# Why it’s easier today for a thief to guess your nine digits

Alessandro Acquisti is an associate professor of information technology and public policy at the Heinz College at Carnegie Mellon University. His work focuses on the economic and social impact of IT and in particular, the sweet spot between economics and individual privacy.

I talked to him recently about his research that looks at how easily thieves can guess a Social Security Number.

Your research shows Social Security Numbers are somewhat predictable. How is that possible?

We show that SSNs are predictable from public data, specifically from date of birth and state of birth. The predictions are statistical. So it’s not true of everyone, but there are certain categories of people born in certain years and in certain states that are more at risk. Over the years, the number assignment scheme has become much less random and unpredictable than it used to be.

How did this happen?

It used to be that the time when you get your SSN was unpredictable. Sometimes people wouldn’t get it until they started working. In the 1980s there were a number of initiatives, related to tax reform, which made it much more likely that parents would apply for the SSN as soon as their kids were born, so they could cite them as dependents in their taxes. So this caused a rush of applications. Today, more than 90 percent of parents get the SSN for newborns. There is now a process that combines the birth certificate process with the SSN process. This didn’t change the issuing scheme, but it created a system that was weaker than before. If you know someone’s date of birth and where they were born, you have clues to their SSN.

Can you explain what each set of digits represents?

The first three digits are called area number—you can see the match between different states and different area numbers. New York, for example, has 83 different area numbers. If your parents apply at birth, then it reflects where you were born. The middle digits are called the group number, and the last four are called the serial numbers. Some believe they’re random, but they’re not. They’re issued in ascending order.

So it sounds like this is potentially a big problem in identity theft.

It’s a problem of weak infrastructure. We have more than one problem with identity theft in the U.S. Not only are SSNs predictable, but it’s very easy to get personal information about people. I can find date of birth and voter registration lists online. SSNs are so widespread. Your doctor, your nurse, too many entities have the number, and it’s too easy to impersonate you.

Are we getting sloppy with these numbers?

I don’t think people can do much to protect their SSN, and asking them to do so is disingenuous. You could be doing everything right, and then it’s in the database of a company you never did business with. We’re using SSNs in a way they’re not designed for and in contradictory ways—as an identifier (like phone number) and as passwords (which should be your own secret). These contradictions lead to high rates of identity theft. But it’s much deeper than consumer responsibility.

Why is it a problem that SSNs are used as passwords?

They were designed in the 1930s to be simple identifiers for tracking purposes. Back then, identity theft was almost unthinkable—it belonged more to literature than real life. We cannot use the same number as an identifier and a password (which is done for credit card approval). It’s like using your email address as the password for your email. It’s a vulnerable system.

Where do we start to fix it?

With the financial and credit reporting industries. The Social Security Administration issues SSNs, but they didn’t create this problem. It evolved over years as use of SSNs expanded. Most likely, legislation could help switch to the usage of better technologies that we’re already using in other ways. We could use cryptographic tools, so you can show that you are who you claim you are without giving the other party enough data so they could pretend to be you. All electronic commerce is based on this. It’s complicated, but it doesn’t need to be for the consumer

Anything consumers should do, besides use a paper-shredder?

Some are common sense, like do not put your SSN online on public documents. If they ask you to send it, ask if you really need to in order for them to provide services. For a new account, they do need it, so they can do a credit check. But other requests are less grounded. Be cautious when you’re asked for it. But I want to stress–I don’t want this advice to be used to believe it’s purely the consumer’s responsibility. It’s not.

Start your week smarter with our weekly e-mail newsletter. It's your cheat sheet for good ideas. Get it.

### About Melanie D.G. Kaplan

Melanie D.G. Kaplan is a contributing writer for SmartPlanet.

#### Melanie D.G. Kaplan

Contributing Writer

Melanie D.G. Kaplan is a regular contributor to The Washington Post and WebMD and has written for The New York Times, National Geographic Traveler and People. She holds degrees from Syracuse University and Columbia University's Graduate School of Journalism. She is based in Washington, D.C.

