Social security number predictability exposes citizens to ID theft

US researchers were able to predict US citizens' social security numbers from publicly available information, raising the risk that criminals might steal identities to commit fraud.

Download this free guide

From forensic cyber to encryption: InfoSec17

Security technologist Bruce Schneier’s insights and warnings around the regulation of IoT security and forensic cyber psychologist Mary Aiken’s comments around the tensions between encryption and state security were the top highlights of the keynote presentations at Infosecurity Europe 2017 in London.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Alessandro Acquisti and Ralph Gross of Carnegie Mellon University, found that information about an individual's place and date of birth could be used to predict his or her social security number (SSN).

Writing in the Proceedings of the National Academy of Sciences they said, "Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data, and found that for younger cohorts the correlation allows statistical inference of private SSNs."

The inferences are made possible by the public availability of the Social Security Administration's Death Master File (DMF) and the widespread availability of personal information from multiple sources, such as data brokers or profiles on social networking sites, they said.

"Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums," they said.

The authors said that SSNs had become authenticators of many different types of transaction in much the same way that an identity number does, and as such they have become sought after by identity thieves.

"We showed that it is possible to predict, entirely from public data, narrow ranges of values wherein individual SSNs are likely to fall. Unless mitigating strategies are implemented, the predictability of SSNs exposes people to risks of identify theft on mass scales," they said.

Using their method, they identified the first five digits for 44% of DMF records of deceased individuals born in the US between 1989 and 2003 in a first attempt, and the complete SSN in fewer than 1,000 attempts for 8.5% of those records. This made an SSN the equivalent of a three-digit financial PIN, they said.

"Such findings highlight the hidden privacy costs of widespread information dissemination and the complex interactions among multiple data sources in modern information economies. This underscores the role of public records as breeder documents of more sensitive data," they said.