[144576] in cryptography@c2.net mail archive


Re: Weakness in Social Security Numbers Is Found

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Sun Jul 12 11:51:09 2009

Cc: "Ali, Saqib" <docbook.xml@gmail.com>,
 Cryptography <cryptography@metzdowd.com>
From: Jerry Leichter <leichter@lrw.com>
To: dan@geer.org
In-Reply-To: <20090709004628.F183B33EC0@absinthe.tinho.net>
Date: Thu, 9 Jul 2009 22:12:44 -0400

On Jul 8, 2009, at 8:46 PM, dan@geer.org wrote:
> I don't honestly think that this is new, but even
> if it is, a 9-digit random number has a 44% chance
> of being a valid SSN (442 million issued to date).
Different attack.  What they are saying is that given date and place  
of birth - not normally considered particularly sensitive - they have  
a good chance of predicting *a particular person's* SSN.

For untargeted attacks, broad statistics about the number of SSNs
out there are fine.  But much attention these days is on targeted
attacks against "high value" individuals.  It's in fact probably
*easier* to find basic biographical information about date and place
of birth of such individuals - you can often get much of it for, say,
CEOs of public companies from their own brief bios of their senior
officers; scan newspapers for charity birthday events and you can get
quite a bit more - than for a random member of the population.

Now, whether this really buys you all that much over other ways of  
getting hold of SSNs is questionable - and in fact the researchers
are quoted as saying it's more of a demonstration of principle than  
anything practical.

BTW, 442 million SSNs have been issued, but how many are for people
who have since died?  For many attacks, you need one for a living  
victim, which lowers the probability.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
