Wednesday, July 8, 2009

May I have the last four digits of your social security number ... so I can sell your identity, Fool!

With certain information available in public records, combined with knowledge of a birthday, guessing a person's Social Security number is fairly easy, computer scientists suggest.

In a report in the Proceedings of the National Academy of Sciences journal, Alessandro Acquisti and Ralph Gross of Carnegie Mellon University in Pittsburgh combed Social Security Administration death records to detect statistical patterns in how numbers are assigned.
Combining that data with birthday and birthplace information available from marketers, the researchers guessed 8.5% of test individuals' Social Security Numbers assigned from 1988 to 2003.

A criminal could likely compile 4,000 genuine numbers based on the statistical pattern alone, says the study. Social Security Numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable," concludes the study.

The study authors suggest that the federal government assign numbers randomly, instead of tying them to birthplace, and they suggest that lawmakers rethink using the numbers as identifiers.

Predicting Social Security numbers from public data
Alessandro Acquisti and Ralph Gross

Carnegie Mellon University, Pittsburgh, PA 15213
Communicated by Stephen E. Fienberg, Carnegie Mellon University, Pittsburgh, PA, May 5, 2009 (received for review January 18, 2009)

Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.
