Researchers from Carnegie Mellon University have found that Social Security numbers can be guessed from easy-to-access information, such as an individual’s birthday and the town in which they were born.
Social Security uses the same formula for all of the numbers: the first three digits are based on the zip code on the application, the fourth and fifth are based on regional numbers that change slowly over several years, and the last four are assigned in sequential order. In the study, researchers combined these commonly known facts about Social Security numbers with the public “Death Master File” to guess SSNs. They were able to guess the first 5 digits 40 percent of the time and all 9 digits 8.5 percent of the time, in fewer than 1,000 tries.
The guesses were even more accurate for people born more recently, as the Enumeration at Birth Initiative of 1989 encouraged parents to sign their children up at birth. It was also easier to guess numbers in less populated states.
One of the Carnegie Mellon researchers, Alessandro Acquisti, stated, “Our work shows that Social Security numbers are compromised as authentication devices because if they are predictable from public data, then they cannot be considered sensitive.”