Black Hat Researcher Cracks Algorithm For Creating Social Security Numbers
Though it's not the bombshell that was dropped by Moxie Marlinspike, another researcher is here at BlackHat briefing attendees on how he cracked the Social Security Administration's code for creating social security numbers and how governments and organizations must respond now that SSNs are not secure in their commonly used contexts as passwords and identifiers (includes podcast interview).
Though it's not the bombshell that was dropped by Moxie Marlinspike, another researcher is here at BlackHat briefing attendees on how he cracked the Social Security Administration's code for creating social security numbers and how governments and organizations must respond now that SSNs are not secure in their commonly used contexts as passwords and identifiers (includes podcast interview).Today at the Black Hat Conference in Las Vegas, Carnegie Mellon Heinz College Associate Professor Alessandro Acquisti explained to attendees how, through what was largely a trial and error process, he and his fellow researcher Ralph Gross were able to predict social security numbers within an unreasonable margin of error.
I was able to catch up with Acquisti for a personal briefing on his discovery and captured it with my podcast gear. To hear the podcast interview with Acquisti, you can press the miniature play button that appears in-line (earlier in this sentence), click the tab on the lower left hand side of this Web page (which will cause the podcast player to spring out), or, right click on the aforelinked text to download the MP3.
"What we found is that social security numbers are predictable from public data," Aquisti told me. "More specifically, we see that you can use the date of birth and state where they're born to predict narrow ranges that are likely to include their social security numbers. This is a concern because in the United States, social security numbers are used as passwords. So, there is a security threat here."
When Acquisti, an economist by training, and his fellow researchers began their research, their intent wasn't to prove that social security numbers were predictable. The original premise of their research was to investigate online social networks and how much information people were willing to reveal on those networks.
"It may be possible, when you start piecing together different units of data, each alone is not particularly sensitive, you come out with a combination that's much more senstive" says Acquisti. The general scheme for arriving at a social security number is no secret. The Social Security Administration has published the scheme online. Using that as a bit of a guideline, Acquisti's group started piecing together publicly available data to see if they could zero in on something much more sensitive. Said Acquisti, "That turned out to be the case."
Although a lot of trial and error was involved before they reached their "aha" moment, Acquisti claims that once that moment arrived, they felt as though the answer was quite obvious. Acquisti fell short of saying that he should have thought of it sooner. As it turns out, he and his fellow researchers were close enough that they could have announced their findings a year ago. But the decision was made to sit on it and refine their prediction engine even more.
The engine doesn't work universally well for people born in all states. For example, Acquisti says it works best for people born in less populous states and is far less reliable when trying to predict the social security numbers of people born in California or New York. Also, according to Acquisti, the overall accuracy of the prediction algorithm works better for people born in 1989 or after. 1989 is roughly when the US government rolled out a national program called Enumeration at Birth (EAB). The idea behind the program was for parents to apply for a social security number for their babies right around the time of birth.
So, where do we go from here. Aquisti says the US government has always been aware that social security numbers aren't incredibly secure and has been advising the public sector not to rely on them as passwords. But now that it has been demonstrated to the US government just how predictable social security numbers are, the stakes have been raised to the point that the private sector must react much more swiftly. Not only to eliminate social security numbers as the last line of defense guarding sensitive data, but also to discourage the practice of using social security numbers as primary identifiers. For example, social security number one of the key identifiers that identity thieves use for their craft.
Be sure to give the podcast a listen. Aquisti and I covered a fair amount of ground including the connection between his discovery and the way that social security numbers are nearly serving as a national ID card; something they were never intended to be. It was a great discussion and Aquisti was such a gentleman to sacrifice his evening time to do this interview with me.
David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at email@example.com and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing and his hope that the stock market can't get much worse. Also, if you're an out-of-work IT professional or someone involved in the business of compliance, he wants to hear from you.
Server Market SplitsvilleJust because the server market's in the doldrums doesn't mean innovation has ceased. Far from it -- server technology is enjoying the biggest renaissance since the dawn of x86 systems. But the primary driver is now service providers, not enterprises.