Skip to main content

Social Security number study raises fears

  • Story Highlights
  • Social Security numbers fall into patterns, study says
  • Numbers can be guessed if person has your birth date, state where you were born
  • Government says this information has been available; no codes have been cracked
  • Numbers are now assigned at birth, but in future will be assigned randomly

(CNN) -- A report earlier this week that a pair of academics had discovered a way to figure out a person's Social Security number based on information people commonly post online has raised new concerns about identity theft.

Professor Alessandro Acquisti says Social Security numbers issued after the late 1980s are vulnerable.

Professor Alessandro Acquisti says Social Security numbers issued after the late 1980s are vulnerable.

The Social Security Administration said the threat is minuscule. Still, the agency plans to change to a random system of assigning the numbers, replacing the current system based on the state and date where the number is assigned.

Professor Alessandro Acquisti and researcher Ralph Gross of Carnegie Mellon University said they began by studying a half-million expired Social Security numbers obtained from the "death master file" published by the Social Security Administration.

"We can use these death master file records to infer patterns" in the way numbers are assigned, said Acquisti, who then derived formulas to zero in on a range of Social Security numbers that might have been assigned to a person.

Because the process depends on the date the Social Security number was assigned, it works best for people born after the late 1980s, when it became common to issue numbers to newborns.

Social Security numbers are made up of three segments. The first segment of three numbers represents the state issuing the number. States with a large population, such as New York, cycle through dozens of numbers, while less populous states, such as Wyoming, use only one.

The second segment is made up of two numbers that are changed periodically, while the third segments is composed of four numbers that cycle continuously from 0000 to 9999.

Knowing a person's state and place of birth, Acquisti would use the death master file to find the numbers of people with nearby birth dates in the same state. Those would be plotted on a graph that would allow Acquisti to try to predict the target person's number.

For example, for Oregon in 1996 the first three numbers cycled from 540 to 544, changing every 60 days or so. The middle segment started the year as 47, but 60 days in it changed to 49. And the last four numbers cycled around, also every 60 days or so.

To avoid giving criminals too much information, Acquisti and Gross withheld some of the details of their methods.

In a small state like Delaware, the report says, for 1 in 20 people the Social Security number can be determined in less than 10 tries.

Mark Lassiter of the Social Security Administration said the threat is not significant. "The public should not be alarmed by this report because there is no foolproof method for predicting a person's Social Security number," he said.

Indeed, for 90 percent of people, Acquisti wouldn't hit on their full Social Security number even with 1,000 tries.

"The method by which Social Security assigns numbers has been a matter of public record for years," said Lassiter. "The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration."

Still, the authors said a determined hacker could use trial and error to try dozens of educated guesses on fraudulent credit applications -- or even use a computer to automate the effort.

At a minimum, they say, their findings are a wake-up call for people who have posted their date and state of birth on Web sites like MySpace or Facebook.

"This is the challenge we face in our modern technology," Acquisti said. "By interacting so much and exposing so much information, we also sometimes expose ourselves to risk."

Starting next year, the government plans to assign numbers randomly, which will protect anyone born after 2010 from mathematical calculations. But for everyone born in the past 20 years, Acquisti said, something besides the Social Security number should be used for bank accounts and credit cards.

"Social Security numbers are very bad passwords," he said. "They were not designed to be used in that way."

CNN's Brian Todd contributed to this report.

All About Facebook Inc.Social Security Administration

  • E-mail
  • Save
  • Print