Beauty 4 Moms

Keeping your Social Security number (S.S.N.) secure is key to preventing identity theft and fraud. But there have always been bugs in the system. People have known for decades about the conventions that the Social Security Administration uses when issuing S.S.N.’s, and not long ago, scientists figured out how to use this information to determine from a given S.S.N. the birth date of the applicant and the state in which the number was issued. Thankfully, though, the reverse was not true: an unknown S.S.N. could not be determined from that data.

Until now. This year, Alessandro Acquisti, an economist, and Ralph Gross, a computer scientist, both at Carnegie Mellon, announced in The Proceedings of the National Academy of Sciences that they had figured out how to predict a person’s S.S.N. Their work was made possible, paradoxically, by steps the government took to prevent identity theft and fraud. Years ago, for instance, the administration decided to make public its Death Master File — the list of every S.S.N. taken out of circulation, together with the name, birth date and state in which the deceased originally applied for a number.

The release of the file was supposed to make it harder for criminals to hijack dead people’s S.S.N.’s, since those numbers could be easily cross-checked. But it provided Acquisti and Gross with a data set that they could analyze for patterns in how the numbers are assigned.In addition, starting in 1989 the government encouraged parents to register children with S.S.N.’s at birth — instead of registering them anytime between birth and when they started a job. The intention, in part, was to prevent the theft of numbers that hadn’t yet been claimed. One consequence, however, is that S.S.N.’s issued since then are even less randomly assigned than before — and thus easier to crack.Given a state and birth date, Acquisti and Gross were able to predict correctly all nine digits in an S.S.N. in 1,000 attempts or fewer, 8.5 percent of the time, which renders a sizable percentage of S.S.N.’s about as easy to crack as a three-number PIN. From there, it is possible to use publicly available tools like online instant credit-card approval sites to try combinations until the right number is confirmed.