Study: Social Security Numbers May Be Hackable

Scientists have developed an algorithm that can reliably predict most of a person's Social Security number using public information, raising alarms about using the numbers for identifying purposes. Tom Mosser/Courtesy of www.tommosser.com hide caption

toggle caption
Tom Mosser/Courtesy of www.tommosser.com

Scientists have developed an algorithm that can reliably predict most of a person's Social Security number using public information, raising alarms about using the numbers for identifying purposes.

Tom Mosser/Courtesy of www.tommosser.com

Alessandro Acquisti (above), who authored the study with Ralph Gross, is an associate professor of information technology and public policy at Carnegie Mellon University's Heinz College. Joshua Franzos/Courtesy of Carnegie Mellon University hide caption

toggle caption
Joshua Franzos/Courtesy of Carnegie Mellon University

Alessandro Acquisti (above), who authored the study with Ralph Gross, is an associate professor of information technology and public policy at Carnegie Mellon University's Heinz College.

Joshua Franzos/Courtesy of Carnegie Mellon University

Information experts say they can predict most of a person's Social Security number if they know their name and place and date of birth.

The researchers, at Carnegie Mellon University in Pittsburgh, discovered patterns in the way Social Security numbers are assigned. They found those patterns by mining information from people whose numbers they knew: death records that list a deceased person's date and place of birth, and their Social Security numbers. They discovered they could reliably predict the right number.

The team built a mathematical algorithm based on that experiment, and tried it out with the names of students and their information, found in social networks such as Facebook.

They discovered that in one try, they could predict the first five digits of a person's Social Security number 44 percent of the time if the person was born after 1988. That's when the Social Security Administration started assigning numbers at or near a person's date of birth. That practice ties the first five numbers more closely to a specific date. For people born earlier, the success rate was much lower because numbers were assigned at different times during a person's life.

Able To Predict All Nine Numbers Some Of The Time

Alessandro Acquisti, an information technology researcher at the university, says getting the first five numbers that easily doesn't mean hackers can steal your identity easily. Getting the last four numbers of a Social Security number is much more difficult because they are assigned in a different way. However, Acquisti was able to predict all nine numbers some of the time.

Acquisti adds, however: "When one or two attempts are sufficient to identify a large proportion of issued SSNs' first five digits, an attacker has incentives to invest resources into harvesting the remaining four from public documents or commercial services." For example, some financial and credit institutions keep records of the last four digits of a person's Social Security number.

Chris Hoofnagle, a technology lawyer at the University of California, Berkeley, says computer criminals don't even have to get the whole, exact Social Security number to create a "fictitious person" and secure a credit card, something he calls "synthetic identify theft." They can do it with a fake or partial number.

Acquisti says the Social Security Administration (SSA) should stop using Social Security numbers for identifying people or authenticating transactions.

A Dramatic Exaggeration?

The SSA says it would be a "dramatic exaggeration" to say the Carnegie Mellon researchers have "cracked a code" for finding a person's Social Security number. However, the SSA is changing its system, according to Mark Lassiter, an SSA spokesman. "For reasons unrelated to this report," says Lassiter, "the agency has been developing a system to randomly assign SSNs. This system will be in place next year."

Acquisti says SSA officials have seen his research but not commented to him on it. He also says other federal agencies he declined to identify have asked him to come to Washington, D.C., and discuss his findings.

The Carnegie Mellon research appears in the Proceedings of the National Academy of Sciences.