A new study says that identity thieves may be able to use easily accessible information like your birthday and hometown listed in commercial databases, public voter registration lists, and even on social networking websites and blogs to predict your Social Security number. Two Carnegie Mellon University researchers found that an individual’s date and place of birth were sometimes sufficient to guess his or her Social Security number.
Alessandro Acquisti, an associate professor of information technology and public policy, and Ralph Gross, a post-doctoral researcher, were able to infer Social Security numbers using mathematical algorithms and patterns in the way Social Security numbers are assigned. They were able to predict, in a single attempt, the first five Social Security digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. All 9 digits were identified correctly for 8.5 percent of individuals born after 1988 in fewer than 1,000 attempts. “If you can successfully identify all nine digits of an Social Security number in fewer than 10, 100, or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN," the authors said in a statement. Their predictions were verified using the Social Security Administration's Death Master File, a public database that contains the Social Security numbers of all deceased beneficiaries.
Social Security numbers can be inferred because the Social Security Administration assigns numbers based in part on geography. The Social Security number's first three digits are issued based on the zip code of the mailing address provided on the Social Security application form, the middle two digits are allocated in a precise but nonconsecutive order between 01 and 99, and the last 4 digits are issued in a sequential order. Since 1989, Social Security numbers have been assigned shortly after birth, which makes younger American’s Social Security numbers even easier to figure out, according to Carnegie Mellon. Acquisti and Gross were able to more accurately predict the Social Security numbers of Americans in smaller states and in more recent years of birth. For example, they needed 10 or fewer attempts to predict all nine digits for one out of 20 Social Security numbers issued in Delaware in 1996. “The SSN assignment scheme effectively discriminates in terms of higher identification risks against younger individuals born in less populous states,” the authors wrote in a paper published this week in the research journal Proceedings of the National Academy of Sciences.
In a second experiment, the researchers used birth dates and hometowns that 621 college students reported on social networking sites and information gleaned from public records to predict their Social Security numbers. Enrollment records were then used to confirm the accuracy of their predictions. The researchers accurately infer the first 5 digits for 6.3 percent of the college students in a single attempt. Approximately a third of the projections were within 1,000 digits of the student’s actual Social Security number.
Being able to deduce even the first 5 digits of someone’s Social Security number makes identity theft easier, say the Carnegie Mellon researchers. Thieves could potentially use networks of computers to apply repeatedly for credit cards in another person’s name until hitting on the correct sequence of numbers or send out a phishing e-mail to attempt to trick someone into revealing the last four digits of their Social Security number. But the Social Security Administration says Americans should not be alarmed by this report. “There is no fool proof method for predicting a person's Social Security Number,” says Mark Lassiter, a spokesman for the Social Security Administration. “The method by which Social Security assigns numbers has been a matter of public record for years. The suggestion that Mr. Acquisti has cracked a code for predicting a Social Security number is a dramatic exaggeration.”
Acquisti and Gross say future Social Security numbers could be made more secure by switching to a more randomized assignment scheme. For reasons unrelated to this report, the Social Security Administration has been developing a system to randomly assign Social Security numbers. The new numbering strategy will be implemented next year.