No, this isn’t a new game at the county fair. Researchers at Carnegie Mellon University say they’ve figured out a way to predict Social Security numbers — in some cases, with frightening accuracy.
From the researchers’ sample, it was possible to identify in a single try the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born from 1973 to 1988. It was possible to identify all nine digits for 8.5 percent of those born after 1988 in fewer than 1,000 attempts.
The accuracy of the prediction system increased for smaller states and for people born after 1988. The accuracy was higher for those born in the late 1980s and after because of rules that led increasingly to the assignment of Social Security numbers at birth.
In one case, the study nailed down one out of 20 entire SSN’s in less than 10 tries for people born in Delaware in 1996.
Researchers used government data that is publicly available in a database called the Death Master File. It lists the SSN’s of people who have died. They combined that data with date of birth and birthplace information, which are used to construct SSN’s. Plenty of people make that information available, on Facebook, for example. Ironically, financial companies use the Death Master File to match records in hopes of preventing identity theft.
The researchers said it wouldn’t be easy for cybercriminals to reconstruct their methodology, but sophisticated hackers might be able to do it. Without going into too much detail, they lay out a scenario in which cybercriminals trying to guess SSN’s for men born in West Virginia in 1991 could get the numbers of as many as 47 people per minute.
The Social Security Administration’s response:
“The public should not be alarmed by this report because there is no foolproof method for predicting a person’s Social Security number,” said the spokesman, Mark Lassiter. “The method by which Social Security assigns numbers has been a matter of public record for years. The suggestion that Mr. Acquisti has cracked a code for predicting an S.S.N. is a dramatic exaggeration.”
For decades, Mr. Lassiter said, the agency has cautioned the private sector against using the Social Security number as a personal identifier. He also said the agency was in the process of creating a random system for assigning numbers, which will be put in place next year.
That sounds like a good idea. Here’s the link to the study.
Stories You Might Like
There’s a lot happening in the world. Through it all, Marketplace is here for you.
You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible.
Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.
