Current Issue
This Month's Print Issue

Follow Fast Company

We’ll come to you.

On Facebook? New Algorithm Can Guess Your SSN

Two researchers at Carnegie Mellon University have shown they can reverse engineer a person's Social Security number using, ironically, nothing more than data from publicly available data on government sites, and the data you share with the world on Facebook.

Like many confirmation numbers we use daily, from bus tickets to software purchase codes, Social Security numbers are assigned based on a formula that uses two inputs to generate a code. The inputs for SSNs are state of birth and date of birth, two things that most people have made available on social networking sites. That alone isn't dangerous.

100% CottonThe government enables the other half of the caper by making the SSNs of deceased Americans available publicly in a database called the Death Master File. This file was created to help institutions detect bogus Social Security numbers on tax and benefits forms, but it also provides a massive test dataset for someone trying to reverse engineer SSNs. Using the Death Master File, CMU engineers were able to determine which parts of the numbers correlated to which of the facts about a person's birth. When they applied their algorithm to SSNs in the DMF that they hadn't tested, they could accurately guess the first five numbers of a given SSN with up to 90% accuracy in smaller states, where the pool of numbers is smaller.

According to ArsTechnica, cracking the last four digits of an SSN, which are seemingly assigned at random, cuts the rate of accuracy considerably; the authors of the study were able to get a number right only after about 10 tries, more than enough failed tries to lock out an IP address on most banking sites. But they note that a botnet working in concert could attack smaller states with alarming alacrity—a virally-controlled network of 10,000 machines could crank out the identities of residents of the State of West Virginia at around 2,800 a minute, based solely on basic information from Facebook. It might be time to abandon the SSN as our primary credential in favor of something more comprehensively secure.

[Via ArsTechnica; Photo by chezrump]