Social Security Numbers Easily Cracked

It is easier than ever to guess or predict an individual’s Social Security number, which puts us all at a greater risk for identity theft.

Researchers at Carnegie Mellon University have developed a reliable method for predicting Social Security numbers, using information from social networking sites, data brokers, voter registration lists, online white pages, and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people born on the East Coast were assigned the lowest numbers and those born on the West Coast were assigned the highest numbers. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researchers had a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, “making SSNs akin to 3-digit financial PINs.” The researchers concluded, “Unless mitigating strategies are implemented, the predictability of SSNs exposes people born after 1988 to risks of identity theft on mass scales.”

While the researchers’ work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations, and educational institutions.

The problem stems from that fact that our existing system of identification is seriously outdated. We rely on nine digits as a primary identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. This problem can only be remedied by incorporating multiple levels of authentication into our identification process.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Visit to educate and protect yourself.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how a person becomes an identity theft victim on (Disclosures)

Government Moves Away from SSN as Identifier

The Department of Defense proclaims, “The national security depends on our defense installations and facilities being in the right place, at the right time, with the right qualities and capacities to protect our national resources.” But by relying on Social Security numbers as primary identifiers, this same organization puts the identities of soldiers and their families at risk.

Last month, four West Point professors released a journal article arguing, “Despite the Defense Department’s recent advances in protecting personally identifiable information (PII) such as Social Security numbers, the military continues to have a ‘cultural disregard’ for PII.” The professors also pointed out that since the first digits of a Social Security number can be deduced based on birth year and location, restricting use to the last four digits does not adequately preclude identity theft.

In 2007, an Office of Management and Budget memo ordered agencies to eliminate all nonessential uses of Social Security numbers, and the Department of Defense is currently working on limiting its use of the numbers.

If you are a soldier or have a family member away on leave, there are two ways to protect yourself or your family member:

1. Place an “active duty alert” on your credit report. To place or remove an active duty alert, call all three of the three nationwide consumer reporting companies: Equifax, Experian, and TransUnion. Each will require proof of the soldier’s identity, which may include their Social Security number, name, address, and other personal information.

Equifax: 1-800-525-6285

Experian: 1-888-397-3742

TransUnion: 1-800-680-7289

2. Whether or not you are a member of the military, consider subscribing to an identity theft protection service, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, visit

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

School Officials Warn of Identity Theft

In a small Maine town, local school officials buck state requirements and tell parents not to give out their child’s Social Security number.

The Bangor Daily reports “School departments across the state are required by a new state law to collect students’ Social Security numbers for all enrolled this fall. Parents, however, should know that they can decline”. Local school officials, worried about the possibility of identity theft, are encouraging parents not to provide their children’s Social Security numbers to the state so the students can be tracked as they leave school and get jobs.

“We’re required to ask but we’re encouraging parents not to tell,” Superintendent Daniel Lee said on Monday.

The SSNs are supposed to be used for a 12 year study that will track each students and their progress throughout school. This is a perfect example of “functionality creep” of the SSN.  Functionality creep occurs when an item, process, or procedure ends up serving a purpose that it was never intended to perform.  An alternative to relying on SSN to track the students, another identifier could be assigned.

It is precisely this type of expanding use of an individual’s SSN that puts their personal identity at risk. Each child who coughs up their SSN has to worry whether or not someone who has authorized or even unauthorized access to the data base may use that child’s primary identifier to open new credit.

McAfee Identity Protection includes proactive identity surveillance to monitor a child’s identity and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing child identity theft on NBC Boston (Disclosures)

Leaked Social Security Numbers Put “Personal Security and Safety at Risk”

Allen West, a Republican Congressional candidate, is speaking out after a mailing from the Florida Democratic Party releases his Social Security number and his wife’s federal employee number. “It’s an attack against me and I think it shows the weakness of the character of Ron Klein and definitely the Florida Democratic party, to put a person’s personal security and safety at risk,” said West, “And also affects my family as well.”

The Florida Democratic Party responded by stating, “We apologize for the oversight of not redacting this information from the public record included in the mailer,” and by offering West two years of identity theft monitoring, but West says he will not accept their money.

Meanwhile, in Virginia, a judge has ruled it is legal to post Social Security numbers on websites. Every city, state, and town has its own set of regulations determining the collection and management of public records, including birth, death, marriage, court, property, and business filings. Many of these documents include Social Security numbers. And many are posted on the Internet.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information in federal record systems.

