Social Security Numbers Not as Safe as We Thought?
A breakthrough by researchers at Carnegie Mellon University showed recently that our Social Security numbers may not be as secure as we would like to believe. To hear the Social Security Administration (SSA) tell it, the public should not be concerned because, as a spokesperson told The New York Times, there's still "no foolproof method for predicting a person's Social Security number." "The method by which Social Security assigns numbers has been a matter of public record for years," SSA Spokesperson Mark Lassiter told the Times. "The suggestion that Mr. Acquisti has cracked a code for predicting an S.S.N. is a dramatic exaggeration." Still, the study was enough to give many observers pause, and for good reason. What the analysis shows is that it is possible to use algorithm to predict a person's Social Security number based on their data and place of birth. The findings, published Monday in the Proceedings of the National Academy of Sciences, were the work of researchers Alessandro Acquisti, an associate professor of information technology and public policy, and Ralph Gross, a post-doctoral researcher. The findings are troubling, especially given the amount of personal data on the Web. Social networking sites such as Facebook and LinkedIn have also lowered the barriers to gathering such information. But while this may make things simpler for identity thieves, easier doesn't equal easy. For one thing, criminals would have to be able to copy the researchers' methodology, no easy task. For another, the Social Security Administration is in the process of developing a system to randomly generate numbers that will be in place next year. Still, the validity of the algorithm suggests those nine digits we hold so dear may not be as un-guessable as some of us think. "Dramatically reducing the range of values wherein an individual's Social Security number is likely to fall makes identity theft easier," Gross said in a statement. "A fraudster who knows just the first five digits of an individual's number might use a phishing e-mail to trick the person into revealing the last four digits. Or, a fraudster could use networks of compromised computers, or "botnets," to repeatedly apply for credit cards in a person's name until hitting the correct nine-digit sequence." |
Comments (3)
Safer than we thought? Surely, no one thought SSN were safe.
This is why many places don't ask for your whole SSN any longer, but only the terminal four digits.
The real problem here is that the first five digits are highly predictable for those born after 1983.
Consequently, a breach of a data store containing name, DOB and terminal four digits can be quickly leveraged to full SSN breach for many (close to half) of SSNs, from my reading of the research.
Posted by Paul Burrell | July 8, 2009 2:15 PM
I was a student at Carnegie Mellon from 1993-1997, and our student id numbers were our SSNs. You could even use your SSN to order pizza from Dominoes Pizza back then, and they would charge your student account. So only now are Carnegie Mellon researchers realizing that the SSN is not secure?
Posted by Jon | July 8, 2009 7:30 PM
The law today requires new-born children to receive an SSN, but that wasn't the case when I was born. I was almost a teenager before the law went into effect requiring me to get an SSN. My family moved to a new state every few years, so the state in which I received my SSN was far removed from my state of birth. As a result, my SSN has no connection to my state of birth. But, thanks to the laws, for most people, the first 3 digits of their SSN are directly related to their state of birth.
Our personal info isn't secure, partly because laws require us to divulge sensitive information about ourselves in ways that members of the public can exploit.
Posted by Richard Alexander | July 9, 2009 3:58 AM