Pittsburgh — Criminals can easily predict a person’s Social Security number using publicly available data, according to Carnegie Mellon University researchers.
The researchers found that an individual’s date and state of birth were all that were needed to guess his or her Social Security number with great accuracy. This creates an obvious risk of identity theft, as many businesses use Social Security numbers as passwords or for other forms of authentication — a use not anticipated when Social Security was devised in the 1930s. ID theft cost Americans almost $50 billion in 2007 alone.
“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” said Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon.
For most individuals born since 1989, Social Security numbers are assigned shortly after birth, making those numbers easier to predict. Under the assignment scheme in use at the time, the first three digits depended on the state in which the number was applied for and the remaining digits were issued in a fixed order, so people born in the same state at around the same time received numbers that were close together.
One source of information is the Social Security Administration’s Death Master File, a public database listing the Social Security number, dates of birth and death, and state of birth of every deceased beneficiary. Although it is intended to prevent impostors from assuming the Social Security numbers of deceased people, the researchers found that it let them detect statistical patterns in how numbers were assigned, patterns that also help predict the Social Security numbers of the living.
The researchers tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. They could identify in a single attempt the first five digits for 44 percent of those who were born after 1988 and for seven percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth.
Fraudsters who know just the first five digits of an individual’s number might use a phishing email to trick the person into revealing the last four digits, the authors warn. Alternatively, they could use a botnet to repeatedly apply for credit cards in a person’s name until they hit the correct number.
Assigning numbers randomly would help, but ultimately an alternative means of authenticating identities must be adopted, the authors conclude.
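The two points above, that numbers issued in birth order for a given state can be inferred from a public file of other people's records, and that random assignment removes the pattern, can be shown with a small simulation. The following is example code written for this page, not the Carnegie Mellon researchers' algorithm, data or results. It builds a constructed "death file" for one state under a deliberately simplified issuance model (assumption: one counter per state that advances in birth order, with the five-digit prefix changing every 10,000 numbers), holds out some people as the "living" targets, and guesses each target's prefix from the file entries with the nearest birth dates. The same predictor is then run against a population whose prefixes were assigned at random.

```python
"""Added illustration for this page: predictability of sequentially issued
identifiers versus randomly issued ones. The issuance model, block size,
step sizes and population are constructed assumptions, not the real SSA
scheme or the study's method."""
import random
from collections import Counter
from datetime import date, timedelta

BLOCK = 10_000                       # assumption: numbers per five-digit prefix
PREFIX_MIN, PREFIX_MAX = 10_000, 99_999


def simulate_population(n, first_birthday, span_days, sequential, rng):
    """Constructed population for one state: list of (birth_date, first-five-digit prefix).

    sequential=True: prefixes come from a counter that advances in birth order,
    so people born close together share a prefix (the pattern the article describes).
    sequential=False: each prefix is drawn uniformly at random (the proposed fix).
    """
    births = sorted(first_birthday + timedelta(days=rng.randrange(span_days))
                    for _ in range(n))
    counter = PREFIX_MIN * BLOCK     # hypothetical starting point of the state's counter
    people = []
    for birth in births:
        if sequential:
            counter += rng.randrange(50, 400)   # numbers issued to others in between
            prefix = counter // BLOCK
        else:
            prefix = rng.randint(PREFIX_MIN, PREFIX_MAX)
        people.append((birth, prefix))
    return people


def split(people, holdout_fraction, rng):
    """Randomly split into the public file (known) and the living targets to predict."""
    people = list(people)
    rng.shuffle(people)
    cut = int(len(people) * holdout_fraction)
    return people[cut:], people[:cut]


def rank_prefixes(known, birth_date, k=7):
    """Candidate prefixes for someone born on birth_date, most likely first.

    Take the k file entries whose birth dates are closest to the target's and
    order their prefixes by how many neighbours share them, then by closeness.
    """
    nearest = sorted(known, key=lambda rec: abs((rec[0] - birth_date).days))[:k]
    votes = Counter(prefix for _, prefix in nearest)
    first_seen = {}
    for i, (_, prefix) in enumerate(nearest):
        first_seen.setdefault(prefix, i)
    return sorted(votes, key=lambda p: (-votes[p], first_seen[p]))


def evaluate(people, rng, holdout=0.2, k=7):
    """Return (fraction right on the first guess, fraction right within three guesses)
    over the held-out targets; the first figure mirrors the article's
    'in a single attempt' measure."""
    known, targets = split(people, holdout, rng)
    top1 = top3 = 0
    for birth, true_prefix in targets:
        ranked = rank_prefixes(known, birth, k)
        if ranked[0] == true_prefix:
            top1 += 1
        if true_prefix in ranked[:3]:       # absent entirely under random assignment
            top3 += 1
    return top1 / len(targets), top3 / len(targets)


def compare(seed=2009):
    """Run the same predictor against sequential and random assignment."""
    rng = random.Random(seed)
    start = date(1989, 1, 1)
    sequential = simulate_population(3000, start, 730, True, rng)
    randomized = simulate_population(3000, start, 730, False, rng)
    return {"sequential": evaluate(sequential, rng),
            "random": evaluate(randomized, rng)}


if __name__ == "__main__":
    for scheme, (t1, t3) in compare().items():
        print(f"{scheme:10s} first guess: {t1:6.1%}   within 3 guesses: {t3:6.1%}")
```

With the sequential model the first guess is right for the large majority of targets and almost all are covered within three guesses, because the only hard cases are people born right where the counter crossed a prefix boundary. With random prefixes the same neighbours carry no information and the hit rate collapses to chance, which is the effect the authors' recommendation relies on.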
The study findings will appear in the Proceedings of the National Academy of Sciences, and will be presented on July 29 at the BlackHat 2009 information security conference in Las Vegas.