How Face Recognition Can Uncover SSNs
nonprofiteer writes "Building on previous work showing that social security numbers are not random, CMU researchers ran experiments in which they predicted students' social security numbers after taking a photo of them with a cheap webcam. Using off-the-shelf facial recognition technology and data-mining publicly available Facebook photos and profile information, they were able to come up with the social security numbers of several of the students. (More impressive, as they note that 60% of the students were foreign, and had no SSNs, leaving them a pool of less than 50)."
This article (Score:4, Funny)
Re: (Score:2)
Agreed. Summary is massively misleading. They are only guessing the first five digits, which is not remotely random or secure.
Re: (Score:3)
They can guess the first five, and the last 4 are frequently used (at colleges) to report test scores in a pseudo-anonymous manner.
Re: (Score:2)
They can guess the first five, and the last 4 are frequently used (at colleges) to report test scores in a pseudo-anonymous manner.
That is an incredibly stupid practice. If anyone reading is a student or professor at such a college, lobby to get this changed.
want to see something really scary? (Score:4, Insightful)
Re:want to see something really scary? (Score:5, Interesting)
Life lesson: those who fear that they will lose their freedom if they lose their privacy are usually so busy defending their privacy that they do not have freedom.
Here's the thing. There's maintaining your privacy, then there's shutting yourself out of the world because you're trying to protect a part of your privacy that isn't very defendable. To some people, having a Facebook profile is like walking on a public street. People on the street know what their name is and know what they look like. Protecting the privacy of their name and likeness would be cutting them off socially. In a very real sense, that sort of privacy would be a loss of their freedom.
You may draw the line somewhere else. I know that I do. But some people just wouldn't be free if they had to worry about a stranger knowing their name and face or even some of their habits.
As for the SSN thing, the government is to blame for not assigning numbers properly. The numbers themselves aren't necessarily a problem.
Re:want to see something really scary? (Score:5, Insightful)
Actually, it's the fault of the banking industry for commandeering a government number for a purpose other than what it was intended. An SSN was not supposed to be a unique identifier for anyone other than Uncle Sam as they go to collect Social Security tax money and then pay it back out.
Re: (Score:2)
The thing is, our economic growth is based upon credit. (Perhaps too easy credit, but we still need it.) Handing out credit requires some way of knowing who you're giving it to, otherwise the system is easy to cheat. Now SSNs may not have been the perfect solution since it was designed for something else, but it was readily and almost universally available.
Re:want to see something really scary? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
In what way is e-mail used as proof of identity?
Re: (Score:2)
In what way is e-mail used as proof of identity?
For most business correspondence in the modern world. Not formally, but in decision-making, for example.
Re:want to see something really scary? (Score:4, Insightful)
Mod parent up. TFA says: "the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth."
We should read that as sounding as absurd as: "the phone numbering system has a huge security flaw -- phone numbers are discoverable if you know a person's name." This was NOT a design flaw. Nobody, as best I can tell, ever thought, when designing the system, that an SSN should be treated like a PIN, a number known only to the individual, where knowledge of the PIN is considered strong evidence of the identity of the person.
The single best thing which could be done for security at this point is to publish a nation-wide database of all SSNs matched with the names registered to those SSNs, to totally destroy the idea that SSNs should be "secret" identifiers.
The SSN exists to establish that we're identifying the John Doe who was born to Jim and Jane Doe on January 1, 1972 in Madison, Wisconsin, rather than the John Doe who was born on January 8, 1963 in New York City, or the John Doe who was born to Bill and Joan Doe on January 1, 1972 in Madison, Wisconsin. It is an identifier, not a PIN.
I'd like a good class action lawyer to consider a nice lawsuit against any creditor who acts on the assumption that somebody who knows a person's SSN must be that person, or authorized by that person to take action on their behalf.
Re: (Score:2)
More to the point, it was meant as a unique key, not as a secret.
Other countries have similar systems where the number is public information, like your name, but unlike your name guaranteed to be unique. Much like a Dun & Bradstreet number for people.
And yes, that makes a lot of sense for indices. But to believe it in any way can or should be used for authentication is brain dead.
Re: (Score:3)
There's nothing wrong with using a SSN as an identification. The problem is when you use it as authentication.
Re:want to see something really scary? (Score:4, Interesting)
There's nothing wrong with using a SSN as an identification.
