"Social Security Numbering Code System Cracked"
Posting by Staff
July 8, 2009
Carnegie Mellon University researchers published a report claiming that a U.S. individual's 9-digit Social Security number can be easily predicted using free or low-cost public information such as governmental sources, commercial databases, or online social networks.
According to the researchers, Alessandro Acquisti and Ralph Gross, information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). By using only publicly available information, they observed a correlation between individuals' SSNs and their birth data.
In the United States, a Social Security number (SSN) is a nine-digit number issued to U.S. citizens and permanent residents. Its primary purpose is to track individuals for taxation purposes. In recent years the SSN has become a de facto national identification number. The first SSNs were issued by the Social Security Administration in November 1936.
Determining an individual's SSN is made possible by the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites.
Using these sources, the researchers identified in a single attempt the first 5 digits for 44% of individuals born in the U.S. from 1989 to 2003, and the complete SSNs in fewer than 1000 attempts (making SSNs akin to 3-digit financial PINs) for 8.5% of their test group.
By their estimates, at least 10 million U.S. residents make their birthday information publicly available or inferable on their online profiles. SSN predictions do not require knowledge of someone's birth zip code, just his or her state and date of birth.
An attacker who knows just the first five digits of an individual's number might use an email to trick the person into revealing the last four digits, or could use networks of compromised computers to repeatedly apply for credit cards in a person's name until hitting the correct nine-digit sequence. ID theft cost Americans almost $50 billion in 2007 alone.
The authors conclude that the Social Security Administration should ultimately adopt an alternative means of authenticating identities. Until then, the best way to protect yourself is to not make your birthdate or place of residence publicly available on social networking sites, and to learn how to identify hoax email.
Source: Full Report at Proceedings of the National Academy of Sciences.