Alessandro Acquisti is an associate professor of information technology and public policy at the Heinz College at Carnegie Mellon University. His work focuses on the economic and social impact of IT and, in particular, the sweet spot between economics and individual privacy.
I talked to him recently about his research that looks at how easily thieves can guess a Social Security Number.
Your research shows Social Security Numbers are somewhat predictable. How is that possible?
We show that SSNs are predictable from public data, specifically from date of birth and state of birth. The predictions are statistical. So it’s not true of everyone, but there are certain categories of people born in certain years and in certain states that are more at risk. Over the years, the number assignment scheme has become much less random and unpredictable than it used to be.
How did this happen?
It used to be that the time when you get your SSN was unpredictable. Sometimes people wouldn’t get it until they started working. In the 1980s there were a number of initiatives, related to tax reform, which made it much more likely that parents would apply for the SSN as soon as their kids were born, so they could cite them as dependents in their taxes. So this caused a rush of applications. Today, more than 90 percent of parents get the SSN for newborns. There is now a process that combines the birth certificate process with the SSN process. This didn’t change the issuing scheme, but it created a system that was weaker than before. If you know someone’s date of birth and where they were born, you have clues to their SSN.
Can you explain what each set of digits represents?
The first three digits are called area number—you can see the match between different states and different area numbers. New York, for example, has 83 different area numbers. If your parents apply at birth, then it reflects where you were born. The middle digits are called the group number, and the last four are called the serial numbers. Some believe they’re random, but they’re not. They’re issued in ascending order.
So it sounds like this is potentially a big problem in identity theft.
It’s a problem of weak infrastructure. We have more than one problem with identity theft in the U.S. Not only are SSNs predictable, but it’s very easy to get personal information about people. I can find date of birth and voter registration lists online. SSNs are so widespread. Your doctor, your nurse, too many entities have the number, and it’s too easy to impersonate you.
Are we getting sloppy with these numbers?
I don’t think people can do much to protect their SSN, and asking them to do so is disingenuous. You could be doing everything right, and then it’s in the database of a company you never did business with. We’re using SSNs in a way they’re not designed for and in contradictory ways—as an identifier (like phone number) and as passwords (which should be your own secret). These contradictions lead to high rates of identity theft. But it’s much deeper than consumer responsibility.
Why is it a problem that SSNs are used as passwords?
They were designed in the 1930s to be simple identifiers for tracking purposes. Back then, identity theft was almost unthinkable—it belonged more to literature than real life. We cannot use the same number as an identifier and a password (which is done for credit card approval). It’s like using your email address as the password for your email. It’s a vulnerable system.
Where do we start to fix it?
With the financial and credit reporting industries. The Social Security Administration issues SSNs, but they didn’t create this problem. It evolved over years as use of SSNs expanded. Most likely, legislation could help switch to the usage of better technologies that we’re already using in other ways. We could use cryptographic tools, so you can show that you are who you claim you are without giving the other party enough data so they could pretend to be you. All electronic commerce is based on this. It’s complicated, but it doesn’t need to be for the consumer.
Anything consumers should do, besides use a paper-shredder?
Some are common sense, like do not put your SSN online on public documents. If they ask you to send it, ask if you really need to in order for them to provide services. For a new account, they do need it, so they can do a credit check. But other requests are less grounded. Be cautious when you’re asked for it. But I want to stress–I don’t want this advice to be used to believe it’s purely the consumer’s responsibility. It’s not.