If there were any criminal elements unaware of the potential for brute-force guessing of United States Social Security numbers, we can be sure they know about it now, as the news is everywhere. Thankfully, it’s still not particularly easy to do and has a low success rate:
An SSN consists of nine digits, the first five of which are assigned by established criteria based in part on the zip code in which someone was born. Now Alessandro Acquisti and Ralph Gross of Carnegie Mellon University in Pittsburgh have shown that it is possible to predict the remaining four digits from someone’s birth date.
For 8.5 per cent people born between 1989 and 2003, the researchers were able to identify the complete SSN within less than 1000 attempts.
Obviously a rethink is required, as an SSN can be used to apply for credit cards – but what to replace it with? In this specific instance, preventing automated online credit card applications would be a wise move, incorporating the added bonus of making high-interest credit less easy to obtain on a whim. [image by TheTruthAbout]
But the SSN issue is symptomatic of the growing problem of identity theft. Are there any ID systems that can’t be hacked, spoofed, brute-forced or cloned? If not – and I rather suspect not – what do we do in situations where it’s necessary to conclusively confirm a person’s identity, especially in situations where the person isn’t present?
Perhaps some sort of localised bureau network would be of use, with every town having an office that could act as an identity clearing house for a multitude of different high-risk transactions, requiring the applicant or transactee to attend in person to confirm that they are who they claim to be. Sure, it’d add an extra layer of hassle to things like applying for credit cards, but that’s a small price to pay for a lower likelihood of having someone else apply for one in your name.
But then any national bureaucratic system will have the sort of baroque operational architecture that invites colonisation by corruption and good old fashioned human error… perhaps it would end up as a step sideways, or even backwards. Sounds like a problem for Bruce Schneier!
Perhaps it’s time to accept that in any large system where user convenience is increased, the risk of identity theft increases in proportion. But what will it take for us to give up quick credit and one-click ordering?