Security Basics mailing list archives
RE: Weakness in Social Security Numbers Is Found
From: "ONeill David J" <david.j.oneill () state or us>
Date: Thu, 9 Jul 2009 09:07:00 -0700
Coming from 15 years of experience in Government IT, most of it in Human Services (Welfare, Child Services, ...), I cringe anytime that someone suggests the use of SSN as a unique identifier and can't even imagine using it as a sole authentication mechanism. The reason has nothing to do with privacy; it has to do with multiple persons using the same SSN. Even though this is not possible in theory, in practice it happens every day. I know of one case where 15 individuals were receiving Food Stamps, they all had the same SSN, and we had no way to find out which one the SSN actually belonged to (their documents had the same name, DOB, and place of birth).

David O'Neill
Senior Systems Analyst
DCBS/IMD
Phone: 503.947.7379

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lorna Alamri
Sent: Wednesday, July 08, 2009 10:54 AM
To: Ali, Saqib; security-basics () securityfocus com
Subject: RE: Weakness in Social Security Numbers Is Found

Ali,

Thanks. This is an interesting article. What the article did not address is that consumers are trained to give out the last 4 numbers of their social security number for authentication. Since the 1st 5 are the easy ones to figure out (44% in a single try if born after 1988)

"From the researchers' sample, it was possible to identify in a single try the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born from 1973 to 1988. It was possible to identify all nine digits for 8.5 percent of those born after 1988 in fewer than 1,000 attempts. The accuracy of the prediction system increased for smaller states and for people born after 1988. The accuracy was higher for those born in the late 1980s and after because of rules that led increasingly to the assignment of Social Security numbers at birth. The researchers, for example, reported that they needed 10 or fewer tries to predict all nine digits for 1 out of 20 Social Security numbers assigned in Delaware in 1996."

It begs the question should any organization protecting private information (PII), use an SSN as an identifier since it is inherently weak? Companies using the last four SSN digits for authentication need to understand how SSNs are generated to understand the risks of using them as an authenticator.

Lorna

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib
Sent: Wednesday, July 08, 2009 9:29 AM
To: security-basics () securityfocus com
Subject: Weakness in Social Security Numbers Is Found

Read more: http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=2&ref=instapundit

saqib
http://www.capital-punishment.us

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Current thread:
- Weakness in Social Security Numbers Is Found Ali, Saqib (Jul 08)
- RE: Weakness in Social Security Numbers Is Found Lorna Alamri (Jul 09)
- RE: Weakness in Social Security Numbers Is Found ONeill David J (Jul 10)
- Re: Weakness in Social Security Numbers Is Found Kurt Buff (Jul 09)
- <Possible follow-ups>
- Re: Weakness in Social Security Numbers Is Found ron (Jul 13)
- RE: Weakness in Social Security Numbers Is Found Lorna Alamri (Jul 09)