Social security number predictability exposes citizens to ID theft

US researchers were able to predict US citizens' social security numbers from publicly available information, raising the risk that criminals might steal identities to commit fraud.

Alessandro Acquisti and Ralph Gross of Carnegie Mellon University, found that information about an individual's place and date of birth could be used to predict his or her social security number (SSN).

Writing in the Proceedings of the National Academy of Sciences they said, "Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data, and found that for younger cohorts the correlation allows statistical inference of private SSNs."

The inferences are made possible by the public availability of the Social Security Administration's Death Master File (DMF) and the widespread availability of personal information from multiple sources, such as data brokers or profiles on social networking sites, they said.

"Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums," they said.

The authors said that SSNs had become authenticators of many different types of transaction in much the same way that an identity number does, and as such they have become sought after by identity thieves.

"We showed that it is possible to predict, entirely from public data, narrow ranges of values wherein individual SSNs are likely to fall. Unless mitigating strategies are implemented, the predictability of SSNs exposes people to risks of identify theft on mass scales," they said.

Using their method, they identified the first five digits for 44% of DMF records of deceased individuals born in the US between 1989 and 2003 in a first attempt, and the complete SSN in fewer than 1,000 attempts for 8.5% of those records. This made an SSN the equivalent of a three-digit financial PIN, they said.

"Such findings highlight the hidden privacy costs of widespread information dissemination and the complex interactions among multiple data sources in modern information economies. This underscores the role of public records as breeder documents of more sensitive data," they said.