Corporate Home Page Division Home Employment Contact CSI About CSI

IN THE NEWS:

Researchers say they can guess
your social security number


There’s new reason to worry about public exposure of private information. We at CSI have long been warning about identity theft by reconstruction of information from publicly-available electronic documents. Now, it turns out, a person’s Social Security number can be guessed relatively easily, given one’s birth date and state of SSN assignment.

Researchers at Carnegie-Mellon University have uncovered patterns in SSNs which make them simple to deduce, using only public records and statistical analysis. Click here to see full details of the research, which was recently published in the July 7th issue of the Proceedings of the National Academy of Sciences journal. The lead researcher is presenting his findings at the annual “Black Hat” computer hacker convention July 2009 in Las Vegas. His training session is titled, “I Just Found 10 Million Social Security Numbers.” With this information soon to be in the public domain, we suggest now is the time to be concerned and take action on redacting the full social security number and date of birth to protect your documents from being the source of this attack.

Although the Social Security Administration maintains that SSNs are assigned randomly, the CMU researchers discovered several patterns that make the numbers less secure. If an individual’s date and location of birth are known, the analysis can predict, within two guesses, the first five digits of the SSN for anyone born after 1988. The last four digits can be determined in anywhere from less than 10 to a few hundred tries, which is a minor obstacle for identity thieves using automated tools, or no work at all if you are leaving the last four digits unredacted on your public records.

The accuracy of the prediction increases for people born after 1988, due to IRS rules that led increasingly to the assignment of Social Security numbers at birth. In addition, individuals born in smaller states are at increased risk. Researchers reported their ability to correctly guess the entire social security number in 10 or fewer tries for smaller states, making possible that a virally compromised network of 10,000 machines could crank out the identities of State of West Virginia residents at around 2,800 per minute, based solely on easily obtained information from Facebook.

It doesn’t take much to use a statistical prediction about a person’s SSN to find his or her actual number, according to CMU Associate Professor Alessandro Acquisti, co-author of the study. Hackers can exploit instant online credit approval services – or even the Social Security Administration’s own verification database – to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time.

We are bringing this to your direct attention because this new research highlights the relationship between the security of personal information and what confidential information is being redacted. If you have any questions on how you can further protect your constituents via Intellidact and its future proofing technology, please feel free to contact us at 877-992-2900 or info@csisoft.com






Intellidact® lite for Kofax, the FREE version of CSI's award winning redaction solution, designed for users with minimal redaction volumes.

Click here for more information.