Researchers at Carnegie Mellon say data found readily in public records and social networks makes Social Security numbers an easy target for criminals

A report released this week by researchers at Carnegie Mellon University claims Social Security numbers can be easily guessed using information available in governmental sources, commercial databases, or online social networks such as Facebook and MySpace (See also: Seven Deadly Sins of Social Networking).

Using just a birth date and state of birth, researchers Alessandro Acquisti and Ralph Gross were able to predict most of an individual’s nine-digit Social Security number. In some instances entire Social Security numbers were predicted, according to a statement from Carnegie Mellon. The findings, which were published in the online Early Edition of the Proceedings of the National Academy of Sciences, will also be presented at the BlackHat 2009 conference in Las Vegas later this month.

As part of their research, Acquisti and Gross analyzed the Social Security Administration’s Death Master File, a public database with Social Security numbers, dates of birth and death, and states of birth for every deceased beneficiary. The researchers used the information from the death file to detect statistical patterns that would help them predict Social Security numbers of the living.

“These statistical patterns can help narrow guesses of an individual’s Social Security number, when combined with that person’s date and state of birth,” according to the researchers. “Birth information can be obtained from various sources, including commercial databases, public records (such as voter registration lists) and the millions of profiles that people publish about themselves on social networks, personal Web sites and blogs.”

Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003.
They could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth, said Carnegie Mellon officials.

The researchers note that the predictability of Social Security numbers now makes them obsolete for authentication purposes. “The Social Security Administration could mitigate this vulnerability by assigning numbers to people based on a randomized scheme, but ultimately an alternative means of authenticating identities must be adopted,” the authors conclude.