WASHINGTON – Researchers have found that it is possible to guess many – if not all – of the nine digits in an individual’s Social Security number using publicly available information, a finding they say compromises the security of one of the nation’s most widely used consumer identifiers.
Many numbers could be guessed simply by knowing a person’s birth data, researchers from Carnegie Mellon University said.
“Our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive,” said Alessandro Acquisti, an assistant professor of information technology and public policy at Carnegie Mellon University and a co-author of the study.
A Social Security Administration spokesman said the government has long cautioned the private sector against using a Social Security number as a personal identifier, even as it insists “there is no foolproof method for predicting a person’s Social Security number.”
“For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs,” which should make it more difficult to discover numbers in the future, Mark Lassiter, a spokesman for the Social Security Administration, said by e-mail.
Introduced in the 1930s as a way to track individuals for taxation purposes, Social Security numbers were never designed to be used for authentication. Over time, however, private and public institutions began keeping tabs on consumers using the numbers, requiring people to present them as proof of identity, such as when applying for loans, employment or health insurance.
Social Security numbers assigned in the same state to applicants born on consecutive days are likely to contain the same first four or five digits, particularly in states with smaller populations and lower birth rates.
CMU researchers Acquisti and doctoral student Ralph Gross theorized that they could use the Death Master File and publicly available birth information to predict narrow ranges of values in which individual Social Security numbers were likely to fall. The publicly available Death Master File lists Social Security numbers, names, dates of birth and death, and states of all individuals who have applied for a number and whose deaths have been reported to the Social Security Administration.
The researchers tested their hunch using the Death Master File of people who died between 1972 and 2003 and found that on the first try they could correctly guess the first five digits of the number for 44 percent of deceased people who were born after 1988, and for 7 percent of those born between 1973 and 1988.
Acquisti and Gross found that it was far easier to predict Social Security numbers for people born after 1988, when the Social Security Administration began an effort to ensure that U.S. newborns obtained their numbers shortly after birth.
They were able to identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.
Records of an individual’s state and date of birth can be obtained from a variety of sources, including voter registration lists and commercial databases. Many people now self-publish this information as part of their personal profiles on blogs and social networking sites. The researchers tested their method using birthdays and hometowns that CMU students published on social networking sites, with similar results.
Privacy and security experts praised the study, saying it should be a wake-up call to policymakers and industry leaders.
“We can’t pretend anymore that SSNs can be kept secret,” said Peter Swire, a law professor at Ohio State University and chief counselor for privacy during the Clinton administration. “This report puts a nail in that coffin. We’ll need new approaches, and it will cost money for the government and the private sector to build the new approaches.”