July 06, 2009

Study finds that SSNs can be guessed from data found on social networking sites

The following is a quote from an article by David Olmos and appearing on

"Social Security numbers, commonly used by criminals in identity theft, can be guessed using information found on Internet social networks such as Facebook and MySpace and other public sources, a study found.

Researchers at Carnegie Mellon University used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. The study appears today in the Proceedings of the National Academy of Sciences.

Annual losses from identity theft totaled $49 billion, according to a 2007 report from Javelin Strategy & Research, a Pleasanton, California, market-research company. About 8.4 million U.S. adults were victims of identity theft that year, with losses averaging $5,720 a person, according to Javelin’s figures.

'We live in a precarious time, where knowledge of a Social Security number, along with other information about one’s name and date of birth, is sometimes sufficient to impersonate another individual,' said Alessandro Acquisti, the study’s lead author, in a telephone interview.

Acquisti, an economist at Carnegie Mellon’s Heinz School of Public Policy and Management in Pittsburgh, and computer scientist Ralph Gross used records from the Social Security Administration’s Death Master File to search for statistical patterns in the Social Security numbers of people. They obtained birth data from voter registration lists, online white pages, social networking sites and other sources, he said.

Birth Data

Birth data are key to figuring out a Social Security number because the first three of the nine digits are assigned based on where a person lived at the time of obtaining a Social Security card, said Acquisti. Information about how the Social Security number is assigned is publicly available on a government Web site, the authors said.

'The first five digits are very easy to predict, while the last four are harder,' Acquisti said. Identity thieves can sometimes obtain the last four digits of a Social Security number if they have other personal information, he said.

The study arose from Acquisti’s research into why millions of people reveal personal information, such as birth date and home towns, on social networking sites. Such information can be had easily from people who don’t block access by changing their Web site security settings, Acquisti said.

'The default setting on sites such as Facebook, when you create a personal profile, is that it is visible to anyone in your network unless you change the settings,' Acquisti said.

Cyber Criminals

Some evidence exists that cyber criminals already are using statistical analysis to work out Social Security numbers, Acquisti said.

When Social Security numbers were first issued in 1936, their purpose was more like a bank account number than a means for authenticating a person’s identity, said Acquisti.

Because use of these numbers is so widespread among financial institutions, health-care providers and other organizations, it’s difficult for consumers to take steps to insure their numbers remain private, he said.

'If a movie rental company asks for your number to be a member, you can easily bypass that by going to another company,' Acquisti said. 'But if your health insurer wants the number, now you are talking about something different. If you refuse to give it, that could be costly or dangerous to you.'

Credit-reporting companies use Social Security numbers to match personal information, which also leads to identity theft, said Robert Ellis Smith, of the Privacy Journal, a newsletter based in Providence, Rhode Island."

Interesting. This is one more reason to require exact matches of Social Security numbers: the first five digits are often the same for siblings, for example, because their numbers are often obtained at the same time in the same place.
