Interesting People mailing list archives
Attack guessing the SSN: we need PINs for SSNs
From: Dave Farber <dave () farber net>
Date: Fri, 07 Mar 2003 13:47:16 -0500
------ Forwarded Message
From: Rich Wiggins <wiggins () msu edu>
Date: Fri, 07 Mar 2003 12:05:44 -0500 (EST)
To: Dave Farber <dave () farber net>
Subject: Attack guessing the SSN: we need PINs for SSNs

There are several problems here. The Social Security Number space is not sparse enough to prevent attack guessing. Probably the attackers limited the ranges of numbers they tried based on the geographic assignment of SSNs. This leads to several points:

1) Did the U Texas system try to detect attack guessing? How could millions of probes occur without detection?

2) The U Texas report quoted below identifies valid SSN ranges VERY specifically. Someone wanting to mount another attack guessing episode, for instance, now knows that valid SSNs exist within 449-31-98xx. That narrows it down to 100 SSNs to try in attacking some other database. You could filter by the Social Security Death Index and narrow the list further.

3) It is fine to suggest that U Texas ought to use something other than SSN for non-employment purposes, but a huge percentage of university students take student jobs at one point or another, and therefore the U *must* have the SSN in employment databases (e.g. payroll). So we're back to the issue of how the SSN is handled.

4) In general, why don't employers and others who use SSNs assign a PIN code or password for each application? Credit card issuers do this for credit card numbers, which are less sparse and therefore less guessable. If someone steals a credit card number, liability is limited. If someone steals an SSN, identity theft is next.

/rich

------ End of Forwarded Message
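Point 1 of the forwarded message asks how millions of probes could occur without detection. The script below is an added example, not code from the list post or from the U Texas system: it reads lookup-audit lines of a constructed format (timestamp, client address, hit/miss outcome), keeps a per-source sliding window of misses, and flags any source that accumulates many misses in a short window with a high miss ratio, which is the signature of identifier enumeration rather than of a user mistyping their own number. The log format, the thresholds (20 misses in 60 seconds, miss ratio 0.8) and the sample addresses are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log format for an identifier lookup service (constructed for
# this example): "<ISO timestamp> src=<client> lookup result=hit|miss".
# No identifier value is logged, so the audit trail itself is not a list of
# valid numbers if it leaks.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) lookup result=(?P<result>hit|miss)$"
)


def parse_line(line):
    """Return (timestamp, source, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["result"]


def find_enumerators(lines, window=timedelta(seconds=60),
                     max_misses=20, min_miss_ratio=0.8):
    """Flag sources that look like they are enumerating identifiers.

    A source is flagged the first time it has at least `max_misses` misses
    inside the sliding `window` AND its overall miss ratio so far is at least
    `min_miss_ratio`. Returns {src: (misses_in_window, miss_ratio_at_flag)}.
    The ratio test keeps a busy but legitimate front desk (mostly hits) from
    being flagged on volume alone.
    """
    recent = defaultdict(deque)                       # src -> miss timestamps
    totals = defaultdict(lambda: {"hit": 0, "miss": 0})
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # skip malformed lines
        ts, src, result = rec
        totals[src][result] += 1
        if result != "miss":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:               # drop misses outside window
            q.popleft()
        n = totals[src]["hit"] + totals[src]["miss"]
        ratio = totals[src]["miss"] / n
        if len(q) >= max_misses and ratio >= min_miss_ratio and src not in flagged:
            flagged[src] = (len(q), round(ratio, 2))
    return flagged


def burst(src, start, count, step_seconds=1):
    """Constructed run of consecutive misses from one source, one per step."""
    t = datetime.fromisoformat(start)
    return [
        f"{(t + timedelta(seconds=i * step_seconds)).isoformat()} "
        f"src={src} lookup result=miss"
        for i in range(count)
    ]


# Constructed sample log: one source sweeping through a number range (50
# misses in 50 seconds, then a single hit) and one ordinary user who mistypes
# once and retries. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = (
    burst("203.0.113.7", "2003-03-05T02:14:00", 50)
    + ["2003-03-05T02:14:50 src=203.0.113.7 lookup result=hit"]
    + [
        "2003-03-05T09:00:00 src=198.51.100.4 lookup result=hit",
        "2003-03-05T09:00:31 src=198.51.100.4 lookup result=miss",
        "2003-03-05T09:00:45 src=198.51.100.4 lookup result=hit",
    ]
)

NORMAL_ONLY = SAMPLE_LOG[-3:]


if __name__ == "__main__":
    for src, (misses, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT enumeration suspected from {src}: "
              f"{misses} misses in window, miss ratio {ratio}")
```

The detector alerts on the sweeping source after its 20th miss, long before the "millions of probes" the post describes, while the ordinary user is never flagged. In a real deployment the same logic would drive a per-source lockout or a step-up check, and the thresholds would be tuned to the service's normal miss rate.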