Identity Theft Expert Robert Siciliano
Robert Westervelt from SearchSecurity.com reports that researchers at Carnegie Mellon University developed a reliable method of cracking a person’s SSN based on data mined from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.
The researchers had a full understanding of what the Social Security numbers mean:
The first three numbers on a Social Security card originally represented the state in which a person first applied for a Social Security card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest.
From Wikipedia: Before 1986, people often did not have a Social Security number until the age of about 14, since the numbers were used for income tracking purposes.
The researchers further cracked the algorithm, guessing the first five digits of an SSN on the first try for 44% of people born after 1988, and with a 90% success rate in less populated states. In fewer than 1,000 attempts, the researchers could identify a complete SSN, “making SSNs akin to 3-digit financial PINs.”
In a statement, the researchers said, “Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales.”
In this case the researchers’ work is certainly an accomplishment, but the ability of researchers to guess SSNs is the least of our problems. We are functioning in a system where Social Security numbers sit in unprotected file cabinets and databases in thousands of government offices, corporations and educational institutions. Networks are like candy bars, meaning SSNs can be hacked either from the outside, through the hard candy shell, or from the soft and chewy inside.
The problem stems from the fact that our existing system of identification is seriously outdated and needs to be significantly updated. We are relying on 9 digits as a single identifier; the Social Security number is the “be-all” key to the kingdom and has no physical relation to who we are.
When we incorporate multi-factor authentication into how we are identified, we will begin to solve this problem.
The process of full and complete authentication begins with “Identity Proofing”. Identity Proofing is a solution that begins to Identify, Authenticate and Authorize. Consumers, merchants and government don’t just need authentication; they need a solution that ties all three of these components together.
Jeff Maynard, President and CEO of Biometric Signature ID, provides a simple answer to a complicated issue in 4 parts:
Identify – A user must be identified when compared to others in a database. We refer to this as a reference identity. A unique number (PIN or password) or something else unique to you, like your e-mail address, is created and is associated with your credential or profile.
Authenticate – Authentication is different from verification of identity. Authentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static – iris, fingerprint, facial, DNA. Dynamic – signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are. This explains why, in multi-factor solutions, you must use 2 of the following identifiers – something you HAVE (token, card), something you ARE (biometric), something you KNOW (PIN, password).
Verification – is used when the identity of a person cannot be definitely established. Technologies used provide real-time assessment of the validity of an asserted identity. We don’t know who the individual is, but we try to get as close as we can to verify their asserted identity. Included in this class are out-of-wallet questions, PINs, passwords, tokens, cards, IP addresses, behavioral trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.
Authorization – Once the user has passed the identification test and has authenticated their identity, they now want to buy something or approve an action. Merchants would love to have a customer’s authenticated signature that gives an approval from the customer to charge their credit card. This is authorization.
This means effective identification resulting in accountability. In many small segments of government and in the corporate world this is happening, but not systematically. Unfortunately, we are years away from full authentication.
In the meantime we must make the data useless to the thief. The data I refer to is the SSN. If the SSN can’t be used to open a new credit account, then we have solved one part of the identity theft problem. This can be done in a few simple ways.
1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze”, or go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.
2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.
Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.
24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.
Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.
Robert Siciliano Identity Theft Speaker discussing identity theft