IT | Security

Social Security Numbers Can Be Predicted

By: Absolute Team | 7/9/2009

According to Wired, two researchers at Heinze College, Carnegie Mellon University, were able to successfully predict Social Security Numbers using only publicly available information. The study by Alessandro Acquisti and Ralph Gross, Predicting Social Security Numbers from Public Data, will be published in the 'Proceedings of the National Academy of Sciences' and will be presented this July at the BlackHat convention.

Social Security Numbers (SSNs) are a primary piece of personal information sought by identity thieves, so it has always been cautioned that individuals and companies protect this sensitive information closely. However, this new study indicates that SSNs can be predicted from publicly available data.

Based on patterns in SSNs visible in the "Death Master File" (a database with SSNs of people who have died), Alessandro and Ralph were able to determine that date of birth and state of birth could be used to predict a narrow range of values likely to contain the individual's assigned SSN. This information becomes more accurate for individuals born after 1988.

Within 2 attempts, the researchers were able to correctly guess the first 5 digits of SSNs for 60% of deceased individuals; within 1000 attempts, they could identify all 9 digits for 8.5% of the group (a number that would inevitably go up with more attempts). A hacker could then create a process to exploit existing services to test and verify SSNs.

Since SSNs are considered a primary form of identification, upon which you can apply for additional identification or for credit, there are troubling consequences to this discovery. From the executive summary of the study:

Since SSNs are predictable from public data, identity theft could occur even without events such as data breaches. Some of the implications are that 1) the SSA should randomize the entire SSN assignment process; 2) current policy initiatives in the area of SSN and identity theft should be reconsidered: most policy-making currently focuses on removing SSNs from databases or redacting their digits, so that they can still be used as "confidential information" - however, since SSNs are predictable from otherwise publicly available data, SSNs cannot be kept confidential even if they are removed from databases, and therefore those initiatives may be ineffective; 3) since SSNs can be predicted and are therefore, in a sense, semi-public information, consumers should not be required by private sector entities to use SSNs as passwords or for authentication.

The report makes some recommendations to government agencies, policy-makers, credit and financial institutions, online services and consumers regarding SSNs. You can read them here.