The Mathematics Of Proving (Or Disproving) Identity Fraud

from the brush-up-on-your-probability dept

Thu, May 20th 2010 1:55pm — Mike Masnick

Here's a fun one by Thomas O'Toole, looking into a lawsuit by the US gov't against a guy who committed identity fraud to apply for emergency disaster relief after Hurricane Katrina. Basically, the entire case hinged on a bit of probability. The guy had applied for aid using 15 different social security numbers on 15 different applications. Here's the thing: the law he was charged under says that it's a crime to "knowingly" make use of someone else's identity. In other words, it's only identity fraud if the guy knew he was using someone else's SSN. If he just made up the numbers, and they all turned out to be legit by luck, then he could say he did not knowingly commit fraud on the people who those SSN's actually applied to. So, here's where the probability part comes in. As O'Toole notes, if you just take a guess, you actually have about a 50% chance of getting an actual SSN (which doesn't seem like a very good system). But to get 15 correct guesses in a row? Well, simplifying things a bit, the probability of guessing right 15 times in a row is about 0.0003.

So, the government argued, there was a 99.997% chance that the guy, Gregory Parks, must have known that the SSNs he was using came from real people, and thus, he was guilty of knowingly using their SSNs, against the law. But Parks and his lawyers went a little deeper, and pointed out that the original calculation was wrong, in that it way over-simplified things:

The first three digits of a social security number are known as "area numbers." These numbers correlate to states. All of the numbers Parks used had Texas or Louisiana area numbers. Except for two: one had an Oklahoma area number and the other a Michigan area number. Area codes are published on the SSA website.

The SSA also publishes on its website information indicating the extent to which the second pair of digits in a social security number -- the "group number" -- have been assigned. In Parks' case, this information indicated that, for the 13 social security numbers he used in the Texas and Louisiana area codes, the two-digit "group number" was 99, meaning that nearly all of those numbers had been assigned. Louisiana and Texas were the areas hardest hit by Hurricane Katrina.

The group numbers for the two other area numbers used by Parks indicated that the social security numbers for those areas were not assigned to such an extent. For area number 446 (Oklahoma), the group number was 19 (out of a possible 99); for area number 372 (Michigan), the group number was 31 (again, out of 99).

All of this extra information dramatically increased Parks' odds of randomly guessing valid social security numbers. According to the court, the new math looked like this:

1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 1 * 0.59 * 0.65 = .38

Thus, with a little knowledge about how the SSA doles out social security numbers, Parks had a 38 percent chance of "randomly" choosing 15 valid social security numbers.

According to the court's math. And that was the math that counted here. The court ruled that the high odds of making 15 educated guesses about social security numbers was sufficient to vacate Parks' conviction

While amusing, this does raise a few points. First of all, it highlights how ridiculous it is to use Social Security Numbers as identifiers, given just how easy it is to guess legit SSNs. Second, it makes you wonder why the law dealing with identity fraud cares one way or another if the fake SSN was used "knowingly" or not. The guy still was guilty of mail fraud -- so it's not like he gets off completely free. But does it make sense that the laws on identity fraud only apply if you know that the SSN you're using is someone else's, but doesn't apply if you just make it up?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: identity fraud, odds, probability, social security numbers

31 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Joe Mens Rea, 20 May 2010 @ 2:08pm

Intent?
...it makes you wonder why the law dealing with identity fraud cares one way or another if the fake SSN was used "knowingly" or not.

I was wondering the same thing. Just because the guy didn't know whether or not the numbers were real, shouldn't it be enough that a guy, who is legally entitled to one SSN, used 15 numbers, none of them his own, to get paid?

Isn't the intent to defraud apparent enough?
[ link to this | view in thread ]
a-dub (profile), 20 May 2010 @ 2:28pm

Louisiana and Texas were the areas hardest hit by Hurricane Katrina.

I'm fairly certain it was Louisiana and Mississippi. Texas had no direct damage from Katrina.
[ link to this | view in thread ]
Frankz (profile), 20 May 2010 @ 2:36pm

Knowingly
I doubt they'll have to prove that he knowingly used somebody else's identity. He knowingly used one's that were not his own, so prosecutors and the court will probably take that as the same thing.
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 2:38pm

Some type of "knowledge" limitation is necessary because we don’t want the government wasting time on people who accidently transposed numbers on their own SSN-this is more akin to mistake or negligence then fraud-fraud historically is intentionally misleading another while negligent misrepresentation is more like an accident.
[ link to this | view in thread ]
Jason (profile), 20 May 2010 @ 2:42pm

A bit more interesting is the usage of Benford's Law to predict fraud - most people assume that numbers in most lists occur with equal probability on average, which is false. Surprising law perhaps? The Wikipedia article is interesting...

