Can Social Security Numbers Be Guessed?

July 1, 2009

Authors: Catherine M. Callery (Kate) | Louise M. Tarantino

A recent study by researchers at Carnegie Mellon University posits that it is all too easy to guess many if not most of the nine digits in a Social Security number using information that is publicly available.  According to Alessandro Acquisti, assistant professor of information technology and public policy and a co-author of the study, “our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive.”

The first three digits of a Social Security number - or “area number” - are issued according to the zip code of the address provided on the application form.  The middle numbers - or “group numbers” - indicate the time period when the number was issued.  They transition slowly and often remain constant over several years for a given region.  The last four digits are assigned sequentially.  Consequently, the same first four or five digits are likely to appear in SSNs issued to applicants on consecutive days, particularly in small states.  Since 1988, when Social Security began efforts to issue SSNs shortly after birth, the middle digits can be even more readily predicted.  So, the current trend of asking people for only the last four digits of their Social Security numbers is hardly comforting.

The researchers found that by using the “Death Master File,” which is publicly available, they were able to use the Social Security numbers of deceased people born around the same time and place as the subject to guess the subject’s SSN correctly in an alarming number of instances. Records of an individual subject’s place and date of birth could be garnered from a variety of sources, including voter registration lists, commercial databases and even personal blogs and social networking sites.

According to a recent article in the Washington Post describing the Carnegie Mellon study, the Social Security Administration (SSA), for reasons unrelated to the study results, has been developing a system to assign numbers randomly that would make them less predictable. And of course SSA has never recommended that Social Security numbers be used for authentication.

Privacy and security experts cite the study as another example of the dangers of businesses using SSNs for identification.  Peter Swire, a law professor at Ohio State University and chief counselor for privacy during the Clinton administration, is quoted in the Washington Post article as saying:  “We can’t pretend anymore that SSNs can be kept secret.  This report puts a nail in that coffin.  We’ll need new approaches, and it will cost money for the government and the private sector to build the new approaches.”

The study is available at http://blogs.heinz.cmu.edu/ssnstudy/.
 

 





Copyright © Empire Justice Center. All rights reserved. Articles may be reprinted only with permission of the authors.