#### Melanie D.G. Kaplan

In addition to working as a journalist, Melanie keeps the dog food fund flush with occasional consulting jobs. In the unusual event that her writing mentions a company or organization for which she has provided editorial services, she will disclose that fact. She will do the same should she cover any companies in which she holds investments.

She writes for SmartPlanet and is not an employee of CBS.

17

### Join the conversation!

Show:
###### RE: Why it's easier today for a thief to guess your nine digits
Great article. All news on this subject should really stress to the public that it is wrong for companies to use their SSN as a form of authentication or password. If we could ban those uses of the SSN, then the SSN could be treated as a useful identifier and public information just like name, address, and telephone number. We need a public-friendly, convenient, and secure authentication system for in-person, over-the-phone, and paper/document use. Sounds like a business opportunity.
Posted by nathan.sebok@...
2nd Feb 2010
###### Partially Obscuring SSNs Useless
Ever notice how, to appear secure, you'll only be shown or asked for the last four digits of your SSN? This is the part of your number that is the least predictable from other information. It is the most unique part, and probably the most valuable to an identity thief.
Posted by MichP
2nd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
I have been using a made-up number for years as an SSN surrogate. The number has the proper number of digits and is easy for me to remember. I use it only when the actual SSN is not required, and always disclose that I am using a substitute number. It's gossamer armor, but it does limit the dissemination of the real one.
Posted by leber70@...
2nd Feb 2010
###### Well isn't this brilliant...
I don't know many people who aren't aware that 4 of the digits reveal information about your age and place of birth. That being said, it's not always accurate; as you noted, people in rural areas/home births were frequently not issued SSNs at all until the early '90s, and these individuals have a different numerical suffix. It is not uncommon for someone more than 20 years of age to have lived a good portion of their life without one.

This article is far too vague. If you're trying to say that 3rd party information leakage is a problem, say that and move on. Despite all the bullets, this article fails to make its point.
Posted by Spiritusindomit@...
2nd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
1) The SS# is mighty convenient as an identifier - just like ones name only unambiguous. The id theft problem is not because one has this unique identifier, but because financial concerns use it for purposes for which it ill-suited - i.e. giving out money. The cure is not to hide SS# but to use other / additional identification for financial matters.

2) We must be close to running out of 9 digit SS#s - 1/3 of them are currently assigned to living individuals, probably another 1/3 to expired folks, and 1/3 for business taxpayer id's.
I thought that there were already SS area numbers that had been exhausted and that the number scheme: area-group-serial had been superceded - much in the way that 'phone numbers became more random as area codes were exhausted.
Have you heard of extensions to SS# lengths? Imagine what a transition from 9 digit to even 10 digit SS# would mean ... shades of Y2K.
Posted by dsomerv
2nd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
In the UK they do not have this problem as SS number is only used by income tax & heath care & pension government departments not for any financial checks.
If more than one person tried to use another persons number at the same time the income tax computer would give an alert although this could take some time.
Posted by ronangel
2nd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
you know up en-till around 2000 - 2002 my local unemployment office
wanted your SSN# every time you went in there and got any sort of job information, they would have you write it down on a piece of paper and then they would just toss it in the trash after words.
and if you refused to give them your SSN# then you wouldn't get any information on any jobs.
Posted by whitevamp47@...
2nd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
Let's keep the SSN for what the SSN was designed for. Social Security.
Posted by William_P
3rd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
Concerning leber70@..
Making up Social Security numbers may work for the person doing it but they are likely stealing the number from someone else. That is identity theft. It causes problems for the other person.
Posted by Illusoire@...
3rd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
Here's an idea. Scrap SSN's entirely and require a biometric profile as identification. It's unique to an individual, and if the technology is properly implemented, impossible to duplicate.
Posted by timmermac
3rd Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
Scary,
Both Medicare & Medicaid add a letter to the end of the SS number to 'disguise it' and then, publish it to the world.
I sure hope nobody figures out how to break their code.
4th Feb 2010
###### RE: Why it's easier today for a thief to guess your nine digits
Read something recently which stated that SSN's are reissued after the deceased has been gone to his reward over 90 days. In that case, there would be no shortage of SSN's.

