Researchers predict SSNs, crack algorithm putting identities at risk

By Robert Westervelt, News Editor
07 Jul 2009 | SearchSecurity.com


Social Security numbers have a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of cracking a person's SSN based on data gleaned from multiple sources, including profiles on social networking sites.

The researchers cracked the assignment scheme, guessing the first five digits of an SSN on the first try for 44% of people born after 1988. The method is even more reliable for individuals born after 1988 in less populated states, where it succeeds 90% of the time. In fewer than 1,000 attempts, the researchers could identify a complete SSN for 8.5% of those born after 1988, "making SSNs akin to 3-digit financial PINs."

In their paper, "Predicting Social Security Numbers from Public Data," researchers Alessandro Acquisti and Ralph Gross said they observed a correlation between an individual's SSN and their birth data. The duo said they gathered the data from profiles on social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration's Death Master File.

"Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums," the researchers wrote in their paper, published Monday in the National Academy of Sciences journal. "Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales."

The less populated the state, the easier it was for the researchers to crack an SSN. Once the first five digits were predicted, the researchers used a brute-force matching algorithm to guess the last four digits of a person's SSN.

"For smaller states and recent years, the [success rate] rises to 60% -- with some of our predictions matching complete, 9-digit SSNs at the very first attempt," the researchers said.
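The brute-force step above only works if whatever checks a guessed SSN will answer many guesses. The following defender-side check is an added example, not code from the article or from the Acquisti and Gross paper: it assumes a hypothetical service that logs one line per SSN verification attempt in the constructed format `<ISO timestamp> subject=<record id> last4=<4 digits> result=ok|fail`, and flags any record against which more than a handful of distinct last-four values were tried inside a short window. The log format, subject identifiers and thresholds are all assumptions.

```python
# Added example (not from the article or the paper it reports on): detect
# enumeration of the last four SSN digits against a hypothetical verification
# step. Assumed log line format:
#   <ISO timestamp> subject=<record id> last4=<4 digits> result=ok|fail
# Thresholds are illustrative; the sample log below is constructed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) subject=(?P<subject>\S+) last4=(?P<last4>\d{4}) result=(?P<result>ok|fail)$"
)

# Constructed sample: A mistypes once and then succeeds; B walks through eight
# different values in under a minute; C retries the same value seven times.
SAMPLE_LOG = [
    "2009-07-07T10:00:00 subject=A last4=1234 result=fail",
    "2009-07-07T10:00:30 subject=A last4=1243 result=ok",
    *[f"2009-07-07T10:05:{i * 5:02d} subject=B last4={i:04d} result=fail" for i in range(8)],
    *[f"2009-07-07T10:20:{i * 5:02d} subject=C last4=9999 result=fail" for i in range(7)],
    "garbage line that does not match the assumed format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "subject": m["subject"],
        "last4": m["last4"],
        "result": m["result"],
    }


def find_enumeration(lines, window=timedelta(minutes=10), max_distinct=5):
    """Return {subject: peak distinct last-4 guesses} for subjects whose distinct
    guesses inside any sliding window of `window` exceed `max_distinct`.
    Repeats of the same value (a user re-entering a typo) count once."""
    per_subject = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_subject[rec["subject"]].append((rec["ts"], rec["last4"]))

    flagged = {}
    for subject, attempts in per_subject.items():
        attempts.sort()
        in_window = Counter()  # last4 value -> occurrences inside the window
        start = 0
        for ts, last4 in attempts:
            in_window[last4] += 1
            # Slide the window start forward past attempts older than `window`.
            while ts - attempts[start][0] > window:
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct > max_distinct:
                flagged[subject] = max(flagged.get(subject, 0), distinct)
    return flagged


def keyspace_coverage(attempts_allowed, space=10_000):
    """Fraction of the 10^4 last-four space an attacker covers with a given
    attempt budget; shows why the per-record budget must stay tiny."""
    return attempts_allowed / space


if __name__ == "__main__":
    print("flagged subjects:", find_enumeration(SAMPLE_LOG))
    print("coverage with 5 attempts:", keyspace_coverage(5))
```

The window is keyed on the record being verified rather than on the source address, because the brute force the researchers describe is distributed across a botnet; a per-IP limit alone would not see it. The hypothetical `keyspace_coverage` helper makes the budgeting explicit: even 1,000 attempts cover a tenth of the last-four space, which is the regime in which the article reports complete SSNs being recovered.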

It is also relatively easy to obtain the final four digits through mass spear phishing emails: using social engineering, a person can be tricked into giving up a portion of their SSN. In addition, renting a botnet can be less costly than hacking into a merchant's database, the researchers concluded.

"Breaching large organizations' databases to harvest personal data can produce massive amounts of credentials but often requires significant logistical and technical efforts," they said. "On the other hand, automated vast-scale cyberattacks based on distributed computations, or mass-scale harvesting of personal data and affordability, are becoming more common because of the availability and affordability of botnets."

The researchers are recommending that the Social Security Administration fully randomize its SSN assignment scheme, protecting future identities. Ultimately, industry and policy makers may need to reassess the reliance on SSNs for authentication, the researchers said.

Security experts said the research shows the identification system is outdated and needs to be replaced with a new identifying system or improved with additional security controls.

Robert Siciliano, a security consultant and CEO of IDtheftsecurity.com, called the researchers' work an accomplishment, but said the ability of educated researchers to guess SSNs is the least of our problems.

"While white hat hackers are able to crack the code, your crack addicted human resource administrator who fell by the wayside has access to every single SSN in the filing cabinet," Siciliano said.

Scope creep has set into the current SSN system, which has taken on a greater responsibility than it was ever designed to handle, Siciliano said. Instead, the country's current identification system should be scrapped and replaced with a national identification system with built-in security features, such as multifactor authentication and biometrics.

"We have to overcome the privacy hurdles that so many are screaming about," Siciliano said. "Privacy is an illusion. [It] doesn't exist and has been dead for quite some time now. Once we can overcome the fear of that we can begin to solve this problem."

Michael Argast, a security analyst at Sophos Inc., said the irony in all this is that the federal government reduced the randomness associated with an individual's SSN in the early 1980s to stop fraudsters from faking SSNs.

"The impact of the Internet and identity theft has made the need to protect SSN information critical, but the system was never designed to handle the degree of fraud that occurs today," Argast wrote on the Sophos blog. "Trying to protect a system designed over 60 years ago against today's malicious activity is growing increasingly difficult."