Also this does the actual fraud analysis: http://www.journalofaccountancy.com/Issues/1999/May/nigrini.htm
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 2:50pm

It's sounds like the prosecutor was trying to stretch the identity theft law pretty far here; it's hardly identity theft if he didn't know or try to use any further information about the people (e.g. their names)...
[ link to this | view in thread ]
Ryan, 20 May 2010 @ 3:04pm

Re:
Right, so you can limit it by the existence of mens rea. Sounds like the law was just poorly worded, as many are when written by 535 monkeys hopping on typewriters.
[ link to this | view in thread ]
Chuck Norris' Enemy (deceased) (profile), 20 May 2010 @ 3:08pm

What about the dead?
Adding to the probability...even if he guessed 15 real SSNs what where the chances that the SSNs were living people? One would hope that being alive is important to collect aid...but we all know how the government handled that catastrophe. They couldn't wait to give away your tax dollars! I guess if the dead can vote then they can collect aid.
[ link to this | view in thread ]
DataShade, 20 May 2010 @ 3:11pm

I won't admit to having done this myself, but there was a time, in the early/mid-90's where AOL would take any 16-digit number starting with a 3, 4, 5, or 6 as a credit card in order to qualify for a one-month free trial. They didn't try to verify or bill the card until the end of that month, so a fair number of my friends in high school had rolling, perpetually-free AOL accounts. I'm sure AOL rued the loss of revenue, but charging those kids with identity theft because the credit card number they faked might have matched someone's real number would have been an injustice; there's no way the card-owner was held responsible for the charges, unless there was an Ivan Peter Freely, Seymour Buttz, Hugh Jass actually using one of those faked numbers.
[ link to this | view in thread ]
electraglide, 20 May 2010 @ 3:34pm

Credit card numbers
Datashade, Your story about the credit card numbers is not credible. Credit card numbers contain a check digit calculated with Modulus math. About 5 lines of code can determine whether the number is valid. You also remark about card owners getting charged...so they must have been stolen numbers. It is not credible that AOL would accept a number without check digit validation.
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 3:35pm

SSN reform needs to happen, but I imagine lobbyists from * are the ones requesting that the system not be changed. Can you imagine the mess it would take to revamp the Social Security system, or come up with a "secure" number or identifier for the U.S. population? Would make Y2K look like child's play.
[ link to this | view in thread ]
Andrew F (profile), 20 May 2010 @ 3:56pm

Re:
Isn't the current system one of cross-checking the SSN with something else? It's easy to guess a valid SSN and it's easy to guess someone's birthday, but it's hard to match the two together.

Actually, come to think of it, it might not be that hard. Presumably SSNs are assigned in some sort of order.

So you'd have to cross-check SSNs against something with less correlation -- like names or something. But I imagine that creates all sorts of havoc for people who change their names and whatnot.
[ link to this | view in thread ]
electraglide, 20 May 2010 @ 4:01pm

Cross checking
Healthcare uses the birthdate and sex. In a population of 100,000 people, like a health plan, any given birtday will return only 4 to 5 hits. add sex and off you go.
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 4:14pm

Re: Credit card numbers
About 5 lines of code can determine whether the number is valid.

It takes you 5 lines of code? Slacker!

It is not credible that AOL would accept a number without check digit validation.

Any other company, and I'd readily agree with you. This is AOL were talking about, though.
[ link to this | view in thread ]
nasch (profile), 20 May 2010 @ 4:20pm

Re:
Very interesting, thanks.
[ link to this | view in thread ]
Phillip Vector (profile), 20 May 2010 @ 5:04pm

Re: Re: Credit card numbers
Having worked in the CC industry, I can assure you, AOL would have used the checksum. If what you are saying is true from your point of view, then they were stolen credit card numbers.
[ link to this | view in thread ]
JLofty, 20 May 2010 @ 5:49pm

No such thing as Identity theft
There is a lot of BS going on around this topic.
In reality identity theft is when someone physically tries to pose as you to do something (criminal). Like that bad Travolta/Cage movie.
When someone steals money from a bank by breaking into the bank or holding up a teller they are called bank robbers.
When they crack a supposedly secure system and take money out of the bank (via checking accounts) that is also bank robbery NOT ID theft. When they steal credit card numbers that is also a crime of fraud, a breaking of a security system, again NOT ID theft.
Same for any of these crimes committed using identification or non-cash payment methods.

