Ars Technica has an interesting article titled New algorithm guesses SSNs using date and place of birth.  It describes how the date and location of birth can be gleaned from social networking sites such as Facebook, and then used in a new algorithm to guess the person's SSN "with a startling degree of accuracy."  An inference attack, in other words. 

Per reference.com:  "An Inference attack occurs when a user is able to infer from trivial information more robust information about a database without directly accessing it. The object of Inference attacks is to piece together information at one security level to determine a fact that should be protected at a higher security level."  So consider Facebook or MySpace as one big database; the adversary just needs to put the pieces together, or in this case, use those pieces in an intelligent way to get the golden ring:  the SSN.

Some questions came to mind after reading this:

• Should we be careful about over-sharing?
• Why are we still so reliant on SSN as our unique identifier?
• Why do companies continue to trust without verifying when processing credit card and loan applications?

Companies and Congress have (slowly) been taking steps to limit the use and reliance on SSNs in response to growing public frustration.  It seems not to be worth the time for credit card companies to impose stronger security measures to protect against fraud, so it is consumers that pay the price.  A safe position may be to assume that all of our personal information is already exposed and for sale somewhere in the dark recesses of the Internet, so that we maintain a defensive position by default.  Otherwise, we only react after the damage is done.  We just have to be smarter, and perhaps more vocal, about this issue.




More...