Social Security number code cracked, study claims

digg Share this on Facebook Huffpost - Social Security number code cracked, study claims stumble reddit del.ico.us RSS

RANDOLPH E. SCHMID | 07/ 6/09 05:21 PM | AP

I Like ItI Don’t Like It
Read More: Guess Social Security Numbers, Social Security, Social Security Numbers, Social Security Numbers Can Be Guessed, Ss Numbes Can Be Guessed, Politics News

WASHINGTON — For all the concern about identity theft, researchers say there's a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans' Social Security numbers.

"It's good that we found it before the bad guys," Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.

Acquisti and Ralph Gross report in Tuesday's edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 _ when the government began issuing numbers at birth _ the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

For smaller states their accuracy was considerably higher than in larger ones.

Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.

Social Security spokesman Mark Lassiter said the public should not be alarmed by the report "because there is no foolproof method for predicting a person's Social Security number."

"The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration," Lassiter said via e-mail.

Story continues below
advertisement

However, he added: "For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year."

The researchers say their report omits some details to make sure they aren't providing criminals a blueprint for obtaining the numbers.

The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.

A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.

"In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone," he said, warning against providing too much data on social network sites.

Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available by looking at social networks, which he termed "a great experiment in self-revelation."

People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.

So the researchers turned to the SSA's "Death Master File," which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.

But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.

"I was surprised by the accuracy of certain predictions," Acquisti said.

The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.

In addition, "attackers can exploit various public- and private-sector online services, such as online "instant" credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.

While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.

"Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs," Acquisti said.

The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.

___

On the Net:

http://www.pnas.org

WASHINGTON — For all the concern about identity theft, researchers say there's a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans' Social Securi...
WASHINGTON — For all the concern about identity theft, researchers say there's a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans' Social Securi...
Read more from Huffington Post bloggers:

Loading...
 
Report Corrections
 
Comments
1348
Pending Comments
0
iPhone App Promo

Want to reply to a comment? Hint: Click "Reply" at the bottom of the comment; after being approved your comment will appear directly underneath the comment you replied to

View Comments:
Page: 1 2 3 4 5 6 7 8 Next › Last » (18 pages total)
- research I'm a Fan of research 281 fans permalink

Virtually everyone's ss# and mother maiden name has been stolen and is available to crooks.

Use passwords on all your account,

    Favorite    Flag as abusive Posted 02:41 PM on 07/07/2009
- KIVPossum I'm a Fan of KIVPossum 70 fans permalink
photo

When you have to list your SS# on a check, when many firms use it as way for employees to clock in, when you have to give it to anyone for anything, who believes there is any security in the number? I dare say you could follow almost anyone around a couple of hours and have their number.

    Favorite    Flag as abusive Posted 01:51 PM on 07/07/2009
- Bitsko I'm a Fan of Bitsko 543 fans permalink
photo

And thus are urban legends born.

    Favorite    Flag as abusive Posted 01:08 PM on 07/07/2009
- cozen I'm a Fan of cozen permalink

OMG 1984. Is this the lead up to a fascist state?

    Favorite    Flag as abusive Posted 12:36 PM on 07/07/2009
- atomic I'm a Fan of atomic 68 fans permalink
photo

I had no idea they assigned social security numbers at birth now ... That seems screwed up to me .. our social security number should not be tied to our financial identities that can be hacked and used against us ... The problem is that the reason we have a SSN is so government and or banks can track our incomes and extract taxes from us.

A person is not allowed to work without one ... This seems normal because most of us grew up accepting that's how thing work but the whole system is set up to funnel money to banks and government that then spend it on things like wars and of course much of it lands in their own pocket books. We live in a system designed to keep track of us and keep us in debt to the banks who control the money and set the agenda.

    Favorite    Flag as abusive Posted 11:51 AM on 07/07/2009
- RitaLouise I'm a Fan of RitaLouise 2 fans permalink

Perhaps memory eludes me, but I am old enough to remember (?) that at one time we were ASSURED by our government that our Social Security number would remain only for use to issue SS checks when we retired. That, like many other governmental promises seemed to have been overcome by big business where it was discovered to be beneficial to their own needs. Comment anyone?

    Favorite    Flag as abusive Posted 10:44 AM on 07/07/2009
- Bozwellian I'm a Fan of Bozwellian 31 fans permalink

That very factor , that SUPPOSEDLY SS# were highly classified has been rather a real hooter for some time...Apply for a job, apply for credit of any kind, a bank account, insurance, vist a doctor's office and fill in the balnks...enroll in school-preschool onward and ever after REQUIRE the SS #. I remember refusing to put info at a doctors office ona form as a new patient, was told NO problem, they would simply get it from the insurance listed ...There is NO security in SS# but evryone at risk and no defense !!