Other than the fact that my Social Security Card says quite clearly on the front "not to be used for identification", you would be right. Maybe.
Re: (Score:2)
Re: (Score:2)
Aside from the assertion on the card, why do you think it would be bad?
Re: (Score:2)
Aside from the assertion on the card, why do you think it would be bad?
I think the promise of the government not to do something when they are trying to get rid of objections to that process should be sufficient to make it a bad idea on its face.
Beyond that, we're into a discussion of the idea of a national ID card, which is arguably bad, and not an argument I want to get into today.
Re: (Score:2)
Businesses need to have a unique way to identify their clients.
Using a unique number as identification is no different than using a combination of name, birthday, and some other properties, except that the number is much more convenient.
Silly irrational reasons aside, of course.
Re: (Score:2)
Businesses need to have a unique way to identify their clients.
So, I see you want to argue a national ID system. Ok.
I could go on, but that sufficiently deals with the "Businesses need..." argument.
Using a unique number as identification is no different than using a combination of name, birthday, and some other properties, except that the number is much more convenient.
Other than the fact that the government did not issue me my name, birthday, or "some other properties", you've forgotten that a "state issued number" which lacks any reference to name, gender, height, weight, color of hair, birthdate, pl
Re: (Score:1)
A better counter to the intended claim would be to support the above claim. Businesses should have a unique way to identify their clients, it should not be a copy of someone else's (the govt's) way.
Re: (Score:2)
You're using the same word in different ways. 'identify' can mean 'reference' or it can mean 'authenticate'.
Your social security is, indeed, used to identify you. As in, it is used as a reference, instead of a name, which is not unique. It is a unique 'identifier', that is the entire purpose of it. It is an identifier in the same way that a GPS coordinate is.
What is printed on your social security card is using the word 'identify' to mean 'authentication'. Knowledge of a social security number does not demo
Re: (Score:2)
Other than the fact that my Social Security Card says quite clearly on the front "not to be used for identification", you would be right. Maybe.
[brackets in quote from GP are material from GP which was not quoted in parent, but is very relevant]
(1) An SSN is not the same thing as the card,
(2) The sense in which GP uses "authentication" is the sense in which the card uses "identification", that is
Re: (Score:2)
They are not using it as identification. They are using it to check your credit history, and if they hire you they need it to withhold and pay taxes, etc. I would expect them to want a birth certificate, driver's license, passport, or the like as ID.
Re: (Score:2)
Re: (Score:3)
People on the street know what their name is
Uh, no they don't. How would they?
Re: (Score:2)
Nobody from a small-town or a friendly neighborhood would ask this....
Re: (Score:2)
You're right, I'm from neither. But even if you are, only a handful or two of people know your name, not the entire world, so it's nothing like having a public profile page with your name on the Internet, which is accessible by all.
Re: (Score:3)
This is the same problem with the TSA: 75% of Americans only fly about once every 5 to 10 years. So they don't care about the groping. In fact, most haven't even been to an airport since the groping started.
Re: (Score:2)
It makes you wonder how long it will be before the TSA has groped enough people to have pissed everyone off (or enough people to get policy changed).
Re: (Score:2)
Re: (Score:1)
I still do. It's an almost useless waste of time, money, and resources. About all we needed was more secure doors for the cockpits and increased public awareness. The TSA is nothing more than security theater to me (even if they aren't violating everyone's privacy, but they currently still are).
Re: (Score:2)
The scanners have been adjusted for radiation levels
Oh, really? How did they do that?
The showing a "cartoon" software change has been done to SOME scanners, not all, AFAIK.
Re: (Score:1)
Just flew this weekend and made sure to ask for a groping so I knew how it went. Wasn't that bad.
The larger question of whether they should be doing it at all definitely remains, though.
Re: (Score:2)
1. Create a new national ID system.
2. Use this as an excuse to get rid of the entire social security system.
Re:But SSNs aren't identifiers! (Score:4, Insightful)
The SSN was never intended as a means of identification initially, but:
1. When a system of identification was needed, the SSN system was already in place;
2. In theory, SSNs have a 1:1 person-to-number correspondence, unlike other forms of identification (name, birthplace, birthdate, etc.);
3. Without such a system, the government would perform much more invasive checks for things like employment, voting, and banking.
So either you accept that the government shouldn't be doing such things (so "illegal" immigrants can work, dead people can vote, and terrorists can open bank accounts, e.g.) or you recognize that SSNs are the lesser of two evils.
