
Predicting Social Security Numbers

The Washington Post today carries a story I wrote about new research, which found that it is possible to guess many -- if not all -- of the nine digits in an individual's Social Security number using publicly available information, a finding experts say compromises the security of one of the most widely used consumer identifiers in the United States.

The full story is here. I'm mentioning it in the blog to call attention to some resources and additional information on this subject for readers who are interested in digging deeper.

In the story, we wrote of the two Carnegie Mellon University researchers:

Acquisti and Gross found that it was far easier to predict SSNs for people born after 1988, when the Social Security Administration began an effort to ensure that U.S. newborns obtained their SSNs shortly after birth.

They were able to identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.

It may seem improbable that identity thieves would ever get 1,000 guesses at a target's SSN, but there are a multitude of instant-credit application sites online. While many of these services may limit the number of incorrect guesses a single applicant can make, the researchers note that fraudsters armed with the first five digits could simply automate the task using "botnets," large networks of remotely controlled compromised computers, spreading the attempts across many machines and many sites and repeatedly applying for credit in a person's name until hitting the correct nine-digit sequence for each victim.

To make matters worse, in many cases an identity thief trying to open a new line of credit in someone else's name would need to know only seven of the nine digits of the target's SSN. According to a December 2004 report by the FTC, because consumer credit reports contain errors and inconsistencies, the credit bureaus are known to accept as valid so-called "partial matches," in which just seven of the nine SSN digits are actually correct, or in which the entire number is shifted by one digit.
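To see how much the "partial match" rule described above helps an attacker who already holds the first five digits, here is an added example (not code from the post or from the CMU paper). It enumerates the 10,000 possible four-digit serials behind a predicted area+group prefix and compares how many of them a strict check accepts with how many a lax seven-of-nine check accepts. Two modelling choices are assumptions, not statements from the article: "7 of 9 digits correct" is treated as Hamming distance of at most 2, and "shifted by one digit" is treated as the whole nine-digit string moved one position left or right. The victim SSN is a constructed value with the never-issued area number 000.

```python
import random

SERIAL_SPACE = 10_000  # the 4-digit serial (SSSS) left once area+group (AAAGG) are predicted


def hamming(a: str, b: str) -> int:
    """Number of digit positions in which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("SSNs must be the same length")
    return sum(x != y for x, y in zip(a, b))


def shifted_by_one(candidate: str, true_ssn: str) -> bool:
    """ASSUMPTION: 'shifted by one digit' means the whole string moved one
    position left or right, with any digit filling the vacated end."""
    return candidate[1:] == true_ssn[:-1] or candidate[:-1] == true_ssn[1:]


def exact_match(candidate: str, true_ssn: str) -> bool:
    """Strict check: all nine digits must be correct."""
    return candidate == true_ssn


def partial_match(candidate: str, true_ssn: str) -> bool:
    """Lax check the post attributes to the bureaus: accept when at least 7 of 9
    digits are right (Hamming distance <= 2) or the number is shifted by one."""
    return hamming(candidate, true_ssn) <= 2 or shifted_by_one(candidate, true_ssn)


def serial_candidates(prefix5: str) -> list[str]:
    """All 10,000 SSNs that share a predicted 5-digit area+group prefix."""
    return [f"{prefix5}{s:04d}" for s in range(SERIAL_SPACE)]


def accepted_candidates(true_ssn: str, matcher) -> list[str]:
    """Which of the attacker's 10,000 candidates would the matcher accept?"""
    return [c for c in serial_candidates(true_ssn[:5]) if matcher(c, true_ssn)]


def attempts_until_accepted(true_ssn: str, matcher, order=None) -> int:
    """Guesses needed when enumerating serials in `order` (default: ascending)
    until the matcher accepts one. Returns SERIAL_SPACE + 1 if none is accepted."""
    candidates = serial_candidates(true_ssn[:5])
    if order is not None:
        candidates = [candidates[i] for i in order]
    for n, c in enumerate(candidates, start=1):
        if matcher(c, true_ssn):
            return n
    return SERIAL_SPACE + 1


def expected_attempts_random_order(accepted: int, space: int = SERIAL_SPACE) -> float:
    """Closed form: the expected position of the first of `accepted` hits in a
    random permutation of `space` candidates is (space + 1) / (accepted + 1)."""
    return (space + 1) / (accepted + 1)


def simulate_expected_attempts(matcher, prefix5: str = "00012",
                               trials: int = 200, seed: int = 1) -> float:
    """Monte Carlo: random true serial, random guessing order, averaged over trials."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        true_ssn = f"{prefix5}{rng.randrange(SERIAL_SPACE):04d}"
        order = list(range(SERIAL_SPACE))
        rng.shuffle(order)
        total += attempts_until_accepted(true_ssn, matcher, order)
    return total / trials


if __name__ == "__main__":
    victim = "000120042"  # constructed sample; area 000 was never issued
    for name, m in (("exact", exact_match), ("7-of-9 partial", partial_match)):
        k = len(accepted_candidates(victim, m))
        print(f"{name:15s} accepted {k:4d}/{SERIAL_SPACE}  "
              f"expected guesses {expected_attempts_random_order(k):7.1f}  "
              f"simulated {simulate_expected_attempts(m):7.1f}")
```

With the prefix correct, the strict check accepts exactly one of the 10,000 serials, so a random-order brute force needs about 5,000 guesses on average. Under the seven-of-nine rule any serial within two digits of the true one is accepted: 1 + 4*9 + 6*81 = 523 of the 10,000, which brings the expected number of guesses down to roughly 19. The shift rule rarely fires when the five-digit prefix is already right (it needs a repeated-digit prefix), so the reduction is driven almost entirely by the Hamming-distance tolerance.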

The researchers have published a list of answers to the most frequently asked questions about their research. That list is available here. The full report is at this link.

By Brian Krebs  |  July 7, 2009; 10:02 AM ET
Categories:  Latest Warnings  | Tags: acquisti, cmu, gross, ssn  


This is actually old news. The first three numbers of older persons' Social Security numbers indicate where they were first enrolled (perhaps where they were living when they were 16 and getting their first after-school job); the middle two numbers indicate the time period the number was issued in. So the first 5 digits are pretty easy to guess for most people of working age. That leaves only 4 digits to guess, or 10,000 chances (0000 is a possibility).

The back-story that is rarely acknowledged is that despite the Social Security Administration's warnings (cards used to be printed with the warning: "Not to be used for identification"), the financial industry decided to adopt it as a primary identifier.

Now this humble number, which was intended only to keep track of a person's Social Security record, is the passkey to almost everything. And when vulnerabilities are found in that, it becomes the government's (i.e., Social Security's; i.e. the taxpayers') responsibility – not the financial industry's – to spend untold millions to improve security on a number that should require little or no security at all.

Pretty sweet deal.

Posted by: Sempringham | July 7, 2009 11:41 AM | Report abuse

Agree. There's nothing wrong with the SSN: it does its intended job as an *identifier* properly. The only reason we have a security issue is because the financial industry (specifically the credit reporting bureaus) now use it as an *authenticator*.

It would be nice if the media would put the spotlight where it belongs, on the INTENTIONALLY lax security practices of lenders, rather than just encouraging people to keep their SSN "secret".

Posted by: DupontJay | July 7, 2009 2:03 PM | Report abuse

Thank you, Brian, for your excellent article and the links.
In this era of data collection, ordinary people must be ever on guard and the more we know and understand, the more we can care for our privacy.

Posted by: Judy-in-TX | July 7, 2009 3:44 PM | Report abuse

I agree with Sempringham and DupontJay that the problem is not with the SSN, but with its (mis)use. I was told years ago that there was some location information encoded in the number, although I confess I never bothered to learn the details.

It WOULD be nice if people would focus on the lax practices of financial institutions, but an even better idea is to make them liable for damages caused by their laxity. Then you'll see things change -- just as they did when credit practices legislation limited consumer liability for unauthorized credit card charges to $50, and (amazingly!) it rapidly became feasible to have on-line verification of accounts.

Posted by: richg74 | July 7, 2009 5:05 PM | Report abuse

We should be concentrating on how to mitigate the risks of disclosure, focusing on processes to prevent improper use. For instance, when a SSN is originally issued by the SSA, they require complete up to date information. Before a SSN can be used, similar to a credit card, the information could be checked electronically before an account is opened, job obtained, etc.

For instance:

Employers use a system called “E-Verify” to help verify the validity of social security numbers. This system can be expanded to banks, utility companies, and loan companies to determine if the presented card is valid. So in any case, a federal agency would be the anchor point for any such system. It would be relatively easy to implement and fund.

Forcing companies to use this system and obtain a valid "authorization code" would prevent, or almost stop, all identity thefts in their tracks. When an identity is stolen, it will be very easy to catch, as the credit reporting agencies should also be required to verify their information before publishing it. Any red flags would cause everyone in the chain to receive change notification.

Fraud involving a valid authorization code will spring a federal agency into action to reverse the wrong actions, challenge the information, utilize intelligence and enforce Title 18 laws on a national level.

The banking system is a large part of the problem. The day of walking into a bank to open a credit card account has been replaced by just a signature on a pre-approved form in the mailbox. But the banks would welcome an automated way to verify a SSN and other PII; this would help cut down on their losses. We know the track record of credit reporting agencies (mainly who they rely on today), and the stories about people’s dogs obtaining credit. The job of the “Feds” would be to provide a vehicle for real verification.

We may never eliminate fraud, but finding ways to make obtaining the information ineffectual will greatly reduce identity theft.

Posted by: srchasjc | July 14, 2009 4:03 PM | Report abuse


© 2010 The Washington Post Company