Social Security Numbers Can Be Guessed
BotScout writes "The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003. A Social Security Administration spokesman said the government has long cautioned the private sector against using a social security number as a personal identifier, even as it insists 'there is no fool-proof method for predicting a person's Social Security Number.'" Update: 07/07 00:01 GMT by T : Reader angrytuna links to Wired's coverage of the SSN deduction system, and links to the researchers' FAQ at Carnegie Mellon, which says that the research paper will be presented at BlackHat Las Vegas later this month.
Who needs to guess when it's so easy to get someone to just give you their social security number if you just present a vaguely legitimate reason? For instance, I could pretend to be hiring people for a new business I am opening. Pretty much every application I've ever filled out has asked for a social security number.
I could also see this technique being combined for some nasty phishing methods. Set up a fake credit check website, ask for their date of birth, the security question is their place of birth, and the last four digits of their social security number is their pin number. Using the technique of these researchers, you can guess a significant portion of people's SS numbers. 40% is probably a huge number for phishing, where most people avoid them, but by sheer volume enough get caught to make money off it.
Even though your post was quite amusing, I think the whole "last 4 digit" thing is overused as well. Since pretty much everyone only needs the "last 4 digits" to verify identity, if one of your conversations is compromised (ever overhear a co-worker's phone call?) then pretty much all of your accounts will be easy to break into. Coupled with the fact that it is next to impossible to actually change a SSN, you are pretty much screwed for life. Why SSNs were used as security devices is beyond me, though I am guessing the fact that "everyone already has one!" was a big part of it.
Because SSNs are supposed to be unique identifiers. Identifiers only. The problem is that they're also being used as the shared secret! There's nothing secret about an SSN, people, and there shouldn't be. I think at this point, the government needs to simply legislate the correct behavior, because companies like Comcast (who asked me for my SSN for 'security reasons' just the other day) just don't get it. Of course, getting the government to know the 'correct behavior' is yet another battle...
Identification != authentication. Failure to understand that is the problem.
Take your e-mail account. Your username identifies you. Your password authenticates you. Your provider (and everyone else in the world) uses your username or e-mail address to identify you or to identify who they're sending their mail to. But when you go to log on to read your mail your provider doesn't just assume that if you know who you are that you're authorized to read your e-mail. They ask for your password (which you don't give out to anybody else) to authenticate that you're really who you're claiming to be.
The basic problem is that a lot of businesses want to verify your identity, but they want to do it fast and not waste time or resources actually authenticating you. So they've taken shortcuts. And now it's biting them, and they want someone to make the problem go away. Note: they do not want to fix the problem. To quote someone, "When the users say 'When I drop this bowling ball on my foot it hurts. Make it stop hurting.', they mean just that. They don't want to stop dropping the bowling ball on their foot. They want you to make it not hurt when they do."
"I am altering our agreement. Pray I do not alter it further."
"Be grateful for what you have. You may never know when you may lose it."
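As an added illustration of the identification-versus-authentication point made in the thread above (example code written for this page, not anything from the commenters or the CMU researchers): a constructed account store where the "last four" doubles as the secret, beside one where the SSN fragment stays an identifier and a salted password hash does the authenticating. The username, record fields and sample digits are all made up.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the SSN fragment below is a made-up value for illustration.
ACCOUNTS = {"alice": {"ssn_last4": "4821", "pw_salt": None, "pw_hash": None}}

PBKDF2_ROUNDS = 200_000


def weak_verify(username: str, claimed_last4: str) -> bool:
    """The shortcut the thread criticises: an identifier (the last four SSN digits)
    is treated as if it were a secret. Anyone who knows or overhears it passes."""
    acct = ACCOUNTS.get(username)
    return acct is not None and claimed_last4 == acct["ssn_last4"]


def guess_budget_last4(username: str) -> int:
    """Measure how many tries the weak scheme survives against a caller that simply
    walks the 10,000 possible four-digit strings. It always falls within that budget,
    which is why the 'last four' cannot carry an account on its own."""
    for n in range(10_000):
        if weak_verify(username, f"{n:04d}"):
            return n + 1
    return -1


def set_password(username: str, password: str) -> None:
    """Store a salted PBKDF2 hash. The SSN remains only a lookup key, never an authenticator."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    ACCOUNTS[username]["pw_salt"] = salt
    ACCOUNTS[username]["pw_hash"] = digest


def strong_verify(username: str, password: str) -> bool:
    """Identify by username, authenticate by something only the user knows.
    Constant-time comparison avoids leaking how much of the hash matched."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["pw_hash"] is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["pw_salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, acct["pw_hash"])


if __name__ == "__main__":
    print("weak scheme exhausted after", guess_budget_last4("alice"), "tries")
    set_password("alice", "correct horse battery staple")
    print("strong scheme, right password:", strong_verify("alice", "correct horse battery staple"))
    print("strong scheme, wrong password:", strong_verify("alice", "4821"))
```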