Social Security Number Code Cracked, Study Claims

By U.S. News Staff

July 6, 2009 RSS Feed Print

RANDOLPH E. SCHMID,
AP Science Writer

WASHINGTON—For all the concern about identity theft, researchers say there's a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans' Social Security numbers.

"It's good that we found it before the bad guys," Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.

Acquisti and Ralph Gross report in Tuesday's edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

For smaller states their accuracy was considerably higher than in larger ones.

Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.

Social Security spokesman Mark Lassiter said the public should not be alarmed by the report "because there is no foolproof method for predicting a person's Social Security number."

"The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration," Lassiter said via e-mail.

However, he added: "For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year."

The researchers say their report omits some details to make sure they aren't providing criminals a blueprint for obtaining the numbers.

The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.

A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.

"In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone," he said, warning against providing too much data on social network sites.

Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available by looking at social networks, which he termed "a great experiment in self-revelation."

People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.

So the researchers turned to the SSA's "Death Master File," which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.

But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.

"I was surprised by the accuracy of certain predictions," Acquisti said.

The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.

In addition, "attackers can exploit various public- and private-sector online services, such as online "instant" credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.

While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.

"Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs," Acquisti said.

The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.

___

On the Net:

PNAS: http://www.pnas.org

Tags:
technology,
computers

Reader Comments Read all comments (2)

Add Your Thoughts
Your comment will be posted immediately, unless it is spam or contains profanity. For more information, please see our Comments FAQ.

To simplify what I wrote in the first article: With the specifically designed random number generator, you insert your social security number as the seed number, then use your birthday as the nth number; the resulting number is your unique equivalent social security number that no one can predict. If the government used this technique, then a crook could never figure out what your social security number means to the social security administration. It wouldn't matter if someone else knew your number because of the unique output of the specially designed random number generator. This could prevent identity theft.

Robert L. Matarainen of NY 6:48PM September 05, 2009

Random number generators are not so random; for example, on a specifically designed random number generator, the first, second, third random number up to the nth random number is always the same if you feed in the same "Seed" number. SO by having a specially designed random number generator, you can feed in a person's social security number as the "Seed" number and the 5th, or nth number will be unique to the Seed Social Security Number. This resulting output number can be used to verify and confuse a crook because the nth number can be changed weekly, daily or whatever. So if the crook gets your social security number, who cares because the gov't is using your social security number as a seed and on certain days, only the unique nth number is significant.

Robert L. Matarainen of NY 1:26AM August 08, 2009

National Science Foundation

NSF

Young professional works at his computer
Cybersecurity: Training Students

CyberWatch spans all school levels.

Science of Spatial Learning

Center seeks to transform teaching practices.

Schools in the Little Rock School District are among the 2012 U.S. News Best High Schools.
Studying Carbon in Rivers

Researcher explores physical, chemical and biological interactions.

advertisement

Science Discoveries

Science Discoveries

iTunes icon RSS icon

advertisement

  1. Maryland Man Arrested After Admitting to Killing, Eating Roommate
  2. Miami's 'Naked Zombie' Proves Need to Ban Bath Salts, Experts Say
  3. The Best Jobs of 2012
  4. Daily 'Dose' of Dark Chocolate Might Shield the Heart
  5. 'Ron Paul Festival' Could Bring 100k Supporters to GOP Convention

Editor's Picks

Money »

Best Mutual Funds

Use the U.S. News Mutual Fund Score and the rankings of trusted fund analysts to pick an investment that's right for you.

Politics & Policy »

Photo Gallery: Michelle Obama

Take a look back at the first lady's first year in the White House.

Education »

How to Cut College Costs by $5,000

Colleges that lock tuition at the freshman rate can save parents thousands.

Health »

How to Choose the Right Nursing Home, Step by Step

Autos »

US News Best Cars for the Money: 2010

Cars that make the most economic sense — not just when you sign on the dotted line, but for years after.