How Safe Is Your Social Security Number?

by Dawn Handschuh, Personal Finance Writer   

In a July 2009 report sure to set off alarm bells among identity theft experts, researchers at Carnegie Mellon University said that Social Security numbers (SSNs) could be guessed at with some accuracy, simply by knowing the person's place and date of birth.

Researchers found it possible to make "statistical inferences" of SSNs, thanks in part to widely available sources of personal identifiers on social networking sites and the Social Security Administration's (SSA) own Death Master File (DMF). Anyone with Internet access and some basic knowledge of statistics could exploit this vulnerability, researchers said.¹

"Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales," the report said.

Researchers said they were able to correctly identity 8.5 percent of the SSNs of deceased persons born in the U.S. from 1989 to 2003 in less than 1,000 attempts. In a single attempt, they were able to identify the first five digits for 44 percent of SSNs of deceased Americans born in the same time period. Researchers analyzed more than 500,000 DMF records in the study.

SSNs are made up of three groupings of numbers. The first three digits, known as the "area number (AN)," are assigned by the SSA based on the zip code of the SSN applicant. (Most parents obtain a SSN for their child shortly after the child's birth.) Depending on a given state's population, there may be one or dozens of state-assigned ANs. The second grouping, made up of two digits called the "group number (GN)," is assigned to an individual in a nonconsecutive order between 01 and 99. The last four digits, known as the "serial number (SN)," are assigned consecutively from 0001 through 9999.

The Carnegie Mellon study segregated death records by state of application and then chronologically by birthday to prove that people with similar birthdays who lived in the same state would have similar SSNs. After that, the researchers were able to predict unknown SSNs based on birth information. Those born after 1989 and those born in lower population states were seen as particularly vulnerable. For example, researchers were more successful predicting the SSNs of younger Americans born between 1989 and 2003 than for the general population; they accurately identified the first five SSN digits of six out of 10 SSN records for the younger population in just two attempts.

In their conclusion, the researchers urged the SSA to fully randomize its SSN assignments, stop matching area numbers to states, and refrain from using sequential serial numbers assignments. "[E]ven redacted or truncated SSNS [are] still predictable — and, therefore, still vulnerable," the researchers wrote. "Industry and policymakers may need, instead, to finally reassess our perilous reliance on SSNs for authentication and on consumers' impossible duty to protect them."

Footnote
¹ "Predicting Social Security Numbers from Public Data," Alessandro Acquisti and Ralph Gross, Carnegie Mellon University, Proceedings of the National Academy of Sciences (PNAS), July 7, 2009