Social Security Numbers Can Be Guessed From Data, Study Finds
By David Olmos
July 6 (Bloomberg) -- Social Security numbers, commonly used by criminals in identity theft, can be guessed using information found on Internet social networks such as Facebook and MySpace and other public sources, a study found.
Researchers at Carnegie Mellon University used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. The study appears today in the Proceedings of the National Academy of Sciences.
Annual losses from identity theft totaled $49 billion, according to a 2007 report from Javelin Strategy & Research, a Pleasanton, California, market-research company. About 8.4 million U.S. adults were victims of identity theft that year, with losses averaging $5,720 a person, according to Javelin’s figures.
“We live in a precarious time, where knowledge of a Social Security number, along with other information about one’s name and date of birth, is sometimes sufficient to impersonate another individual,” said Alessandro Acquisti, the study’s lead author, in a telephone interview.
p>Acquisti, an economist at Carnegie Mellon’s Heinz School of Public Policy and Management in Pittsburgh, and computer scientist Ralph Gross used records from the Social Security Administration’s Death Master File to search for statistical patterns in the Social Security numbers of people. They obtained birth data from voter registration lists, online white pages, social networking sites and other sources, he said.
Birth data are key to figuring out a Social Security number because the first three of the nine digits are assigned based on where a person lived at the time of obtaining a Social Security card, said Acquisti. Information about how the Social Security number is assigned is publicly available on a government Web site, the authors said.
“The first five digits are very easy to predict, while the last four are harder,” Acquisti said. Identity thieves can sometimes obtain the last four digits of a Social Security number if they have other personal information, he said.
The study arose from Acquisti’s research into why millions of people reveal personal information, such as birth date and home towns, on social networking sites. Such information can be had easily from people who don’t block access by changing their Web site security settings, Acquisti said.
“The default setting on sites such as Facebook, when you create a personal profile, is that it is visible to anyone in your network unless you change the settings,” Acquisti said.
Some evidence exists that cyber criminals already are using statistical analysis to work out Social Security numbers, Acquisti said.
When Social Security numbers were first issued in 1936, their purpose was more like a bank account number than a means for authenticating a person’s identity, said Acquisti.
Because use of these numbers is so widespread among financial institutions, health-care providers and other organizations, it’s difficult for consumers to take steps to insure their numbers remain private, he said.
“If a movie rental company asks for your number to be a member, you can easily bypass that by going to another company,” Acquisti said. “But if your health insurer wants the number, now you are talking about something different. If you refuse to give it, that could be costly or dangerous to you.”
Credit-reporting companies use Social Security numbers to match personal information, which also leads to identity theft, said Robert Ellis Smith, of the Privacy Journal, a newsletter based in Providence, Rhode Island.
Stop SSN Use
“This research, along with others, shows that the Social Security numbers are extremely vulnerable and ought not to be used,” Smith said.
The Social Security Administration has long cautioned businesses and other organizations against using Social Security numbers as a personal identifier, said spokesman Mark Lassiter, in an e-mail statement today. The agency is developing a system for randomly assigning new numbers and expects to unveil it next year, he said.
At least 25 states have enacted laws to restrict the use of Social Security numbers on public documents, from marriage and medical records to fishing and motor vehicle licenses.
The government should consider a “fully randomized” system for assigning Social Security numbers that would eliminate the current method of sequential assignment and numbers linked to where a person lives. That change would do little to protect the hundreds of millions of U.S. residents who already have Social Security numbers, Acquisti said.
“Industry and policy makers may need, instead, to finally reassess our perilous reliance on Social Security numbers for authentication, and on consumers’ impossible duty to protect them,” the authors wrote.