Public information available from government sources, commercial databases or online social networks could be used to predict most–and sometimes all–of an individual’s nine-digit Social Security number, according to two Carnegie Mellon University researchers, who intend to present their findings at the BlackHat 2009 information security conference later this month in Las Vegas.
Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon’s H. John Heinz III College, and Ralph Gross, a post-doctoral researcher at the Heinz College, have found that an individual’s date and state of birth are sufficient to guess a person’s Social Security number. The study findings will appear this week in the online Early Edition of the Proceedings of the National Academy of Science. Additional information about the study and some of the issues it raises is available here.
Because many businesses use Social Security numbers as passwords or for other forms of authentication–a use not anticipated when Social Security was devised in the 1930s–the predictability of the numbers increases the risk of identity theft, the pair say.
“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” said Acquisti, a researcher in the Carnegie Mellon CyLab.
Information that once was useful to the public may now be too available. An example is the Social Security Administration’s Death Master File, a public database with Social Security numbers, dates of birth and death, and states of birth for every deceased beneficiary. Its purpose is to prevent impostors from assuming the Social Security numbers of deceased people. But Acquisti and Gross found that analyzing the death file enabled them to detect statistical patterns that would help them predict Social Security numbers of the living.
These statistical patterns can help narrow guesses of an individual’s Social Security number, when combined with that person’s date and state of birth. Birth information can be obtained from various sources, including commercial databases, public records (such as voter registration lists) and the millions of profiles that people publish about themselves on social networks, personal Web sites and blogs.
The statistical patterns and the birth information can be used to predict Social Security numbers because the Social Security Administration’s methods for assigning numbers, based in part on geography, are well-known. For most individuals born nationwide since 1989, Social Security numbers are assigned shortly after birth, making those numbers easier to predict.
Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. They could identify in a single attempt the first five digits for 44% of deceased individuals who were born after 1988 and for 7% of those born between 1973 and 1988. They were able to identify all nine digits for 8.5% of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth. For instance, they needed 10 or fewer attempts to predict all nine digits for one out of 20 SSNs issued in Delaware in 1996. Sensitive details of the prediction strategy were omitted from the article.
“If you can successfully identify all nine digits of an SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN,” the authors noted.
Knowing just five digits, the two note, could help scam artists obtain the other four. The scammer might, for example, use a phishing email to trick the person into revealing the last four digits. Or, a fraudster could use networks of compromised computers, or botnets, to repeatedly apply for credit cards in a person’s name until hitting the correct nine-digit sequence, the authors warn.
One solution is for the Social Security Administration to switch to a randomized assignment scheme, but that won’t help people who have already been issued numbers.
The National Science Foundation, the U.S. Army Research Office, Carnegie Mellon CyLab and the Berkman Faculty Development Fund provided support for this research.
Carnegie Mellon, which touts itself as a global university, has its main campus in Pittsburgh. It also has campuses in California’s Silicon Valley and Qatar, and programs in Asia, Australia and Europe.