Researchers predict SSNs, crack algorithm putting identities at risk

By Robert Westervelt, News Editor
07 Jul 2009 | SearchSecurity.com


Social Security numbers have a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of cracking a person's SSN based on data gleaned from multiple sources, including profiles on social networking sites.

The researchers cracked the algorithm, guessing the first five digits of an SSN on the first try for 44% of people born after 1988. The method is even more reliable for less populated states, where it cracked the SSNs of individuals born after 1988 with a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete SSN, "making SSNs akin to 3-digit financial PINs."

In their paper, "Predicting Social Security Numbers from Public Data," researchers Alessandro Acquisti and Ralph Gross said they observed a correlation between an individual's SSN and their birth data. The duo said they gathered the data from profiles on social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration's Death Master File.

"Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums," the researchers wrote in their paper, published Monday in the National Academy of Sciences journal. "Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales."

The less populated the state, the easier it was for the researchers to crack an SSN. The researchers said they used a brute-force matching algorithm to guess the last four digits of a person's SSN.

"For smaller states and recent years, the [success rate] rises to 60% -- with some of our predictions matching complete, 9-digit SSNs at the very first attempt," the researchers said.

The researchers also noted that the final four digits can be obtained fairly easily through mass spear phishing emails: using social engineering, a person can be tricked into giving up a portion of their SSN. In addition, they concluded that renting a botnet could be less costly than hacking into a merchant's database.

"Breaching large organizations' databases to harvest personal data can produce massive amounts of credentials but often requires significant logistical and technical efforts," they said. "On the other hand, automated vast-scale cyberattacks based on distributed computations, or mass-scale harvesting of personal data and affordability, are becoming more common because of the availability and affordability of botnets."

The researchers recommend that the Social Security Administration fully randomize its SSN assignment scheme to protect future identities. Ultimately, industry and policy makers may need to reassess their reliance on SSNs for authentication, the researchers said.
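The mitigation the researchers recommend, full randomization, works because it breaks the ordering that their inference relies on. The simulation below is an added illustration written for this article and is not code from the paper or from the Social Security Administration. It uses a constructed toy identifier scheme (made-up region prefixes, made-up populations, synthetic birth dates, and a synthetic "public record" sample standing in for a death index); the real SSN allocation tables are not modelled. For each assignment policy it measures how far the ids of publicly known people born just before and just after a target narrow the candidate space for that target's id, and how often that inference is even valid.

```python
"""Toy model of why sequential identifier assignment leaks (constructed example).

Two assignment policies for a 9-digit identifier are simulated on synthetic
people.  For each policy we measure how far public (id, state, birth) records
of *other* people narrow the candidate set for one unknown id, and whether the
"nearby birth -> nearby id" inference holds at all.  Real SSN allocation
tables are NOT modelled; the prefixes and populations below are made up.
"""
import random
import statistics

DAYS = 365 * 20                                   # synthetic birth range: 20 years
REGION_CODES = {"small": 100, "large": 200}       # constructed 3-digit prefixes
STATE_SIZES = {"small": 1_000, "large": 10_000}   # constructed populations
ID_SPACE = 10**9                                  # all 9-digit values


def make_population(rng):
    """Synthetic people as (person_id, state, birth_day) tuples."""
    people = []
    for state, size in STATE_SIZES.items():
        for _ in range(size):
            people.append((len(people), state, rng.randrange(DAYS)))
    return people


def assign_structured(people):
    """Sequential policy: fixed prefix per state, then a running per-state
    counter issued in birth-date order.  This is the structural weakness the
    researchers describe: nearby births receive nearby numbers."""
    ids, counters = {}, {s: 0 for s in REGION_CODES}
    for pid, state, _ in sorted(people, key=lambda p: (p[1], p[2])):
        ids[pid] = REGION_CODES[state] * 1_000_000 + counters[state]
        counters[state] += 1
    return ids


def assign_random(people, rng):
    """Fully randomized policy: each id is an independent uniform draw from
    the whole 9-digit space (kept unique within this population)."""
    ids, used = {}, set()
    for pid, _, _ in people:
        n = rng.randrange(ID_SPACE)
        while n in used:
            n = rng.randrange(ID_SPACE)
        used.add(n)
        ids[pid] = n
    return ids


def infer_bounds(ids, public, target):
    """Exclusive bounds (lo, hi) an analyst would infer for the target's id from
    the ids of known same-state people born strictly before and strictly after
    it.  The inference is only sound if ids are issued in birth order."""
    _, state, birth = target
    lo = max((ids[p] for p, s, b in public if s == state and b < birth), default=-1)
    hi = min((ids[p] for p, s, b in public if s == state and b > birth), default=ID_SPACE)
    return lo, hi


def evaluate(ids, people, rng, n_targets=200, public_fraction=0.3):
    """Return (median number of candidate ids, fraction of targets whose true
    id actually lies inside the inferred bounds)."""
    public = [p for p in people if rng.random() < public_fraction]
    public_ids = {p[0] for p in public}
    private = [p for p in people if p[0] not in public_ids]
    widths, hits = [], 0
    for target in rng.sample(private, n_targets):
        lo, hi = infer_bounds(ids, public, target)
        if lo < ids[target[0]] < hi:
            hits += 1
            widths.append(hi - lo - 1)
    return (statistics.median(widths) if widths else None), hits / n_targets


def run(seed=1):
    """Simulate both policies on one synthetic population and return
    {policy: (median_candidates, inference_hit_rate)}."""
    rng = random.Random(seed)
    people = make_population(rng)
    policies = {
        "structured": assign_structured(people),
        "randomized": assign_random(people, rng),
    }
    # Same public-record sample and same targets for both policies.
    return {name: evaluate(ids, people, random.Random(seed + 1))
            for name, ids in policies.items()}


if __name__ == "__main__":
    for name, (width, hit) in run().items():
        print(f"{name:>10}: median candidates = {width}, "
              f"inference valid for {hit:.0%} of targets")
```

Under the structured policy the bounds always contain the true id and the median candidate set is a handful of values, so a brute-force match over the remainder is cheap; under the randomized policy the neighbours' ids carry no information and the inference almost never holds, which is the property a designer should measure before adopting any sequential identifier scheme.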

Security experts said the research shows the identification system is outdated and needs to be replaced with a new identifying system or improved with additional security controls.

Robert Siciliano, a security consultant and CEO of IDtheftsecurity.com, called the researchers' work an accomplishment, but said the ability of educated researchers to guess SSNs is the least of our problems.

"While white hat hackers are able to crack the code, your crack addicted human resource administrator who fell by the wayside has access to every single SSN in the filing cabinet," Siciliano said.

Scope creep has set into the current SSN system, which has taken on far more responsibility than it was ever designed to handle, Siciliano said. Instead, the country's current identification system should be scrapped and replaced with a national identification with built-in security features, such as multifactor authentication and biometrics.

"We have to overcome the privacy hurdles that so many are screaming about," Siciliano said. "Privacy is an illusion. [It] doesn't exist and has been dead for quite some time now. Once we can overcome the fear of that we can begin to solve this problem."

Michael Argast, a security analyst at Sophos Inc., said the irony in all this is that the federal government reduced the randomness associated with an individual's SSN in the early 1980s to stop fraudsters from faking SSNs.

"The impact of the Internet and identity theft has made the need to protect SSN information critical, but the system was never designed to handle the degree of fraud that occurs today," Argast wrote on the Sophos blog. "Trying to protect a system designed over 60 years ago against today's malicious activity is growing increasingly difficult."
