Were you born after 1988 in a small state? If so, researchers would have a particularly good chance of figuring out your Social Security number. In a new study, researchers used publicly available data, including an individual’s place and date of birth, to guess the Social Security number that would have been assigned to that person. And the study’s authors say that cyber-crooks could use similar techniques for identity theft. “We live in a precarious time, where knowledge of a Social Security number, along with other information about one’s name and date of birth, is sometimes sufficient to impersonate another individual,” said Alessandro Acquisti, the study’s lead author [Bloomberg].
Acquisti’s team shared their results with the federal government, but the Social Security office is downplaying the findings; spokesman Mark Lassiter said there is still no “foolproof” method for predicting Social Security numbers. “The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail. However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year” [AP].
For the study, which was published in the Proceedings of the National Academy of Sciences, researchers first combed through the Social Security Administration’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people. But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance [AP]. The number assigned to each individual is currently based partially on the zip code where they were born, and partially on the date the number was issued. In 1988 the government began issuing numbers at birth, making it easier for researchers to determine that second factor.
The researchers then delved into a variety of public sources to find individuals’ places and dates of birth, including social networking profiles that had been left public, for all to see. For people born after 1988, it took only one attempt to identify the first five Social Security digits for 44 percent of the people. They were able to identify all nine digits for 8.5% of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits [Los Angeles Times].
While 1,000 attempts may seem like a lot of work to figure out one Social Security number, researchers note that computers can be programmed to do the work at lightning speed. Through a process called “tumbling,” hackers can exploit instant online credit approval services — or even the Social Security Administration’s own verification database — to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time [Wired.com].
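From the side of a verification service, the botnet problem described above is that a lockout keyed on the requesting user or address never trips when every guess arrives from a different machine. The sketch below is an added example, not code from the study or from any service named in the article: it counts distinct numbers submitted against the same claimed identity (name and date of birth), whatever the source. The thresholds, key, event layout and sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 3600            # assumed look-back window
MAX_DISTINCT = 3                 # assumed limit on distinct numbers per identity
KEY = b"constructed-demo-key"    # assumed; a real service would use a managed secret

def _token(value):
    """Keyed digest, so the detector never holds raw names or numbers."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()

class IdentityKeyedDetector:
    """Tracks verification attempts per claimed identity, ignoring the source."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT):
        self.window, self.limit = window, limit
        self.attempts = defaultdict(deque)   # identity token -> (ts, number token)

    def observe(self, ts, source, name, dob, ssn):
        """Record one attempt; return True when the identity should be locked."""
        queue = self.attempts[_token(f"{name.strip().lower()}|{dob}")]
        queue.append((ts, _token(ssn)))
        while queue and queue[0][0] <= ts - self.window:
            queue.popleft()                  # drop attempts outside the window
        # A user retyping one number counts once; many different numbers do not.
        return len({tok for _, tok in queue}) > self.limit

def per_source_lockout_trips(events, limit=MAX_DISTINCT):
    """The conventional control: block a source after too many attempts."""
    counts = defaultdict(int)
    for _, source, *_ in events:
        counts[source] += 1
    return any(c > limit for c in counts.values())

def first_alert_index(events):
    """Index of the first event at which the identity-keyed detector fires."""
    detector = IdentityKeyedDetector()
    for i, event in enumerate(events):
        if detector.observe(*event):
            return i
    return None

def constructed_events():
    """Constructed sample: eight sources, one guess each, same claimed identity.
    Area number 000 is never issued, so none of these values is a real SSN."""
    return [(1000 + 5 * i, f"198.51.100.{i + 1}", "Jane Q. Sample",
             "1990-01-01", f"000-00-{i:04d}") for i in range(8)]

if __name__ == "__main__":
    events = constructed_events()
    print("per-source lockout trips:", per_source_lockout_trips(events))
    print("identity-keyed alert at event:", first_alert_index(events))
```

On the constructed events the per-source counter never fires, while the identity-keyed counter fires on the fourth distinct number.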