    Favorite    Flag as abusive Posted 03:30 PM on 07/07/2009
- Bude I'm a Fan of Bude 164 fans permalink
photo

If someone steals my identity, they give it right back.

    Favorite    Flag as abusive Posted 10:21 AM on 07/07/2009
- BigAl72 I'm a Fan of BigAl72 136 fans permalink
photo

LOL

    Favorite    Flag as abusive Posted 01:50 PM on 07/07/2009
- isis I'm a Fan of isis 17 fans permalink
photo

When I was in graduate school grades were posted by SS# and we could guess everybody's. It had to do with age and where you were from. But we did have to also guess at who was at the top and bottom of the class which we gathered from how much complaining or gloating went on.

    Favorite    Flag as abusive Posted 10:02 AM on 07/07/2009
- wadda I'm a Fan of wadda 4 fans permalink

I had a security guard gig while at a university. It would blow people away when I stated where they were from from their student ID numbers --shh, Social Security #. I even did dialect analysis for on the fly for fun; "You were born in MN, but it sounds like you lived in southern IL for most of your life." It would knock their socks off.

Not ever attempt was a winner, but when I hit it...man!

    Favorite    Flag as abusive Posted 12:36 PM on 07/07/2009
- Chubbster I'm a Fan of Chubbster 36 fans permalink

Yes, guessable like any lottery ticket.

    Favorite    Flag as abusive Posted 09:51 AM on 07/07/2009
- quantumspin I'm a Fan of quantumspin 35 fans permalink

Several years ago, I was pulled over and a state trooper asked to see my ID, SSN, and driver's license. He looked at my SSN and knew what state I lived in when the card was issued, and the approximate year that the card was issued. He said he did this from the first 5 digits. He didn't use a 'decoder' but just looked at the ssn to tell me this info. So if someone knows where you lived as a kid and your age 'today' they can devise a good guess of the first five SSN digits.

    Favorite    Flag as abusive Posted 09:33 AM on 07/07/2009
- Tagrid I'm a Fan of Tagrid 4 fans permalink
photo

Your Govt doesn't follow their own cautions. Our military uses SS#s instead of military ID#s. Medicare and most insurance, including the VA, use your SS# as your acct # - these numbers are on everything from dog tags to medical cards you carry around and show (even tho you're cautioned not to carry your SS card.)

Besides banks and credit cards, utility companies, gas, elec, cable, phone all require a SS# - how many times have you been asked for the "last 4 digits of your SS#?" Those last 4 digits are the only "random" part of your SS# - the rest can be guessed - so you're just giving away the hard part whenever asked.

The way to fix this weak system is to go ahead and let the SS# be used as a personal identifier - but require a 5-digit pin# to be physically punched in for legit reasons to verify it. Any company that has a good reason to verify it should have a dedicated key pad connected only to the SSA.

BTW, have you ever noticed that when you use a credit card for a purchase, or a meal in a restaurant, some of them print out only the last 4-digits of your card number, and others print out the whole number? That's because some of them run the card immediately, and others run all the card numbers later. In the meantime all of the employees have access to your number. Feels good eh?

    Favorite    Flag as abusive Posted 09:02 AM on 07/07/2009
- WillT I'm a Fan of WillT 5 fans permalink

This article should be viewed as another reminder that monitoring and protecting your personal information is not something that should be viewed as casually as "this is gov't issued identification information, as long as my card isn't stolen i'm safe". Citizens should check things like credit reports regularly. Credit monitoring services for $10-$13 a month, fraud reports and law enforcement are already in place to resolve these issues, I speak from personal experience. My issue involving a total of 15K worth of fraud was handled within 6 weeks and the only money I spent was for paper, envelopes and stamps, for a grand total of $2.60 because I informed myself. By law every citizen is entitled to a free credit report from each major Bureau, annually I believe.

Food for thought.

    Favorite    Flag as abusive Posted 09:02 AM on 07/07/2009
- BlackJAC I'm a Fan of BlackJAC 66 fans permalink

Makes sense, as the three-digit group is the state it was issued in and the two-digit group is when it was issued.

    Favorite    Flag as abusive Posted 08:20 AM on 07/07/2009
- igorz I'm a Fan of igorz 25 fans permalink

Tinfoil hat alert.

You ARE wearing yours, aren't you?

    Favorite    Flag as abusive Posted 07:41 AM on 07/07/2009
- mamacat I'm a Fan of mamacat 150 fans permalink

Ah, the less-than-soothing prevarications of the mighty bureacrat. What would we do without them?

    Favorite    Flag as abusive Posted 07:41 AM on 07/07/2009
Page: 1 2 3 4 5 6 7 8 Next › Last » (18 pages total)
Comments are closed for this entry

 You must be logged in to comment. Log in  or connect with 

Connect