Report: Social Security numbers can be predicted

It is possible to use publicly available data on state and date of birth to predict someone's Social Security number, particularly if they were born after 1988 and in smaller states, according to an article published Monday in The Proceedings of the National Academy of Sciences.

The ability to use statistic inference to predict the sensitive data exposes the Social Security numbers to identity fraud risks on "mass scales," the article said.

Social Security numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable; today, abused as authentication devices, they enable an 'architecture of vulnerability,' in which losses are incurred even in absence of fraud, because of costs caused by attempts to defend, and exploit, the system," the article concluded.

The researchers from Carnegie Mellon University analyzed Social Security numbers of people who have died to detect statistical patterns in the assignment of numbers. They were then able to use those patterns to predict a range of values likely to include a living person's Social Security number. Birth data, meanwhile, can be inferred from data brokers, voter registration lists, online white pages, and social-networking profiles, the report said.

The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records.

On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988.

"Extrapolating to the U.S. living population, this would imply the potential identification of millions of SSNs for individuals whose birth data were available," the article says.

The report goes on to give an example of how someone could get the entire Social Security number by renting a botnet to apply for credit cards impersonating 18-year-old West Virginia-born residents. Following numerous assumptions, including that the attacker can find birth data for 50 percent of the potential targets and that inquiries with the correct first seven of nine digits are sufficient for a credit reporting agency to answer a positive match in half of the cases, an attacker could potentially harvest credentials at rates as high as 47 per minute, obtaining 4,000 credentials within two hours before the IP addresses used in the botnet were blacklisted, the article said.

[cspwal]

I think it is time to hide in a hole.

[Saltiva]

Go ahead- but before you go, What is your Birth Date and Birth State??

[paulej]

It's not time to hide in a hole, but it's definitely time that creditors, the DMV, and other government agencies stop using SSNs where they were not intended to be used. I have a rather old Social Security card that states that these numbers are not intended to be used except in a manner as prescribed by the SSA (or similar language). But, credit reporting agencies and even other federal and state agencies now use these numbers. They're definitely too short and these statistical trends are not surprising. But that troubles me far less than the fact that these organizations (government and private sector) will accept that the person on the other end of a phone call or standing in person is who he says he is just because he can quote somebody's SSN, or worse, just the last 4 digits. While this is not at all secure, if you fall victim to ID theft, those same organizations require you to prove with multiple forms of ID that you are who you claim to be... and they still will not always clean up the mess they created by accepting the thief's word in the first place. It's definitely time for an overhaul.

[Renegade Knight]

Just holding credit reporting agencies accountable for reporting false data (slander and libel) about a persons credit history would do a lot to fix identity theft. It's always chapped me that a person has to do all the work and lead these "experts" by the nose to the truth about your credit when someone else creates a probelem.

[viper396]

So if they stop using a SSN what would you suggest legitimate agencies use to identify you? Your name? Address? Make up another form of ID numbers that you'll also need to protect? Your identity is more then just your SSN and plenty can be done without it. Creating yet another form of identification is not the answer. Whatever they use the possibility of identify theft will still exist unless you intend on living off the grid and away from civilization.


Tougher laws against the criminals would be a good start.

[ZetaZeta_]

@viper:
I completely agree. Making tougher and tougher punishment on those who actually cause harm to others makes a lot more sense than making those who have done nothing wrong pile on more and more security or identification.

[pentest]

Tougher laws never stop or slow anything down.

A constitutionally sound approach needs to be taken to make it extremely difficult to steal ones identity. What does it look like? I am not sure, but tougher sentences is a laughable "solution".

[c|net Reader]

@pentest

Tougher laws can work, but only if they are/can be enforced. If the risk of being caught and prosecuted is small, even capital punishment is rarely a sufficient deterrent. However, not having tough laws is silly in the extreme as there would be no way to punish those caught. It is not laughable.

[Jack K1]

People stole identities long before personal computers hit the scene. They were used everywhere from fraud to smuggling. The main difference is that we're now able to read about it online.

[rich58b]

Actually, the difference is in the quantities, not that you can read about it online. Years ago, the numbers of identity thefts could be counted in the hundreds. Now it's in the hundreds of thousands, and increasing yearly. Our legislators need to get off their butts, tell the banks to go to hell and do something about it. The banking lobby is a major reason they've done so little to fix this problem.

