H&R Block used to give you any of their clients' tax returns with SSN, last name, and ZIP Code. I think this form of authentication is extremely common.
The big problem with asking for SSN+DOB or SSN+ZIP or even SSN+Name is these are highly correlated. SSNs are issued in order by date, in tranches given to each hospital, which gives you a fair chance of guessing a ZIP. Once you have a ZIP and a year you can also make informed guesses as to last name.
There are, at this point, I would have to assume, databases with those in them available for purchase or download. No need to use statistics and guesses.
That's how SSNs are distributed now. The majority of adults did not get them assigned at birth. Before the 80s, it was common not to get one at all until you started working. After the mid-80s a child needed one for their parents to claim them as a dependent, with the minimum age lowering until we reached today's situation.
Even before assignment at birth, they were geographically allocated based on the applicant's address, which is even worse because that allows you to make accurate guesses about recent ZIP instead of ZIP at birth. These correlations were well-known even before 1987, when they switched to assignment at birth.
Your linked paper is about correlating year of birth to a social security number, which I would reckon is much easier than correlating to zip code, given that social security numbers both predate zip codes and were geographically assigned based on the US State in which the applicant lived when the number was requested. My own SSN was assigned to me at age ten when I lived fifteen hundred miles from the place of my birth, and I have moved a further thousand miles from there in the meantime; there's basically no way to predict my ZIP code from it.
Anyway, according to that lookup table, I was born in 1927, a conclusion with which I strenuously disagree. Those methods may have been statistically useful in the year of publication but so many things have changed, and so many more people move between states than before the 80s, that I doubt its validity now. As a reference, the pandemic drastically slowed down American interstate household moves, but even so, 8% of the population moved states in 2020 -- including 18% of people between 20 and 29. (https://www.weforum.org/agenda/2021/12/american-relocation-h...)
In short, I think it may have been more feasible in the past to draw these correlations, and now it's less feasible. On the other hand, massive data leaks are de rigueur, so it's probably just easier to buy databases from criminals on the internet.
Am I reading correctly that Krebs gave the vendor three full days (of which at least three are not working days), over the Christmas holiday to patch this before disclosure on Mastodon?
I can understand (but not necessarily agree) with arguments for full disclosure when the consumer has a choice to avoid using the vendor .. but, in this case?
No, what Krebs said was "So it's Dec. 27, and I still haven't heard anything from Experian." In other words, they haven't even responded to his report.
Given the gravity of the issue and the supposed standing of the vendor, 3 days should be plenty time to at least respond -- working days or not.
Additionally, Krebs has stated that Experian has yet another glaring security issue. He's not saying exactly how to do it, or dropping POC in the post.
Given the size and importance of Experian, there's nothing wrong with pointing out this issue, especially when after 4 days they can't even acknowledge an issue this serious.
Krebs stating a vulnerability exists, is more responsible than not disclosing it -- given their importance, and history of security screw-ups, the people have a right to know.
But it’s not three arbitrary days, is it? It’s December 24th, 25th and 26th, none of which are working days in the US, and which encompass one of the biggest global holidays of the year.
Experian is here to ruin everyone’s Christmas, that is kind of their gig to be Scrooge. Not a big Krebs fan, but I do enjoy watching him go against some of these big guys with a “Too bad, so sad” mentality. I can’t imagine having to tell someone that what I do for work is track an indebted populous, eck.
So? Christmas is a public holiday in 80% of countries. It is by some distance the most widely shared global business holiday. And Experian is an American company.
It's a global company and yes some people have to work on holidays. Info Sec for a business like Experian absolutely necessitates 24/7 coverage. I can't believe this is even a debate.
There’s a big difference between getting paged over the holidays for a real incident vs getting paged because Brian Krebs wants to make some internet drama.
Unfortunately, this issue lowers the bar for exploiting a months-old vulnerability.
The older ongoing problem is that any person can create a new Experian account with a new email address, and answer a few credit-related quiz to take over somebody's credit file. When doing this Experian will helpfully even offer to unlock the credit file and you can reset security questions etc. All without the consent of the victim. All the "security" systems are bypassed.
This new vulnerability means you need even less information to take over somebody's credit/identity. You can get the answers to their quiz directly from Experian's own systems. That makes it a bigger deal.
I thought he was extremely nice to wait that long. That's 72 hours more than these abusive corporations deserve. I actually wish these people would just publish these vulnerabilities out of nowhere to force them to deal with it or go bankrupt from liability. Any damage caused by such "reckless" disclosures isn't severe enough punishment for their surveillance capitalism business even existing in the first place. There should have been no data to be compromised in the first place.
