Social Security Numbering System Is Vulnerable to Fraud, Researchers Say

R.A. Hettinga rah at shipwright.com
Wed Jul 8 15:47:35 PDT 2009


Of course, cypherpunks have always known that the whole magic number
thing is pretty much sophistical...

Cheers,
RAH
"True Names" are not magical either, frankly. Mystification of
identity, and all that.
-------


<http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2&ref=instapundit&pagewanted=print>

The New York Times

July 7, 2009

Weakness in Social Security Numbers Is Found
By JOHN MARKOFF

The nation's Social Security numbering system has left millions of
citizens vulnerable to privacy breaches, according to researchers at
Carnegie Mellon University, who for the first time have used
statistical techniques to predict Social Security numbers solely from
an individual's date and location of birth.

The findings, published Monday in The Proceedings of the National
Academy of Sciences, are further evidence that privacy safeguards
created in the era before powerful computers and ubiquitous networks
are increasingly failing, setting up an architecture of
vulnerability around personal digital information, the researchers
said.

The researchers, Alessandro Acquisti, an associate professor of
information technology and public policy, and Ralph Gross, a
postdoctoral researcher, noted that there was a range of implications
from the research, including that it was now possible to routinely
reconstruct sensitive personal information from the type of online
postings frequently found on social networking sites and other public
sources.

The authors write that the predictability of Social Security numbers
is an unexpected consequence of the interaction between multiple data
sources, trends in information exposure and antifraud policy
initiatives with unintended effects.

Identity theft is a global problem that has been greatly exacerbated
by the rise of the Internet. Social Security numbers are widely used
for identification and authentication, and are sold both by digital
information aggregators and on black markets set up for the purpose of
identity theft.

The accuracy with which it is possible to correctly predict an
individual Social Security number varies both with the state in which
a person was born and the date when the number was assigned, according
to the researchers.

By testing their algorithm on a half million publicly available
records in the Social Security Administration's Death Master File, the
researchers were able to identify statistical patterns that then
permitted extrapolating to the country's living population, making it
possible, in principle, to identify millions of Social Security
numbers for individuals whose birth date and location were publicly
available.

"This report is a wake-up call," said Peter Swire, a law professor at
Ohio State University who served as the Clinton administration's chief
privacy counselor. "Social Security numbers are an aging technology,
and we have to do serious planning for what will come next."

From the researchers' sample, it was possible to identify in a single
try the first five digits for 44 percent of deceased individuals who
were born after 1988 and for 7 percent of those born from 1973 to
1988. It was possible to identify all nine digits for 8.5 percent of
those born after 1988 in fewer than 1,000 attempts.

The accuracy of the prediction system increased for smaller states and
for people born after 1988. The accuracy was higher for those born in
the late 1980s and after because of rules that led increasingly to the
assignment of Social Security numbers at birth. The researchers, for
example, reported that they needed 10 or fewer tries to predict all
nine digits for 1 out of 20 Social Security numbers assigned in
Delaware in 1996.

The researchers said that while it would not be easy for
cybercriminals to reconstruct their methodology, they believed it was
within the grasp of sophisticated attackers. They also emphasized that
the prediction of Social Security numbers was just one component of
identity theft. For example, an attacker who developed a similar
algorithm might use it as part of an ambitious attack against an
online credit reporting system, where many Social Security numbers
could be tested rapidly.

A spokesman for the Social Security Administration played down the
significance of the researchers' findings.

"The public should not be alarmed by this report because there is no
foolproof method for predicting a person's Social Security number,"
said the spokesman, Mark Lassiter. "The method by which Social
Security assigns numbers has been a matter of public record for years.
The suggestion that Mr. Acquisti has cracked a code for predicting an
S.S.N. is a dramatic exaggeration."

For decades, Mr. Lassiter said, the agency has cautioned the private
sector against using the Social Security number as a personal
identifier. He also said the agency was in the process of creating a
random system for assigning numbers, which will be put in place next
year.

Mr. Acquisti said that even if the agency did assign numbers at
random, it would not increase the security of hundreds of millions of
numbers that had already been assigned.

"My hope is that publishing these results may open a window of
opportunity, so to say, to finally take action," Mr. Acquisti said.
"That S.S.N.s are bad passwords has been the secret that everybody
knows, yet one that so far we have not been able to truly address."