[zheng-ye]

Time to tattoo a bar code on us all at birth and be done with it. Wasn't that Hitler's idea originally. How far we've come.

[ikramerica--2008]

No, just time to stop using the SSN as your credit ID. Instead, you should apply to a credit company for a 16 digit number that will then be used as your credit ID along with other information besides simply a date of birth and name. SSN can be part of that criteria used, but shouldn't be required to be used.

[viper396]

@ikramerica. So what would make this "credit ID" exempt from identity theft? All your talking about is replacing one form of identification with another. That doesn't stop the possibility of identity theft as there is still an identity there that can be stolen. Someone with your "credit ID' could probable cause just as much finacial damage as someone with your SSN.

[c|net Reader]

@viper396

There's a slight difference. This article is talking about the possibility of someone stealing your identity by applying some computer resources to data readily available about you. With a new number handed out to people across the country, you eliminate the date/place of birth key to the number, thereby requiring compromise or outright theft to get the ID.

[basraw]

the first 5 aren't hard to figure out! if you put on FB your location, age, etc.. well DUH

[celticbrewer]

Gee- all this time I thought they were just randomly picking numbers like a lottery. Yeah!

Seriously. I noticed a pattern just by doing tax returns for a few people in my family. Way to go "researchers" from Carnegie Mellon University- you really came up with a breakthrough didn't you?

Unfortunately, if we switch to another ID number, what's stopping criminals from just using that number? The first thing to do would be require a PIN along with the ID number, but even that would be a low-level of security. Anything we have to verify against a databsae (PIN, Fingerprint scan, DNA, whatever) can be hacked into and forged. How many people sign up for a credit card in person versus online or via the mail? Anything physical (token, mag strip) can be stolen. We need a good trifecta of those options to come up with something halfway decent; but I doubt anything will be 100% bulletproof.

[ewestby]

@celticbrewer: Come on, putting "researchers" in quotation marks just makes you look like a typical Internet crank. Are you suggesting that because you anecdotally perceived a pattern in a few tax returns, that's the functional equivalent of proving it to a high degree of statistical significance in a random sample? People incorrectly perceive patterns in random data all the time. The researchers you unthinkingly belittled have done the hard work of proving an important point about the insecurity of public data -- and yet you feel contempt for them, because you think your offhand guess was just as good?

[fafafooey]

The sad thing is that based on this research, the people with the most secure SS#'s are illegal immigrants, because their numbers are fake or stolen, and therefore are exempt from the pattern...

[codynews]

"On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988."

OMG WE'RE ALL GONNA DIE!!!!!!!!!

Seriously.... *yawn* BFD. This doesn't worry me at all.

[superman227]

Duh, predictable. How bout that dumb ceo of LifeLock trying to sell is id protection service by publishing his ss #. Anyone with a braincell in this country can tell you no ss # starts with 4 - http://www.lifelock.com/

[monkeyfun14]

You act like thats common knowledge.

[viper396]

@superman227 . So are you saying those people with a SSN that start with 4 don't exist?

Seems you are in no position to talk about braincells, or the lack there of.

[Seaspray0]

SSN's can start with 4.

[gqpenn2]

lol. who told you that? SS #s issued in KY, TN, AL, MS, AR, LA, OK, TX, MN, IA and parts of Missouri all start with 4.

[BarkerDigital]

Umm... Mine starts with a 4.

[jemiller0]

My favorite use of SSN is when the cell phone companies force you to give it out. Cingular told me that I couldn't get a phone at one point if I didn't give them my SSN.

[GlennAllen]

The first 5 digits? You mean the ones that relate to the location and year of your birth? I knew this already when I got my card back in the 6th grade. So?

[djcrazy-mpls]

Let's call it what it REALLY is. Taxpayer Identification Number (TIN) . This thing has been fraudulently used for years now. You can buy one on the street for 20 bucks. Soon the illegals will own them all considering the government doesn't do anything about our illegal immigration problem. Just another headache in this country that not only stagnates wages but actually pushes them downward while at the same time creating higher unemployment rates. Gotta fix the root of the problem Then make it illegal for consumer agencies (especially credit bureaus) to use this number.

[beachbum70]

Todd Davis is a lucky dude to have such a crappy service that made him rich. His info is out there and this link prooves it http://www.blogtalkradio.com/OptOutDetectives/blog/2009/07/24/Todd-Davis-from-Lifelock-Not-So-Protected-To-much-info-on-public-data-bases-Opting-out-would-ha