Horizons Blog

How to figure out someone’s social security number

By Gregory M. Lamb | 07.06.09

Even careful people who don’t disclose their social security numbers (SSNs) unless absolutely necessary could have them revealed by computer programs crunching publicly available data. All that’s needed to predict at least a valuable portion of someone’s nine-digit SSN is that person’s date of birth and the state where he or she was born.

That’s the conclusion of two researchers at Carnegie Mellon University in Pittsburgh. Alessandro Acquisti and Ralph Gross say that the government forces Americans to place a “perilous reliance” on SSNs to establish their identities while giving them the “impossible duty” of trying to protect their number.

The researchers found visual and statistical patterns in publicly available SSN data, showing that “a strong correlation exists between dates of birth and all 9 SSN digits.” They were able to develop a prediction algorithm that “exploits” the fact that individuals with similar birth dates who registered in the same state “are likely to share similar SSNs,” the study says.

In some cases, they were able to predict the entire nine-digit SSN on the first attempt. The odds of that happening randomly would be nearly one in a billion, Dr. Acquisti says.

The study, “Predicting Social Security Numbers from Published Data,” is being released online today and will be published in the Proceedings of the National Academy of Sciences.

The formula works best for numbers assigned in recent years and in smaller states. For individuals born after 1988, the researchers were able to predict the first five digits of a SSN on the first try 44 percent of the time. Using birth dates in Vermont from 1995, they were able to predict the first five digits in 90 percent of cases. Nationwide, for birth dates between 1989 and 2003, and using two attempts, they were able to determine the first five numbers of a SSN in 61 percent of cases.

Revealing only the last four digits of a SSN in documents, a precaution used by some organizations, provides little protection, the authors say, since the first five digits of a SSN are actually the easiest to predict.

Once the identity of a SSN can be narrowed to a range of, say, 10,000 possibilities, a network of computers controlled by a fraudster could easily make enough accurate guesses to fool websites that require a valid SSN. In many cases, only a name, date of birth, and SSN are needed to open a credit card account, Acquisti says.

“When one or two attempts are sufficient to identify a large proportion of issued SSNs’ first five digits, an attacker has incentives to invest resources into harvesting the remaining four from public documents or commercial services,” the authors conclude.

At least 10 million US residents, they estimate, have made their birth dates publicly available or easy to infer in online profiles. These can appear in many places online, including Facebook or other social networking sites.

The problem with SSNs, as other researchers have pointed out, is that they are used at the same time for two purposes: to be a public identifier as well as a private password. In essence, they serve as both the name of the account and the password rolled into one.

The Social Security Administration should immediately change its system and begin assigning SSNs that are truly random, Acquisti says.

But that will be of no help to the millions of Americans who already possess “predictable” SSNs. What’s worse, unlike other passwords, SSNs can’t be easily changed or blacklisted.

The study also shows how publicly available data online can be “mined” from various sources and aggregated to reveal new information.

“Maybe no one single piece of that information in itself is personally identifiable, but when you start linking the pieces of information with even a little bit of context, you can with a high degree of probability identify someone personally,” says Helen Nissenbaum, a professor of media, culture, and communication at New York University, who did not work on the study.

The burden now, the authors conclude, is on “industry, academia, and policy makers to think about better and economically efficient ways to protect identities in a world of wired consumers.”


Comments

1. Theo Chino | 07.07.09

The Social Security number should be made public as it used to be and the whole banking, ID, and etc … should STOP using it as a valid identity marker.

Just asking a person to define a custom PIN number should be enough to verify an identity.

2. Evji | 07.07.09

Since reading (years ago) that birthdates are used to track people’s identities, I have always put in a fake birthdate for profiles, certain kinds of accounts and other non-essential types of forms, where one is required to put in a birthdate. I have never found that I was questioned about the accuracy of a birthdate given on a form. One, of course, must put the correct birthdate for passport, driver’s licenses etc. But otherwise I have considered it to be an invasion of my privacy. An easy way to do this is to simply change the date and month of birth by one digit respectively so that one can remember the date if called upon to do so again. I also usually change my gender as well for most online shopping forms, questionnaires etc. Anything one can do to generate “noise” regarding one’s identity will throw off the computer matching software to some extent.

3. Robert Ludwig | 07.07.09

It says, right on your Social Security card, “Not to be used for identification.” It is the fault of lazy business and banking practices that the SSN is wide spread. They’re the ones that have to change their practices.

