Social Security numbers fall out of favor as personal identifiers

Government and industry should stop using Social Security numbers as a primary method for verifying identity, according to the author of a recent study that showed how easily thieves can use a combination of personal information and computer software programs to figure out the nine digits.

The study by Carnegie Mellon researchers found that identity thieves could guess Social Security numbers using information such as birth dates obtained from public records held by federal and state agencies, then verify the numbers using sophisticated computer attacks.

"We should be on the lookout for these kinds of attacks, and try to find patterns through real-time monitoring that can immediately tell us whether someone is trying to use brute force to steal identities or information," said Alessandro Acquisti, author of the study.

The report noted that the first three digits in Social Security numbers -- called the area number -- are issued according to the ZIP code of the mailing address provided in the application form, while the fourth and fifth digits, known as the group number, often remain constant over the years for a given region. The last four digits are assigned sequentially, making them closely tied to a person's date of birth.

Hackers that know a person's birthplace and birthday can make educated guesses about their SSNs, and then use a practice called tumbling to systematically test numbers using credit card applications -- making slight changes to the digits until an application is approved. This process can be sped up using a botnet, which is a type of cyberattack that infiltrates computers with malicious code that turns them into zombies that attackers can use to test the validity of hundreds of Social Security numbers.

The Social Security Administration recently proposed randomizing the first three digits in the assignment scheme, which would eliminate the statistical predictability of newly assigned numbers, but would not protect already existing SSNs, Acquisti said.

"We should not try to salvage the role of SSNs as they're used today and not retrofit the system to protect SSNs," he said. "We should abandon them."

But some security experts argue that the ability to crack Social Security numbers has little impact, in part because hackers can find them through other means.

"Social Security numbers can be generated, but more importantly, they can be stolen from bank databases and government agencies whose systems have been penetrated by hacker syndicates," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. He agreed government should move away from the traditional SSN as a primary identifier, but said agencies also should focus on locking down computer networks and systems by participating in more frequent red teaming exercises that simulate cyberattacks and help identify vulnerabilities prior to the exploitation.

"ID theft is the largest growing crime in America and it is a result of SSNs being hacked from sensitive databases that are not sufficiently protected," Kellermann said.

But Alan Paller, director of research at the SANS Institute, said the latest methods for identity theft rarely rely on Social Security numbers anyway.

"I don't think this is a high priority, because it doesn't deliver a big enough payoff" for hackers, he said. "You do identify theft so you can steal money, but it's easier to steal money by taking over someone's computer."

The bigger risk, Paller said, is visiting a Web site that's been infected with malicious software that installs a keystroke logger on the computer, which allows the attacker to grab the key strokes used to sign into an online banking application.

"They go in and move some money from your account into theirs, all without any Social Security number," he said. "To me, the Social Security number is a red herring."