CMU study finds Social Security IDs easy to predict
Local researchers say it's too easy to predict Social Security numbers, increasing the risk of identity theft, and that the numbers should no longer be used as a form of personal identification.
In a study to be released this week, Carnegie Mellon University researchers Alessandro Acquisti and Ralph Gross say they were able to use public information to predict most, and sometimes all, of an individual's nine-digit number.
"The system for assigning the numbers is predictable, and it will remain vulnerable," said Dr. Acquisti, associate professor of information technology and public policy at Carnegie Mellon's H. John Heinz III College.
The study suggests that the government start assigning numbers randomly instead of by geography and date of birth.
The Social Security Administration said that it may do just that, although its plans have nothing to do with the study.
"We are considering all alternatives, including randomizing all nine numbers," spokesman Mark Lassiter said in an e-mail. "No final decision has been made."
But the agency also pointed out that its current system is no secret; the numbering sequence is explained on its Web site. The scheme, in which the first three digits stand for a region of the country, was designed in 1936 to make it easier for the agency to store applications in its files in Baltimore.
Mr. Lassiter said officials saw the Carnegie Mellon study last week and concluded that it didn't reveal anything that wasn't widely known by those familiar with Social Security.
"The public should not be alarmed by this report because there is no foolproof method for predicting a person's Social Security number," he said. "The method by which Social Security assigns numbers has been a matter of public record for years."
What's more, many Social Security numbers are already available from any number of public sources online.
The Carnegie Mellon researchers noted that the numbers are getting harder to find because of legislative efforts to remove all or part of them from public exposure in the hopes of cutting down on identity theft.
The authors said such efforts are well-meaning but misguided because assigned Social Security numbers can't be revoked to avoid future fraud and the first five digits of numbers are especially easy to predict.
"This leaves even redacted or truncated SSNs still predictable -- and, therefore, still vulnerable," they wrote.
The Carnegie Mellon study, which will appear this week in the online Early Edition of the Proceedings of the National Academy of Sciences, found that someone's date and state of birth are often enough to guess a Social Security number.
To test their prediction method, Dr. Acquisti and Mr. Gross examined records from the Social Security Administration's "Death Master File" of people who died between 1973 and 2003.
They said they could identify in one attempt the first five digits for 44 percent of dead people who were born after 1988 and 7 percent of those born between 1973 and 1988. They said they were able to identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts.
Their accuracy was greater for smaller states and more recent birth dates, they said.
The solution, the researchers say, is randomization. But even that would be a short-term approach.
In the long run, both the researchers and the Social Security Administration agree, everyone should stop using the numbers as forms of identification beyond tracking a Social Security account.
"For decades," said Mr. Lassiter, "we have cautioned the private sector, including educational, financial and health care institutions, against using the [number] as a personal identifier."
Many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s.
And certainly no one back then could foresee a day when personal information of all types would be a click away on the Internet.
"Industry and policy makers may need, instead, to finally reassess our perilous reliance on [Social Security numbers] for authentication, and on consumers' impossible duty to protect them," the study concludes.
"Everybody who works in this area knows the numbers are bad passwords," said Dr. Acquisti. "But they still are used that way."
First Published July 7, 2009 12:00 am