
News Hey Facebookers: we know your SSN...


T-post Tom
07-07-2009, 01:59 PM
http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars

BTW, did you know Michael Jackson was in the news today?

New algorithm guesses SSNs using date and place of birth

Two researchers have found that a pair of antifraud methods intended to increase the chances of detecting bogus social security numbers has actually allowed the statistical reconstruction of the number using information that many people place on social networking sites.

By John Timmer | Last updated July 6, 2009 4:00 PM CT

For citizens of the US, the social security number (SSN) is the gateway to all things financial. It fills its government purpose of helping us pay our taxes and track our (in many cases, hypothetical) government benefits, and it has also been widely adopted as a means of verifying identity by a huge range of financial institutions. As a result, anytime you disclose an SSN you run a real risk of enabling identity theft. So far, most of the SSN-related ID theft problems have resulted from institutions that were careless with their record keeping, allowing SSNs to be harvested in bulk. But a pair of Carnegie Mellon researchers has now demonstrated a technique that uses publicly available information to reconstruct SSNs with a startling degree of accuracy.

The irony of their method is that it relies on two practices adopted by the federal government that were intended to reduce the ability of fraudsters to craft a bogus SSN. The first is that the government now maintains a publicly available database called a Death Master File, which indicates which SSNs were the property of individuals who are now deceased. This record provided the researchers with the raw material to perform a statistical analysis of how SSN assignments related to two other pieces of personal information: date and state of birth.

The second is that the government has centralized its handling of SSN assignments and provided documentation of the procedures. The first three digits are based on the state where the SSN was originally assigned, and the next two are what's termed a group number. The last four digits are ostensibly assigned at random. Since the late 1980s, the government has promoted an initiative termed "Enumeration at Birth" that seeks to ensure that SSNs are assigned shortly after birth, which should limit the circumstances under which individuals apply for them later in life (and hence, make fraudulent applications easier to detect).

That last program proved to be the key feature that allowed the new research, as it ensured that SSN assignments were more tightly correlated to date of birth. The researchers used the Death Master File to split out data from individual states (which determine the first three digits) then order them by date. At that point, they searched for statistical patterns within the resulting data.

Even from data before the 1990s, rough patterns were apparent in the assignment of region and group numbers but, by the mid-90s, it's obvious that, with a few exceptions, individual region and group numbers are used in a clear sequential order for most SSNs. The patterns are even easier to pick out in less populous states. Patterns in the final four digits were harder to detect, but the authors created an algorithm that predicted them with a lower degree of confidence.

The accuracy of these algorithms is positively disturbing. Using a separate pool of data from the Death Master File, the authors were able to get the first five digits right for seven percent of those with an SSN assigned before 1988; after that, the success rate goes up to a staggering 44 percent. For a smaller state, like Vermont, they could get it right over 90 percent of the time.

Getting the last four digits right was substantially harder. The authors used a standard of getting the whole SSN right within 10 tries, and could only manage that about 0.1 percent of the time even in the later period. Still, small states were somewhat easier—for Delaware in 1996, they had a five percent success rate.

That may still seem moderately secure if it weren't for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute.

All of that requires that the botnet master have access to date and place of birth information, and a number of commercial services will happily provide that data for a price. But the authors also point out that it may not be necessary to pay; they cite a publication in progress that indicates it's easy to harvest a lot of that information from social networking sites like Facebook.
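
Added example (not code from the Ars Technica article or from the Carnegie Mellon researchers): a toy version of the inference the article describes, plus the arithmetic behind the "two digits wrong" point. A constructed Death Master File is simulated under an Enumeration-at-Birth regime where a state's area+group prefix advances with date of birth (illustrative area numbers, 9999 serials per group, 5 % late applicants as noise), and a nearest-neighbour lookup over that file predicts the first five digits for a target birth date. The simulated regime is far cleaner than the real one, so its accuracy is not comparable to the paper's 44 percent; the point is the mechanism. `guess_budget` shows why a verifier that tolerates two wrong digits collapses the remaining four-digit search: each guess then covers a whole Hamming ball of values.

```python
import random
from bisect import bisect_left
from collections import Counter, namedtuple
from datetime import date, timedelta
from math import comb

Record = namedtuple("Record", "state dob ssn")

# Constructed assumption: illustrative area numbers per state, group numbers
# 01-99 that advance after every 9999 serials, serials issued in order.
AREAS = {"VT": ["008", "009"], "CA": ["545", "546"]}


def first_five(ssn):
    """Area + group digits, the part the article says is predictable."""
    return ssn.replace("-", "")[:5]


def simulate_dmf(state, start, days, births_per_day, seed=1):
    """Constructed Death Master File: SSNs issued in birth order, except a
    5 % minority of late applicants whose number is out of step with their
    date of birth (the kind of noise a real file carries)."""
    rng = random.Random(seed)
    areas = AREAS[state]
    counter, records = 0, []
    for offset in range(days):
        dob = start + timedelta(days=offset)
        for _ in range(rng.randint(0, 2 * births_per_day)):
            block, serial = divmod(counter, 9999)
            area = areas[min(block // 99, len(areas) - 1)]
            ssn = f"{area}-{block % 99 + 1:02d}-{serial + 1:04d}"
            counter += 1
            if rng.random() < 0.05:
                recorded = dob - timedelta(days=rng.randint(1, 3650))
            else:
                recorded = dob
            records.append(Record(state, recorded, ssn))
    return records


def build_index(dmf, state):
    """One state's DMF rows sorted by date of birth, for neighbour lookup."""
    rows = sorted((r.dob, first_five(r.ssn)) for r in dmf if r.state == state)
    return [d for d, _ in rows], [p for _, p in rows]


def predict_prefix(index, dob, k=25):
    """Most common area+group prefix among the k DMF records born closest to
    the target date: if assignment is sequential in birth order, the target's
    own prefix is almost always that same one."""
    dobs, prefixes = index
    i = bisect_left(dobs, dob)
    lo, hi = max(0, i - k), min(len(dobs), i + k)
    nearest = sorted(range(lo, hi), key=lambda j: abs((dobs[j] - dob).days))[:k]
    return Counter(prefixes[j] for j in nearest).most_common(1)[0][0]


def run_experiment(state="VT", seed=0):
    """Simulate a DMF, hold out a tenth of it as 'living' targets, and score
    how often the first five digits are predicted exactly."""
    records = simulate_dmf(state, date(1989, 1, 1), 3650, 10, seed)
    random.Random(seed).shuffle(records)
    cut = len(records) // 10
    index = build_index(records[cut:], state)
    hits = sum(predict_prefix(index, r.dob) == first_five(r.ssn)
               for r in records[:cut])
    return hits / cut


def guess_budget(unknown_digits=4, tolerated_errors=2):
    """A lenient verifier accepts a guess when the true value is within
    `tolerated_errors` digit substitutions, so each guess covers a Hamming
    ball of this size; 10**unknown_digits divided by it is a lower bound on
    the guesses needed to cover every possible value."""
    ball = sum(comb(unknown_digits, e) * 9 ** e
               for e in range(tolerated_errors + 1))
    return ball, -(-(10 ** unknown_digits) // ball)


if __name__ == "__main__":
    print("first-five accuracy on held-out records:", run_experiment())
    print("Hamming ball size, guesses lower bound:", guess_budget())
```

With four unknown digits and two tolerated errors the ball holds 523 values, so at least 20 well-spread guesses cover all 10,000 possibilities; that lower bound, not the nominal 10,000, is the number to multiply by the attempts-per-IP limit when estimating what a botnet gets through.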

KCtotheSB
07-07-2009, 02:02 PM
I have a unique social security number.
It's 123-45-6789

Gonzo
07-07-2009, 02:03 PM
You see???

I've been telling you fuckers that those sites are bad ideas. The government is tracking each and every one of us. If hackers have this type of technology can you imagine what the Govt. has?

DOOMED!!11!!11!11eleventy!1!

T-post Tom
07-07-2009, 02:08 PM
You see???

I've been telling you ****ers that those sites are bad ideas. The government is tracking each and every one of us. If hackers have this type of technology can you imagine what the Govt. has?

DOOMED!!11!!11!11eleventy!1!

http://www.easier.com/myads/images/92991-Big_Brother_Logo.jpg

cdcox
07-07-2009, 02:11 PM
Fascinating. I have detected that the first 3 numbers were geographically related just from the SSNs I have come across. That wasn't surprising. What makes this more of concern is it seems like the last 4 digits of a person's SSN are less protected than the first 5 digits. For example, a bank might use the last 4 digits to identify you as being who you say you are. Those files might be easier to come by than the whole SSN. This method seems to be able to predict the first 5 digits with relative accuracy.

Same thing for CC numbers. The first 4 digits are kind of common for large banks and the last 4 digits are not typically encrypted in many online transactions. I bet there are patterns related to financial institution in the second set of 4 digits as well. That only leaves 4 digits that are completely "unknown" in a CC number. Needing the expiration date and security code would seem to add another layer of protection to make it relatively secure.

The point is that the long numbers used for SSN and CC don't add as much security as they appear to.
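
Added example (not cdcox's code or anything from the page): counting how much of a card number is actually unknown once the exposed parts are taken out. It assumes a standard 16-digit PAN, a six-digit issuer prefix and a visible last four, and uses the Luhn check digit every major-network card number must satisfy; that check pins down one of the remaining digits, so the real search space is a tenth of the naive count.

```python
from itertools import product

# Luhn doubling table: 2*d, minus 9 when that exceeds 9.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan):
    """Luhn check: starting from the rightmost digit, double every second
    digit (folding results above 9) and require the sum to be a multiple
    of ten."""
    digits = [int(c) for c in pan]
    total = sum(DOUBLED[d] if i % 2 else d
                for i, d in enumerate(reversed(digits)))
    return total % 10 == 0


def candidates(prefix, suffix, length=16):
    """Every PAN of the given length with the known prefix and suffix that
    passes the Luhn check, i.e. the set an attacker actually has to search."""
    gap = length - len(prefix) - len(suffix)
    for middle in product("0123456789", repeat=gap):
        pan = prefix + "".join(middle) + suffix
        if luhn_valid(pan):
            yield pan


def effective_space(prefix, suffix, length=16):
    """(Luhn-valid candidates, naive candidates) for a prefix/suffix pair.
    The check digit fixes one unknown digit, so the valid set is exactly
    one tenth of the naive 10**gap."""
    gap = length - len(prefix) - len(suffix)
    return sum(1 for _ in candidates(prefix, suffix, length)), 10 ** gap


if __name__ == "__main__":
    # Constructed illustration: six-digit issuer prefix plus the last four
    # digits of a 16-digit PAN, the two pieces the post treats as exposed.
    print(luhn_valid("4111111111111111"))
    print(effective_space("411111", "1111"))
```

For a six-digit prefix and a four-digit suffix the middle six digits give a naive million possibilities, of which 100,000 pass Luhn; the expiration date and security code are what keep that from being a usable search, which is the layer the post points at.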

CoMoChief
07-07-2009, 02:12 PM
Skip's SSN:

000-00-0005






Ah jk.....jk God, I am fucking funny as shit today.

Gonzo
07-07-2009, 02:12 PM
http://www.easier.com/myads/images/92991-Big_Brother_Logo.jpg

http://i32.tinypic.com/vsoq51.jpg

Mr. Plow
07-07-2009, 02:12 PM
http://www.v7n.com/forums/attachments/politics/9578d1243753359-americans-your-household-owes-federal-government-record-546-668-i_m_watching_you_.jpg

BWillie
07-07-2009, 02:39 PM
Well, I'm changing my facebook name to Turd Ferguson ASAP

BigRedChief
07-07-2009, 02:40 PM
It's just a scheme to get you to buy life lock.

Frazod
07-07-2009, 02:46 PM
It's just a scheme to get you to buy life lock.

Well, I think I might do exactly that. Both my wife and I have been the victims of identity theft; mine was minor, but hers was a real pain in the ass. There's also a woman with the same first name as my wife whose SSN is one digit off from my wife's, and her shit has routinely shown up on our credit reports for years. Knowing that the authorities don't give a shit about this (I had the name, address and phone number of the guy who stole my credit card info and the fucking cops wouldn't even go to his house), and also knowing that the credit agencies are staffed by idiots who don't care that their stupid little mistakes can totally fuck me up, basically I (and most everybody else) am one careless mistake away from ruin.

I'm not sure what they charge a month, but it may well be worth it. Basically another form of insurance.

Fish
07-07-2009, 03:24 PM
Well, I think I might do exactly that. Both my wife and I have been the victims of identity theft; mine was minor, but hers was a real pain in the ass. There's also a woman with the same first name as my wife whose SSN is one digit off from my wife's, and her shit has routinely shown up on our credit reports for years. Knowing that the authorities don't give a shit about this (I had the name, address and phone number of the guy who stole my credit card info and the ****ing cops wouldn't even go to his house), and also knowing that the credit agencies are staffed by idiots who don't care that their stupid little mistakes can totally **** me up, basically I (and most everybody else) am one careless mistake away from ruin.

I'm not sure what they charge a month, but it may well be worth it. Basically another form of insurance.

I would strongly recommend not dealing with Lifelock in any way. They cannot provide the protection they claim. It's a total sham. Even their $1M guarantee is a complete joke.

http://lifelock-scam.com/

http://identitytheft-protection.org/lifelock/the-great-lifelock-com-scam/

BigRedChief
07-07-2009, 03:29 PM
I signed away most of my privacy to the government already but I don't want to hassle with cleaning up a credit mess.

Stewie
07-07-2009, 03:35 PM
I don't get it. Does Facebook require your SSN for some reason?

Frazod
07-07-2009, 03:36 PM
I would strongly recommend not dealing with Lifelock in any way. They cannot provide the protection they claim. It's a total sham. Even their $1M guarantee is a complete joke.

http://lifelock-scam.com/

http://identitytheft-protection.org/lifelock/the-great-lifelock-com-scam/

Hmm. Well, fuck that.

Thanks.

Frazod
07-07-2009, 03:38 PM
I don't get it. Does Facebook require your SSN for some reason?

No. But you can put up your hometown and date of birth, and if you were born in your hometown, someone apparently can use that information to determine the first five digits of your SSN.

KC native
07-07-2009, 03:38 PM
I don't get it. Does Facebook require your SSN for some reason?

No, they basically did a regression based on people that have died (because their socials are public info) and based upon those regressions they are able to accurately predict what your social would be based upon your DOB and state of birth.

Frazod
07-07-2009, 03:39 PM
I wasn't born in the town I list as my hometown, so this wouldn't work on me.

Stewie
07-07-2009, 03:51 PM
No. But you can put up your hometown and date of birth, and if you were born in your hometown, someone apparently can use that information to determine the first five digits of your SSN.

Ah, got it. If the first five digits are easy to derive I can see some sneaky bastard calling someone up with the "I only need the last four digits of your social to verify your account." Seems innocuous, but fills in the rest of the puzzle.

Frazod
07-07-2009, 03:58 PM
Ah, got it. If the first five digits are easy to derive I can see some sneaky bastard calling someone up with the "I only need the last four digits of your social to verify your account." Seems innocuous, but fills in the rest of the puzzle.

There are multiple service providers I use who ask me the last four digits to verify my identity, whether by phone or on line.

Yeah, this is not good.

KC native
07-07-2009, 04:14 PM
There are multiple service providers I use who ask me the last four digits to verify my identity, whether by phone or on line.

Yeah, this is not good.

Request they use something different. Most places have protocols for individuals who won't give their social over the phone (I won't ever give mine for verification over the phone).

Frazod
07-07-2009, 04:15 PM
Request they use something different. Most places have protocols for individuals who won't give their social over the phone (I won't ever give mine for verification over the phone).

Sounds like a plan.

Buck
07-07-2009, 04:16 PM
I only have 6 numbers in my SSN.

Figure it out now bitch.

KC native
07-07-2009, 04:18 PM
I only have 6 numbers in my SSN.

Figure it out now bitch.

That would actually make it much easier as all they would need to figure out is the first five based on the regression and then trial and error for the last digit (0-9).

Buck
07-07-2009, 04:19 PM
That would actually make it much easier as all they would need to figure out is the first five based on the regression and then trial and error for the last digit (0-9).

DAMNIT!!!!

I was just kidding, it's 9 digits, but only uses 6 unique numbers.

Stewie
07-07-2009, 04:20 PM
I only have 6 numbers in my SSN.

Figure it out now bitch.

OI812... that doesn't work AT ALL. I'll have to think about this one.

"Bob" Dobbs
07-07-2009, 04:29 PM
Skip's SSN:

000-00-0005






Ah jk.....jk God, I am fucking funny as shit today.

Heh. Beat me to it. I was gonna say it was "VII"