The security flaws in Social Security numbers have been known for some time, but what was theory has been proven to be fact as researchers at Carnegie Mellon University have shown that publicly available data could be used to obtain about 8.5 percent of all social security numbers of people born between 1989 and 2003.
In their article, Predicting Social Security numbers from public data, Alessandro Acquisti and Ralph Gross demonstrate that using a Social Security Administration (SSA) Death Master File (DMF), they can detect statistical patterns in the assignment of social security numbers (SSNs) and use date of birth information to obtain SSNs.
“Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums,” the researchers wrote.
Part of the security problem lies with the method used to assign SSNs. The researchers note that only four digits of the nine digit SSN are random.
The first three digits are called the Area Number (AN) and the next two are the Group Number (GN). ANs are allocated to specific states and GNs to specific birth years.
Given the date of birth and place of birth, researchers need only guess at the final four digits.
Ironically, the researchers note, some privacy initiatives have ruled by law that only the last four digits be publicly available.
This publicly available data heightens the risk of identity theft. Absent publicly available SSNs, credit services and other SSN validation businesses could be used by malicious actors to obtain the rest of the data.
Another part of the problem lies with the Death Master File (DMF), a list of people who have died along with their SSNs.
“The Death Master File is publicly available from the Social Security Administration (SSA) for a little under $1,800 for a single issue ($6,900 for a quarterly subscription with monthly updates),” notes privacy outfit EPIC on their SSN advice page.
“These records contain important personal identifiable information, including the name, social security number, date of birth, date of death, state or country of residence, ZIP code of last residence, and ZIP code of lump sum payment to the decedent’s beneficiary. These records are also accessible for free on the Web at places like Ancestry.com.”
The researchers used the DMF to determine the first five digits of SSNs. They found that SSNs from less populous states were easier to crack.
The researchers said that a hacker could apply for credit cards by impersonating 18-year-olds born in West Virginia after obtaining their date of birth from commercial databases.
They said that the hacker could obtain 47 credentials per minute, harvesting about 4,000 credentials before being blacklisted, using a small botnet consisting of only 10,000 infected PCs.
“Industry and policy makers may need, instead, to finally reassess our perilous reliance on SSNs for authentication, and on consumers’ impossible duty to protect them,” the researchers concluded.
ANs and GNs were created to make it more difficult to fake an SSN. But they have made it easier to perpetrate identity theft.
“The upside of all this security is that it makes it much harder for a fraudster to obtain a fake SSN, and apply for benefits, be eligible to work, etc,” wrote Michael Argast, Sophos director of sales engineering, in a blog post.
“The downside — it makes it much easier for fraudsters to steal identity from an actual person, and all the associated costs are now borne by the individual rather than the state.”
Social Security Admininistration responds
“The public should not be alarmed by this report because there is no foolproof method for predicting a person’s Social Security Number.
The method by which Social Security assigns numbers has been a matter of public record for years.
The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” said Mark Lassiter, representative of the Social Security Administration, in an e-mail to InternetNews.com.
But he added that companies should not be using SSNs. “For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier,” he said.
He also said that the SSA is working on the problem. “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year,” he said.