That doesn't mean there couldn't be a better system, but such a system would invariably require the government to keep even more information about its citizens.
Re: (Score:2)
that'd mean the government broke its promise when it instituted the Social Security program.
Wait, what? What do you think the two S in SSN mean?
Re: (Score:2)
Wait, what? What do you think the two S in SSN mean?
"Social" and "security".
That has nothing to do with the promise that the SSN would never be used as a national ID, which is the promise already broken.
The next promise to go will be the "security" part.
It will always be "social". I guess. Kinda like a government-run Facebook or MySpace. More like MySpace, since it will be suckier.
Bad writeup (Score:5, Informative)
Roundabout... (Score:3)
I find this article title to be silly.
What they do is use facial recognition to match people to their Facebook profile, then use the details stored there to obtain the SSN.
Up next:
- How names and surnames can Uncover SSN
- How giving people your email address can Uncover SSN.
- How running a facebook search can Uncover SSN
Re:Roundabout... (Score:5, Insightful)
I find this article title to be silly.
What they do is use facial recognition to match people to their Facebook profile, then use the details stored there to obtain the SSN.
Up next:
- How names and surnames can Uncover SSN
- How giving people your email address can Uncover SSN.
- How running a facebook search can Uncover SSN
Researchers demonstrated a clearly fatal flaw in SSNs. They have shown beyond a shadow of a doubt that the current SSN system is unsuitable for usage. They did this years ago ... and nothing has changed. It's not a political talking point. There's no proposed solution sweeping in to correct the problem. SSNs still are the gateway to every American's private information, and there's no sign that this will stop being the case, despite clearly-fatal flaws.
I welcome anything that makes this scary enough for people to demand that SSNs be immediately deprecated. This article is just the same researchers shouting louder, but the system does need to change.
Re: (Score:2)
That's because the only workable solution is to replace the SSN with another government issued ID - Real ID. And that went over like a lead balloon in a lot of places, as people tend to freak out when you explicitly tell them that they will be issued a unique ID number. If it's an SSN people don't freak out because they've had it since birth and accept it as a normal part of life.
Scaremongering (Score:2)
The algorithm found out people's hometowns and dates of birth, and used it to determine the first 5 digits of the SSN (not the scarier last 4 digits).
Re: (Score:3)
The same 4 digits that Universities regularly post on the walls of lecture halls because they don't want to post your grade next to your name?
Re: (Score:2)
Not exactly. (Score:2)
Not even nearly... (Score:2)
SS numbers are 9 digits long. Matching the first 5 digits isn't matching 9 digits. The first 3 are associated with place, the second 2 are fairly predictable based on when the SSN was issued, but the last 4 are just assigned sequentially [ssa.gov]. Also, there is no requirement to get an SSN shortly after birth [ssa.gov], so SSNs aren't even
Re: (Score:2)
I have a twin. We were (obviously) born in the same place at roughly the same time (three minutes apart). The first five digits of our SSNs differ.....I'll leave it as an exercise for the reader to determine by how much.
Just saying.
Re: (Score:2)
Re: (Score:2)
My point was that knowing my hometown (place of birth) and birthdate wasn't sufficient to distinguish the first five digits of my SSN given that I have an example of a person with the same place of birth and same birth date (my twin). It's a counter example to the hypothesis that knowing those two bits of information gives you the first 5 digits.
You've added another variable which cannot be gleaned from FB (as far as I know).....that variable is one of a) assignment date, b) application date, or c) pile the
Re: (Score:2)
What I'm reading from this is that as an individual you'll probably get lost in the crowd, but for someone using this technique they'll be able to get SSNs from a significant proportion of the people they look at. So I'm sleeping at night by thinking attack vectors are possible, but they probably won't hit me.
Re: (Score:2)
Re: (Score:2)
the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth
That's not a security flaw - that's a good thing. As long as the SSN is used as intended - as a unique key - everything that makes it easier to find that key is good.
The flaw is trying to use that key for authentication.
the article says they only got the first 5 digits (Score:2)
Which makes sense, since you couldn't more than guess at the last 4 no matter how much info you have.
Is it really an issue that people can use a webcam to make up a number which shares 5 digits with my SSN?
a con-artist could ask for your whole SSN (Score:2)
Why do I need the webcam again?
