Claims of code breaking on Social Security numbers dismissed, although more security needs to be applied
A recent paper, ‘Predicting Social Security numbers from public data’, published in the Proceedings of the National Academy of Sciences, claimed that an SSN is relatively quick and easy to guess if you have other information relating to the individual's place and date of birth.
David Harley, director of malware intelligence at ESET, claimed that knowing someone's SSN is not necessarily enough to give an attacker control over that person's finances or to steal their identity - it depends on the context and on what other information the attacker has.
The paper's authors Alessandro Acquisti and Ralph Gross claimed that an SSN is relatively quick and easy to guess if you have other information relating to the individual's place and date of birth.
However, Harley said: “An SSN is not like a password. In fact, it's essentially a database primary key, an identifier that is unique to you, and the most practical way of generating such a key is often to enhance predictability, not to reduce it.
“A primary key is often just a numeric value incremented automatically. For example, if the primary key for the first record is one, the key for the second is two, the key for the tenth is ten, and so on – think autonumbering in Microsoft Access.
“For an attacker trying to guess the key for a victim's record, that might still be fairly random: if you're aiming to exploit a database known to have millions of entries, you may not be able to start to guess where in the sequence your victim's identifier is.”
The Social Security Office pointed out that Acquisti and Gross have not ‘cracked a code for predicting an SSN’; instead, they have made it feasible to predict the SSN for some people, given a sufficiency of resources.
“While most sites that use SSNs to verify a user's identity will not allow unlimited attempts, a [cybercriminal] can use multiple machines to access multiple resources such as online credit approval services to test numbers,” said Harley.
Stuart Okin, managing director at Comsec Consulting, said: “If you use an SSN or National Insurance number as an identifier you will have a problem; you need two-factor authentication in this day and age or even three-factor, that combines biometrics, which is inevitable.”