Online Fraud Easier Due to Social Security Flaw

By Dennis Faas

Researchers have discovered that it's easier to predict social security numbers than previously realized. The discovery means giving away too many personal details online is even more dangerous.

A report by Carnegie Mellon University, published in The Proceedings of the National Academy of Sciences, says that social security numbers were never intended to be used as a way of confirming somebody's identity. Instead they were meant purely as a way of keeping track of an individual's tax and benefit payments.

The researchers were investigating a theory that there was a distinct pattern to the way numbers are assigned. They studied the Death Master File, a list of personal details of anyone with a social security number who has died since 1962. The document is publicly available and is commonly used by people researching family histories.

Numbers Not Random

It was already known that the first three digits of a social security number relate to the mailing address a person had when the number was issued. The remaining six digits are split into two blocks, each reflecting the order in which numbers are issued within that block. The final four-digit block is issued consecutively, but the middle two-digit block is issued in a fixed set order that is not consecutive. (Source: ssa.gov)

This means people born in the same state on consecutive days will likely share the first four or five digits, particularly in less-populated states.

Using this theory, the researchers attempted to work out the social security numbers of 500,000 people listed in the Death Master File. For people born between 1973 and 1988, they correctly predicted the entire first five digits on a single attempt in 7% of cases. This rose to 44% for people born after 1988, when it became standard practice to assign numbers as soon as a child was born. Among this group, the figure was 61% if the researchers allowed themselves two attempts (which, in reality, could often happen if the first incorrect attempt was passed off as a mistake).

Protection Too Weak

The implications are pretty serious. At its simplest, the researchers found that for 8.5% of people born after 1988 they were able to guess the entire social security number in under 1,000 attempts. That may sound low, but it's equivalent to the protection of a three-digit PIN, which most security experts consider too weak.

Another problem is that many systems which use social security numbers don't check all the digits; the researchers suggest half of them check only the first seven digits or fewer. In one hypothetical example the researchers gave, a determined criminal could apply for 4,000 credit cards under other people's names before being blacklisted. (Source: pnas.org)
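The two verifier-side weaknesses described above (a second attempt excused as a typo, and systems that compare only the first seven digits) can be modelled directly. This is an added example written from the verifier's point of view, not the researchers' code or any real credit system; the names, dates and SSNs in it are constructed placeholders, and the `Verifier` class, `ON_FILE` table and helper functions are assumptions for illustration only.

```python
import hmac
from collections import defaultdict

# Constructed sample of what a verifier holds: claimed identity -> SSN on file.
# The SSN is a placeholder, not a real number.
ON_FILE = {("jane doe", "1990-03-14"): "987-65-4321"}

def weak_match(submitted: str, on_file: str, digits: int = 7) -> bool:
    """The weak check the article describes: only the first `digits` of nine are
    compared. If area+group (first five) are predictable from state and birth
    date, a seven-digit check leaves just two unknown digits."""
    return submitted.replace("-", "")[:digits] == on_file.replace("-", "")[:digits]

def strong_match(submitted: str, on_file: str) -> bool:
    """Hardened check: all nine digits, validated, compared in constant time."""
    a, b = submitted.replace("-", ""), on_file.replace("-", "")
    return len(a) == 9 and a.isdigit() and hmac.compare_digest(a, b)

def guesses_remaining(prefix_known: int, digits_checked: int = 9) -> int:
    """Size of the search space left to someone who knows `prefix_known`
    leading digits when the verifier compares only `digits_checked` of nine."""
    return 10 ** max(0, digits_checked - prefix_known)

class Verifier:
    """Counts failed attempts per claimed identity (name + date of birth) so a
    wrong number cannot be retried as a 'typo' indefinitely; locks the identity
    after `max_attempts` failures and requires out-of-band review to unlock."""
    def __init__(self, max_attempts: int = 2):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)   # identity -> failed attempts
        self.locked = set()

    def verify(self, name: str, dob: str, ssn: str) -> str:
        key = (name.strip().lower(), dob)
        if key in self.locked:
            return "locked"
        on_file = ON_FILE.get(key)
        if on_file is not None and strong_match(ssn, on_file):
            return "ok"
        # Count the failure whether the identity exists or not, so the
        # response does not reveal which (name, dob) pairs are on file.
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.locked.add(key)
            return "locked"
        return "reject"
```

With five digits predictable, `guesses_remaining(5, 7)` is 100 against a seven-digit check versus 10,000 against a full nine-digit check, which is the gap the partial-check practice opens up.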

The researchers also warn the system could be exploited for phishing-style attacks in which scammers pose as officials. If a letter or email correctly states the first five digits, many recipients may assume the sender must be genuine.

Flaw Too Late To Solve

The study concludes that although future social security numbers could be assigned more randomly, that won't solve the problem of existing numbers being comparatively predictable. The researchers insist the only solution is for firms to stop using the numbers as a way of verifying identities.

In the meantime, the public needs to make greater efforts to protect their personal information and make sure that complete details (full name, mailing address, date of birth) aren't available to people they don't trust.
