Security Basics mailing list archives

RE: Weakness in Social Security Numbers Is Found


From: "ONeill David J" <david.j.oneill () state or us>
Date: Thu, 9 Jul 2009 09:07:00 -0700

Coming from 15 years of experience in Government IT, most of it in Human Services (Welfare, Child Services, ...), I
cringe anytime that someone suggests the use of SSN as a unique identifier and can't even imagine using it as a sole
authentication mechanism. The reason has nothing to do with privacy; it has to do with multiple persons using the same
SSN. Even though this is not possible in theory, in practice it happens every day. I know of one case where 15
individuals were receiving Food Stamps, they all had the same SSN, and we had no way to find out which one the SSN
actually belonged to (their documents had the same name, DOB, and place of birth).

David O'Neill
Senior Systems Analyst
DCBS/IMD
Phone: 503.947.7379

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lorna Alamri
Sent: Wednesday, July 08, 2009 10:54 AM
To: Ali, Saqib; security-basics () securityfocus com
Subject: RE: Weakness in Social Security Numbers Is Found

Ali,
Thanks, this is an interesting article. What the article did not address
is that consumers are trained to give out the last 4 numbers of their
social security number for authentication. Since the 1st 5 are the easy
ones to figure out (44% in a single try if born after 1988)

        "From the researchers' sample, it was possible to identify in a
single try the first five digits for 44 percent of deceased individuals
who were born after 1988 and for 7 percent of those born from 1973 to
1988. It was possible to identify all nine digits for 8.5 percent of
those born after 1988 in fewer than 1,000 attempts.

        The accuracy of the prediction system increased for smaller
states and for people born after 1988. The accuracy was higher for those
born in the late 1980s and after because of rules that led
increasingly to the assignment of Social Security numbers at birth. The
researchers, for example, reported that they needed 10 or fewer
tries to predict all nine digits for 1 out of 20 Social Security numbers
assigned in Delaware in 1996."

It begs the question: should any organization protecting private
information (PII) use an SSN as an identifier, since it is inherently
weak? Companies using the last four SSN digits for authentication need
to understand how SSNs are generated to understand the risks of using them as
an authenticator.
Lorna

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ali, Saqib
Sent: Wednesday, July 08, 2009 9:29 AM
To: security-basics () securityfocus com
Subject: Weakness in Social Security Numbers Is Found

Read more:
http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2&ref=instapundit


saqib
http://www.capital-punishment.us

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

