Monday, July 6, 2009

Researchers: SSNs Can Be Guessed

Via Washington Post -

Researchers have found that it is possible to guess many -- if not all -- of the nine digits in an individual's Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Many numbers could be guessed simply by knowing a person's birth data, the researchers from Carnegie Mellon University said.

The results come as concern grows over identity theft and lawmakers in Washington push legislation that would bar businesses from requiring people to supply their Social Security number when purchasing a good or service.

"Our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive," said Alessandro Acquisti, assistant professor of information technology and public policy at Carnegie Mellon University, and a co-author of the study.

A Social Security Administration spokesman said the government has long cautioned the private sector against using a Social Security number as a personal identifier, even as it insists "there is no foolproof method for predicting a person's Social Security Number."

"For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs," which should make it more difficult to discover numbers in the future, Mark Lassiter, a spokesman for the Social Security Administration, said by e-mail.

[...]

The researchers at Carnegie Mellon set out to see if they could discover people's numbers by first exploiting what is publicly known about how the numbers are derived.

The Social Security number's first three digits -- called the "area number" -- are issued according to the ZIP code of the mailing address provided in the application form. The fourth and fifth digits -- known as the "group number" -- transition slowly, and often remain constant over several years for a given region. The last four digits are assigned sequentially.

As a result, SSNs assigned in the same state to applicants born on consecutive days are likely to contain the same first four or five digits, particularly in states with smaller populations and rates of birth.

[...]

Privacy and security experts praised the Carnegie Mellon study, saying it should be a wake-up call to policy makers and industry leaders, many of whom have resisted switching to a more secure consumer authentication system due to the sheer cost of changing the current system.

[...]

Ross Anderson, a professor of security engineering at Cambridge University, said the findings suggest that businesses using SSNs as a password are being negligent, and should find other ways of verifying the claims to identity that are being made by their customers.

"Sure, the study says that if you were born in a big state on a busy day you're probably still safe," from having identity thieves guess your entire SSN, Anderson said. "Still, I think many people would find it unacceptable that a system continues in use which in effect exposes tens of millions of Americans to fraud and other kinds of harm."

Linda Foley, founder of the Identity Theft Resource Center, a San Diego-based nonprofit, cited another potential problem. She said many businesses have errantly come to rely upon the last four digits of a person's SSN, or have moved to redact all but those four digits, the very digits that are most unique to an individual.

"Because of the way the SSN has been designed, asking for the last four numbers of the SSN puts people at risk because those are the only numbers that are unique to you and cannot be guessed easily by someone who might want to use your identity," Foley said.

The National Science Foundation, the U.S. Army Research Office, Carnegie Mellon CyLab, and the Berkman Faculty Development Fund provided support for the research. The study, which will be presented July 29 at the BlackHat 2009 security conference in Las Vegas, is available at this link.
