Randomness and personal security
It’s funny how synchronized the world can be at times. Last night I was having a conversation with someone about the random part of social security numbers, and today Bruce Schneier points me at this interesting phishing attack, which was successful in part because of exactly the same problem.
The security issue is this: people are often given numbers of various sorts - identification numbers (e.g. SSNs), credit card numbers, bank accounts, etc. These numbers are pretty unpredictable as a whole, but parts of them are extremely predictable. For example, the first three digits of social security numbers have some very specific rules associated with them. I used to work at a place (11 years ago) where I had to take social security numbers down for every employee every day… sigh… Anyway, the first three digits of people’s numbers were disturbingly similar.
It gets worse: Commerce Bank, one of the biggest banks in the Midwest, issues Visa Check Cards to every checking account holder. The only problem is that a great many of them start with the same nine digits. That’s right - NINE. There goes most of your randomness. Add to that the fact that there are various mathematical tests that a valid credit card number has to pass, and you lose even more of the precious little randomness you have left.
Different numbers have different randomness characteristics (also known as entropy in the crypto field). A randomly assigned PIN from a bank or a website is probably pretty random (although it’s also probably way too short; another problem for another day). Your account number at your family doctor’s office is probably totally UNrandom - it is probably a sequential number picked up from some auto-increment field in a Microsoft Access database. Every number works differently; use your head and it should be obvious.
So there are a couple of take-homes here:
- Try to avoid giving the “last four digits” of your SSN, credit card, or account numbers for identification purposes. In the case of a Commerce Bank credit card, you’re giving away nearly all of the randomness in the card, or 13 of 16 digits. That leaves an attacker with a 1/1000 chance of getting your number, or 500 guesses on average.
- Never believe anyone who tries to convince you that they are legit by telling you the first few digits of one of these numbers. They’re very easy to guess.
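To make the entropy arithmetic above concrete, here is an added example (not the author's code) that measures how many card numbers remain possible once a bank-wide prefix and the "last four" are known, and how many of those also pass the mod-10 (Luhn) check that valid card numbers must satisfy. The nine-digit prefix used is a constructed placeholder, not any real issuer's.

```python
import itertools
import math


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def count_luhn_completions(mask: str) -> int:
    """Count completions of a mask ('?' marks an unknown digit) that pass Luhn.

    Only feasible for small numbers of unknowns; the point is to show how few
    candidates survive once most digits are fixed.
    """
    unknown = [i for i, ch in enumerate(mask) if ch == "?"]
    count = 0
    for combo in itertools.product("0123456789", repeat=len(unknown)):
        candidate = list(mask)
        for pos, d in zip(unknown, combo):
            candidate[pos] = d
        if luhn_valid("".join(candidate)):
            count += 1
    return count


def residual_entropy_bits(mask: str) -> float:
    """Bits of uncertainty left in a card number given the known positions."""
    return math.log2(count_luhn_completions(mask))


# Constructed scenario from the post: a bank-wide 9-digit prefix (placeholder
# value), three unknown digits, and the "last four" handed over for ID purposes.
KNOWN_PREFIX = "123456789"      # constructed placeholder, not a real prefix
LAST_FOUR = "1234"              # constructed placeholder
MASK = KNOWN_PREFIX + "???" + LAST_FOUR

if __name__ == "__main__":
    print(f"raw candidates: {10 ** MASK.count('?')}")
    print(f"Luhn-valid candidates: {count_luhn_completions(MASK)}")
    print(f"residual entropy: {residual_entropy_bits(MASK):.2f} bits")
```

The raw 1000 candidates drop to 100 once the check digit rule is applied, under seven bits of uncertainty for a 16-digit number.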
February 24th, 2006 at 4:11 am
I see your point; but a credit card number alone is useless. You can’t generate a new card, you can’t make charges to it (via a merchant or through a merchant) and you can’t get into someone’s account.
Let’s say for example that I correctly generate and validate 50,000 numbers. What then? I don’t have names for these numbers, I don’t have security check digits, I don’t even have correct expiry / start dates.
February 26th, 2006 at 12:34 pm
Look at it this way: If I told you that, knowing that you are a Commerce Bank customer, I know all but three digits of your credit card number, would that worry you? It would worry me!
You’re right that you usually need other information (i.e. the three-digit CCV2 code), but there’s no way to look at this as anything but a bad thing, in my opinion. Maybe not a terrible thing, but clearly a bad thing.
June 28th, 2006 at 3:38 pm
[…] Then I get an e-mail to my work account that says this in bold letters: Your credit line is $XYZ!, except the XYZ was filled in with the RIGHT NUMBER! I really thought it was spam. In fact, my Postini filter flagged it as spam, despite the fact that MBNA’s e-mails usually get through. But no: it also has the last four digits of my account number in the e-mail. ARGH! They, of all people, ought to know that the last four digits are the worst numbers to give out. […]
September 6th, 2006 at 10:37 am
[…] Remember: NEVER give out the last four digits of your SSN.. […]