> Glad I checked, too, because the info in there is so completely wrong I don't even know where to start.
So a guy who holds himself out as a security expert hasn't even been monitoring his own credit report. I guess the Ubiquiti incident already made clear this guy is a charlatan.
This is just Experian's credit report. Everyone knows you can't trust them. Only a first-party credit report should be accepted when the stakes are high.
The mechanics are no different from giving your info to a potential landlord for them to do a security check. So in that respect, the system is working exactly as intended.
The difference is, this allows somebody to do a non-consensual credit check on you. Not to mention the whole other raft of problems brought on by the credit reporting industry.
This is the problem with companies that want to hoard "high value" data as a business model: they become the juiciest targets. When the inevitable happens, they play too big, too essential to fail.
I’m not seeing whether this bypasses a freeze or not. Anyone have more details? I find it very odd that he would leave that important piece of information out.
IDK why this surprises anyone. I applied to expand my HELOC last month with my credit union.
TransUnion sold my info to every mortgage company out there and I guarantee you I got 100+ calls and text messages from companies I've never heard of asking me to apply with them.
They just sell any and all of our data over and over again.
Can't opt out and can't stop it. 100s of calls to my cell phone.
42 comments
[ 3.0 ms ] story [ 81.2 ms ] threadThe big problem with asking for SSN+DOB or SSN+ZIP or even SSN+Name is these are highly correlated. SSNs are issued in order by date, in tranches given to each hospital, which gives you a fair chance of guessing a ZIP. Once you have a ZIP and a year you can also make informed guesses as to last name.
https://www.ssa.gov/employer/randomization.html
https://pubmed.ncbi.nlm.nih.gov/6613981/
Anyway, according to that lookup table, I was born in 1927, a conclusion with which I strenuously disagree. Those methods may have been statistically useful in the year of publication but so many things have changed, and so many more people move between states than before the 80s, that I doubt its validity now. As a reference, the pandemic drastically slowed down American interstate household moves, but even so, 8% of the population moved states in 2020 -- including 18% of people between 20 and 29. (https://www.weforum.org/agenda/2021/12/american-relocation-h...)
In short, I think it may have been more feasible in the past to draw these correlations, and now it's less feasible. On the other hand, massive data leaks are de rigueur, so it's probably just easier to buy databases from criminals on the internet.
I can understand (but not necessarily agree) with arguments for full disclosure when the consumer has a choice to avoid using the vendor .. but, in this case?
Additionally, Krebs has stated that Experian has yet another glaring security issue. He's not saying exactly how to do it, or dropping POC in the post.
Given the size and importance of Experian, there's nothing wrong with pointing out this issue, especially when after 4 days they can't even acknowledge an issue this serious.
Krebs stating a vulnerability exists, is more responsible than not disclosing it -- given their importance, and history of security screw-ups, the people have a right to know.
A malicious actor wouldn’t wait until business hours.
The older ongoing problem is that any person can create a new Experian account with a new email address, and answer a few credit-related quiz to take over somebody's credit file. When doing this Experian will helpfully even offer to unlock the credit file and you can reset security questions etc. All without the consent of the victim. All the "security" systems are bypassed.
This new vulnerability means you need even less information to take over somebody's credit/identity. You can get the answers to their quiz directly from Experian's own systems. That makes it a bigger deal.
Experian had 72.
> All you needed was the person's name, address, SSN and DOB.
You can check me on this here https://consumer.ftc.gov/articles/free-credit-reports
> Glad I checked, too, because the info in there is so completely wrong I don't even know where to start.
So a guy who holds himself out as a security expert hasn't even been monitoring his own credit report. I guess the Ubiquiti incident already made clear this guy is a charlatan.
The difference is, this allows somebody to do a non-consensual credit check on you. Not to mention the whole other raft of problems brought on by the credit reporting industry.
Yes, but you can change your SSN anytime, it is still considered confidential info and the US has no easily changeable national ID system.
Most banks let you take over an account with just SSN and knowledge of debitcard number (without cvv code) and sometimes dob.
If you think your ssn is exposed don't count on companies and government bureaus not relying on it. Change it.
TransUnion sold my info to every mortgage company out there and I guarantee you I got 100+ calls and text messages from companies I've never heard of asking me to apply with them.
They just sell any and all of our data over and over again.
Can't opt out and can't stop it. 100s of calls to my cell phone.
No acct with that mail. Odd.
Tried signing up… “email already in use..”
…umm.