Crooks Create Valid Social Security Numbers

August 4, 2009 by ADMIN

By Rebecca Herold (The Privacy Professor) CIPP, CISSP, CISM, CISA, FLMI

I’ve had some very interesting discussions about the CMU SSN Study throughout the week, and before moving on to other topics I wanted to wrap up the discussion with some final thoughts on the CMU SSN topic.

I had a few folks basically say:

“So what!? If the CMU researchers had to guess some number of times to get the last digits correctly, then most business systems will stop them. They talked about using “brute force” techniques. If they have to guess the last digits, then they are providing an authenticator (manual or automated) with a number of invalid SSNs before they get the correct one. They’ll be locked out before being successful.”

No, that’s not what the report is saying.

The alarming result of this report is that crooks don’t need to steal the SSNs from businesses or from people; they can just create valid ones using commonly known information and use the SSNs until the victims discover the crimes.

People get so upset, understandably, when an organization loses a laptop with SSNs, or has one stolen.

But now, upon hearing that crooks don’t even need to steal SSNs, but can just generate them from commonly known information and use them until the victims discover the crimes, it is puzzling why so many people don’t see this as something to be concerned with, and to demand changes for.

So how do the crooks know which SSNs are valid?

Crooks don’t need to validate SSNs at any business, although it seems many thought the CMU report was saying this. It wasn’t.

The crooks just need to go to any number of online locations, or even to some local government agencies providing kiosks, to validate SSNs.

For example, crooks can:

  • Use one of many sites that “validate” actual SSNs, such as at http://privacy.cs.cmu.edu/dataprivacy/projects/ssnwatch/ (I believe, but not confirmed, that they’ve disabled full functionality since issuing the report, but other sites are out there and available, I just don’t like to spread the URLs of them around).
  • Use any of a large number of services that validate SSNs, such as at http://www.veris-ssn.com/. Criminals often use the same services as legitimate businesses. Criminals are happy to pay a few bucks for this service to get thousands or millions of times the value in return. Besides, they’re probably paying for the service with someone else’s money anyway.
  • Go to the online, publicly available, Death Master File at the Social Security Administration site to find valid SSNs of the deceased; these will still be identified as being valid by large numbers of businesses, and provide one of the best opportunities for ongoing and undetected fraud.
  • Provide them to CREs who, as the CMU SSN report indicated, only require 7 of 9 correct digits in order to grant access to credit reports. This CRE practice is very beneficial to the crooks.

With the many places where SSNs can be validated, it’s a rather simple task for crooks to generate a database of probable SSNs and then run them through the checks.

Checking 1000 *probable* SSNs will result in many times more valid SSN returns than checking 1000 random numbers in SSN format.

The smart crooks will create databases of the valid SSNs.

They will then sell the valid SSNs, many times over, to other crooks who will then commit the crimes that typically go undetected until huge amounts of money have been charged or taken from the actual individuals.

The more businesses rely on SSNs to open accounts, or for validation and/or authentication, the bigger the risk because no flags will be going off when valid SSNs are used.

CMU used a computer program to generate the valid SSNs (what they refer to as “guessing” was done by the computer, and the count of combinations, or “guesses,” is how many attempts were needed to find valid SSNs); this does not require any type of authentication at a business system.

The report described generating authentic, real SSNs. From there, crooks can take the SSNs and do any number of bad things, including opening accounts and validating others’ identities to get to others’ accounts at businesses that use SSNs in this way.

There wouldn’t be a flag raised at the business if the crook is giving valid SSN information created using the algorithm.

And, since the generated SSNs were not actually stolen from an organization, there would not have been any security alert to indicate criminals have these SSNs and are using them.

The only alerts would come after the criminal activity involving the SSNs, and only if noticed by those who are the actual individuals to whom the SSNs apply.

A significant risk is that if organizations rely upon an SSN as something dependable with which to validate, authenticate or uniquely identify an individual, this study shows that potentially many others could hold that SSN without having stolen it, and could be using it without the SSN owner or the business knowing about it.

Most of us have thought this for a very long time, but the study provided the “proof” that has, to date, been missing.

Business leaders request and usually require such proof before making significant changes such as changing how SSNs are used in their organizations.

Both government agencies and businesses must examine how they use SSNs to verify, authenticate and validate.

Some organizations may have no reason to think about this at all if they do not use SSNs for these purposes.

However, organizations that do use SSNs in this way need to examine the related risks as they apply to their own organization.

The levels of risk will vary with each organization depending upon their own unique activities involving SSNs.

Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, is an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold & Associates, LLC, who has provided assistance, advice, services, tools and products to organizations in a wide range of industries throughout the world for over two decades.


The Privacy Professor, aka Rebecca Herold & Associates, LLC, has been a trusted source for effective information security, privacy and compliance tools, education and consulting since 2004. The Privacy Professor is located in Des Moines, Iowa within easy driving distance to Minneapolis/St. Paul, Chicago, Omaha, Kansas City and St. Louis, and easy flights to the east and west coasts. The Privacy Professor brings over two decades of expertise to organizations of all sizes, in all industries throughout the world.

You can reach her at rebeccaherold@rebeccaherold.com or www.theprivacyprofessor.com.


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Comments

One Comment on Crooks Create Valid Social Security Numbers

Bob Smith on Wed, 5th Aug 2009 8:49 am

Wow! What a great business opportunity. Create an app that guesses the SSNs, outsource validating the SSNs and create a nice little database that you can sell to the crooks that would actually use the SSNs, so that you cut your exposure to nil and sit back and take in the money. Noice!