I don't honestly think that this is new, but even if it is, a 9-digit random number has a 44% chance of being a valid SSN (442 million issued to date).
Similarly, with Chase and Citi each at about 100M cards issued, and the 16-digit card number having 7 of those digits fixed in advance, a 16-digit random number has a 10% chance of being a valid card number. Amex cards are 15 digits and there are 50M in play, so a random 15-digit number has a 50% chance of being a valid card number. As such, an attacker is better off holding the password constant and cycling through account numbers than holding the account number constant and cycling through password guesses. Yes, these are approximations for the purpose of argument, but I don't see what the big deal is for the "All The News That's Fit to Print" paper in learning that there ain't much entropy in SSNs. Hell, my brother and I have sequential numbers.

--dan
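The following is an added example, not part of the original post: a defender's view of the pattern described above, where per-account lockout counters see only one failure per account while a per-source count of distinct account numbers exposes the guessing. The log records, source names, account numbers, password fingerprints and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample attempts: (source, account_number, password_fingerprint, success).
# The fingerprint stands in for a keyed hash of the submitted password (assumption).
ATTEMPTS = (
    # src-A holds one password constant and walks through account numbers
    [("src-A", f"4000{n:012d}", "fp1", n == 7) for n in range(12)]
    # src-B is one user mistyping a password on a single account
    + [("src-B", "4000999900001111", f"fp{k}", False) for k in range(2, 6)]
    # src-C is an ordinary successful login
    + [("src-C", "4000123412341234", "fp9", True)]
)

LOCKOUT_THRESHOLD = 3   # failures per account before lockout (assumed policy)
SPREAD_THRESHOLD = 10   # distinct accounts per source before flagging (assumed)


def per_account_lockouts(attempts, threshold=LOCKOUT_THRESHOLD):
    """Classic control: count failed attempts per account number."""
    failures = defaultdict(int)
    for _src, account, _fp, ok in attempts:
        if not ok:
            failures[account] += 1
    return {acct for acct, n in failures.items() if n >= threshold}


def horizontal_guessers(attempts, threshold=SPREAD_THRESHOLD):
    """Flag sources that try many distinct accounts with fewer distinct passwords."""
    accounts = defaultdict(set)
    passwords = defaultdict(set)
    for src, account, fp, _ok in attempts:
        accounts[src].add(account)
        passwords[src].add(fp)
    return {
        src: (len(accounts[src]), len(passwords[src]))
        for src in accounts
        if len(accounts[src]) >= threshold
        and len(passwords[src]) < len(accounts[src])
    }


if __name__ == "__main__":
    print("locked accounts:", per_account_lockouts(ATTEMPTS))
    print("flagged sources (accounts, passwords):", horizontal_guessers(ATTEMPTS))
```

On the constructed data, lockout triggers only for the mistyping user on src-B, while the per-source spread check flags src-A.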
