Today, I will share a scary fact about your most important identifier: the SSN (Social Security Number).
TL;DR: If someone knows your place of birth and date of birth, they can determine the first five digits of your SSN. The attacker then only needs your last four digits, which are not hard to obtain, since they are routinely shared across platforms for identity verification purposes.
Let's dive in:
If you were born before 2011 and have a Social Security number, here's how your nine-digit number is constructed:
The first three numbers represent the zip code of the Social Security office that issued it, most likely the office nearest to where you were born. Like zip codes, these numbers increase from east to west across the U.S., so, given where you were born, one can derive them.
The next two numbers are between 01 and 99. The rules that assign them are complex, but it turns out there is a deterministic relationship between your date of birth and these two numbers. For example, every SSN issued in Pennsylvania during 1996 contains the middle two numbers 76.
The last four numbers are the only "random" numbers. They are supposed to be private, like your password, and are NOT supposed to be shared with anyone, just as you must not share your password.
Unfortunately, the last four have become our identity: we give them out over the phone, by email, and on websites for identity verification purposes. Insider attacks are common, with employees obtaining those last four digits and misusing them. Some data brokers sell truncated SSNs, with either the first five or the last four numbers visible to the purchaser.
(FYI: post-2011, SSNs have been randomized, so our kids "should be safe.")
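The structure described above can be turned into a DLP-style redaction check. The following is an added example, not code from the original post or from Strac: it masks full SSNs, also masks a truncated "last four" disclosure (the field the post says must stay private), and leaves alone nine-digit strings the SSA never issues. The invalid-range rules (area 000, 666 or 900-999; group 00; serial 0000) are assumed from SSA documentation rather than from the post, and the chat lines are constructed.

```python
import re

# Full nine-digit SSN written as 123-45-6789, 123 45 6789 or 123456789.
FULL_SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# A truncated disclosure such as "SSN ending in 6789" or "social security last 4: 6789".
LAST4_RE = re.compile(
    r"(?i)\b(?:ssn|social security)\D{0,40}?(?:last\s*(?:four|4)|ending\s+in)\D{0,10}?(\d{4})\b"
)


def split_ssn(ssn: str) -> tuple[str, str, str]:
    """Return (area, group, serial): the three fields the post describes."""
    m = FULL_SSN_RE.fullmatch(ssn.strip())
    if not m:
        raise ValueError("not a nine-digit SSN")
    return m.group(1), m.group(2), m.group(3)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def redact_ssns(text: str) -> tuple[str, list[str]]:
    """Mask full SSNs and 'last four' disclosures; return the clean text and a list of findings."""
    findings: list[str] = []

    def mask_full(m: re.Match) -> str:
        if not is_plausible_ssn(*m.groups()):
            return m.group(0)  # nine digits that cannot be an SSN, e.g. an order id
        findings.append("full-ssn")  # record the finding, never the digits themselves
        return "***-**-****"

    def mask_last4(m: re.Match) -> str:
        findings.append("last4")
        start, end = m.span(1)  # replace only the four digits, keep the surrounding words
        off = m.start()
        return m.group(0)[: start - off] + "****" + m.group(0)[end - off :]

    text = FULL_SSN_RE.sub(mask_full, text)
    text = LAST4_RE.sub(mask_last4, text)
    return text, findings


if __name__ == "__main__":
    # Constructed sample support-chat transcript, not real data.
    sample = ("Agent: confirm your SSN 123-45-6789. Caller: yes, SSN ending in 6789. "
              "Order 000-12-3456 has shipped.")
    clean, found = redact_ssns(sample)
    print(clean)
    print(found)
```

Note that the order number 000-12-3456 survives because area 000 is never issued, while both the full SSN and the spoken "last four" are masked in full rather than truncated.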
Strac provides end-to-end data loss prevention for all SaaS and Cloud apps. Integrate in under 10 minutes and experience the benefits of live DLP scanning, live redaction, and a fortified SaaS environment.