Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves

SSN

SSN's can be guessed

· · Leave a Comment

This just in from slashdot:

“The nation’s Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003.

This is from the Wired coverage:

By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.

“We didn’t break any secret code or hack into an undisclosed data set,” said privacy expert Alessandro Acquisti, co-author of the study published Monday in the journal Proceedings of the National Academy of Sciences. “We used only publicly available information, and that’s why our result is of value. It shows that you can take personal information that’s not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.”

Basically it means we shouldn’t be honest about our date of birth and home town on Facebook (or any other social network) or we are making ourselves vulnerable to discernment of our SSN’s. I wonder if they can figure out mine? I received my as an adult when I was attending college in California.

I decided to poke around and see what Facebook had up about Identity Theft. I did find a link to this study that created a profile by “Freddi Stauer,” an anagram for “ID Fraudster,”.

Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.

Sophos says in most cases, Freddi also got access to respondents’ photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.

Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.

Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.

According to Sophos, the results of what it calls its Facebook ID Probe has significance for the workplace as well as personal life because businesses need to be aware that this type of social-networking site may pose a threat to corporate security.

I have tried to search the Facebook blog to see what they have to say about identity theft and apparently they haven’t mentioned it.

analog-digital Clash – HIGH transaction costs

· · Leave a Comment

Today I have had two analogue-digital clashes. Or perhaps digital loops that had to pass through an analogue phase
I went to the bank to get a print out of all the transactions on my account recently – so I could notify them of the fraudulent ones. You would think that i could tell a bank employee which ones are fraudulent and they would ‘mark them’ on my account electronically and then investigate. Nooo… I get a form that I must fill with a pen writing out each fraudulent transaction.
Then I have to come back tomorrow when the guy who can notarize them is there to mail the documents into the bank. It will then take them 15 days to even look at my claim – more time to investigate and no money is returned until they complete investigating…potentially a month or more away. Meanwhile I am out $2800.
Second clash. I did some work for PR company. They call me last week and leave a message that says…call us back. I really don’t like voicemails like that you have to write the number down. Then punch it back in to call them. I figured it was about my SSN for taxes. I changed my voicemail message that said if you really want me to call you back you have to e-mail me and left my e-mail address. So today I get this e-mail that is a W9 that i have to fill out and sign and fax back to her. Shouldn’t you be able to submit this to the company in some electronic way and then be assured they destroy this information (revocation) so it is not floating around forever in there accounting system. Not yet apparently. So first I fill out the PDF boxes then print it out to sign it. I don’t have a fax machine. So Then I scan in back into my computer and send her the JPEG.
Ross Mayfield said at an event last year that 50% of the economy was transaction costs. These experiences both have a lot of cost associated with just doing the transactions. We as a digital identity community need to address real costs baked into the system that are not working for people or organizations.