Extra Point

by Jack Tenney, Publisher

July 2013

Here’s a little data on big data.

Think about the number of times you are asked to give the last four digits of your Social. In theory, there are 10,000 possible four-digit endings, ranging from “0000” to “9999.” Since the format for a Social is xxx-xx-xxxx, the full range runs from “000-00-0000” to “999-99-9999,” or a billion combinations. However, no Social begins “000-00,” so that’s 500,000 numbers that can’t possibly exist.

The first three digits indicate where the number was assigned (for numbers issued before June 2011) and the next two digits indicate when. So if your Social begins 008-58-XXXX, your card was issued in Vermont in 1975 (008-68-XXXX: Vermont, 1986).

So far, so good?

Back to the last four digits, and how often you are asked for them and hand them over.

Let’s say I’m a hacker with access to millions of last-four-digits sourced by telephone numbers or Internet addresses. What now?

Well, a stroll through census data would suggest that more than half the population lives in the state where they were born. Therefore, if I told my magic app to guess the first digits of a Social based on the area code or computer location of the intercepted data, what would the result be? If the data came from your phone and you were born in Vermont and still live here, the hacker would have a 50 percent chance of guessing your entire Social in fewer than 100 tries.

Imagine, then, because the hacker has data and time, that as the previous app catalogs its best guesses for valid Socials, the hacker begins to match the last four digits given with credit card purchases against the list of possible nine-digit Socials. Now the game gets interesting. Account numbers, Socials, PINs, passwords, expiration dates, security codes. ... Not to worry, hacking’s illegal.