Crooks Can Guess Digits in Your Social Security Number, Study Finds
Jan 9th 2011 9:00AM
Updated Jan 11th 2011 2:41PM
Sure, you keep your Social Security number confidential. However, according to researchers from Carnegie Mellon University, it's possible for crooks to guess most of the digits in the Social Security number of many Americans using publicly-available information.
Researchers Alessandro Acquisti and Ralph Grossy took advantage of a couple of practices of the Social Security Administration. Since its inception, there has been a pattern to the issuance of numbers. The first three indicate the state in which you lived when you received your number. The two in the middle, called group numbers, are assigned in a known sequence. The final four are also assigned sequentially, 0001 to 9999.
The third piece of information they needed was the date and location of birth of test subjects. They found these details readily available for purchase from information brokers, or even divulged for free by users of Facebook and other social networking sites.
While the authors wouldn't divulge the exact method by which they narrowed down potential SSNs to a small set of possibilities, it's not all that hard to figure out.
Since 1988, babies have been automatically assigned Social Security numbers at the time of birth. So, suppose you were born September 21, 1989 at 10:11 a.m. in Springfield, Mass. If there was a Death Master File entry on someone born in the same location as you on the same date, given that the numbers are assigned sequentially, it would narrow down what number you were assigned to one very close to the deceased.
While the researchers couldn't usually determine the exact numbers of their subjects, they were able to eliminate enough that a hacker would have only 9 or 99 or 999 possible combinations to try, a problem easily solved with a brute-force attack.
As the authors of the study say, "If one can successfully identify all nine digits of a SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN." In fact, your high-school locker was probably more secure than your Social Security number.
There's good news on the horizon for newborns, though. As of June 25, 2011, the Social Security Administration is moving to randomize assignment of numbers. However, those of us who already have numbers are stuck with them.
What can the rest of us do to address this vulnerability? First, don't flaunt your birthday, age, or place of birth on social networks. Keep a careful eye on your bank and medical accounts. And encourage businesses that ask for part of your Social Security number to come up with a better password scheme.