interesting-people message


Subject: [IP] Attack guessing the SSN: we need PINs for SSNs


------ Forwarded Message
From: Rich Wiggins <wiggins@msu.edu>
Date: Fri, 07 Mar 2003 12:05:44 -0500 (EST)
To: Dave Farber <dave@farber.net>
Subject: Attack guessing the SSN: we need PINs for SSNs


There are several problems here.  The Social Security Number space
is not sparse enough to prevent attack guessing.  Probably the
attackers limited the ranges of numbers they tried based on
the geographic assignment of SSNs.  This leads to several points:

1) Did the U Texas system try to detect attack guessing?  How
could millions of probes occur without detection?

2) The U Texas report quoted below identifies valid SSN ranges
VERY specifically.  Someone wanting to mount another attack
guessing episode, for instance, now knows that valid SSNs exist
within 449-31-98xx.  That narrows it down to 100 SSNs to try
in attacking some other database.  You could filter by the
Social Security Death Index and narrow the list further.

3) It is fine to suggest that U Texas ought to use something
other than SSN for non-employment purposes, but a huge percentage
of university students take student jobs at one point or another,
and therefore the U *must* have the SSN in employment databases
(e.g. payroll).  So we're back to the issue of how the SSN is handled.

4) In general, why don't employers and others who use SSNs assign
a PIN code or password for each application?  Credit card issuers
do this for credit card numbers, which are less sparse and therefore
less guessable.  If someone steals a credit card number, liability is
limited.  If someone steals an SSN, identity theft is next.

/rich


------ End of Forwarded Message
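
Added example, not part of the forwarded message or of any U Texas system: a per-source detector for the kind of probing that point 1 asks about, which flags a client that looks up many distinct identifiers in a short window with mostly failed matches. The log format, the thresholds, and the use of opaque tokens in place of raw SSNs in the log are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_DISTINCT = 20               # assumed cap on distinct identifiers per source per window
MIN_MISS_RATIO = 0.8            # assumed share of lookups that match no record

def parse(line):
    """Parse 'ISO-timestamp source identifier-token HIT|MISS' (constructed format)."""
    ts, src, token, result = line.split()
    return datetime.fromisoformat(ts), src, token, result == "HIT"

def detect_guessing(lines):
    """Return {source: time of first alert} for sources that look like enumeration."""
    recent = defaultdict(deque)   # source -> (ts, token, hit) entries still inside WINDOW
    alerts = {}
    for ts, src, token, hit in sorted(map(parse, lines)):
        q = recent[src]
        q.append((ts, token, hit))
        while q and ts - q[0][0] > WINDOW:   # drop lookups older than the window
            q.popleft()
        distinct = {t for _, t, _ in q}
        misses = sum(1 for _, _, h in q if not h)
        # Many different identifiers AND mostly misses: a normal user repeats
        # a few known identifiers and rarely misses.
        if (src not in alerts and len(distinct) > MAX_DISTINCT
                and misses / len(q) >= MIN_MISS_RATIO):
            alerts[src] = ts
    return alerts

def sample_log():
    """Constructed log: one source walking sequential tokens, one ordinary user."""
    start = datetime(2003, 3, 1, 2, 0, 0)
    lines = []
    for i in range(60):   # 60 lookups in 60 seconds, nine in ten are misses
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.0.2.10 tok{i:04d} {'HIT' if i % 10 == 0 else 'MISS'}")
    for i in range(3):    # three successful lookups spread over 40 minutes
        ts = (start + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 tok9{i:03d} HIT")
    return lines

if __name__ == "__main__":
    for src, ts in detect_guessing(sample_log()).items():
        print(f"ALERT {src} first flagged at {ts.isoformat()}")
```

With these thresholds the probing source is flagged on its 21st lookup, 20 seconds in; a per-source rule like this does not catch probes spread across many sources, which needs a global miss-rate check as well.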

Archives at: http://www.interesting-people.org/archives/interesting-people/