Researchers Guess Social Security Numbers From Public Data

By Eliza Strickland | July 7, 2009 10:42 am

Were you born after 1988 in a small state? If so, researchers would have a particularly good chance of figuring out your Social Security number. In a new study, researchers used publicly available data, including an individual’s place and date of birth, to guess the Social Security number that would have been assigned to that person. And the study’s authors say that cyber-crooks could use similar techniques for identity theft. “We live in a precarious time, where knowledge of a Social Security number, along with other information about one’s name and date of birth, is sometimes sufficient to impersonate another individual,” said Alessandro Acquisti, the study’s lead author [Bloomberg].

Acquisti’s team shared their results with the federal government, but the Social Security office is downplaying the findings; spokesman Mark Lassiter said there is still no “foolproof” method for predicting Social Security numbers. “The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail. However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year” [AP].

For the study, which was published in the Proceedings of the National Academy of Sciences, researchers first combed through the Social Security Administration’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people. But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance [AP]. The number assigned to each individual is currently based partially on the zip code where they were born, and partially on the date the number was issued. In 1988 the government began issuing numbers at birth, making it easier for researchers to determine that second factor.

The researchers then delved into a variety of public sources to find individuals’ places and dates of birth–including social networking profiles that had been left public, for all to see. For people born after 1988, it took only one attempt to identify the first five Social Security digits for 44 percent of the people. They were able to identify all nine digits for 8.5% of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits [Los Angeles Times].

While 1,000 attempts may seem like a lot of work to figure out one Social Security number, researchers note that computers can be programmed to do the work at lightning speed. Through a process called “tumbling,” hackers can exploit instant online credit approval services — or even the Social Security Administration’s own verification database — to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time.
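The lockout gap described above, from the side of the service operator: an added example, not from the article or the study, showing why a failure counter keyed on the client misses distributed tumbling while one keyed on the person being verified catches it. The event fields, thresholds, key and sample events are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

PEPPER = b"constructed-demo-key"  # assumption: server-side secret for keyed hashing
WINDOW_SECONDS = 3600             # assumption: one-hour sliding window
MAX_DISTINCT_FAILS = 3            # assumption: distinct wrong numbers tolerated

def _tag(value):
    """Keyed hash, so raw names and numbers never sit in the counters."""
    return hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()

def identity_key(name, dob):
    """Counter key for the person being verified, independent of the client."""
    return _tag(name.strip().lower() + "|" + dob)

def find_lockouts(events, key_field):
    """Return keys with more than MAX_DISTINCT_FAILS distinct failed numbers
    inside the window. key_field is "ip" or "identity"."""
    windows = defaultdict(deque)  # key -> (timestamp, number tag) pairs
    locked = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        key = ev["ip"] if key_field == "ip" else identity_key(ev["name"], ev["dob"])
        win = windows[key]
        win.append((ev["ts"], _tag(ev["number"])))
        while ev["ts"] - win[0][0] > WINDOW_SECONDS:
            win.popleft()  # drop attempts that fell out of the window
        if len({tag for _, tag in win}) > MAX_DISTINCT_FAILS:
            locked.add(key)
    return locked

# Constructed events: six clients each try one number for the same person,
# and one ordinary user mistypes once. Numbers use area 000, which is never issued.
EVENTS = [
    {"ts": 60 * i, "ip": f"203.0.113.{10 + i}", "name": "Pat Example",
     "dob": "1990-01-01", "number": f"000-00-{i:04d}", "ok": False}
    for i in range(6)
] + [
    {"ts": 30, "ip": "198.51.100.7", "name": "Lee Sample",
     "dob": "1985-05-05", "number": "000-00-9001", "ok": False},
    {"ts": 90, "ip": "198.51.100.7", "name": "Lee Sample",
     "dob": "1985-05-05", "number": "000-00-9002", "ok": True},
]

if __name__ == "__main__":
    print("per-IP lockouts:", find_lockouts(EVENTS, "ip"))
    print("per-identity lockouts:", len(find_lockouts(EVENTS, "identity")))
```

Keyed on the client address, no counter reaches the threshold; keyed on the identity, the six scattered attempts collapse into one counter and trip it, while the user who mistyped once is unaffected.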


Image: FBI

  • Gadfly

    Fortunately for me, I’m old. Missed me by a few decades but you young pups will need to watch out.
    Seriously, they nailed it 8.5% of the time? Like, wow. 8.5%. So the other 91.5% of the time they were dead wrong?
    How will I ever sleep tonight?

  • James E.

    That is 8.5% in fewer than a 1000 tries. A computer can process a 1000 tries in a very short time. If they had a list of sites that would do credit authentication based on SSN, so they could rotate the site tried to prevent lockout, and had several computers, to prevent a single IP from being registered continuously, that can be a long list that a single individual generates. If this becomes widely known in the hacker community, higher level coders will write scripts that less experienced hackers can run to do this. Then you could have several thousand people running multiple computers matching 8.5% of their list. And let us not forget that 8.5% in 1000, according to the article, is the average. If someone is smart then they can focus on smaller states and get 8.5% of their list matched in as few as 10 tries. That can be a very fast growing list. Now with the new random system that is being implemented, that helps protect newly issued SSN but not the rest of us that are in the target range.

  • Nick

    We should really be more worried about the fact that Hollywood Video asks (illegal for them to require it) you to hand your SSN to a teenager when you sign up for your account. Seriously, how many people ignorant of the fact it’s illegal for it to be required for anything other than bank/credit have willingly handed over the keys to ID theft to places like that?

  • Brian

    How did we ever get to this place? A SSN should just be a string of digits. Yes it identifies you, but so does your name (don’t bother posting how the SSN is more unique. I already know that). We don’t try to keep our names a big secret do we?

    The whole problem here is that the SSN needs to be kept secret, when it never should have been a secret. Neither is it something that you’d want to share out willy-nilly, but it should not have to be guarded like the KFC recipe, or the alien spacecraft they have at Groom Lake (aka Area-51). Just kidding about that last one. Seriously, what have you heard?

    Anyhow the SSN should not be like some magic password for identity.

  • http://www.Evil-Packet.Com Samantha

    Awesome post!

  • Melony Mcculley

    I despise the phishing emails; they appear to get more desperate by the day. I get two or three every day and submit them to phishtrackers, a site I recently found that allows you to report them anonymously.
