The Proceedings of the National Academy of Sciences
Facebook and MySpace users may want to think twice before posting their birth dates on their online profiles. According to a recent study published in The Proceedings of the National Academy of Sciences, information as basic as this can be used to pinpoint a person's Social Security number in as few as 10 tries.
By using data from voter registration lists and social-networking sites, and studying statistical patterns in the Social Security numbers (SSNs) of people who have died, researchers Alessandro Acquisti and Ralph Gross have developed an algorithm that could potentially identify the SSNs of millions of people. Acquisti and Gross warn that "unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales."
1. On why being born after 1988 can heighten a person's vulnerability to identity theft: "[Since 1989,] times and locations of individuals' SSN applications over time have become much more correlated with those individuals' times and states of birth ... such correlations may allow a more granular understanding of the SSN assignment scheme."
2. On why living in a less populous state increases the odds of accurately predicting SSNs: "As hypothesized, a strong correlation exists between dates of birth and all 9 SSN digits. That correlation increases for individuals born in ... less populous states (where fewer births take place over a given period, determining slower and more detectable transitions through the SSN assignment scheme) ..."
3. On the best way for an identity thief to take advantage of SSN loopholes: "A rational attacker would focus on SSNs issued in states and years with higher prediction accuracies, taking advantage of a centralized, real-time system for the notification of hits and flags on credit-account requests."
In the 1930s, Social Security numbers were assigned for income-tracking purposes and determined according to an individual's date and place of birth. Back then, identity theft not to mention modern technology like the personal computer were "unthinkable." But the technological boom of recent decades, coupled with the SSN's popularity as an authentication device, has enabled an "architecture of vulnerability" that exposes millions of Americans to fraud and exploitation, the report argues.
Mark Lassiter, a spokesman for the Social Security Administration, dismissed as a "dramatic exaggeration" the suggestion that a successful prediction code has been developed. In a statement, Lassiter urged the public not to be alarmed by the report, stressing that there is "no foolproof method for predicting a person's Social Security number."
But the report has nonetheless boosted existing demand to remake the SSN system. Twenty-five states have recently enacted laws to limit the use of Social Security numbers on public documents, and the Social Security Administration is in the process of creating a random system for assigning SSNs (it will take effect next year). But according to the report, which stresses the need to reassess a "perilous" process, randomizing assigned SSNs may not be enough.