THE BLOG
08/08/2009 05:12 am ET Updated May 25, 2011

Social Security Numbers Cracked, Creates Identity Theft Risk

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration's Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researches had a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, "making SSNs akin to 3-digit financial PINs." "Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identify theft on mass scales," the researchers wrote.

While the researchers work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations and educational institutions. Networks are like candy bars -- Social Security numbers can be hacked from outside the hard chocolate shell or from the soft and chewy inside.

The problem stems from that fact that our existing system of identification is seriously outdated and needs to be significantly updated. We rely on nine digits as a single identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. We will only begin to solve this problem when we incorporate multiple levels of authentication into our identification process.

The process of true and thorough authentication begins with "identity proofing." Identity proofing is a solution that begins to identify, authenticate and authorize. Consumers, merchants, government don't just need authentication. We need a solution that ties all three of these components together.

Jeff Maynard, President and CEO of Biometric Signature ID, provides a simple answer to a complicated issue in four parts:

Identify -- A user must be identified when compared to others in a database. We refer to this as a reference identity. A unique PIN, password or username is created and associated with your credential or profile.

Authenticate -- Authentication is different than verification of identity. Authentication is the ability to verify the identity of an individual based specifically on their unique characteristics. This is known as a positive ID and is only possible when using a biometric. A biometric can be either static or dynamic (behavioral). A static biometric is anatomical or physiological, such as a face, a fingerprint or DNA. A dynamic biometric is behavioral, such as a signature gesture, voice, or possibly gait. This explains why, when authentication solutions incorporate multiple factors, at least two of the following identifiers are required: something you have, such as a token or card, something you are, meaning a biometric identifier, and something you know, meaning a pin or password.

Verify -- Verification is used when the identity of a person cannot be definitely established. These technologies provide real time assessment of the validity of an asserted identity. When we can't know who the individual is, we get as close as we can in order to verify their asserted identity. PINs, passwords, tokens, cards, IP addresses, behavioral based trend data and credit cards are often used for verification. These usually fall into the realm of something you have or something youknow.

Authorize -- Once the user has passed the identification test and authenticated their identity, they can make a purchase or have some other action approved. Merchants would love to have a customer's authenticated signature to indicate his or her approval of a credit card charge. This is authorization.

Effective identification results in accountability. It is being achieved in small segments of government and in the corporate world, but not systematically. Unfortunately, we are years away from full authentication.

1. Get a credit freeze. Go online now and search "credit freeze" or "security freeze" and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what's buzzing out there in regards to YOU.