As online society becomes ever more social, and cares ever less about personal security, the phrase “social security” seems more than ever an oxymoron. Perhaps nowhere is this more clearly brought home than in this week’s announcement by researchers at Carnegie Mellon that they have cracked the social security code, and were able to predict with frightening accuracy many social security numbers (SSNs). In many cases, their hack was aided by information gleaned from such social networking sites as Facebook.
Alessandro Acquisti and Ralph Gross undertook the research to determine just how “secure” social security numbers are. Not surprisingly, they found that with just a little bit of information that in times earlier would have been considered very private, and not readily available, they were able to guess the first five digits in someone’s social security number on the very first attempt nearly half of the time, and they were able to get the full social security number nearly 10% of the time in under 1000 attempts.
While 1000 tries to get a full SSN may sound like a lot – when you consider the guessing brute strength that most computers have nowadays, it’s really nothing. Especially for someone motivated by criminal intent.
Of course, it’s been known for ages that where you are born determines the first few digits of your SSN. If you are born on the very eastern part of the east coast of the U.S., your SSN will start with 0, while if you are born in the very western part of the western U.S., your social security number will start with 9 or 8.
While that was well-known, what wasn’t so well-known was that the algorithm for generating social security numbers includes your date of birth.
Acquisti and Gross started by using the Social Security Administration’s “Death Master File” – which contains the SSNs of everyone who has died. The Death Master File is public information, primarily to ensure that the social security number of a deceased person isn’t misused by a criminal assuming the identity of the deceased.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Using the SSNs from the Death Master File, Acquisti and Gross were able to detect patterns in the assigning of the numbers.
They then turned to live people. Facebook, and similar social networking sites, provided a fertile ground. Many people on Facebook include their date of birth, along with their location, in their profile information.
Where someone was born, and the social security number was issued, in a smaller state, the accuracy rate was even higher than for those born in larger states.
Muses Acquisti, “I was surprised by the accuracy of certain predictions,” adding that “It’s good that we found it before the bad guys.”
The Social Security Administration is disputing these findings, issuing a statement that “there is no foolproof method for predicting a person’s Social Security number.” An administration spokesperson added that “The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration.”
Still, said the spokesperson, “For reasons unrelated to this report [Ed note: Uh huh..], the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
