Study Proves that SSNs Are Terrible Authenticators
July 6th, 2009 by Ari Schwartz
Perhaps we finally have the last piece of evidence to help everyone admit that, with regard to the use of Social Security numbers as an authenticator, the emperor has no clothes.
The National Academy of Sciences today published a study from Alessandro Acquisti of Carnegie Mellon University demonstrating that Social Security Numbers (SSNs) issued after 1988 can be predicted with relative ease if you have the person’s birth date and place of birth. It seems that, in 1988, the Social Security Administration (SSA) started issuing the numbers sequentially. Given that fact, Acquisti was able to take death records published by the SSA and identify a possible range of SSNs that were issued to a person on any given birth date. If you were born in a smaller town, the odds are pretty high that Acquisti could get your SSN on the nose. As this population ages, it will be even easier for anyone to do this.
When I first read Acquisti’s paper, I was mortified by the implications, but, thinking about it more, it simply confirms what all experts in identity policy have known for a long time: the SSN is a pretty good identifier, but a horrible authenticator. In other words, when you have two people named John Smith, the number is good for making sure that you don’t confuse one for the other, but not good at all for helping you assess that one John Smith is who he says he is (e.g., the bank that asks for his SSN when he doesn’t have his bank account number readily available).
The SSN is just not the secret that we’ve been taught it was and, at some point, we are all (in particular, corporate entities) going to have to stop treating it as though it were.
This entry was posted on Monday, July 6th, 2009 at 4:09 pm and is filed under CDT, Consumer Privacy.



July 9th, 2009 at 1:10 pm
[...] is well known that Social Security Numbers (SSNs) should not be used as authenticators. A new study demonstrating the ease with which SSNs can be predicted serves as further evidence to this fact. [...]