In today’s article, Intersections’ Consumer Security Adviser Neal O’Farrell explains why your Social Security Number might be easier to predict than you think!
Sometimes the most important security research can easily slip under the radar, depriving us of valuable insight into serious vulnerabilities that we really should know about.
Such may be the case with a research project that strongly suggested how easy it could be for identity thieves to identify millions of Social Security numbers (SSNs) simply by cross-referencing key pieces of public records that are available to all of us.
The research paper "Predicting Social Security numbers from public data" was written by researchers at Carnegie Mellon University and first published in May 2009. And while it should have been a wake-up call for consumers and security experts, the troubling results went largely unnoticed.
According to the authors of the paper, the key to the vulnerability of SSNs is the Death Master File, or DMF. This is a record kept by the Social Security Administration of deaths in the U.S., and the researchers were able to detect statistical patterns in these records when they cross-referenced them with the dates and states of birth for living individuals.
The places and dates of birth are of course easily available - not only from public records and hacked databases, but offered up freely on social networking sites.
Using all this public information, the researchers were able to correctly determine the first five digits for 44% of deceased persons in the U.S. between the years 1989 and 2003, in just one attempt. With multiple attempts they were able to figure out the entire SSN for 8.5% of records.
The implication is that it may be just as easy to apply the same methodology to figure out the Social Security numbers of millions of living Americans, and do so legally using publicly available data.
And while a Social Security number is supposed to be a closely shared secret, the way Social Security numbers are created is not so secret. SSNs are nine-digit numbers. The first three digits are called the area number, or AN, the next two are called the general number, or GN, and the last four are known as the serial number, or SN.
The first four are based simply on the zip code of the address provided when the Social Security Number was applied for - probably where your parents lived when you were born. The next two numbers, the general number, are so called because they are assigned on a semi-random basis according to what specific area within that zip code the SSN was registered, and those regions and their accompanying general numbers are also publicly available. The last four digits of your social, the social number, are chosen from the available numbers within your GN region - numbers that range from 0000 to 9999.
Now it may sound a bit confusing, and it's supposed to. The Social Security Administration really didn't want anyone figuring out the system. But when the system was created decades ago, the SSA never imagined something as powerful as the internet.
I think the most important lesson we can take from this report is that if we ever thought that the Social Security number should be used as a secret code or identifier, we should now leave that notion in the past. Yet every day I still come across organizations that use an individual's Social Security number as a mandatory identifier, with little concern for security.
For example, I've come across a number of cities that still allow employees, including police officers, to gas up at city gas pumps using a simple code — the user's Social Security number. Many of these antiquated pumps have no security and are located in isolated places where they can easily be tampered with.
And many, if not most, schools still require that parents use a Social Security number to identify their kids. Yet most of these schools don't have a sufficient level of awareness, or security processes in place, to protect this wealth of secret information.
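For an organization that holds records like these, the three-part layout described earlier (area number, general number, serial number) is enough to locate SSNs sitting in files and logs and mask them. The sketch below is an added example, not from the article or the research paper; the function names are hypothetical, the rejection rules (area 000, 666 or 900-999, group 00, serial 0000) are standard SSA rules that the article does not state, and the sample records are constructed around publicly known specimen numbers.

```python
import re

# Nine digits in the 3-2-4 layout the article describes (AN, GN, SN), with an
# optional dash or space separator used consistently. The lookarounds keep the
# pattern from firing inside longer digit runs such as phone numbers.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible(an, gn, sn):
    """Drop values that are never issued (assumed rules, not from the article)."""
    if an in ("000", "666") or an[0] == "9":
        return False
    return gn != "00" and sn != "0000"

def find_ssns(text):
    """Return (start, end, an, gn, sn) for every plausible SSN in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        an, gn, sn = m.group(1), m.group(3), m.group(4)
        if plausible(an, gn, sn):
            hits.append((m.start(), m.end(), an, gn, sn))
    return hits

def redact(text):
    """Mask the whole number. Showing only the last four digits would expose
    the serial number, the part the article says is hardest to predict once
    the first five digits are known."""
    out, last = [], 0
    for start, end, *_ in find_ssns(text):
        out.append(text[last:start])
        out.append("[SSN REDACTED]")
        last = end
    out.append(text[last:])
    return "".join(out)

# Constructed sample records; the two SSN-shaped values are well-known
# specimen numbers that were never assigned to a real person.
SAMPLE = (
    "student=A. Example ssn=219-09-9999 dob=1990-04-02\n"
    "pump_code=078051120 unit=12\n"
    "phone=555-010-1234 ticket=000-12-3456\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```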
We need to revisit the debate about Social Security numbers. They weren't designed to be a secret, and yet they are the keys to the kingdom for many thieves. And keeping them secret has never been harder.
Watch on YouTube as the researchers explain what their work actually means.