July 6, 2009 5:59 PM PDT

Report: Social Security numbers can be predicted

by Elinor Mills

It is possible to use publicly available data on state and date of birth to predict someone's Social Security number, particularly if they were born after 1988 and in smaller states, according to an article published Monday in The Proceedings of the National Academy of Sciences.

The ability to use statistical inference to predict the sensitive data exposes Social Security numbers to identity fraud risks on "mass scales," the article said.

Social Security numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable; today, abused as authentication devices, they enable an 'architecture of vulnerability,' in which losses are incurred even in absence of fraud, because of costs caused by attempts to defend, and exploit, the system," the article concluded.

The researchers from Carnegie Mellon University analyzed Social Security numbers of people who have died to detect statistical patterns in the assignment of numbers. They were then able to use those patterns to predict a range of values likely to include a living person's Social Security number. Birth data, meanwhile, can be inferred from data brokers, voter registration lists, online white pages, and social-networking profiles, the report said.

The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records.

On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988.

"Extrapolating to the U.S. living population, this would imply the potential identification of millions of SSNs for individuals whose birth data were available," the article says.

The report goes on to give an example of how someone could get the entire Social Security number by renting a botnet to apply for credit cards impersonating 18-year-old West Virginia-born residents. Following numerous assumptions, including that the attacker can find birth data for 50 percent of the potential targets and that inquiries with the correct first seven of nine digits are sufficient for a credit reporting agency to answer a positive match in half of the cases, an attacker could potentially harvest credentials at rates as high as 47 per minute, obtaining 4,000 credentials within two hours before the IP addresses used in the botnet were blacklisted, the article said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

29 Comments
by cspwal July 6, 2009 7:30 PM PDT
I think it is time to hide in a hole.
by Saltiva July 7, 2009 8:39 AM PDT
Go ahead- but before you go, What is your Birth Date and Birth State??
by paulej July 6, 2009 8:22 PM PDT
It's not time to hide in a hole, but it's definitely time that creditors, the DMV, and other government agencies stop using SSNs where they were not intended to be used. I have a rather old Social Security card that states that these numbers are not intended to be used except in a manner as prescribed by the SSA (or similar language). But, credit reporting agencies and even other federal and state agencies now use these numbers. They're definitely too short and these statistical trends are not surprising. But that troubles me far less than the fact that these organizations (government and private sector) will accept that the person on the other end of a phone call or standing in person is who he says he is just because he can quote somebody's SSN, or worse, just the last 4 digits. While this is not at all secure, if you fall victim to ID theft, those same organizations require you to prove with multiple forms of ID that you are who you claim to be... and they still will not always clean up the mess they created by accepting the thief's word in the first place. It's definitely time for an overhaul.
by Renegade Knight July 7, 2009 7:19 AM PDT
Just holding credit reporting agencies accountable for reporting false data (slander and libel) about a person's credit history would do a lot to fix identity theft. It's always chapped me that a person has to do all the work and lead these "experts" by the nose to the truth about your credit when someone else creates a problem.
by viper396 July 7, 2009 9:54 AM PDT
So if they stop using a SSN what would you suggest legitimate agencies use to identify you? Your name? Address? Make up another form of ID numbers that you'll also need to protect? Your identity is more than just your SSN and plenty can be done without it. Creating yet another form of identification is not the answer. Whatever they use the possibility of identity theft will still exist unless you intend on living off the grid and away from civilization.


Tougher laws against the criminals would be a good start.
by ZetaZeta_ July 7, 2009 11:43 AM PDT
@viper:
I completely agree. Making tougher and tougher punishment on those who actually cause harm to others makes a lot more sense than making those who have done nothing wrong pile on more and more security or identification.
by pentest July 7, 2009 2:33 PM PDT
Tougher laws never stop or slow anything down.

A constitutionally sound approach needs to be taken to make it extremely difficult to steal one's identity. What does it look like? I am not sure, but tougher sentences is a laughable "solution".
by c|net Reader July 8, 2009 9:20 AM PDT
@pentest

Tougher laws can work, but only if they are/can be enforced. If the risk of being caught and prosecuted is small, even capital punishment is rarely a sufficient deterrent. However, not having tough laws is silly in the extreme as there would be no way to punish those caught. It is not laughable.
by Jack K1 July 6, 2009 9:22 PM PDT
People stole identities long before personal computers hit the scene. They were used everywhere from fraud to smuggling. The main difference is that we're now able to read about it online.
by rich58b July 7, 2009 1:47 AM PDT
Actually, the difference is in the quantities, not that you can read about it online. Years ago, the numbers of identity thefts could be counted in the hundreds. Now it's in the hundreds of thousands, and increasing yearly. Our legislators need to get off their butts, tell the banks to go to hell and do something about it. The banking lobby is a major reason they've done so little to fix this problem.
by zheng-ye July 6, 2009 9:26 PM PDT
Time to tattoo a bar code on us all at birth and be done with it. Wasn't that Hitler's idea originally? How far we've come.
by ikramerica--2008 July 6, 2009 10:18 PM PDT
No, just time to stop using the SSN as your credit ID. Instead, you should apply to a credit company for a 16 digit number that will then be used as your credit ID along with other information besides simply a date of birth and name. SSN can be part of that criteria used, but shouldn't be required to be used.
by viper396 July 7, 2009 10:00 AM PDT
@ikramerica. So what would make this "credit ID" exempt from identity theft? All you're talking about is replacing one form of identification with another. That doesn't stop the possibility of identity theft as there is still an identity there that can be stolen. Someone with your "credit ID" could probably cause just as much financial damage as someone with your SSN.
by c|net Reader July 8, 2009 9:14 AM PDT
@viper396

