The Mathematics Of Proving (Or Disproving) Identity Fraud
from the brush-up-on-your-probability dept
Here's a fun one by Thomas O'Toole, looking into a lawsuit by the US gov't against a guy who committed identity fraud to apply for emergency disaster relief after Hurricane Katrina. Basically, the entire case hinged on a bit of probability. The guy had applied for aid using 15 different social security numbers on 15 different applications. Here's the thing: the law he was charged under says that it's a crime to "knowingly" make use of someone else's identity. In other words, it's only identity fraud if the guy knew he was using someone else's SSN. If he just made up the numbers, and they all turned out to be legit by luck, then he could say he did not knowingly commit fraud on the people who those SSN's actually applied to. So, here's where the probability part comes in. As O'Toole notes, if you just take a guess, you actually have about a 50% chance of getting an actual SSN (which doesn't seem like a very good system). But to get 15 correct guesses in a row? Well, simplifying things a bit, the probability of guessing right 15 times in a row is about 0.0003.So, the government argued, there was a 99.997% chance that the guy, Gregory Parks, must have known that the SSNs he was using came from real people, and thus, he was guilty of knowingly using their SSNs, against the law. But Parks and his lawyers went a little deeper, and pointed out that the original calculation was wrong, in that it way over-simplified things:
The first three digits of a social security number are known as "area numbers." These numbers correlate to states. All of the numbers Parks used had Texas or Louisiana area numbers. Except for two: one had an Oklahoma area number and the other a Michigan area number. Area codes are published on the SSA website.While amusing, this does raise a few points. First of all, it highlights how ridiculous it is to use Social Security Numbers as identifiers, given just how easy it is to guess legit SSNs. Second, it makes you wonder why the law dealing with identity fraud cares one way or another if the fake SSN was used "knowingly" or not. The guy still was guilty of mail fraud -- so it's not like he gets off completely free. But does it make sense that the laws on identity fraud only apply if you know that the SSN you're using is someone else's, but doesn't apply if you just make it up?
The SSA also publishes on its website information indicating the extent to which the second pair of digits in a social security number -- the "group number" -- have been assigned. In Parks' case, this information indicated that, for the 13 social security numbers he used in the Texas and Louisiana area codes, the two-digit "group number" was 99, meaning that nearly all of those numbers had been assigned. Louisiana and Texas were the areas hardest hit by Hurricane Katrina.
The group numbers for the two other area numbers used by Parks indicated that the social security numbers for those areas were not assigned to such an extent. For area number 446 (Oklahoma), the group number was 19 (out of a possible 99); for area number 372 (Michigan), the group number was 31 (again, out of 99).
All of this extra information dramatically increased Parks' odds of randomly guessing valid social security numbers. According to the court, the new math looked like this:
1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 0.59 * 0.65 = .38
Thus, with a little knowledge about how the SSA doles out social security numbers, Parks had a 38 percent chance of "randomly" choosing 15 valid social security numbers.
According to the court's math. And that was the math that counted here. The court ruled that the high odds of making 15 educated guesses about social security numbers was sufficient to vacate Parks' conviction
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: identity fraud, odds, probability, social security numbers
Reader Comments
Subscribe: RSS
View by: Time | Thread
Intent?
I was wondering the same thing. Just because the guy didn't know whether or not the numbers were real, shouldn't it be enough that a guy, who is legally entitled to one SSN, used 15 numbers, none of them his own, to get paid?
Isn't the intent to defraud apparent enough?
[ link to this | view in chronology ]
Re: Intent?
Well, it was enough to convict him of mail fraud, so in some sense, yes.
I guess a reasonable question to ask would be: did he think the success of his scheme depended on at least some of his randomly selected numbers corresponding to actual people?
If the answer to this question is yes, I feel like that might be enough intent, but of course, it would likely be hard to prove that the answer is yes...
[ link to this | view in chronology ]
I'm fairly certain it was Louisiana and Mississippi. Texas had no direct damage from Katrina.
[ link to this | view in chronology ]
Knowingly
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Also this does the actual fraud analysis: http://www.journalofaccountancy.com/Issues/1999/May/nigrini.htm
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
What about the dead?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Credit card numbers
[ link to this | view in chronology ]
Re: Credit card numbers
It takes you 5 lines of code? Slacker!
Any other company, and I'd readily agree with you. This is AOL were talking about, though.
[ link to this | view in chronology ]
Re: Re: Credit card numbers
[ link to this | view in chronology ]
Re: Re: Credit card numbers
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Actually, come to think of it, it might not be that hard. Presumably SSNs are assigned in some sort of order.
So you'd have to cross-check SSNs against something with less correlation -- like names or something. But I imagine that creates all sorts of havoc for people who change their names and whatnot.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Cross checking
[ link to this | view in chronology ]
No such thing as Identity theft
In reality identity theft is when someone physically tries to pose as you to do something (criminal). Like that bad Travolta/Cage movie.
When someone steals money from a bank by breaking into the bank or holding up a teller they are called bank robbers.
When they crack a supposedly secure system and take money out of the bank (via checking accounts) that is also bank robbery NOT ID theft. When they steal credit card numbers that is also a crime of fraud, a breaking of a security system, again NOT ID theft.
Same for any of these crimes committed using identification or non-cash payment methods.
The reason I bring this up is because right now the banks and credit card companies are putting the onus on consumers for THEIR security issues. If a retail corporation has it's systems compromised they and the bank should deal with it. Why do consumers have to feel the pain and brunt of that? I didn't have anything to do with it. This whole issue needs to be turned around and the dialog changed to reflect what's actually happening. It's pretty d@mned rare that anyone actually takes my identity. They really are just stealing/breaking the bank's security systems and they should be held accountable. Maybe even be liable to me for my losses.
[ link to this | view in chronology ]
Wouldn't this mean that he had an almost 100% chance of guessing a correct number? Also, is there anything in the law that says it's illegal to use SSN number of a living person but legal to use a deceased person's one? If not then as soon as he guesses a correct number then he's guilty. At the same time - and correct me if I'm wrong - there's the legal concept that intent follows the bullet. That applies to homicides though. If it applies to fraud as well, then what's the problem? If it doesn't, why the hell not?
[ link to this | view in chronology ]
Easy Peasy
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Censored data
If he made 30 applications then you would expect 15 to be accepted (assuming no knowledge about the system).
[ link to this | view in chronology ]
It Wasn't Random Then
If he had only applied once, or maybe twice, I could see the argument being valid, but once you purposely increase your likelihood to near 100% you are knowingly using a real SSN.
[ link to this | view in chronology ]
I guess our social security system isn't really all that secure. But forget about all that, the cyberwar is more important.
[ link to this | view in chronology ]
I think the distinction of identity fraud can be important. It actually victimizes an individual. If you knowingly victimize an individual, it is probably more serious than just defrauding the government.
[ link to this | view in chronology ]
SSN court mistake
The law is fine, but the court just proved Einstein is correct - the only thing we know is infinite is human stupidity.
[ link to this | view in chronology ]
Electronic security in the financial sector
[ link to this | view in chronology ]