Start your protection now. It only takes minutes to enroll. Start your protection, enroll in minutes. ID Theft Resources. The fraudster may fill out false applications for loans, credit cards or bank accounts in your name or withdraw money from your accounts.
This can encompass credit card fraud, bank fraud, computer fraud, wire fraud, mail fraud and employment fraud. Government Identity Theft - Fraudsters may use your personal information in interactions with the government. SIRF occurs when a thief uses your Social Security number and other personal information to file an income tax return in your name to claim a tax refund—essentially stealing money from the U.
You can also call and the IRS can correct the spelling of your name over the phone. Learn more about how marriage affects your taxes.
If you have moved and your address has changed, you need to notify the IRS to ensure you receive any IRS refund or other correspondence. You may provide your new address in a variety of ways. You may correct the address by hand on the mailing label included in your tax package or simply write the new address on your return when you file. When your return is processed, the IRS will update your records.
If your address changes after you file your return, you should notify the post office that services your old address. This ensures that your mail will be forwarded not all post offices automatically forward government checks. If you want to inform the IRS of your change of address, they will need your full name, old and new addresses, and your Social Security Number or Employer Identification Number, and a signature. If you filed a joint return, you must provide the information and signatures for both spouses.
Send your information to the address where you filed your last return. IRS mailing addresses are listed in the instructions to the tax forms. If you filed a joint return and you and your spouse have established separate residences, you should both notify the IRS of your new address.
The U. Postal Service provides the IRS with regular change of address updates. These services require information such as applicants' names, dates of birth, and SSNs to screen credit or service applications, thus offering an attacker a means to verify variations of predicted SSNs;.
Such emails would include the target's first 5 or 6 SSN digits to elicit a revelation of the remaining digits;. They could be abused if an attacker succeeded in impersonating companies' representatives or self-employed individuals. A rational attacker would focus on SSNs issued in states and years with higher prediction accuracies, taking advantage of the lack of a centralized, real-time system for the notification of hits and flags on credit account requests 27 , as well as of the fact that, unlike traditional passwords, SSNs cannot be blacklisted after failed attempts, nor changed to avoid future fraud Consider, for instance, an attacker who rented a small botnet 10, IP addresses to apply for credit cards impersonating year-old West Virginia-born U.
After that, he could wait for the blacklist period to expire or rent a different set of botnet machines. Estimates for the total number of bots worldwide range from as low as , 26 to as high as 5 million The profitability of such operation depends on various factors. Breaching large organizations' databases to harvesting of personal data can produce massive amounts of credentials but often requires significant logistical and technical efforts for instance, see ref.
On the other hand, automated vast-scale cyber-attacks based on distributed computations, or mass-scale harvesting of personal data, are becoming more common 31 because of the availability and affordability of botnets. The data necessary for the predictions is, itself, widely available: SSN predictions do not require knowledge of someone's birth zipcode but just his or her state and date of birth. Whereas SSNs are becoming harder to purchase in the open market 8 and less available in public documents 33 , mass amounts of birth data for U.
They include data brokers such as www. An attacker may not even need birth data: The rise of synthetic identity theft where fake names are combined with real SSNs and birthdates suggests that a correspondence between birthdate and SSN can be sufficient to pass the screening of CRAs, even when names or addresses do not match those in the credit reports 21 , Our results show that such correspondence is inferrable even without knowledge of the target's name. These aspects are further discussed in ref. There, we present an illustrative application of the prediction algorithm in which we infer alive individuals' SSNs based on public information we mined from a social networking site.
To illustrate the actual threat of combining public records to infer sensitive information, we used DMF data as the analysis set to extract the most-frequent ANGNs and the SN regression coefficients for the range of states and birthdays corresponding to the alive individuals' birth data.
We extracted the birth data from the public profiles of students at a North American university. We then interpolated our sample's birth data with the patterns estimated from DMF records, and then predicted the formers' SSNs. We verified the accuracy of our predictions against the subjects' actual SSN data from the University Enrollment services , using a secure, IRB-approved protocol that disclosed to us only aggregate predicition accuracy statistics.