Local scam-meisters allow illegal immigrants to use their SSN, have the illegal authorize sufficient withholding to cover all of their taxes, and draw huge Social Security or disability checks when they are of age or find a good disability attorney.
Posted by littlepitcher
4th Feb 2010
###### Enabling Identity Theft
Social Security Numbers were never intended to be used for
identification purposes. Both scans of such language as
included on a social security card as well as the legal
documentation may be found at the included URL:

http://www.apfn.org/apfn/ssn.htm

As this is not a government website, I strongly recommend the
general practice of researching the legal references (Title
number, etc.) provided at this site as to retrieve a trusted
source for the actual document.

"Security" in the U.S. is a joke. We are subjected to insecure
methods for the sake of increasing security. The RFID passports
aren't made in the U.S. and use technology already proven
trivial. Drivers License Numbers are based on an algorithm and
can be generated based on name, sex, and date. Also let it be
reminded that Social Security Numbers are recycled after about
150 years.

In the computer world, we are expected to become Certified
Ethical Hackers in order to combat malicious hackers. In the
checking industry, we employed one of the most notorious
check fraud people, Frank W. Abagnale Jr. Find a ring leader
enabling Illegal Immigrants and learn from them how to secure
the system.
Posted by ct2193@...
4th Feb 2010
###### Identity Theft Could Be Stopped Immediately
We could stop identity theft immediately if the gov't passed a law that NO one could access your credit information except you. Make it so that only the person himself could go "in person" to get a copy of their credit report, where they would have to provide a fingerprint to get it. Then, the person could take the certified report (only good for 7 days) directly to the mortgage company, bank, etc. where they present it only for that approval purpose. The person himself would retain the file, the creditor could only view it for approval. That way the full control of one's information would be under your protection. No one, especially, the credit agencies, credit card companies, mortgage companies, banks, whatever, could have any access to your information unless you yourself took it to them for "viewing only". Make it the law that none of these agencies could store your information, ever! We have to give back control to the people.The way it is now, your constitutional rights, the 4th amendment, are being broken by these agencies and companies having access to information without your consent, or a warrant from a federal judge.
Posted by nevertell
16th Feb 2010
###### nevertell #14: That makes so much sense...
...that our financial-industry overlords would wardial their paid
shills in The Best Congress (Corporate) Money Can Buy? and
make sure that it doesn't happen, at least not before Hell freezes
to less then 3 degrees K.

And that, sad to say, is the root of many, many of our problems:
we need to fundamentally rework the legislative branch ?
structurally and philosophically ??before we go the way of the
Holy Roman Empire.
Posted by Jeff Dickey
21st Feb 2010
###### social security numbers should be kept private
With this in mind, let us also remember to stay vigilant at all times that our credit card number is safe and that no one else can access them to commit fraud. Students need to be more careful in keeping their private information and not to share too much information about themselves to avoid getting victimized by fraud. I do hope that more and more people will learn about ID theft and how this kind of fraud can be prevented.
Posted by shreddingdallas
10th Nov 2010
###### your password should be kept secret at all times
What we need to do is to be extra careful and keep our passwords and account numbers secret. Do not share too much personal information especially online because you do not know everyone that can gain access to it. This is why fraud is one of the most committed crimes in the country - because people go on their daily lives without the idea that they can be victimized at any time and place.
http://www.sanantonioshredding.com
This is why we need to pay more attention to what comes and goes in our mailboxes because we may not know that fraudulent minds are already on the lookout for something they can use to their advantage. This is a sad but true reality and we have to do our part in preventing this kind of scam from ever happening to us.
Posted by shreddingdallas
10th Nov 2010
###### Join the conversation
Formatting +
BB Codes - Note: HTML is not supported in forums
• [b] Bold [/b]
• [i] Italic [/i]
• [u] Underline [/u]
• [s] Strikethrough [/s]
• [q] "Quote" [/q]
• [ol][*] 1. Ordered List [/ol]
• [ul][*] · Unordered List [/ul]
• [pre] Preformat [/pre]
• [quote] "Blockquote" [/quote]

Join the SmartPlanet community and join the conversation! Signing up is fast and free. Don't wait -- we want to hear your opinion!