Predicting Social Security Numbers
The Washington Post today carries a story I wrote about new research, which found that it is possible to guess many -- if not all -- of the nine digits in an individual's Social Security number using publicly available information, a finding experts say compromises the security of one of the most widely used consumer identifiers in the United States.
The full story is here. I'm mentioning it in the blog to call attention to some resources and additional information on this subject for readers who are interested in digging deeper.
In the story, we wrote of the two Carnegie Mellon University researchers:
Acquisti and Gross found that it was far easier to predict SSNs for people born after 1988, when the Social Security Administration began an effort to ensure that U.S. newborns obtained their SSNs shortly after birth.
They were able to identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.
It may seem improbable that identity thieves would ever have the chance to take 1,000 guesses at a target's SSN, but there are a multitude of instant-credit application sites online. While many of these services may limit the number of incorrect guesses one could make, the researchers note that fraudsters armed with the first five digits could simply automate the task using large networks of remotely controlled compromised computers, also known as "botnets," to repeatedly apply for credit in a person's name until hitting the correct nine-digit sequence for each victim.
To make matters worse, in many cases an identity thief trying to acquire a new line of credit in someone else's name would need to know just seven of the nine digits of the target's SSN. According to a December 2004 report by the FTC, because consumer credit reports contain errors and inconsistencies, they are known to accept as valid even inquiries that are so-called "partial matches," where just seven of nine SSN digits are actually correct, or when the entire number is shifted by one digit.
July 7, 2009; 10:02 AM ET