We found that at parity of year and state of birth and SSN assignment , the test based on online social network data and the DMF test produced comparable results: we accurately predicted with a single attempt the first 5 digits for 6. The DMF test slightly outperforms the social networking site test, since self-reported social network data about hometown and date of birth may be inaccurate or, in fact, misleading. However, these findings confirm that patterns extrapolated from deceased individuals' SSNs in fact can be used to predict the SSNs of living individuals based entirely on public data.
Although inaccurate birth data or inability to run repeated verification attempts are likely to lower prediction accuracies for alive individuals compared with those we obtained for the DMF set, various factors may actually increase prediction accuracies in the real world. Access that criminals have to external data sources with living individuals' SSNs, larger shares of population being born under EAB and then, inevitably, populating the DMF , and matched predictions or improved prediction algorithms will conspire to augment the DMF analysis set, narrow the group of testable SSN variations, and improve prediction accuracies.
Furthermore, the averages we presented above should not befog the finding that the SSN assignment scheme effectively discriminates in terms of higher identification risks against younger individuals born in less populous states. More importantly, our extrapolations conservatively focused on individuals born between and to those, one should add all individuals born after who continue to receive SSNs under the current assignment scheme [being a minor is no shield against identity theft 35 ; some lenders give accounts to individuals with no credit history 21 ].
Unlike data breaches, which are local threats that is, specific to the records contained within a certain database, however large that may be , the predictability we observed is universal, in that applies, in principle, to any current and future SSNs—unless their assignment scheme is modified. The predictability of SSNs is an unexpected consequence of the interaction between multiple data sources, trends in information exposure, and antifraud policy initiatives with unintended effects.
A number of mitigating strategies can be considered. In the short term, one of the least costly countermeasures would have the SSA fully randomize the assignment scheme, abandoning the matching of area numbers to states, and the sequential assignment of serial numbers. However, they would not do much to protect already existing SSNs. To address those concerns, various recent legislative initiatives have been focusing on removing SSNs from public exposure or redacting their first 5 digits [see www. However, our results suggest that such initiatives, although well-meaning, may be misguided: Assigned SSNs cannot be revoked to avoid future fraud, exposed data cannot be taken back, and the first 5 digits of an SSNs are those, in fact, easier to infer.
This leaves even redacted or truncated SSNs still predictable—and, therefore, still vulnerable. Industry and policy makers may need, instead, to finally reassess our perilous reliance on SSNs for authentication, and on consumers' impossible duty to protect them. We gratefully acknowledge research support from the National Science Foundation under Grant , from the U. Author contributions: A.
Stolen SSNs are lucratively exchanged in underground cybermarkets 9.
This article contains supporting information online at www. NOTE: We only request your email address so that the person you are recommending the page to knows that you wanted them to see it, and that it is not junk mail. We do not capture any email address.
Skip to main content. Alessandro Acquisti. Related Articles Should Social Security numbers be replaced by modern, more secure identifiers? Abstract Information about an individual's place and date of birth can be exploited to predict his or her Social Security number SSN.
SSNVS Information. You can: Verify up to 10 names and SSNs (per screen) online and receive immediate results. This option is ideal to verify new hires. The Social Security Number Verification Service - This free online service allows registered users to verify that the names and Social Security numbers of hired.
Pattern Analysis. Results We evaluated the performance of our prediction algorithm using the DMF as an analysis set to identify assignment patterns, and as a test set to measure the accuracy of SSN predictions based on extrapolated patterns. Discussion The prediction accuracies we have reported pertain to more than half a million DMF records of deceased individuals. These services require information such as applicants' names, dates of birth, and SSNs to screen credit or service applications, thus offering an attacker a means to verify variations of predicted SSNs; sending mass spear phishing emails 23 based on social engineering Conclusions The predictability of SSNs is an unexpected consequence of the interaction between multiple data sources, trends in information exposure, and antifraud policy initiatives with unintended effects.
Footnotes 1 To whom correspondence should be addressed. The authors declare no conflict of interest.