Can Social Security Numbers be Predicted?

CNET: Report Says It's Possible to Use Publicly Available Data to Infer Social Security Numbers

(CNET)  This story was written by CNET's Elinor Mills.

It is possible to use publicly available data on state and date of birth to predict someone's Social Security number, particularly if they were born after 1988 and in smaller states, according to an article published Monday in The Proceedings of the National Academy of Sciences.

The ability to use statistic inference to predict the sensitive data exposes the Social Security numbers to identity fraud risks on "mass scales," the article said.

Social Security numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable; today, abused as authentication devices, they enable an 'architecture of vulnerability,' in which losses are incurred even in absence of fraud, because of costs caused by attempts to defend, and exploit, the system," the article concluded.

The researchers from Carnegie Mellon University analyzed Social Security numbers of people who have died to detect statistical patterns in the assignment of numbers. They were then able to use those patterns to predict a range of values likely to include a living person's Social Security number. Birth data, meanwhile, can be inferred from data brokers, voter registration lists, online white pages, and social-networking profiles, the report said.

The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records.

On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988.

"Extrapolating to the U.S. living population, this would imply the potential identification of millions of SSNs for individuals whose birth data were available," the article says.

The report goes on to give an example of how someone could get the entire Social Security number by renting a botnet to apply for credit cards impersonating 18-year-old West Virginia-born residents. Following numerous assumptions, including that the attacker can find birth data for 50 percent of the potential targets and that inquiries with the correct first seven of nine digits are sufficient for a credit reporting agency to answer a positive match in half of the cases, an attacker could potentially harvest credentials at rates as high as 47 per minute, obtaining 4,000 credentials within two hours before the IP addresses used in the botnet were blacklisted, the article said.

[bptdude]

wow, people just rant, usually not specific to the article.

did it ever occur to people to issue new numbers to get rolled out with a new national ID system that would be secure, that we could use anyways?

[dartplayer501]

The total number of numbers available for Social security is 999,999,999. This is less than 3x the population of the US! Thus 1 in three 9 figure numbers is someone's SS#. Not close to enough for security. Even credit cards use a 16 number code so the total number available is 10 million times the population of the planet - and with everything on computers, not even those numbers are secure. SS#'s need to be updated or dropped altogether.

[TNisgoodenoughforme]

Why do we have SS #'s? I was born in 69, so I'm never going to see all that $$ going into it.

[speakinup22]

A pertinent comment for FDR I believe.

The SAME comment should be made to Obama about his socialistic medical program. Right now, NO ONE is refused medical care in the US. It is against the law for an emergency room to refuse you care if it is needed. The Dems just want to redistribute how it is paid for.

That is, they want to make it FREE.

They don't want folks to be responsible for their OWN payments.


Now, if they were to go after REDUCING COSTS, that I could agree with.


BUT EVERYONE NEEDS TO PAY THEIR WAY - it is what makes our country work (literially !)

[anti-global2]

simple solution. Make all identy theft punishable by death. Once we whack a few deadbeats the rest will take note.

[drummin2dabeats]

This is outrageous. I planned on living a great, secure life...but now I doubt my security. So someone can just up and steal my identity with the computer knowledge of a 5 year old? I agree with the previous posts, America is turning a little too socialized and well if nothing is done we could be in a whole lot of trouble.

[speakinup22]

Wonderful! Seems like Social Security is no longer just a "failed Socialistic problem" (but I'm being redundant) it is also NOT secure.

Once again, the good intentions by our government has proven to be a real mess. And yet, President Obama charges headlong into the known problems of Socialized Medicine, training wheels and all.

I believe this is where the statement, "The road to hell is paved with good intentions." came from. This turkey ain't no Lincoln.

[anti-global2]

Social security is not an entitlement program and is not socialist. It is our money, we paid in.
I don't care if they have to sell the naming rights of the damned country or the copyright of the flag to raise the money, but i had better get every cent I paid in plus interest. I really don't care about the country at this point, I had just better get what is mine. Give me all that I paid in as well as my interest and I'll gladly up and move to Canada, I already have most of my money invested in thier banks anyway.
It is time for people to start demanding what is theirs, and use any means necessary.

[speakinup22]

anti-global2 - so I hate to bust your bubble, but some folks don't pay in, yet receive benefits.

THAT would make it a socialistic program.

And, you AIN'T gonna get every penny you put in. Although I share your feelings about that statement, you can't get blood from a rock.

[smoknmirrors]

Social Security is not yet a failed Socialistic problem. It is also more secure than not. If you have the time and inclination, you can stand at a counter and offer the clerk 1000 possible social security numbers and be right only 8.5 percent of the time. So you are telling me if I bet $20 1000 times and get a payoff 8.5 percent of the time, I'm a winner? Forget it. I don't fall for that con. However, I will concede that I have fallen for a different con. Social Security, because of inept legislative stewardship and robbing the piggy bank (trust) to pursue every conceivable pork project available, has become simply a new form of the Ponzi scheme. Inevitably, those schemes fall under their own weight. In the meantime, I'm with anti-global 2, I paid in under terms of a social contract that empowered the government to take my earnings from me for the express purpose of providing for me in my old age. I want to hold the government to that contract. And if the Congress of the United States does not honor that contract, throw the whole lot of them in jail.