Last four digits of social security number identity theft

Internet users have become pretty aware of spam email and do their best to ignore it, but few people apply the same caution to a phone call from a company whose name they trust.

For example, I got a call today from a mortgage company I do business with that wanted to verify some personal details. They told me that they were calling on a recorded line and would like the last four digits of my social security number to authenticate myself before they could give me information on what they were calling about.

Now, that’s a Very Bad Idea(TM) because they called me, not the other way around. How do I know they’re really calling from that company?

The caller should have to authenticate to the called party first

If anyone needs to authenticate themselves, it is the caller. Mortgages are public records in many states, so any scammer could have picked my name and mortgage company off public records and called me to find out the last four digits of my social, and potentially more.


This doesn’t only apply to mortgage companies. Many records are public or easily guessable, so be on the lookout. Call ten people at random and a good share of them will bank with one of the handful of big national banks, many will have a mortgage, and nearly all of them will have filed taxes with the IRS. A scammer doesn’t need to know which company you deal with; they only need to pick one that most people deal with.

Social Security Numbers are a really bad way to authenticate people

It’s a really bad idea to authenticate people by their social security numbers. To illustrate the point, let’s look at how you authenticate in other places.

Think of how you log on to your computer at work: you have a user name that is public. It’s probably part of your email address. It’s easily guessable, but that’s okay because it’s only used to identify you. Let’s call this the “identifier”. It’s just a way to identify a particular person from the next one.

To log on to your computer, you not only need your user name, you also need your password. Your password is secret and only known to you. You can change it if you believe it has been compromised, which can happen when someone looks over your shoulder, or there’s a data breach. Let’s call this part the “authenticator”.

The challenge with social security numbers is that they are being used as both the identifier and the authenticator. Companies use it to tell you apart from Joe Schmoe, and they also ask you for your SSN to ensure that you are you. To make things worse, you can’t actually change your social security number when it has been compromised. It’s a flawed system. Other countries, such as my birth country Germany, legally restrict the use of a single universal number to track people, partially for this reason.

In other words, companies use your social security number as your user name AND your password, which you can’t change. What could go wrong?


The first three digits of your SSN are easy to guess

The first three numbers of your social security number are actually pretty easy to guess. Are you a reader from Wyoming who got your number before June 2011? Then your social almost certainly starts with 520.

No, that’s not magic, it’s publicly documented. Until June 2011 the Social Security Administration assigned the first three digits (the “area number”) based on the state of the mailing address on the application, and the complete state-to-area table has been published for years. (Numbers issued after June 2011 are assigned randomly, so this trick only works on people who got their SSN before then, which is still most adults.) Knowing the last four digits, this means an attacker would only have to guess the middle two digits (the “group number”) to figure out the right number. That’s at most 100 combinations, and fewer in practice, because group 00 was never issued and the order in which group numbers were handed out was also public.

Even if a scammer just has the last four digits of your SSN, they can still authenticate as you to companies you already do business with.
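To put a number on how small the search space gets, here is an added example (not code from the original post) that enumerates every structurally valid SSN an attacker would have to try once they know the victim’s state and the last four digits. The state-to-area table below is a small illustrative subset of the publicly documented pre-2011 assignments; 520 for Wyoming is the one the post cites, and the other entries are included only to show that some states had several area numbers. The structural rules (area 000, 666 and 900 and up never issued, group 00 never issued, serial 0000 never issued) are the ones the SSA has always applied.

```python
"""Enumerate candidate SSNs when the area number is known from the
victim's state and the last four digits were given up on the phone.

Added example, not part of the original post. Only meaningful for SSNs
issued before June 2011; after that date area numbers are random.
"""

# Pre-2011 area numbers by state. Illustrative subset of the published
# table; the post's example (Wyoming = 520) is included.
AREA_NUMBERS_BY_STATE = {
    "NH": range(1, 4),       # 001-003
    "WY": range(520, 521),   # 520
    "CO": range(521, 525),   # 521-524
    "AK": range(574, 575),   # 574
    "HI": range(575, 577),   # 575-576
}


def is_structurally_valid(area: int, group: int, serial: int) -> bool:
    """Structural rules the SSA has always applied when issuing numbers.

    An attacker uses these to prune guesses before burning them on a
    phone call that might get the account flagged.
    """
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0:        # group 00 was never issued
        return False
    if serial == 0:       # serial 0000 was never issued
        return False
    return True


def candidate_ssns(state: str, last_four: str) -> list[str]:
    """Return every structurally valid SSN whose area number belongs to
    `state` (pre-2011 scheme) and whose last four digits are `last_four`.
    """
    if len(last_four) != 4 or not last_four.isdigit():
        raise ValueError("last_four must be exactly four decimal digits")
    serial = int(last_four)
    areas = AREA_NUMBERS_BY_STATE[state.upper()]
    candidates = []
    for area in areas:
        for group in range(100):
            if is_structurally_valid(area, group, serial):
                candidates.append(f"{area:03d}-{group:02d}-{serial:04d}")
    return candidates


def search_space(state: str, last_four: str) -> int:
    """Number of guesses left once state and last four digits are known."""
    return len(candidate_ssns(state, last_four))


if __name__ == "__main__":
    # Constructed example: a Wyoming victim who read "1234" to a caller.
    ssns = candidate_ssns("WY", "1234")
    print(f"{len(ssns)} candidates, from {ssns[0]} to {ssns[-1]}")
    print(f"versus {10**9:,} for a blind nine-digit guess")
```

The point the numbers make: a nine-digit SSN looks like a billion possibilities, but with the state known and the last four phished, a single-area state like Wyoming leaves 99 candidates, and even a two-area state like Hawaii leaves 198. That is a lunch-break’s worth of tries against a help desk that “verifies” callers by SSN.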

Caller ID can easily be spoofed

I didn’t recognize the number that called in my case, but even if you do, the number can easily be spoofed. If you’d like to try this out, call your best buddy from the number of the White House.

Simply find a service that offers call spoofing (here’s a free one) and tell the service that you’d like to call from the White House number (to save you some time, it’s (202) 456–1111). And yes, it’s that easy. Caller ID carries no cryptographic proof of origin; the calling party simply asserts a number and the network passes it along. Keep in mind that in the US, spoofing caller ID with intent to defraud or cause harm is illegal under the Truth in Caller ID Act of 2009, which is exactly why the scammers doing it don’t care.

How you should behave if someone calls you, asking to authenticate

First, always be polite. You’re on a recorded line and you wouldn’t want your mother to blush if the tape ended up on the evening news. They’re just following protocol, so please be nice to them.

Next, inform the other party that they called you and that you would like them to authenticate the company they’re calling from. While this is a fun exercise, it usually ends in a pleasant but Kafka-esque dialogue, because call-center scripts rarely have a branch for it.

Decline to proceed and call the company from a number you know to be valid, for example from the back of your bank card or your mortgage statement. Don’t accept a number the person gives you on the phone — if they’re not trustworthy, you shouldn’t trust information they’re giving you. Good scammers have used this trick, and many people fall for it.


In case you think I’m too paranoid

Scams happen all the time, and they’re incredibly easy to pull off. If you don’t believe me, I’d recommend that you buy a flight ticket to Las Vegas and join this year’s DefCon conference. Every year, DefCon features a Social Engineer Village, where contestants phone companies with the goal of extracting confidential information. In a nutshell, social engineering is “hacking people”.

The event is all above board and they have an attorney on staff to keep it legal, but if you’ve ever sat in the 200-plus-person audience during a live call into the Fortune 500s of this world, you’d know that what you’d normally give out on the phone could really hurt you and your company. Badly.

I’m applying to be a contestant in this year’s event, and fingers crossed, I’ll have a chance to compete. If you happen to be in Vegas, please join me for some fun and hope that the person on the other line of my call hasn’t read this blog post.

In the meantime, stay safe.

Update: I ended up winning the Social Engineering competition at DefCon in 2017. Watch a reenactment of my winning call to a Fortune 500 company that reveals how inconspicuous information on the web can become very dangerous: