A breakthrough by researchers at Carnegie Mellon University showed recently that our Social Security numbers may not be as secure as we would like to believe.
To hear the Social Security Administration (SSA) tell it, the public should not be concerned because, as a spokesperson told The New York Times, there’s still “no foolproof method for predicting a person’s Social Security number.”
“The method by which Social Security assigns numbers has been a matter of public record for years,” SSA Spokesperson Mark Lassiter told the Times. “The suggestion that Mr. Acquisti has cracked a code for predicting an S.S.N. is a dramatic exaggeration.”
Still, the study was enough to give many observers pause, and for good reason. What the analysis shows is that it is possible to use algorithm to predict a person’s Social Security number based on their data and place of birth.
The findings, published Monday in the Proceedings of the National Academy of Sciences, were the work of researchers Alessandro Acquisti, an associate professor of information technology and public policy, and Ralph Gross, a post-doctoral researcher.
Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. In a single attempt, they could identify the first five digits for 44 percent of the individuals born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of the individuals born after 1988 in fewer than 1,000 attempts. Their guesses were more for smaller states and recent years of birth – in the case of Delaware, they needed 10 or fewer attempts to predict all nine digits for one out of 20 Social Security numbers issued in 1996.
The findings are troubling, especially given the amount of personal data on the Web. Social networking sites such as Facebook and LinkedIn have also lowered the barriers to gathering such information. But while this may make things simpler for identity thieves, easier doesn’t equal easy. For one thing, criminals would have to be able to copy the researchers’ methodology, no easy task. For another, the Social Security Administration is in the process of developing a system to randomly generate numbers that will be in place next year.
Still, the validity of the algorithm suggests those nine digits we hold so dear may not be as un-guessable as some of us think.
“Dramatically reducing the range of values wherein an individual’s Social Security number is likely to fall makes identity theft easier,” Gross said in a statement. “A fraudster who knows just the first five digits of an individual’s number might use a phishing e-mail to trick the person into revealing the last four digits. Or, a fraudster could use networks of compromised computers, or “botnets,” to repeatedly apply for credit cards in a person’s name until hitting the correct nine-digit sequence.”