What can you find out with someones social security number

Even careful people who don’t disclose their social security numbers (SSNs) unless absolutely necessary could have them revealed by computer programs crunching publicly available data. All that’s needed to predict at least a valuable portion of someone’s nine-digit SSN is their date of birth and the state where he or she was born.

Table of Contents Show

What can people find out with your social security number?
Can you look up someone by their SSN?
Can someone access your bank account with your SSN?

That’s the conclusion of two researchers at Carnegie Mellon University in Pittsburgh. Alesssandro Acquisti and Ralph Gross say that the government forces Americans to place a “perilous reliance” on SSNs to establish their identities while giving them the “impossible duty” of trying to protect their number.

The researchers found visual and statistical patterns in publicly available SSN data, showing that “a strong correlation exists between dates of birth and all 9 SSN digits.” They were able to develop a prediction algorithm that “exploits” the fact that individuals with similar birth dates who registered in the same state “are likely to share similar SSNs,” the study says.

In some cases, they were able to predict the entire nine-digit SSN number on the first attempt. The odds of that happening randomly would be nearly one in a billion, Dr. Acquisti says.

The study, “Predicting Social Security Numbers from Published Data,” is being released online today and will be published in the Proceedings of the National Academy of Science.

The formula works best for numbers assigned in recent years and in smaller states. For individuals born after 1988, the researchers were able to predict the first five digits of a SSN on the first try 44 percent of the time. Using birth dates in Vermont from 1995, they were able to predict the first five digits in 90 percent of cases. Nationwide, for birth dates between 1989 and 2003, and using two attempts, they were able to determine the first five numbers of a SSN in 61 percent of cases.

Revealing only the last four digits of a SSN in documents, a precaution used by some organizations, provides little protection, the authors say, since the first five digits of a SSN are actually the easiest to predict.

Once the identity of a SSN can be narrowed to a range of, say, 10,000 possibilities, a network of computers controlled by a fraudster could easily make enough accurate guesses to fool websites that required a valid SSN. In many cases, only a name, date of birth, and SSN are needed to open a credit card account, Acquisti says.

“When one or two attempts are sufficient to identify a large proportion of issued SSNs’ first five digits, an attacker has incentives to invest resources into harvesting the remaining four from public documents or commercial services,” the authors conclude.

At least 10 million US residents, they estimate, have made their birth dates publicly available or easy to infer in online profiles. These can appear many places online, including Facebook or other social networking sites.

The problem with SSNs, as other researchers have pointed out, is that they are used at the same time for two purposes: to be a public identifier as well as a private password. In essence, they serve as both the name of the account and the password rolled into one.

The Social Security Administration should immediately change its system and begin assigning SSNs that are truly random, Acquisti says.

But that will be of no help to the millions of Americans who already possess “predictable” SSNs. What’s worse, unlike other passwords, SSNs can’t be easily changed or blacklisted.

The study also shows how publicly available data online can be “mined” from various sources and aggregated to reveal new information.

“Maybe no one single piece of that information in itself is personally identifiable, but when you start linking the pieces of information with even a little bit of context, you can with a high degree of probability identify someone personally,” says Helen Nissenbaum, a professor of media, culture, and communication at New York University, who did not work on the study.

The burden now, the authors conclude, is on “industry, academia, and policy makers to think about better and economically efficient ways to protect identities in a world of wired consumers.”

Keeping your Social Security number secret may not be enough to protect you from identity theft. According to a new study, a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries. Those individuals particularly at risk were born in smaller states after 1989, when receiving a Social Security number at birth became the norm.

Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits. But as more banks, credit card companies, and government agencies have used them as proof of identification, Social Security numbers have become a key instrument used to fake another's identity. To help credit bureaus spot fraud, the Social Security Administration (SSA) publishes all records for deceased Social Security holders, as well as publicly describing the method for assigning numbers in various states. But researchers have now found that this very information opens the door to guessing someone's number.

Here's how Social Security numbers work: Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially.

On the surface, the process seems like it would lead to randomized--and thus secure--numbers. But it doesn't. When economist Alessandro Acquisti and computer scientist Ralph Gross of Carnegie Mellon University in Pittsburgh, Pennsylvania, compared SSA's public death records with birth data, they found that area numbers are not rotated until all 9999 serial numbers have been assigned. So instead of each of New York's 85 area numbers being the possible starting three digits for any Social Security number on any given day, Social Security numbers are assigned essentially in order: 576-32-0001 is followed immediately by 576-32-0002, etc. That means a potential thief can narrow down a number simply by knowing the date (often some 6 to 11 weeks after birth) on which one received it. After 1989, individuals started receiving Social Security numbers at birth, rather than at their discretion (often when they began their first job), so pinpointing these people's numbers is especially easy, says Acquisti.

So easy in fact that Acquisti and Gross were able to do it themselves. Using fairly standard computer algorithms, the duo predicted the first five digits of Social Security numbers for people born after 1989 44% of the time on the very first try. On a handful of attempts, they managed to get all nine digits on the first try, but at the very least they could predict the full numbers of 8.5% of those born after 1989 in fewer than 1000 tries, they report online today in the Proceedings of the National Academy of Sciences.

Such statistics, says Acquisti, mean that a computer-savvy attacker could simultaneously test numbers on credit applications easily accessible online and harvest some 47 numbers per minute. "Information that is publicly available is enough to predict Social Security numbers with a degree of accuracy which is quite concerning," he says.

The threat is real, agrees information privacy expert Chris Hoofnagle of the University of California, Berkeley. "Using Social Security numbers for both identification and authentication is no longer tenable, because possession of the number--unlike a fingerprint--offers no verification of identity," he says. It is also clear, says Hoofnagle, that years of consumer education to teach people not to share their Social Security number isn't adequate when one can simply predict a number.

Acquisti and Gross have brought their findings to the attention of numerous government agencies, including SSA. Several of these agencies plan to meet in Washington, D.C., this week to discuss the implications of the work.

Many businesses ask for your SSN because it is a convenient way to identify you in their system. As a result, your social security number can now reveal all kinds of information about you, including places you've lived, your credit history, and maybe even medical conditions.

Can you look up someone by their SSN?

Even though SSNs are the most reliable identifier for an individual, they are not 100 percent dependable because some records may not contain a subject's SSN. Therefore, a record for an individual may not appear when searching using SSN only. Conducting a second search using Name and State provides additional coverage.

Can someone access your bank account with your SSN?

Financial identity theft An identity thief can use your SSN together with your PII to open new bank accounts or access existing ones, take out credit cards, and apply for loans all in your name.