Re: Weakness in Social Security Numbers Is Found

2009-07-12 Thread Darren J Moffat

d...@geer.org wrote:

> I don't honestly think that this is new, but even
> if it is, a 9-digit random number has a 44% chance
> of being a valid SSN (442 million issued to date).


I wonder if the UK NI numbers suffer from a similar problem.

They look a little like this:  AB 12 34 56 C

Information on how they are structured is here:

http://en.wikipedia.org/wiki/National_Insurance#National_Insurance_number

However given we don't use the NI number in the UK like the SSN is
abused in the US there isn't the same security risk in guessing them.
Although the Wikipedia article claims they are sometimes used for
identification I know I have never been asked for mine other than by an
employer or suitably authorised government body who has a real need to know.


--
Darren J Moffat

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Weakness in Social Security Numbers Is Found

2009-07-12 Thread Jerry Leichter

On Jul 8, 2009, at 8:46 PM, d...@geer.org wrote:

> I don't honestly think that this is new, but even
> if it is, a 9-digit random number has a 44% chance
> of being a valid SSN (442 million issued to date).

Different attack.  What they are saying is that given date and place  
of birth - not normally considered particularly sensitive - they have  
a good chance of predicting *a particular person's* SSN.


For untargeted attacks, broad statistics about the number of SSNs
out there are fine.  But much attention these days is on targeted
attacks against high value individuals.  It's in fact probably
*easier* to find basic biographical information about date and place
of birth of such individuals - you can often get much of it for, say,
CEOs of public companies from their own brief bios of their senior
officers; scan newspapers for charity birthday events and you can get
quite a bit more - than for a random member of the population.


Now, whether this really buys you all that much over other ways of
getting hold of SSNs is questionable - and in fact the researchers
are quoted as saying it's more of a demonstration of principle than  
anything practical.


BTW, 442 million SSNs have been issued, but how many are for people
who have since died?  For many attacks, you need one for a living  
victim, which lowers the probability.

-- Jerry



Re: Weakness in Social Security Numbers Is Found

2009-07-09 Thread dan

I don't honestly think that this is new, but even
if it is, a 9-digit random number has a 44% chance
of being a valid SSN (442 million issued to date).

Similarly, with Chase and Citi each at about 100M
cards issued, and the 16-digit card number having
7 of those digits fixed-in-advance, a 16-digit
random number has a 10% chance of being a valid
card number.  Amex cards are 15-digits and there
are 50M in play, so a random 15-digit number has
a 50% chance of being a valid card number.  As such,
an attacker is better off holding the password
constant and cycling through account numbers than 
holding the account number constant and cycling
through password guesses.

Yes, these are approximations for the purpose of
argument, but I don't see what the big deal is for
the All The News That's Fit to Print paper in
learning that there ain't much entropy in SSNs.
Hell, my brother and I have sequential numbers.

--dan
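
An added example, not part of the original post: the message above notes that holding the password constant and cycling through account numbers beats guessing passwords against one account. A per-account failure counter never sees that pattern, while grouping failed attempts by a keyed fingerprint of the submitted secret does. The event layout, account names, key and thresholds are assumptions, and the log data is constructed.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: a per-deployment secret, rotated regularly

def fingerprint(secret: str) -> str:
    """Keyed, truncated digest so failed secrets can be compared without storing them."""
    return hmac.new(KEY, secret.encode(), hashlib.sha256).hexdigest()[:12]

def build_sample_events():
    """Constructed login events: (source, account, secret fingerprint, success)."""
    events = []
    # Horizontal pattern: one secret tried once against each of six accounts.
    for n in range(6):
        events.append(("198.51.100.7", f"ACCT-{1000 + n}", fingerprint("1234"), False))
    # Vertical pattern: four different secrets against a single account.
    for guess in ("0000", "1111", "2222", "3333"):
        events.append(("203.0.113.9", "ACCT-2000", fingerprint(guess), False))
    # Ordinary user: one typo, then a successful login.
    events.append(("192.0.2.44", "ACCT-3000", fingerprint("hunter3"), False))
    events.append(("192.0.2.44", "ACCT-3000", fingerprint("hunter2"), True))
    return events

def per_account_lockouts(events, max_failures=3):
    """Classic control: accounts with at least max_failures failed attempts."""
    failures = defaultdict(int)
    for _src, account, _fp, ok in events:
        if not ok:
            failures[account] += 1
    return {acct for acct, n in failures.items() if n >= max_failures}

def horizontal_guessing(events, min_accounts=5):
    """Secrets that failed against many distinct accounts, with the sources involved."""
    accounts, sources = defaultdict(set), defaultdict(set)
    for src, account, fp, ok in events:
        if not ok:
            accounts[fp].add(account)
            sources[fp].add(src)
    return {fp: (len(accts), sorted(sources[fp]))
            for fp, accts in accounts.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    ev = build_sample_events()
    print("locked by per-account counter:", per_account_lockouts(ev))
    print("flagged as horizontal guessing:", horizontal_guessing(ev))
```

On the constructed data the per-account counter locks only the account hit by the vertical pattern; the six single-attempt failures are visible only to the per-secret grouping.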



Weakness in Social Security Numbers Is Found

2009-07-08 Thread Ali, Saqib

Read more:
http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2ref=instapundit


saqib
http://www.capital-punishment.us

[Moderator's note: this isn't really a weakness in SSNs, unless you're
stupid enough to use them as a password -- which we already knew was
bad. None the less, interesting work. --Perry]


Re: Weakness in Social Security Numbers Is Found

2009-07-08 Thread Bill Frantz

docbook@gmail.com (Ali, Saqib) on Wednesday, July 8, 2009 wrote:

> Read more:
> http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2ref=instapundit
>
> saqib
> http://www.capital-punishment.us
>
> [Moderator's note: this isn't really a weakness in SSNs, unless you're
> stupid enough to use them as a password -- which we already knew was
> bad. None the less, interesting work. --Perry]

How separate algorithms reduce security when used together:

The last 4 digits of the SSN are frequently used as an authenticator. These
may be the hardest digits to recover with the technique which, according to
the researchers (Alessandro Acquisti and Ralph Gross) at CMU, would not be
easy for cybercriminals to reconstruct but would be within the grasp of
sophisticated attackers.

My solution is to have the Social Security Administration announce that
they will publish names and SSNs for everyone in their database on a
certain date. Fat chance it will happen.

Cheers - Bill

---
Bill Frantz        | Web security is like medicine - trying to do good for
408-356-8506       | an evolved body of kludges - Mark Miller
www.periwinkle.com |
