Congress May Have Inadvertently Made Identity Theft Easier, Researcher Says

By Matthew Harwood

As previously posted here, two researchers from Carnegie Mellon University recently published a paper describing how they can discover a person's Social Security number from information gleaned from social networking sites. But legislation passed by Congress that now reveals the last four digits of a person's Social Security number on public documents may make it easier for identity thieves to ply their trade if they can reconstruct the researchers' methods.

The Wall Street Journal provides a little more background:

In the study, published in the research journal Proceedings of the National Academy of Sciences, researchers correctly guessed the first five digits of a person’s Social Security number about 40% of the time, just by knowing his or her hometown and birth date. Given those two pieces of information, they could predict all nine digits of his or her SSN 8.5% of the time with fewer than 1,000 attempts.

The authors, Alessandro Acquisti, a professor of information technology and public policy at Carnegie Mellon University, and researcher Ralph Gross, initially were interested in looking at the kinds of information that people make public on sites like Facebook and MySpace, and noticed that many provide personal data such as birthdays and hometowns.

While those are not necessarily sensitive, they wondered if they could be used in dangerous ways in combination with other personal information culled from public databases.

But here's the scarier scenario: Acquisti says Congress has inadvertently made it easier for identity thieves to use their method, if reconstructed, to gain full Social Security numbers.

Recently, Congress passed legislation that favors showing the last four digits of a U.S. citizen's Social Security number on public documents. This, however, is a mistake, according to Acquisti, because if identity thieves reconstruct his and Gross' method, it's relatively easy to guess the first five digits of a person's Social Security number when you know his hometown and birth date. Therefore, if you have a person's last four digits, you can reconstruct the whole number a good percentage of the time by predicting the first five digits using their method, which is made easier by Web sites like Facebook and MySpace.

Acquisti told WSJ that the Social Security Administration needs to randomize how Social Security numbers are assigned, while social networkers should think twice about giving out their birthdate and where they were born online.

♦ Photo by dumbeast/Flickr

