Social security numbers can be predicted with public information, researchers find

Jul 06, 2009

Carnegie Mellon University researchers have shown that public information readily gleaned from governmental sources, commercial data bases, or online social networks can be used to routinely predict most — and sometimes all — of an individual's nine-digit Social Security number.

Project lead Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon's H. John Heinz III College, and Ralph Gross, a post-doctoral researcher at the Heinz College, have found that an individual's date and state of birth are sufficient to guess his or her Social Security number with great accuracy. The study findings will appear this week in the online Early Edition of the Proceedings of the National Academy of Science, and will be presented on July 29 at the BlackHat 2009 information security conference in Las Vegas. Additional information about the study and some of the issues it raises is available at http://www.ssnstudy.org.

The predictability of is an unexpected consequence of seemingly unrelated policies and technological developments that, in combination, make Social Security numbers obsolete for authentication purposes, according to Acquisti and Gross. Because many businesses use Social Security numbers as passwords or for other forms of authentication — a use not anticipated when Social Security was devised in the 1930s — the predictability of the numbers increases the risk of identity theft. ID theft cost Americans almost $50 billion in 2007 alone. The Social Security Administration could mitigate this vulnerability by assigning numbers to people based on a randomized scheme, but ultimately an alternative means of authenticating identities must be adopted, the authors conclude.

"In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone," said Acquisti, a researcher in the Carnegie Mellon CyLab. Information that once was useful to make public may now be too available. An example is the Social Security Administration's Death Master File, a public database with Social Security numbers, dates of birth and death, and states of birth for every deceased beneficiary. Its purpose is to prevent impostors from assuming the Social Security numbers of deceased people. But Acquisti and Gross found that analyzing the death file enabled them to detect statistical patterns that would help them predict Social Security numbers of the living.

These statistical patterns can help narrow guesses of an individual's Social Security number, when combined with that person's date and state of birth. Birth information can be obtained from various sources, including commercial databases, public records (such as voter registration lists) and the millions of profiles that people publish about themselves on social networks, personal Web sites and blogs.

The statistical patterns and the birth information can be used to predict Social Security numbers because the Social Security Administration's methods for assigning numbers, based in part on geography, are well-known. For most individuals born nationwide since 1989, Social Security numbers are assigned shortly after birth, making those numbers easier to predict.

Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. They could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth: for instance, they needed 10 or fewer attempts to predict all nine digits for one out of 20 SSNs issued in Delaware in 1996. Sensitive details of the prediction strategy were omitted from the article.

"If you can successfully identify all nine digits of an SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN," the authors noted.

When the researchers tested their method using birth dates and hometowns that students had self-reported on popular sites, the results were almost as good despite the inaccuracies typical of social network data. Enrollment records were used to confirm the accuracy of the predictions, though the researchers did not receive confirmation of any individual Social Security number, but only aggregate measures of accuracy.

"Dramatically reducing the range of values wherein an individual's Social Security number is likely to fall makes identity theft easier," Gross said. A fraudster who knows just the first five digits of an individual's number might use a phishing email to trick the person into revealing the last four digits. Or, a fraudster could use networks of compromised computers, or "botnets," to repeatedly apply for credit cards in a person's name until hitting the correct nine-digit sequence.

Future Social Security numbers could be made more secure by switching to a randomized assignment scheme, but protecting people who already have been issued numbers is harder, the researchers said. Given the ease with which Social Security numbers can be predicted — particularly the first five digits and particularly for the millions of Americans born since 1988 — legislative and policy initiatives aimed at removing the numbers from public exposure, or redacting their first five digits, may be well-meaning but misguided, Acquisti added.

"Given the inherent vulnerability of Social Security numbers, it is time to stop using them for verifying identities and redirect our efforts toward implementing secure, privacy-preserving authentication methods," Acquisti said. Methods to consider include two-factor authentication, similar to the PIN number/card combinations used for bank accounts, and digital certificates.

Source: Carnegie Mellon University (news : web)

Explore further: Computer scientists can predict the price of Bitcoin

add to favorites email to friend print save as pdf

Related Stories

Hackers breach UC Berkeley computer database

May 08, 2009

(AP) -- University of California, Berkeley, officials said Friday that hackers infiltrated restricted computer databases, putting at risk health and other personal information on 160,000 students, alumni and others.

Domain registry on the rise

Apr 27, 2006

Internet domain names may become as ubiquitous as Social Security numbers one day, according to Dotster Inc.

Recommended for you

Tablets, cars drive AT&T wireless gains—not phones

10 hours ago

AT&T says it gained 2 million wireless subscribers in the latest quarter, but most were from non-phone services such as tablets and Internet-connected cars. The company is facing pricing pressure from smaller rivals T-Mobile ...

Twitter looks to weave into more mobile apps

10 hours ago

Twitter on Wednesday set out to weave itself into mobile applications with a free "Fabric" platform to help developers build better programs and make more money.

Blink, point, solve an equation: Introducing PhotoMath

11 hours ago

"Ma, can I go now? My phone did my homework." PhotoMath, from the software development company MicroBlink, will make the student's phone do math homework. Just point the camera towards the mathematical expression, ...

Google unveils app for managing Gmail inboxes

11 hours ago

Google is introducing an application designed to make it easier for its Gmail users to find and manage important information that can often become buried in their inboxes.

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

El_Nose
not rated yet Jul 07, 2009
when combined with that person's date and state of birth.

lol -- at least reread the article


anyway i figured most people already new this -- if you leave in a state your first two numbers on your ssn are like only 2 - 4 combinations and then take city and date and you can really narrow it down -- how to get the last 4 are a mystery to me
david_42
not rated yet Jul 07, 2009
Having received my SSN before 1972 and not in my birth state this method doesn't work. So, I'll just have to rely on my bank to release the info due to carelessness.
PaulLove
not rated yet Aug 05, 2009
David,

That is why they specify that more recent dates are easier to predict as SS# are assigned to persons significantly closer to thier birth date. Where as for people born earlier it there might be a significant delay between birth and issuance of a SSN. It is also why smaller states are easier to "guess" correctly as for that time period with a smaller population many fewer numbers are issued. What the article fails to mention is that each successful datapoint Person to SSN increases their likelyhood of quickly pinpointing someone else in that geographic region