There's a slight difference. This article is talking about the possibility of someone stealing your identity by applying some computer resources to data readily available about you. With a new number handed out to people across the country, you eliminate the date/place of birth key to the number, thereby requiring compromise or outright theft to get the ID.
by basraw July 7, 2009 5:29 AM PDT
the first 5 aren't hard to figure out! if you put on FB your location, age, etc.. well DUH
by celticbrewer July 7, 2009 6:29 AM PDT
Gee- all this time I thought they were just randomly picking numbers like a lottery. Yeah!

Seriously. I noticed a pattern just by doing tax returns for a few people in my family. Way to go "researchers" from Carnegie Mellon University- you really came up with a breakthrough didn't you?

Unfortunately, if we switch to another ID number, what's stopping criminals from just using that number? The first thing to do would be require a PIN along with the ID number, but even that would be a low-level of security. Anything we have to verify against a database (PIN, Fingerprint scan, DNA, whatever) can be hacked into and forged. How many people sign up for a credit card in person versus online or via the mail? Anything physical (token, mag strip) can be stolen. We need a good trifecta of those options to come up with something halfway decent; but I doubt anything will be 100% bulletproof.
by ewestby July 7, 2009 8:48 AM PDT
@celticbrewer: Come on, putting "researchers" in quotation marks just makes you look like a typical Internet crank. Are you suggesting that because you anecdotally perceived a pattern in a few tax returns, that's the functional equivalent of proving it to a high degree of statistical significance in a random sample? People incorrectly perceive patterns in random data all the time. The researchers you unthinkingly belittled have done the hard work of proving an important point about the insecurity of public data -- and yet you feel contempt for them, because you think your offhand guess was just as good?
by fafafooey July 7, 2009 5:58 AM PDT
The sad thing is that based on this research, the people with the most secure SS#'s are illegal immigrants, because their numbers are fake or stolen, and therefore are exempt from the pattern...
by codynews July 7, 2009 5:59 AM PDT
"On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988."

OMG WE'RE ALL GONNA DIE!!!!!!!!!

Seriously.... *yawn* BFD. This doesn't worry me at all.
by superman227 July 7, 2009 6:36 AM PDT
Duh, predictable. How bout that dumb ceo of LifeLock trying to sell his id protection service by publishing his ss #. Anyone with a braincell in this country can tell you no ss # starts with 4 - http://www.lifelock.com/
by monkeyfun14 July 7, 2009 7:52 AM PDT
You act like that's common knowledge.
by viper396 July 7, 2009 10:12 AM PDT
@superman227 . So are you saying those people with a SSN that start with 4 don't exist?

Seems you are in no position to talk about braincells, or the lack thereof.
by Seaspray0 July 7, 2009 10:48 AM PDT
SSN's can start with 4.
by gqpenn2 July 7, 2009 12:39 PM PDT
lol. who told you that? SS #s issued in KY, TN, AL, MS, AR, LA, OK, TX, MN, IA and parts of Missouri all start with 4.
by BarkerDigital July 7, 2009 8:26 AM PDT
Umm... Mine starts with a 4.
by jemiller0 July 7, 2009 10:52 AM PDT
My favorite use of SSN is when the cell phone companies force you to give it out. Cingular told me that I couldn't get a phone at one point if I didn't give them my SSN.
by GlennAllen July 7, 2009 12:01 PM PDT
The first 5 digits? You mean the ones that relate to the location and year of your birth? I knew this already when I got my card back in the 6th grade. So?
by djcrazy-mpls July 8, 2009 2:21 PM PDT
Let's call it what it REALLY is. Taxpayer Identification Number (TIN). This thing has been fraudulently used for years now. You can buy one on the street for 20 bucks. Soon the illegals will own them all considering the government doesn't do anything about our illegal immigration problem. Just another headache in this country that not only stagnates wages but actually pushes them downward while at the same time creating higher unemployment rates. Gotta fix the root of the problem. Then make it illegal for consumer agencies (especially credit bureaus) to use this number.
by beachbum70 August 2, 2009 12:12 PM PDT
Todd Davis is a lucky dude to have such a crappy service that made him rich. His info is out there and this link proves it http://www.blogtalkradio.com/OptOutDetectives/blog/2009/07/24/Todd-Davis-from-Lifelock-Not-So-Protected-To-much-info-on-public-data-bases-Opting-out-would-ha