Saturday, July 11, 2009

Guessing Social Security Numbers - What's the Big Deal?

Countless media outlets are breathlessly reporting the details of an article published last week in The Proceedings of the National Academy of Sciences that details how easily predicting US social security numbers has become, using nothing more than publicly available data such as date of birth and the state in which you were hatched.

Get a grip, people. The problem isn't so much that smallish sets of nine numbers can be so easily predicted if you know a little about how the sequences are parsed (I was born in PA, and my SSN begins with a 2), but that we continue to use such a unique identifier as part of any authentication or authorization process.

With so much personal information being made available through a variety of sources, it's nearly impossible for people to prove who they are (authentication) before proceeding with any kind of electronic transaction without being required to confirm some piece of personal data that's also just as easy for crooks to possess. Mother's maiden name? Easy as pie. Last four of SSN? Please. Place where you went to high school? Hardly difficult to ascertain.

In the days before computers and widespread Internet access, those chunks 'o data were relatively safe, because it was difficult, but not impossible, to compile them and have them readily available for fraudulent purposes. Remember when states put SSNs on your driving license, or your federal and state tax paperwork was mailed with your SSN printed (and plainly visible) through the clear envelop window?

Federal, state, and local governments have slowly improved in those areas, although occasional glitches still result in the identifiers being printed on documents that can be stolen from the mail, or mistakenly posted on some government website somewhere. The sad fact is that agencies still use SSN as a tracking identifier through the health care system, banking, and countless other situations where entities are seeking to somehow bind who you are to a series of documents or transactions.

So, using SSNs for authentication is a bad idea, regardless of how easily they can be guessed or predicted. The European Union and other non-US agencies are much more advanced in such areas and have significantly more stringent rules around the use and protection of similar data elements, like EIN.

It's also a bad idea to use the SSN for authorization of any transaction or money movement, since it's so readily available. There would be a lot less identity theft and fraud if no one could run a credit report on me based on my SSN and establish an account or line of credit without some other form of authorization. It's just silly for companies to do anything that could impact my credit rating or financial status without implementing a robust authorization mechanism.

Many firms have explored out-of-wallet processes for authentican or authorization, so named because it uses data that wouldn't typically be found, well, in your wallet if it was lost of stolen. If you thought that your SSN was tossed around carelessly, wait until I explain out-of-wallet.

In order to authenticate you using out-of-wallet information, companies reference huge databases that contain so much historical or transactional data about you that you'll wonder if there's anything about yourself that these companies don't know. The short answer is no, by the way.

So you'll be asked to provide the color of your first car, or the name of the hospital in which you were born, or the last service station that you purchased gasoline. The thought is that you would know this information, but crooks would not, since they aren't living your life. The problem with this approach is that criminals have become very tech-savvy, and now either break in, purchase, or set up accounts to be able to access these immense data stores, such as LexisNexis, so that while they are attempting to authenticate with a company either on the phone or online, they are looking up the answers to the authentication questions as quickly as the company performing the authentication.

So what's the answer? There is no easy solution, although many companies are pitching products and services they claim with provide more secure authentication, identification, and credentialing opportunities, along with a layered authentication strategy. Much like defense-in-depth has been touted as the best approach for computer and network infrastructure security, layered authentication is being sold as the next big thing. What no one wants to talk about, however, is the concept of the weakest link. If any part of your layered approach can be breached, then your strategy is somewhat brittle from a security perspective.

Hence the need for some sort of early warning system, helpfully provided in government fashion via Identity Theft Red Flags and Address Discrepancies implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), 15 U.S.C. § 1681m, and section 315 of the FACT Act, 15 U.S.C. § 1681c, that amended the Fair Credit Reporting Act (FCRA).

Until people begin to push back on how their personal information is used, maintained, and abused, and until firms develop a workable strategy for authentication that doesn't require the use of your data to ensure success, we'll continue to have struggles.

But being able to predict our SSNs is the least of our worries. As you now know, it's how they are used that's really the problem.



1 comment:

  1. Thanks, Susan. I really appreciate you taking the time to comment. Let me know if there's anything special you'd like to read about.

    Kev

    ReplyDelete

Please tell me what you think.