your job will attempt to define how you do it. Maybe, in the words of Southwest Airlines, you just "gotta get away."


Copyright © 2009 IDG Communications, Inc.