The idea of identity thieves stealing Social Security numbers has always been frightening. With every data breach, the risk of identity theft is determined by the security of the keys to the castle—the constituents’ SSNs.
Results from a Carnegie Mellon University study shows that the numbers don’t have to be stolen; they can be discerned with just a small amount of information about the intended target.
“Our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive,” said Allessandro Acquisti, assistant professor of information technology and public policy at CMU.
The weakness comes from the system used to create SSNs. The first three digits are assigned based on applicants’ zip code. The next two numbers, called the “group number,” are sometimes used for several years in for a specific region. The final four digits—the ones frequently used to authenticate identity–are assigned sequentially.
The researches began their attempts to predict SSNs by referring to the Social Security Administration’s Death Master File to find the SSNs of dead people born at near the same time and place.
When the subjects were from smaller, or sparsely populated states–say, Rhode Island, New Hampshire, Vermont, and North Dakota—the researchers were sometimes able to determine the SSNs in fewer than 10 attempts.
