Privacy and your social security number
Pretty much everybody in the USA has a social security number (SSN), and much of the private and public data related to us is attached in one way or another to that SSN. Not a bad system, you might say. After all, a more-or-less random 9-digit number is fairly secure.
The problem is that our SSN is anything but random. In fact, apparently it's pretty predictable. A new study conducted by Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon, has shown that public information readily gleaned from governmental sources, commercial databases, or online social networks can be used to routinely predict most and sometimes all of a person's SSN. The study findings will appear this week in the online Early Edition of the Proceedings of the National Academy of Sciences (PNAS).
Carnegie Mellon views this news as sufficiently serious to merit setting up a website solely for the purpose of educating people about security and SSNs.
Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. They could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth: for instance, they needed 10 or fewer attempts to predict all nine digits for one out of 20 SSNs issued in Delaware in 1996. Sensitive details of the prediction strategy were omitted from the article.
Pretty scary stuff for younger people. People in my age group didn't get SSNs until we got jobs, so we're less easy to predict. In cases where you can guess the complete SSN in 10 or fewer attempts---something that is essentially instant when using a computer program to automate coded number entries---using the SSN for security is a joke. Any hacker who bothered to get just a few items of data, easily found, like birthplace and hometown, can then hack into all sorts of supposedly private accounts.
I guess it might be a good idea to be a wee bit secretive about where I was born---and when. You might want to take that precaution too!