Two Carnegie Mellon researchers, Alessandro Acquisti and Ralph Gross, published a study the other day, "Predicting Social Security Numbers from Public Data", in which they demonstrated that the first five digits of a person's Social Security number can be guessed with surprising accuracy from where and when that person was born. The reason is the assignment scheme itself: the first three digits (the area number) were tied to the state in which the number was issued, and the middle two (the group number) advanced through a fixed sequence over time, so birth date and birth place, cross-referenced against the SSNs of deceased people in the public Death Master File, reveal the prefix a living person was most likely assigned. Since many (most?) security functions treat those first five digits as the secret while routinely asking the user to confirm the last four, which are therefore widely disclosed, it is now almost trivially easy to reconstruct a person's full nine-digit SSN.
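To make the inference concrete, here is an added Python sketch of the kind of nearest-neighbour lookup the study describes. It is not code from this post or from the Acquisti and Gross paper. It assumes the pre-2011 assignment scheme (area number tied to the issuing state, group number advancing in a fixed order over time, so people born in the same state around the same date share a prefix); the SSA switched to randomized assignment in June 2011, so it does not apply to numbers issued since then. The "Death Master File" records, the state codes and the target details are constructed sample data, and the 9xx area numbers were never issued, so no real number appears.

```python
"""Toy reconstruction of the SSN-prefix inference (added illustration).

Assumptions: pre-2011 assignment scheme, in which the area number
(digits 1-3) was tied to the issuing state and the group number
(digits 4-5) advanced through a fixed order over time within each area,
so people born in the same state around the same date share a prefix.
"""
from collections import Counter
from datetime import date

# Constructed stand-in for Death Master File records: (state, date of birth,
# SSN). Area numbers 900-999 were never issued under the old scheme, so these
# values cannot collide with a real person's number. State codes are made up.
SAMPLE_DMF = [
    ("XX", "1990-01-03", "987-01-0412"),
    ("XX", "1990-01-10", "987-01-0987"),
    ("XX", "1990-02-14", "987-01-4521"),
    ("XX", "1990-03-20", "987-03-0102"),
    ("XX", "1990-04-02", "987-03-2200"),
    ("XX", "1990-05-15", "987-03-8805"),
    ("XX", "1990-06-01", "987-05-0450"),
    ("XX", "1990-07-19", "987-05-6701"),
    ("YY", "1990-04-05", "986-11-3310"),  # another state; must be ignored
]


def nearest_records(records, state, dob, k):
    """The k same-state records whose birth dates are closest to dob."""
    target = date.fromisoformat(dob)
    same_state = [r for r in records if r[0] == state]
    same_state.sort(key=lambda r: abs((date.fromisoformat(r[1]) - target).days))
    return same_state[:k]


def rank_prefixes(records, state, dob, k=3):
    """Area-group prefixes ("AAA-GG") ordered from most to least likely."""
    votes = Counter(r[2][:6] for r in nearest_records(records, state, dob, k))
    return [prefix for prefix, _ in votes.most_common()]


def full_ssn_candidates(records, state, dob, last4, k=3):
    """Ranked full-SSN guesses: inferred prefix plus the disclosed last four.

    The last four digits are the part users are routinely asked to read out
    or type in, which is why predicting the first five is enough.
    """
    if len(last4) != 4 or not last4.isdigit():
        raise ValueError("last4 must be exactly four decimal digits")
    return [f"{prefix}-{last4}" for prefix in rank_prefixes(records, state, dob, k)]


if __name__ == "__main__":
    # Constructed target: born 1990-04-10 in state XX, last four digits 7731.
    print(full_ssn_candidates(SAMPLE_DMF, "XX", "1990-04-10", "7731"))
    # Near a group boundary the vote splits, so the attacker gets a short
    # ranked list of guesses rather than a single answer.
    print(full_ssn_candidates(SAMPLE_DMF, "XX", "1990-05-25", "7731"))
```

The second call shows the practical shape of the attack: even when the prefix is ambiguous, the attacker is left with a handful of candidates rather than a hundred thousand, which is well within what most "verify your identity" forms will tolerate before locking out.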
Any company that continues to use SSNs as an authenticator is well beyond foolish, and any user who voluntarily does business with a company that does so is simply courting identity theft. Why anyone would is beyond me, but companies and users continue down this benighted path.
Is there any way to make them stop this unwise practice? We could outlaw it and make it a crime, or reach for some similarly heavy-handed regulatory solution. But, in keeping with my view that more transparency generally equals greater security, here is an easier one: the US government should simply publish a book (call it the Green Pages, since Yellow and White are already taken) listing everyone who has a Social Security number, together with the number, and make all SSNs public.
That would instantly drain the SSN of any security value and return it to its original function as an accounting identifier. Anyone who continued to use SSNs for authentication after that would be so plainly negligent that the tort lawyers would have a field day.
Excellent idea! We think alike: http://spiresecurity.typepad.com/spire_security_viewpoint/2006/04/a_modest_propos.html
Pete
Posted by: Pete | Aug 20, 2009 at 12:51 AM