Monday, February 20, 2006
Followup: Birthright application (In)security
I received a reply from Birthright Israel's information address about the transmission of the last four digits of a social security number over the Internet in clear text. They said I could make up four digits if I wanted to. So, my theory was right. It is being used as an internal identifier. The responder also asserted that because they are only asking for the last four digits, no identity theft would be possible. Is that true? My feeling would be that it isn't. Here's why.
Anyone who has ever called any company they have a personal account with, from a bank to a cable company, knows that the following information is sufficient to verify their identity:
Secondly, any of that information combined with the whole social security number will certainly be able to be used for identity theft. Can a whole nine digit SSN be reconstructed with only the last four digits? To figure that out, you need to know how a social security number is constructed. The first three digits are an area number. All that someone would need to know to figure that out is my place of birth. Given my real name, it's not that hard to figure out from Google or other public records. The middle two digits, the group number, are a bit harder to figure out, but they're issued in a regular pattern. Anyone who has figured out the pattern (like a sophisticated identity thief or a sophisticated identity thief's customer) could know them. The last four digits are the only ones that are truly random! So, by giving them away, I could effectively be giving away all nine digits, or minimally, seven of them, reducing the probability of randomly guessing it from an unreasonably high number slightly above one in a billion to a doable number slightly above one in a hundred.1
It is true, (as far as I can tell) that if the only information a nefarious man-in-the-middle had were the last four digits of a social security number, then, he cannot steal an identity. Here, that is not the case. All the other information that's transmitted (or the password to which are transmitted) with it do give enough information to be a serious identity theft risk.
Given the risk, it is inconceivable why anyone would design a website that transmits such information in clear text, or even that uses any part of a social security number as an internal identifier. Why not simply assign the application a number in the order it's received?
1 The reason the probabilities are "slightly above" the values that would be suggested by the number of digits are because certain SSN's are publically known to be invalid.
Technorati tags: computer+security, social+security+number, website+design
Anyone who has ever called any company they have a personal account with, from a bank to a cable company, knows that the following information is sufficient to verify their identity:
- Name (on application)
- Birthdate (on application)
- Address and/or telephone number (not on first page, but I assume it will be asked for elsewhere in the application)
- Last four digits of the social security number
Secondly, any of that information combined with the whole social security number will certainly be able to be used for identity theft. Can a whole nine digit SSN be reconstructed with only the last four digits? To figure that out, you need to know how a social security number is constructed. The first three digits are an area number. All that someone would need to know to figure that out is my place of birth. Given my real name, it's not that hard to figure out from Google or other public records. The middle two digits, the group number, are a bit harder to figure out, but they're issued in a regular pattern. Anyone who has figured out the pattern (like a sophisticated identity thief or a sophisticated identity thief's customer) could know them. The last four digits are the only ones that are truly random! So, by giving them away, I could effectively be giving away all nine digits, or minimally, seven of them, reducing the probability of randomly guessing it from an unreasonably high number slightly above one in a billion to a doable number slightly above one in a hundred.1
It is true, (as far as I can tell) that if the only information a nefarious man-in-the-middle had were the last four digits of a social security number, then, he cannot steal an identity. Here, that is not the case. All the other information that's transmitted (or the password to which are transmitted) with it do give enough information to be a serious identity theft risk.
Given the risk, it is inconceivable why anyone would design a website that transmits such information in clear text, or even that uses any part of a social security number as an internal identifier. Why not simply assign the application a number in the order it's received?
1 The reason the probabilities are "slightly above" the values that would be suggested by the number of digits are because certain SSN's are publically known to be invalid.
Technorati tags: computer+security, social+security+number, website+design
