Carnegie Mellon researchers find social security numbers can be predicted with public information
Carnegie Mellon University researchers have shown that public information readily gleaned from governmental sources, commercial data bases, or online social networks can be used to routinely predict most — and sometimes all — of an individual's nine-digit Social Security number. Project lead Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon's H. John Heinz III College, and Ralph Gross, a post-doctoral researcher at the Heinz College, have found that an individual's date and state of birth are sufficient to guess his or her Social Security number with great accuracy. The study findings will appear this week in the online Early Edition of the Proceedings of the National Academy of Science, and will be presented on July 29 at the BlackHat 2009 information security conference in Las Vegas. Additional information about the study and some of the issues it raises is available at http://www.ssnstudy.org.
The predictability of Social Security numbers is an unexpected consequence of seemingly unrelated policies and technological developments that, in combination, make Social Security numbers obsolete for authentication purposes, according to Acquisti and Gross. Because many businesses use Social Security numbers as passwords or for other forms of authentication — a use not anticipated when Social Security was devised in the 1930s — the predictability of the numbers increases the risk of identity theft. ID theft cost Americans almost $50 billion in 2007 alone. The Social Security Administration could mitigate this vulnerability by assigning numbers to people based on a randomized scheme, but ultimately an alternative means of authenticating identities must be adopted, the authors conclude.
"In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone," said Acquisti, a researcher in the Carnegie Mellon CyLab. Information that once was useful to make public may now be too available. An example is the Social Security Administration's Death Master File, a public database with Social Security numbers, dates of birth and death, and states of birth for every deceased beneficiary. Its purpose is to prevent impostors from assuming the Social Security numbers of deceased people. But Acquisti and Gross found that analyzing the death file enabled them to detect statistical patterns that would help them predict Social Security numbers of the living.
These statistical patterns can help narrow guesses of an individual's Social Security number, when combined with that person's date and state of birth. Birth information can be obtained from various sources, including commercial databases, public records (such as voter registration lists) and the millions of profiles that people publish about themselves on social networks, personal Web sites and blogs.
The statistical patterns and the birth information can be used to predict Social Security numbers because the Social Security Administration's methods for assigning numbers, based in part on geography, are well-known. For most individuals born nationwide since 1989, Social Security numbers are assigned shortly after birth, making those numbers easier to predict.
Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. They could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth: for instance, they needed 10 or fewer attempts to predict all nine digits for one out of 20 SSNs issued in Delaware in 1996. Sensitive details of the prediction strategy were omitted from the article.
"If you can successfully identify all nine digits of an SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN," the authors noted.
When the researchers tested their method using birth dates and hometowns that students had self-reported on popular social networking sites, the results were almost as good despite the inaccuracies typical of social network data. Enrollment records were used to confirm the accuracy of the predictions, though the researchers did not receive confirmation of any individual Social Security number, but only aggregate measures of accuracy.
"Dramatically reducing the range of values wherein an individual's Social Security number is likely to fall makes identity theft easier," Gross said. A fraudster who knows just the first five digits of an individual's number might use a phishing email to trick the person into revealing the last four digits. Or, a fraudster could use networks of compromised computers, or "botnets," to repeatedly apply for credit cards in a person's name until hitting the correct nine-digit sequence.
Future Social Security numbers could be made more secure by switching to a randomized assignment scheme, but protecting people who already have been issued numbers is harder, the researchers said. Given the ease with which Social Security numbers can be predicted — particularly the first five digits and particularly for the millions of Americans born since 1988 — legislative and policy initiatives aimed at removing the numbers from public exposure, or redacting their first five digits, may be well-meaning but misguided, Acquisti added.
"Given the inherent vulnerability of Social Security numbers, it is time to stop using them for verifying identities and redirect our efforts toward implementing secure, privacy-preserving authentication methods," Acquisti said. Methods to consider include two-factor authentication, similar to the PIN number/card combinations used for bank accounts, and digital certificates.
Source: Carnegie Mellon University
Related
- Autism's social struggles due to disrupted communication networks in brainWed, 23 Jul 2008, 10:22:43 EDT
- Carnegie Mellon researchers apply new statistical testTue, 17 Mar 2009, 14:36:15 EDT
- Carnegie Mellon computer model reveals how brain represents meaningThu, 29 May 2008, 14:50:01 EDT
- Carnegie Mellon theory of visual computation reveals how brain makes sense of natural scenesWed, 19 Nov 2008, 14:01:30 EST
- Carnegie Mellon system estimates geographic location of photosWed, 18 Jun 2008, 10:42:53 EDT
Other sources
- Researchers find social security numbers can be predicted with public informationfrom Science CentricTue, 7 Jul 2009, 12:49:10 EDT
- Can Social Security Numbers be Predicted?from CBSNews - ScienceTue, 7 Jul 2009, 8:07:13 EDT
- Social Security Numbers Can Be Predicted With Public Informationfrom Science DailyMon, 6 Jul 2009, 23:28:20 EDT
- Black Hat: Your Social Security Number Can Be Predicted With Online Information, Say Researchersfrom Scientific BloggingMon, 6 Jul 2009, 20:56:06 EDT
- Social security numbers can be predicted with public information, researchers findfrom PhysorgMon, 6 Jul 2009, 17:28:35 EDT
- Social Security Numbers Are Easy to Guessfrom Science NOWMon, 6 Jul 2009, 17:21:18 EDT
- Social Security number code cracked, study claimsfrom NewsvineMon, 6 Jul 2009, 17:07:21 EDT
- Social Security number code cracked, study claimsfrom AP ScienceMon, 6 Jul 2009, 17:07:15 EDT
Latest Science Newsletter
Get the latest and most popular science news articles of the week in your Inbox!Learn more about
Popular science news articles
- First black holes may have incubated in giant, starlike cocoons, says CU-Boulder study
- Polyphenols and polyunsaturated fatty acids boost the birth of new neurons
- Molecule discovered that makes obese people develop diabetes
- Factors from common human bacteria may trigger multiple sclerosis
- Report shows dramatic decline in Siberian tigers
- Beyond sunlight: Explorers census 17,650 ocean species between edge of darkness and black abyss
- Generating electricity from air flow
- Therapy 32 times more cost effective at increasing happiness than money
- Beyond genomics, biologists and engineers decode the next frontier
- It's a gas: New discovery may lead to heartier, high-yielding plants
- Therapy 32 times more cost effective at increasing happiness than money
- Treatment with folic acid, vitamin B12 associated with increased risk of cancer, death
- Full recovery now possible for an 'untreatable' mental illness
- 5 exercises can reduce neck, shoulder pain of women office workers
- Beyond sunlight: Explorers census 17,650 ocean species between edge of darkness and black abyss
- New evidence that dark chocolate helps ease emotional stress
- African desert rift confirmed as new ocean in the making
- Scientists discover influenza's Achilles heel: Antioxidants
- Nanoparticles used in common household items caused genetic damage in mice
- New study links vitamin D deficiency to cardiovascular disease and death