Researchers Use Facebook and Other Social Network Data to Hack Social Security Numbers

The Internet Patrol - Patrolling the Internet for You

As online society becomes ever more social, and cares ever less about personal security, the phrase “social security” seems more than ever an oxymoron. Perhaps nowhere is this more clearly brought home than in this week’s announcement by researchers at Carnegie Mellon that they have cracked the social security code, and were able to predict with frightening accuracy many social security numbers (SSNs). In many cases, their hack was aided by information gleaned from such social networking sites as Facebook.

As online society becomes ever more social, and cares ever less about personal security, the phrase 'social security' seems more than ever an oxymoron.

Alessandro Acquisti and Ralph Gross undertook the research to determine just how “secure” social security numbers are. Not surprisingly, they found that with just a little bit of information that in times earlier would have been considered very private, and not readily available, they were able to guess the first five digits in someone’s social security number on the very first attempt nearly half of the time, and they were able to get the full social security number nearly 10% of the time in under 1000 attempts.

While 1000 tries to get a full SSN may sound like a lot – when you consider the guessing brute strength that most computers have nowadays, it’s really nothing. Especially for someone motivated by criminal intent.


Of course, it’s been known for ages that where you are born determines the first few digits of your SSN. If you are born on the very eastern part of the east coast of the U.S., your SSN will start with 0, while if you are born in the very western part of the western U.S., your social security number will start with 9 or 8.

While that was well-known, what wasn’t so well-known was that the algorithm for generating social security numbers includes your date of birth.

Acquisti and Gross started by using the Social Security Administration’s “Death Master File” – which contains the SSNs of everyone who has died. The Death Master File is public information, primarily to ensure that the social security number of a deceased person isn’t misused by a criminal assuming the identity of the deceased.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

 

Using the SSNs from the Death Master File, Acquisti and Gross were able to detect patterns in the assigning of the numbers.

They then turned to live people. Facebook, and similar social networking sites, provided a fertile ground. Many people on Facebook include their date of birth, along with their location, in their profile information.

Where someone was born, and the social security number was issued, in a smaller state, the accuracy rate was even higher than for those born in larger states.

 

Muses Acquisti, “I was surprised by the accuracy of certain predictions,” adding that “It’s good that we found it before the bad guys.”

The Social Security Administration is disputing these findings, issuing a statement that “there is no foolproof method for predicting a person’s Social Security number.” An administration spokesperson added that “The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration.”

Still, said the spokesperson, “For reasons unrelated to this report [Ed note: Uh huh..], the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.