Keeping your Social Security number secret may not be enough to protect you from identity theft. According to a new study, a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries. Those individuals particularly at risk were born in smaller states after 1989, when receiving a Social Security number at birth became the norm.
Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits. But as more banks, credit card companies, and government agencies have used them as proof of identification, Social Security numbers have become a key instrument used to fake another's identity. To help credit bureaus spot fraud, the Social Security Administration (SSA) publishes all records for deceased Social Security holders, as well as publicly describing the method for assigning numbers in various states. But researchers have now found that this very information opens the door to guessing someone's number.
Here's how Social Security numbers work: Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially.
On the surface, the process seems like it would lead to randomized--and thus secure--numbers. But it doesn't. When economist Alessandro Acquisti and computer scientist Ralph Gross of Carnegie Mellon University in Pittsburgh, Pennsylvania, compared SSA's public death records with birth data, they found that area numbers are not rotated until all 9999 serial numbers have been assigned. So instead of each of New York's 85 area numbers being the possible starting three digits for any Social Security number on any given day, Social Security numbers are assigned essentially in order: 576-32-0001 is followed immediately by 576-32-0002, etc. That means a potential thief can narrow down a number simply by knowing the date (often some 6 to 11 weeks after birth) on which one received it. After 1989, individuals started receiving Social Security numbers at birth, rather than at their discretion (often when they began their first job), so pinpointing these people's numbers is especially easy, says Acquisti.
So easy in fact that Acquisti and Gross were able to do it themselves. Using fairly standard computer algorithms, the duo predicted the first five digits of Social Security numbers for people born after 1989 44% of the time on the very first try. On a handful of attempts, they managed to get all nine digits on the first try, but at the very least they could predict the full numbers of 8.5% of those born after 1989 in fewer than 1000 tries, they report online today in the Proceedings of the National Academy of Sciences.
Such statistics, says Acquisti, mean that a computer-savvy attacker could simultaneously test numbers on credit applications easily accessible online and harvest some 47 numbers per minute. "Information that is publicly available is enough to predict Social Security numbers with a degree of accuracy which is quite concerning," he says.
The threat is real, agrees information privacy expert Chris Hoofnagle of the University of California, Berkeley. "Using Social Security numbers for both identification and authentication is no longer tenable, because possession of the number--unlike a fingerprint--offers no verification of identity," he says. It is also clear, says Hoofnagle, that years of consumer education to teach people not to share their Social Security number isn't adequate when one can simply predict a number.
Acquisti and Gross have brought their findings to the attention of numerous government agencies, including SSA. Several of these agencies plan to meet in Washington, D.C., this week to discuss the implications of the work.