Social Security numbers follow a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of inferring a person's SSN from data gleaned from multiple sources, including profiles on social networking sites.
The researchers worked out the assignment scheme, guessing the first five digits of an SSN on the first try for 44% of people born after 1988. The method is even more reliable in less populated states, where it had a 90% success rate for individuals born after 1988. In fewer than 1,000 attempts, the researchers could identify a complete SSN for 8.5% of those born after 1988, "making SSNs akin to 3-digit financial PINs."
In their paper, "Predicting Social Security Numbers from Public Data," researchers Alessandro Acquisti and Ralph Gross said they observed a correlation between an individual's SSN and their birth data. The duo said they gathered the data from profiles on social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration's Death Master File.
"Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums," the researchers wrote in their paper, published Monday in the Proceedings of the National Academy of Sciences. "Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales."
The less populated the state, the easier it was for the researchers to predict an SSN. The researchers said they used a brute-force matching algorithm to guess the last four digits of a person's SSN.
"For smaller states and recent years, the [success rate] rises to 60% -- with some of our predictions matching complete, 9-digit SSNs at the very first attempt," the researchers said.
The researchers also noted that the final four digits can be obtained through mass spear phishing emails: using social engineering, a person can be tricked into giving up a portion of their SSN. In addition, they concluded, renting a botnet could be less costly than hacking into a merchant's database.
"Breaching large organizations' databases to harvest personal data can produce massive amounts of credentials but often requires significant logistical and technical efforts," they said. "On the other hand, automated vast-scale cyberattacks based on distributed computations, or mass-scale harvesting of personal data and affordability, are becoming more common because of the availability and affordability of botnets."
The researchers are recommending that the Social Security Administration fully randomize its SSN assignment scheme, protecting future identities. Ultimately, industry and policy makers may need to reassess the reliance on SSNs for authentication, the researchers said.
Security experts said the research shows the identification system is outdated and needs to be replaced with a new identifying system or improved with additional security controls.
Robert Siciliano, a security consultant and CEO of IDtheftsecurity.com, called the researchers' work an accomplishment, but said the ability of educated researchers to guess SSNs is the least of our problems.
"While white hat hackers are able to crack the code, your crack addicted human resource administrator who fell by the wayside has access to every single SSN in the filing cabinet," Siciliano said.
Scope creep has set into the current SSN system, which has taken on far greater responsibility than it was ever designed to handle, Siciliano said. He argued that the country's current identification system should be scrapped and replaced with a national identification scheme with built-in security features, such as multifactor authentication and biometrics.
"We have to overcome the privacy hurdles that so many are screaming about," Siciliano said. "Privacy is an illusion. [It] doesn't exist and has been dead for quite some time now. Once we can overcome the fear of that we can begin to solve this problem."
Michael Argast, a security analyst at Sophos Inc., said the irony in all this is that the federal government reduced the randomness associated with an individual's SSN in the early 1980s to stop fraudsters from faking SSNs.
"The impact of the Internet and identity theft has made the need to protect SSN information critical, but the system was never designed to handle the degree of fraud that occurs today," Argast wrote on the Sophos blog. "Trying to protect a system designed over 60 years ago against today's malicious activity is growing increasingly difficult."