Social Security Numbers Guessable, Study Finds

By Brian Krebs
Washington Post Staff Writer
Tuesday, July 7, 2009

Researchers have found that it is possible to guess many -- if not all -- of the nine digits in a person's Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Some numbers could be guessed by simply knowing a person's birth date and home town, the researchers from Carnegie Mellon University said.

The results come amid increasing concern about identity theft and as lawmakers in Washington push legislation that would bar businesses from requiring people to supply their Social Security number when buying goods and services.

"Our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive," said Alessandro Acquisti, an assistant professor of information technology and public policy at Carnegie Mellon who co-wrote the study.

A Social Security Administration spokesman said the government has long cautioned the private sector against using a Social Security number as a personal identifier, even as it insists that "there is no foolproof method for predicting a person's Social Security number."

"For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs," which should make it more difficult to figure out numbers in the future, Mark Lassiter, an agency spokesman, said by e-mail.

In recent years, a number of states have passed legislation to redact or remove Social Security numbers from public documents, such as divorce and property records, and bankruptcy filings. In addition, legislation introduced this year by Rep. Rodney Frelinghuysen (R-N.J.) and Sen. Dianne Feinstein (D-Calif.) would prohibit the display, sale or purchase of Social Security numbers without consent, and would bar businesses from requiring people to provide their number.

The researchers wanted to see if they could discover people's numbers by first exploiting what is publicly known about how the numbers are derived.

The first three digits of the number -- called the "area number" -- are issued according to the ZIP code of the mailing address provided in the application form. The fourth and fifth digits -- known as the "group number" -- transition slowly, and often remain constant over several years for a given region. The last four digits are assigned sequentially.

As a result, numbers assigned in the same state to applicants born on consecutive days are likely to contain the same first four or five digits, particularly in states with smaller populations and birth rates.

If someone is trying to find out a living person's Social Security number, the best place to start is with a list of dead people -- particularly those who were born around the time and place of the subject. The "Death Master File" is a publicly available file that lists Social Security numbers, names, dates of birth and death, and the states of all people who have applied for a number and whose deaths have been reported to the Social Security Administration.

CMU researchers Acquisti and Ralph Gross, a doctoral student, theorized that they could use the Death Master File along with publicly available birth information to predict narrow ranges of values wherein individual Social Security numbers were likely to fall. The two tested their hunch using the file of people who died between 1972 and 2003, and found that on the first try they could correctly guess the first five digits of the numbers for 44 percent of deceased people who were born after 1988, and for 7 percent of those born between 1973 and 1988.

Acquisti and Gross found that it was far easier to predict numbers for people born after 1988, when the Social Security Administration began an effort to ensure that numbers were obtained for babies shortly after birth.

They were able to identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.

"Sure, the study says that if you were born in a big state on a busy day you're probably still safe" from having identity thieves guess your entire number, said Ross Anderson, a law professor at Ohio State University and chief counselor for privacy during the Clinton administration. "Still, I think many people would find it unacceptable that a system continues in use which in effect exposes tens of millions of Americans to fraud and other kinds of harm."

© 2009 The Washington Post Company