Anyone want to know my Social Security Number?

Your home may be your castle, but on social networks, your friends are your perimeter. Will they enclose and protect your personal data?

Let me tell you about yet another brain-dead Facebook meme* about ‘your [something or other] name’ games. These games are the sort of round-robin posts that tell you how to generate your very own witness protection name, your soap character name, and similar richly meaningful concepts.

It’s Only Rock and Roll

Apparently the rock star name meme has been around since at least 2007, but I somehow managed to miss it for most of that time. Clearly I should consider dedicating what is left of my twilight years to Facebook so that I don’t miss anything.

Perhaps this one has something to do with the way rock stars, footballers, and movie stars, worried that alternately pampering and neglecting their offspring might not be the optimum parenting methodology, give them ludicrous names like Leafmould Cheesecake. Or I suppose it might be a way of generating a name that will get you mistaken for a celebrity and ensure that you get into nightclubs and pay a larger than normal deposit on hotel rooms. Anyway, most of the examples I’ve seen (thank you so much, Google, for brightening my life yet again) are generated by combining the name of your first pet and something like your current car, your first car, or the street where you live. (I apologize if I’ve increased the danger that some future reader will be christened Tiddley Widdley 2CV.)

Security content coming up. (Finally.)

It may not have escaped your notice that those elements are very similar to those secret questions that banks and such want us to use to supplement those passwords that they take such good care of. Sometimes. (Here’s a list of other name ‘games’, several of which have a disquieting tendency to be based on ‘secret question’ data.)

I started looking into this social phenomenon when I recently came across a variation on the rock star meme: this one offers us the following way to find our own rock star names. Ready, steady, type:

  1. Your mother’s maiden name
  2. Your first pet’s name
  3. The model of your first car
  4. Your High School mascot
  5. Your favourite uncle
  6. The last four digits of your Social Security Number (SSN)

Several of my friends in the security business found this meme extremely amusing. As you probably will too, knowing that this is a parody – or an extreme example – of the kind of ‘secret questions’ that financial providers and others are fond of passing off as additional security. In fact, the first three are common – even stereotypical – secret questions proposed by real service providers. 4 and 5, maybe not so much. But SSNs are commonly used in the US as authentication, so there’s certainly possible value there for someone trying to harvest useful information about you.

Still, surely no-one could fail to recognize the danger there? Well, some people who commented clearly thought it would be worth putting it out there to see who (or how many) fell for it, if only out of curiosity. No ethical qualms there, then.

Friendship and Fiendship

I’ve talked before (for Virus Bulletin) about the potential of the Facebook meme for collecting data that could be used for malicious purposes. One datum addressed there was your date of birth (mildly obfuscated, but if I could find out how it worked, so could any bad guy who could use a search engine). Another was the instance cited by Graham Cluley of the Royal Wedding in 2011, inviting Facebook users to generate their ‘royal wedding guest name’ by combining an aristocratic title, one of their grandparents’ names, and the name of their first pet ‘double-barrelled’ with the name of the street they grew up on. I can assure you that if I absent-mindedly sign this article as Lord Melvin Sundance-Acacia, I won’t be giving any sensitive data away. After 25 years in security, I’m not naïve enough to think that everyone who’s a friend on social media – or a reader of my blogs – is to be trusted with personal data. I don’t think there are many burglars or identity thieves in my immediate circle of acquaintance, but friends of friends of friends are another matter. In any case, I’m pretty sure that some of my friends aren’t as paranoid with their – or my – posts and data as I am. Furthermore, I’m no fan of the way that various social networks try to insist on my giving them far more personal information than they really need to know.

Not, of course, that I’m advocating a general policy of dishonesty in social networking profiles, but as I commented in that article and elsewhere, these are organizations who regard subscribers not as customers but as sources of commoditized data. Big names in social media are constant targets for hacking, and don’t always take the care over securing sensitive data that you might expect. In fact, they often have an agenda that is at heart anti-privacy, since our data is exactly what matters to the retail organizations and service providers who are their real customers. Meanwhile, we the subscribers are all too willing to give away the sort of material targeted in a data aggregation (or data inference) attack, where individual items may seem harmless, but an aggregation of such items gives an attacker all he needs to indulge in a little identity theft.

Social Insecurity

But let’s talk about SSNs. Is giving away just part of your SSN really dangerous? In a paper published in 2009 by Alessandro Acquisti and Ralph Gross in the Proceedings of the National Academy of Sciences of the United States of America, it was claimed (as I summarized here) that there is:

a correlation between an SSN and the birthdate of its “owner” that makes it feasible to infer the SSN, given knowledge of that birthdate and … public access to the Social Security Administration’s Death Master File … to determine SSN allocation patterns based on the zip code of their birthplace and the date of issue.

So how secure is your Social Security Number? Well, here are a couple of issues:

  • Some legitimate, convenient-to-subscribe-to organizations may require it who are, nevertheless, not “entitled” to it.
  • The difference between legitimate and illicit organizations (or their web pages, URLs and so on) is not always as pronounced as you might think – otherwise, we wouldn’t have to worry about phishing.

A Social Security Number (like a National Insurance Number in the United Kingdom) is an identifier, not an authenticator, because it isn’t secret: many people know (or at least could gain access to) your SSN. But a problem arises whether or not an organization providing some kind of service to you insists on using it as an authenticator rather than as an identifier. Even if a criminal doesn’t have direct access to an SSN, he may be able to guess it based on information aggregated from other sources.

The Social Security Office has stated in the past (apparently in the hope of making it easier to spot a fake) that the 9 digits of the Social Security Number are grouped as follows.

  • The first three digits represent the Area Number
  • The next two digits represent the Group Number
  • The four digits at the end are called the Serial Number

And, of course, it’s exactly those four final digits that are under discussion. According to an article in the LA Times from 2009, Acquisti and Gross were able “to identify all nine digits for 8.5% of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.” However, the Social Security Office stated at that time that it was moving over to a more randomized SSN allocation system. Unfortunately, that probably hasn’t decreased the risk for many people whose SSN was already allocated by the time such changes were introduced.
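The three-part grouping above lends itself to a defender-side check. This is an added example, not code from the original article: it splits a nine-digit value into area, group and serial, flags values the SSA has said it never issues (area 000, 666 or 900-999, group 00, serial 0000; these rules are added here and do not appear in the article), and masks every digit for logging, the last four included. All sample numbers are constructed.

```python
import re
from typing import List, NamedTuple, Optional


class SSNParts(NamedTuple):
    area: str    # first three digits (Area Number)
    group: str   # next two digits (Group Number)
    serial: str  # last four digits (Serial Number)


# Accepts 123-45-6789, 123 45 6789 and 123456789.
_SSN_RE = re.compile(r"^(\d{3})[- ]?(\d{2})[- ]?(\d{4})$")
# Same shape, unanchored, for finding SSN-like values inside free text.
_SSN_IN_TEXT_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def split_ssn(text: str) -> Optional[SSNParts]:
    """Return the three groups, or None if the input is not nine digits."""
    m = _SSN_RE.match(text.strip())
    return SSNParts(*m.groups()) if m else None


def never_issued_reasons(parts: SSNParts) -> List[str]:
    """List the reasons a value cannot be a genuinely issued SSN.

    An empty list only means the value is well-formed; it says nothing
    about whether the number belongs to the person presenting it.
    """
    reasons = []
    area = int(parts.area)
    if area == 0 or area == 666 or area >= 900:
        reasons.append("area number is never assigned")
    if parts.group == "00":
        reasons.append("group number 00 is never assigned")
    if parts.serial == "0000":
        reasons.append("serial number 0000 is never assigned")
    return reasons


def redact(text: str) -> str:
    """Mask all nine digits before logging or storing free text.

    The serial is masked too: a 'last four' left visible is exactly
    the partial identifier the meme and the phone scam ask for.
    """
    return _SSN_IN_TEXT_RE.sub("***-**-****", text)


if __name__ == "__main__":
    for sample in ("123-45-6789", "666-12-3456", "900-00-0000"):  # constructed
        print(sample, never_issued_reasons(split_ssn(sample)))
    print(redact("caller keyed in 123-45-6789 when prompted"))
```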

Hopefully, most sites that ask for SSN info won’t allow unlimited guesses. Even more hopefully, few people will fall for a blatant, exaggerated data harvesting/phishing attempt resembling the meme described above.

The Sum of the Parts

But how about a story recently passed on by one of my colleagues in the security industry? He related how one of his friends received what appears to have been an automated phone call claiming that his or her debit card had been locked for fraud. Such calls are actually quite common, as in the cases described here, where the recording asks for the target to press 1 and then to ‘unlock’ their card by inputting sensitive financial information including the card number and the PIN associated with it in chip and PIN transactions. This isn’t a new threat, of course. A post at Scamcallfighters indicates that characteristically:

The automated system will ask the victim to key-in, card number, name, date of birth and even the security code! And at the end of it, it will declare that your card is reactivated!

In this case, however, the first thing requested was to input a full 9-digit SSN. Fortunately, the intended victim in this instance knew better than to actually give that information. I suspect, however, that a less greedy scammer might get quite a good hit rate in the right context.

By ‘less greedy’ I don’t just mean not asking for so many data items that even the most naïve end user might start to get suspicious, but also being prepared to do some data aggregation. After all, a victim who just volunteered 2-3 potentially useful data items is probably more likely than average to volunteer further items the second time round. And while a partial SSN requires more effort to build into a full SSN, the trade-off is that a victim is less likely to be scared off by a request for too much information.

After all, we’re conditioned to think that when a bank or other agency asks us to identify ourselves by giving part of an identifier or authenticator – “the 1st, 3rd and 4th character of your special word” or “the last four digits of your credit card number”, they already have the whole identifier/authenticator. Of course, this isn’t necessarily true at all. A scammer might even camouflage a harvesting probe by ‘sacrificing’ a data item that can’t be fully established so as to establish a context of trust in which the victim will:

  • Not take the trouble to check that the call is genuine by ending the call and calling back to a known-genuine number.
  • Go on to supply data items that can be used to implement some form of fraud.

However, in this case, a partial SSN might actually be enough to establish yet another useful (in terms of identity theft) data item.

Sadly, this use of automation for fraudulent purposes is another case where well-meaning (but not necessarily well-implemented) attempts by banks to reduce the impact of fraud have actually been perverted by criminals into an attack.

Technology versus Education

In the security industry, there’s a longstanding debate between those who advocate more user education and those who say that if education was going to fix the cybercrime problem it would have worked by now. (Randy Abrams and I discussed that debate at some length back in 2008: People Patching: Is User Education Of Any Use At All?)

This particular threat exemplifies that conflict/tension: the efficiency of a technical solution – automated detection of fraudulent (or at least unusual) transactions – is compromised because card users are not well enough informed to distinguish between legitimate and fraudulent phone calls.

David Harley
ESET Senior Research Fellow

* Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. (Merriam-Webster)
