In a study that challenges current initiatives to reduce identity theft, researchers Alessandro Acquisti and Ralph Gross of Carnegie Mellon University have released results showing how easily all nine digits of an individual’s Social Security number can be accurately predicted from information that is readily available in numerous public databases.
Based on observation of issuance patterns of Social Security numbers in the “Death Master File” (a public database that contains SSNs of people who have died), the investigators were able to use information about an individual’s date and state of birth to predict narrow ranges of values likely to contain that individual’s SSN. Prediction accuracy increased for people born after 1988 and for people born in states with lower population numbers.
Discussing the implications of their data, Acquisti and Gross state that:
“SSNs, in their current form, are highly insecure passwords and should not be used for authentication. If one can successfully identify all nine digits of an SSN in fewer than 10, 100, or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN.”
The investigators make several recommendations, including:
- randomizing the entire SSN assignment process;
- reconsidering current policy initiatives with respect to SSNs and ID theft. The investigators argue that because SSNs are predictable from publicly available data, they cannot be kept confidential even if they are removed from databases, and as a result current initiatives may be futile and ineffective;
- not requiring consumers to use SSNs as passwords or for authentication with private sector entities, because SSNs can be predicted and are therefore, in some sense, semi-public information.
The study, “Predicting Social Security numbers from public data,” will be presented at Black Hat on July 29. A copy of the study can be downloaded from the Proceedings of the National Academy of Sciences web site. The investigators note that they have omitted sensitive details about the prediction strategy from the published article. There is also an FAQ about the study to help the public understand what the investigators found and its implications.
Prior to releasing the study, the investigators shared their results with government agencies.