Back in 2009, Carnegie Mellon University researchers published a study in the Proceedings of the National Academy of Sciences that was also presented at a major security conference. The report outlined their research into how easy it is to correctly guess a person’s Social Security number (SSN), and the results were – and still are – rather shocking. The concern the study raised has only grown with the data breaches, stolen credit cards, and identity theft that happen on a daily basis.
The research team, made up of students and professors, found that they could guess an entire nine-digit SSN on the very first try nearly one out of every 10 times. They became adept enough at predicting the first five digits of the number that they frequently got them right on the first attempt. That underscores the fact that your SSN is not as safe as you might think. As a matter of fact, it may be quite a bit easier to crack than the PIN you use on your ATM card.
The official Carnegie Mellon research report stated, “If one can successfully identify all nine digits of an SSN in fewer than 10, 100, or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN.”
Not Hacking, Just Data Matching
In explaining their methodology the researchers were quick to point out they had not uncovered some kind of carefully guarded algorithm to break the security of the government agency’s numbering system. In fact, they said, all they did was gather information readily available to anyone and then make observations and comparisons to narrow down the choices and accurately guess Social Security numbers.
“We have not broken a secret code,” they wrote, “and yes, the assignment scheme is publicly available.” They further explained that the number assignment scheme was never meant to be secure in the first place. When Social Security came into existence back in the 1930s, nobody imagined the numbers would be used for such important matters as authenticating a consumer’s identity during a banking transaction by phone. As the researchers point out, the numbering method is complex, and that complexity has fostered the belief that it is highly secure.
Beware Posting Personal Data Online
What did help them, however, was the ease with which they could gather critical data such as people’s birthdates and information about where they were born. They found lots of that info on Facebook, actually, and by browsing through other online social networks. One of their recommendations as a result of the study is that nobody should post their vital information – including seemingly innocent things like their birthday – online, and that you should try to avoid using any of the digits of your SSN as a form of public identity verification.
“We only used publicly available information,” they reiterated, “and ended up discovering, based on that information, that the randomness is effectively so low that the entire 9 digits of a SSN can be predicted with a limited number of attempts.”
People Born After 1988 Are Especially Vulnerable
The predictions are particularly accurate for the SSNs of people who were born after 1988, when the SSA initiated a policy of issuing SSNs soon after birth. People from states with smaller populations are also more susceptible to having their numbers guessed. Just how accurate were they, and how fast can someone figure out your SSN? The Carnegie Mellon team was able to accurately guess the first five digits of 44% of Social Security numbers issued after 1988 on the first try. They did that just by using the date and the state where the number was issued.
You may not find it too alarming that they only guessed the first five digits, but remember that consumers are often asked to provide the last four digits as a way to identify themselves. I was asked to do that yesterday, for example, in order to cancel an old email account, and the fellow who requested those last four digits was located in a call center in a foreign country. Once you have those final four digits and have figured out the first five, you have all nine.
Not only that, but the researchers were able to guess the complete numbers almost 9% of the time. That’s right. If you are 26 years old or younger then it was possible for them to guess your number correctly on nearly one out of every 10 attempts.
Conclusions and Recommendations
In 2011, perhaps in response to the Carnegie Mellon findings, the Social Security Administration did implement a more randomized method for issuing or assigning Social Security numbers – something the Carnegie Mellon report had suggested.
- Since then, for instance, each state in the USA has more than one number combination. The problem is, of course, that consumers who are old enough to be really concerned about their financial data and the potential for identity theft were all born prior to that change.
- Experts suggest that if you really want to be vigilant about protecting those precious nine digits, be extra careful about not advertising your place of birth or birthday. Don’t carry your Social Security card or number in your wallet or leave it anywhere that someone other than you might see it.
- The Carnegie Mellon research team also warned that current policy initiatives in the area of SSNs and identity theft need to be reconsidered. Since SSNs can be predicted and are therefore, in a sense, semi-public information, consumers should not be required by private sector entities such as banks and credit card companies to use SSNs as passwords or for authentication.
Whether or not that recommendation is taken seriously by the banking community and others – such as the email provider I dealt with by phone this week – remains to be seen.