Social Security Numbering System Is Vulnerable to Fraud, Researchers Say

Of course, cypherpunks have always known that the whole magic number thing is pretty much sophistical... Cheers, RAH "True Names" are not magical either, frankly. Mystification of identity, and all that. ------- <http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2&ref=instapundit&pag ewanted=print

The New York Times July 7, 2009 Weakness in Social Security Numbers Is Found By JOHN MARKOFF The nations Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individuals date and location of birth. The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an architecture of vulnerability around personal digital information, the researchers said. The researchers, Alessandro Acquisti, an associate professor of information technology and public policy, and Ralph Gross, a postdoctoral researcher, noted that there was a range of implications from the research, including that it was now possible to routinely reconstruct sensitive personal information from the type of online postings frequently found on social networking sites and other public sources. The authors write that the predictability of Social Security numbers is an unexpected consequence of the interaction between multiple data sources, trends in information exposure and antifraud policy initiatives with unintended effects. Identify theft is a global problem that has been greatly exacerbated by the rise of the Internet. Social Security numbers are widely used for identification and authentication, and are sold both by digital information aggregators and on black markets set up for the purpose of identity theft. The accuracy with which it is possible to correctly predict an individual Social Security number varies both with the state in which a person was born and the date when the number was assigned, according to the researchers. By testing their algorithm on a half million publicly available records in the Social Security Administrations Death Master File, the researchers were able to identify statistical patterns that then permitted extrapolating to the countrys living population, making it possible  in principle  to identify millions of Social Security numbers for individuals whose birth date and location were publicly available. This report is a wake-up call, said Peter Swire, a law professor at Ohio State University who served as the Clinton administrations chief privacy counselor. Social Security numbers are an aging technology, and we have to do serious planning for what will come next. From the researchers sample, it was possible to identify in a single try the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born from 1973 to 1988. It was possible to identify all nine digits for 8.5 percent of those born after 1988 in fewer than 1,000 attempts. The accuracy of the prediction system increased for smaller states and for people born after 1988. The accuracy was higher for those born in the late 1980s and after because of rules that led increasingly to the assignment of Social Security numbers at birth. The researchers, for example, reported that they needed 10 or fewer tries to predict all nine digits for 1 out of 20 Social Security numbers assigned in Delaware in 1996. The researchers said that while it would not be easy for cybercriminals to reconstruct their methodology, they believed it was within the grasp of sophisticated attackers. They also emphasized that the prediction of Social Security numbers was just one component of identity theft. For example, an attacker who developed a similar algorithm might use it as part of an ambitious attack against an online credit reporting system, where many Social Security numbers could be tested rapidly. A spokesman for the Social Security Administration played down the significance of the researchers findings. The public should not be alarmed by this report because there is no foolproof method for predicting a persons Social Security number, said the spokesman, Mark Lassiter. The method by which Social Security assigns numbers has been a matter of public record for years. The suggestion that Mr. Acquisti has cracked a code for predicting an S.S.N. is a dramatic exaggeration. For decades, Mr. Lassiter said, the agency has cautioned the private sector against using the Social Security number as a personal identifier. He also said the agency was in the process of creating a random system for assigning numbers, which will be put in place next year. Mr. Acquisti said that even if the agency did assign numbers at random, it would not increase the security of hundreds of millions of numbers that had already been assigned. My hope is that publishing these results may open a window of opportunity, so to say, to finally take action, Mr. Acquisti said. That S.S.N.s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.