Researchers at Carnegie Mellon University demonstrated that public information such as birth state and date of birth, found in commercial databases or on social networks such as Facebook, is enough to guess part or all of the nine digits of a victim's Social Security number with relative accuracy.
In the study, published in the Proceedings of the National Academy of Sciences, researchers used available information to predict with 44 percent accuracy the first five digits of a user's Social Security number for 160,000 people born between 1989 and 2003. Details of the study's findings will be presented at the Black Hat 2009 hacker conference held in Las Vegas at the end of July.
"In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than a single piece of original information alone," said Alessandro Acquisti, Carnegie Mellon IT professor, who spearheaded the project, in a statement.
The study's findings have become increasingly relevant in recent years. In 2007, identity theft cost U.S. citizens almost $50 billion in losses, according to a Strategy & Research report issued by Javelin, a market-research company based in Pleasanton, Calif. About 8.4 million adults became victims of identity theft schemes that same year, averaging a per-person loss of $5,720.
Acquisti said that statistical patterns could be derived from the Social Security Administration's Death Master File, a public database with Social Security numbers, dates of birth and death, as well as birth states for deceased individuals.
In addition, information about how Social Security numbers are assigned is publicly available on a government Web site.
As a result, researchers concluded that the vulnerability could be mitigated by arbitrarily assigning Social Security numbers to people based on a randomized scheme.
"Given the inherent vulnerability of Social Security numbers, it is time to stop using them for verifying identities and redirect our efforts toward implementing secure, privacy preserving authentication methods," Acquisti said. Some of those techniques could include two-factor authentication and digital certificates to keep users' Social Security numbers secure.