The reason I bring this up is because right now the banks and credit card companies are putting the onus on consumers for THEIR security issues. If a retail corporation has it's systems compromised they and the bank should deal with it. Why do consumers have to feel the pain and brunt of that? I didn't have anything to do with it. This whole issue needs to be turned around and the dialog changed to reflect what's actually happening. It's pretty d@mned rare that anyone actually takes my identity. They really are just stealing/breaking the bank's security systems and they should be held accountable. Maybe even be liable to me for my losses.
[ link to this | view in thread ]
Pickle Monger (profile), 20 May 2010 @ 5:49pm

In Parks' case, this information indicated that, for the 13 social security numbers he used in the Texas and Louisiana area codes, the two-digit "group number" was 99, meaning that nearly all of those numbers had been assigned.

Wouldn't this mean that he had an almost 100% chance of guessing a correct number? Also, is there anything in the law that says it's illegal to use SSN number of a living person but legal to use a deceased person's one? If not then as soon as he guesses a correct number then he's guilty. At the same time - and correct me if I'm wrong - there's the legal concept that intent follows the bullet. That applies to homicides though. If it applies to fraud as well, then what's the problem? If it doesn't, why the hell not?
[ link to this | view in thread ]
bob, 20 May 2010 @ 6:24pm

Easy Peasy
Should have just used http://www.fakenamegenerator.com/gen-random-us-us.php - all kinds of "real" fake ID
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 6:29pm

Re: Intent?
Isn't the intent to defraud apparent enough?

Well, it was enough to convict him of mail fraud, so in some sense, yes.

I guess a reasonable question to ask would be: did he think the success of his scheme depended on at least some of his randomly selected numbers corresponding to actual people?

If the answer to this question is yes, I feel like that might be enough intent, but of course, it would likely be hard to prove that the answer is yes...
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 9:27pm

Right now congress needs to focus on this cyberwar instead. The cyberwar is a much larger problem.
[ link to this | view in thread ]
Anonymous Coward, 20 May 2010 @ 9:36pm

Re: Re:
You have to notify the Social Security administration when you change your name... eventually they will start flaging your taxes etc if you do not. SSNs without a first name or initial and last name are generally not considered NPI by many data protection regulations and are not worth much to identity brokers as anyone can generate a list of valid SSNs.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2010 @ 1:59am

Needs more research.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2010 @ 2:33am

What kind of research?
[ link to this | view in thread ]
Evostick, 21 May 2010 @ 2:58am

Censored data
How many rejected applications were there?
If he made 30 applications then you would expect 15 to be accepted (assuming no knowledge about the system).
[ link to this | view in thread ]
jsf (profile), 21 May 2010 @ 6:51am

It Wasn't Random Then
If he used knowledge of the rules about how SSNs are assigned then they weren't random numbers. Only part of the number was random. He specifically attempted to improve the odds of getting a real SSN. Thus with a 38% chance of success per number, he knew that after the second number he had a very high likelihood of guessing one or more real SSNs.

If he had only applied once, or maybe twice, I could see the argument being valid, but once you purposely increase your likelihood to near 100% you are knowingly using a real SSN.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2010 @ 10:38am

"First of all, it highlights how ridiculous it is to use Social Security Numbers as identifiers, given just how easy it is to guess legit SSNs."

I guess our social security system isn't really all that secure. But forget about all that, the cyberwar is more important.
[ link to this | view in thread ]
Zubin, 21 May 2010 @ 5:48pm

Well sure, 38% Chance is definitely not "beyond a shadow of a doubt".

I think the distinction of identity fraud can be important. It actually victimizes an individual. If you knowingly victimize an individual, it is probably more serious than just defrauding the government.
[ link to this | view in thread ]
Gene Cavanaugh, 21 May 2010 @ 7:25pm

SSN court mistake
BS!!! The Social Security Administration, by analogy to corporate law, is an entity. All unassigned SSNs belong to the Social Security Administration - .
The law is fine, but the court just proved Einstein is correct - the only thing we know is infinite is human stupidity.
[ link to this | view in thread ]
electraglide (profile), 21 May 2010 @ 8:32pm

Re: Re: Credit card numbers
The 5 lines includes comments (we are preofessionals). AOL may be the great Satan, I heartily agree, but they don't leave easy money on the table. Trust me on that one.
[ link to this | view in thread ]
electraglide (profile), 21 May 2010 @ 8:44pm

Electronic security in the financial sector
After attending a Gartner seminar on security, where some industry heavyweights spoke, it is simple. The cost of fraud has not execeded the cost of prevention. It is claimed for $5 a cardholder/card, they could reach virtual stopage of fraud (I don't have an exact definition of that term), but the fraud damage is still cheaper to absorb and/or pass on. It will take an event(s) of unimaginable magnitude for them to implement the additional security factors. I am not holding my breath.
[ link to this | view in thread ]