4. Barnabus | 07.07.09

I like the idea of using a phoney birthdate, and have used it for years…had never considered using a phony sex! If I’m forced to give a SSN number on line…bet yer bottom buck it will be phony!!

5. Robert | 07.07.09

Sadly the Social Security Administration admits that we are at the mercy of vendors who require us to give our SSN: while law does not require that we provide it, law DOES provide that vendors may deny us service if we do NOT give it. This from my call to the SSA years ago.

6. dale the fanatic | 07.07.09

I have used false identifiers for years. Forms that demand a telephone number get (area code) 999-9999. My social security number is usually bogus too. The routine question I ask is: “What useful purpose (in my interest) is served by providing factual information?” I have gone to some length to set up a completely fictitious ID that I access through a chain of proxy servers, using wireless connection, and several encryption programs. I also use the law enforcement tool, “Encase”, which is freely available software, to examine my hard drives periodically for unwanted data. I then scrub it with DOD overwrite software. I maintain several email addresses, and access the phony ones (when needed) using proxy servers. It’s amazing how much spam one can eliminate using this technique. One funny result is that I have an alias that even gets mail. I use it for free samples and it is curious how many items I get that I never applied to receive. The alias has taken on a life of its own, and I don’t use it for illegal purposes such as getting credit or a driver’s license. There is a degree of reward engendered in twisting the system’s tail by watching the mailing lists multiply! One more thing, when I get a solicitation that contains a postage free return envelope, I just put the contents of the sales pitch in the envelope with a “no thank you” note. I also send the utilities companies back all their envelope stuffers in their payment envelope. Then I pay my bill online…I may put a lot of noise in the system, but it is personally a satisfactory way to comment on the garbage I am sent.

7. Nikola | 07.07.09

I agree with Robert Ludwig and Evji above. There’s nothing that says you owe the truth to anyone who comes knocking. And, I would add, that THEY are the ones who should be forced to bear the burden of properly identifying someone, and the consequences of failing to do so.

But what am I thinking — nothing, not even common sense, must be allowed to get in the way of financial “innovation.” Such as a parent, who’s been dead for more than a decade, getting a pre-approved credit offer in the mail (and it’s happened more than once).

8. Linda | 07.07.09

What possible use could publishing this article serve except to enhance criminality?

9. Kathryn | 07.08.09

Perhaps it is someone in the Government that needs to figure out a different method of assigning the SSNs that would be more random, as was suggested. Like sending smaller batches of the same numerical order to the states. Or having the SSNs applied randomly there, or in reverse numerical order (the larger number earlier) which could then be re-organized when sent in for permanent recording. I’m sure there are many ways. Surely WE are smarter than THEY.

10. Kate | 07.08.09

re: Evji’s reply in #2. If I have not given my birth date to an institution offline, then I always give a fake birthday (among other info) when signing up for any services on the net. It is too closely tied to my financial info (what does your bank ask for you when you call them?)

11. Kate | 07.08.09

re: Linda in #8. A proficient criminal is probably already aware of this. It can inform and enlighten the “average joe” who may not realize the precarious position the govt has put us in.

12. Jen | 07.09.09

@Linda - I choose to hide my birth date on Facebook for personal reasons. Most of the Millennials I know (many of whom were born in the time frame at risk), do not. This is good information to know.

13. Steve Block | 07.09.09

The untiring, unsuccessful Socialist candidate for the presidency, Norman Thomas, presciently expressed fear that these numbers would be misused in the future. The introduction of the Internet has made this more of a reality than ever before.

14. IdentityTheftSecrets.com | 07.13.09

To the person above who asked:

What possible use could publishing this article serve
except to enhance criminality?

While your concern is valid, it’s irrelevant. Even two-bit hackers have known this for years. We’ve been talking about it on IdentityTheftSecrets since 2006. It’s nice to see some more mainstream media working to educate their people. Unfortunately, it’s a case of too little, too late. Your identity is irrevocably, irretrievably “out there”.

What can you do about it? Put a plan in place now for when it does happen to you. Because statistically and realistically speaking, you will find yourself a victim of Identity Theft at some point in your life. The question will be just how prepared you are to deal with it.

Sorry to be the bearer of bad news (if you didn’t know this already).

Jonathan
http://www.IdentityTheftSecrets.com