Back in 1974, identity theft wasn’t an issue, so having your Social Security number on your driver’s license, school ID, and most other documents wasn’t a big deal. Then someone figured out how to use a Social Security number to pose as someone else, and from there, identity theft became big business.

When a judge rules that it’s okay to post Social Security numbers online, and a politician states that a similar act “puts a person’s personal security and safety at risk,” it’s clear that we have a systemic problem, one which the government is unlikely to solve.

It is important to observe basic security precautions to protect your identity. But you have no control over the security of your personal information when it is stored in government and corporate databases.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features as well as live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visit

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Social Security numbers as national IDs on Fox News. (Disclosures)

IRS Fully Reliant on Social Security Numbers

On the Policy, Practice & Procedures page of their website, the IRS addresses the public’s concern regarding Social Security numbers on checks:

Complete Social Security Numbers (SSN) on Checks or Money Orders Remitted to IRS

Issue: Tax Professionals and clients have concerns about taxpayers putting their full SSN on checks remitted to IRS in payment of a balance due. Page 74 of the Form 1040 instructions directs taxpayers to put their full SSN on checks.

Response: The SSN Elimination and Reduction program is presently working on mid-to-long-term solutions to address the use of SSNs on checks remitted to IRS in payment of a balance due. To ensure payments are posted to the correct account, we encourage taxpayers to include their SSNs on checks and money orders submitted to the IRS. IRS processes millions of returns and payments each year, including many from taxpayers with the same or similar names. If you are concerned about providing the SSN, you may consider using the Electronic Federal Tax Payment System. EFTPS is a secure alternative to mailing a check.”

Essentially, if you want to be sure that you’re properly credited for any money paid to the IRS, and avoid being labeled a tax evader, you don’t have much of a choice about including your Social Security number on checks and money orders.

The IRS sent 201 million notices to taxpayers during the fiscal year 2009, and most of those mailings included Social Security numbers. Social Security numbers may also appear in more than 500 computers systems and 6,000 internal and external forms. According to the Treasury Department Inspector General, “this is because Social Security numbers are used to associate correspondence and documents with taxpayer accounts.”

The IRS is currently in the process of reviewing their current reliance on Social Security numbers as primary account numbers for all citizens. Some have suggested that we may eventually switch to barcodes, but if this transition ever does take place, it isn’t likely to happen anytime soon.

At present, the IRS, along with many other government agencies and corporations, relies on Social Security numbers and will do so for years to come. This continued reliance will inevitably result in additional data breaches and therefore, more stolen identities.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first, providing live access to fraud resolution agents who work with victims to help restore their identities. For additional tips, please visit

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss IRS related identity theft on Fox News. (Disclosures)

Security Breach Threatens Soldiers’ & Civilians’ Personal Information

Robert Siciliano Identity Theft Expert

Burglars tend to go after high ticket items that can be immediately turned into cash. They may include electronics such as TVs, computers, game consoles or various kinds of stereo equipment. Jewelry has always been the favorite of the thief, and they know most women keep their jewelry box on their dresser or in the top or bottom drawer.

What many are beginning to realize is that the information on the computers or laptops that are stolen is worth much more than the hardware itself. The money today is in the data that is stolen that can be used to commit identity theft.

In the past few years, numerous data breaches have occurred simply because a laptop or PC was stolen from someone’s home. A Veterans Administration employees home was broken into and his work PC was stolen which had almost 26.5 million Social Security numbers of veterans and their families. That’s almost 10% of the US population on one computer! That PC cost the VA maybe $1000.00 to purchase, but the data loss cost hundreds of thousands of dollars to mitigate.

“CNN reports The personal records of thousands of soldiers, employees and their families were potentially exposed after a laptop computer containing the information was stolen over the Thanksgiving holiday weekend, the military says.

The security breach happened where the rental apartment of an employee was. The computer contained “names and personally identifiable information for slightly more than 42,000 records including names, Social Security number, home address, date of birth, encrypted credit card information, personal e-mail address, personal telephone numbers, and family member information.”

A theft of this kind in your own home, whether it is your company’s computer or your own can have a devastating effect. The key is to prevent it from happening in the first place.

1. Always lock your doors and windows no matter what time of the year it is.

2. Make sure all exterior ladders are locked up to prevent someone from accessing an upper level window.

3. Install a home security system that calls you and the local police when tripped.

4. Make sure your computers are locked down too.  For desktops, it is a good idea to cable them to a desk or wall. For laptops they should be put in a safe.

5. Install encryption software on all PCs that makes the data unreadable and useless to the thief.

Robert Siciliano personal security expert to Home Security Source discussing stolen laptops on the Today Show. Disclosure