Neither the researchers nor those of us who had read the paper or participated in discussions of its implications last year really expected the government and those who insist on demanding our SSN to suddenly say, “Oh well, now that we see this study, we’ll stop using SSN immediately.”  But I didn’t expect a government spokesperson to immediately try to downplay the significance of the study.

Mark Lassiter, a spokesperson for the Social Security Administration, is quoted in a New York Times article as saying:

“The public should not be alarmed by this report because there is no foolproof method for predicting a person’s Social Security number. The method by which Social Security assigns numbers has been a matter of public record for years. The suggestion that Mr. Acquisti has cracked a code for predicting an S.S.N. is a dramatic exaggeration.”

This site didn’t suggest that  the researchers cracked a code, although certainly one of the more popular headlines repeated elsewhere did use that phrase. But even if Acquisti and Gross didn’t crack a code,  what the government needs to acknowledge is that the study has shone a very bright light on  the elephant in the room and the government and everyone else  needs to stop ignoring that elephant and needs to stop approaching it without any sense of urgency.

Everyone has known for a long time that the use of SSN as an authenticator is broken. But it’s clear that it’s even more broken than anyone acknowledged. Will the government at least acknowledge that and take immediate steps? One can only hope.

Acquisti will be in Washington D.C. this week to discuss the report and its implications with representatives of some agencies. I hope that they do not minimize the importance of the study and recognize it as the call to action that it clearly is. As Acquisti wrote to me, “Let’s hope that these results can help finally change this system and move to something truly secure and private.”

Photo: Alessandro Acquisti, from CMU

Based on observation of issuance patterns of Social Security numbers in the “Death Master File” (a public database that contains SSNs of people who have died), the investigators were able to use information about an individual’s date and state of birth to predict narrow ranges of values likely to contain that individual’s SSN. The accuracy of their ability to predict an individual’s SSN increased for people born after 1988 and for people born in states with lower population numbers.

Discussing the implications of their data, Acquisti and Gross state that

SSNs, in their current form, are highly insecure passwords and should not be used for authentication. If one can successfully identify all nine digits of an SSN in fewer than 10, 100, or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN.

The investigators make several recommendations, including:

• randomizing the entire SSN number assignment process;
• reconsidering current policy initiatives with respect to SSN and ID theft. The investigators argue that because SSNs are predictable from  publicly available data, they cannot be kept confidential even if they are removed from databases and as a result, current initiatives may be futile and ineffective.;
• because SSNs can be predicted and are therefore, in some sense, semi-public information, consumers should not be required by private sector entities to use SSNs as passwords or for authentication.

The study, “Predicting Social Security numbers from public data,” will be presented at Black Hat on July 29.  A copy of the study can be downloaded from the Proceedings of the National Academy of Sciences web site. The investigators note that they have omitted sensitive details about the prediction strategy from the published article. There is also an FAQ about the study to help the public understand what the investigators found and its implications.

Prior to releasing the study, the investigators shared their results with government government agencies.

Photo credit: BigStockPhoto.com