Security Basics mailing list archives

RE: Weakness in Social Security Numbers Is Found


From: "Lorna Alamri" <lalamri () go-integral com>
Date: Wed, 8 Jul 2009 12:53:30 -0500

Ali,
Thanks, this is an interesting article. What the article did not address
is that consumers are trained to give out the last 4 numbers of their
social security number for authentication. Since the 1st 5 are the easy
ones to figure out (44% in a single try if born after 1988) 

        "From the researchers' sample, it was possible to identify in a
single try the first five digits for 44 percent of deceased individuals
who were born after 1988 and for 7 percent of those born from 1973 to
1988. It was possible to identify all nine digits for 8.5 percent of
those born after 1988 in fewer than 1,000 attempts.

        The accuracy of the prediction system increased for smaller
states and for people born after 1988. The accuracy was higher for those
born in the late 1980s and after because of rules that led
increasingly to the assignment of Social Security numbers at birth. The
researchers, for example, reported that they needed 10 or fewer
tries to predict all nine digits for 1 out of 20 Social Security numbers
assigned in Delaware in 1996."

It begs the question: should any organization protecting private
information (PII) use an SSN as an identifier, since it is inherently
weak? Companies using the last four SSN digits for authentication need
to understand how SSNs are generated to understand the risks of using
them as an authenticator.
Lorna 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ali, Saqib
Sent: Wednesday, July 08, 2009 9:29 AM
To: security-basics () securityfocus com
Subject: Weakness in Social Security Numbers Is Found

Read more:
http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2&ref=instapundit


saqib
http://www.capital-punishment.us

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