Yes, I'm aware of the link to the first 5 digits. That's how they make up their SSN that matched 5 digits.
It's the last 4 that is the trick and they didn't move the needle on this.
You're far more likely to have your SSN taken in a hacking right now than by this webcam anyway.
Weird way to put it (Score:1)
Finding SSNs by using facial recognition software is just one use of this; more important is that facial recognition can be used to search for people and find who they are. Sure, SSN is part of that data, but it looks like the more important part here is connecting the face to the name and location.
headline fail (Score:1)
first thought: "... how could the government know what your face will look like when they give you your ssn?"
The real headline should be: "Access to your Facebook Profile can uncover your SSN"
First line: "Oh btw, you can figure out whose facebook profile to troll by using facial recognition."
Article doesn't even make sense (Score:3)
Finally, the third experiment was the one to link faces to their unique nine digits
For those participants who had date of birth and city publicly available on their account, the researchers could predict a social security number (based on the work from their 2009 study). The researchers sent a follow-up survey to their student participants asking them whether the first five digits of the social security number their algorithm predicted was correct.
I'm missing a little something here.
Until recently, the first five digits were, by definition, based on state/city and birthdate. Ask a genealogist or anyone interested in "private eye" stuff from the past couple decades... they probably have a table you can look up the first five vs location. The first three were strictly based on state; I was born in WI in the 70s; we all have the same first 3. The next two were issued more or less by city/hospital. So everyone born in the same hospital, pretty much for that year, has the same first five. At most, they had a rather shallow pool of a couple to draw from. Why they needed a study in 2009 to "discover" something that has been in endless publications is a mystery. It's like saying we need a "study" to "discover" how to fill out an IRS 1040 form based on neural network analysis of a statistical sample of tax returns, or we could just RTFM or RTF govt publication explaining in great detail what the answer already is.
You don't even need a statistical sample study. Just pull the SSDI and chug away. Social Security Death Index. Notice anything interesting about the publicly available SSNs for people born in Milwaukee in the mid 70s who are already dead? You have to wonder about old people, if the only person left alive from my Grandma's birthplace/birthyear is granny, and all SSNs for that year and hospital are in the SSDI except for the one ending in 1234, and she's the only one left alive, hmm, I wonder what granny's SSN might be? The point being that the "secret" is by no means 4 digits long = 1 out of 1e4. It's more like 1 out of (1e4 minus the number of dead people per the SSDI). I would imagine some entire swaths of the SSN namespace are dead people in the SSDI, except for the few elderly still living.
The other mystery is all they verified was the "public" half of the SSN. The "private" 4 digits were not verified. So, they've accomplished ... nothing.
Re: (Score:2)
For somebody born in the 1970s, an SSN application might not have been filed until needed for a job.
Simply not true. I lived it. Back in ye olden days when SSNs were considered the public identifier that they are, I think about 1/4 of my army reserve unit had the same first 5 as me...
There has been a big push to get hospitals to get kids SSNs upon birth for a long time. Maybe a kid born with a midwife in a commune in the 70s wasn't assigned a SSN until the early 90s, but I've never heard of that.
Check out
http://www.ssa.gov/history/ssn/ssnchron.html [ssa.gov]
If mom and dad opened a minor savings account for the ki
Re: (Score:2)
The first three numbers are indeed a geographic tag, but it's where the SSN office is that processed the application. I was born in Wisconsin in the 70s, too - the first digit of my SSN is "2", because my SSN is not a Wisconsin SSN. I agree with most of the other stuff you posted; in fact, I'm surprised that you got that wrong.
No, I willfully ignored it. I do some genealogy and as you probably know, the SSDI makes dead relatives' SSNs public upon death. Both evidence from my own family, and in general reading on genealogical research, your situation is very unusual. Going "all the way back" pretty much everyone born after the late 30s has a SSN from the hospital they were born in, usually in the state they live in.
I'm guessing a special situation that doesn't apply to many people:
1) Military family getting transferred around?
2) Y
Guys? (Score:1)
The article says they used a $35 webcam. Imagine what they could have done if they had a $100 webscam! That would be almost 3 times the facial recognition and 3 times the SSN cracking! Oh noes! Don't give them any more funding! -www.awkwardengineer.com [awkwardengineer.com]
The first 5 digits of a SSN is not a SSN (Score:1)
No word on how well they did, either.
From the Schneier Study: "Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that fo
Re: (Score:2)
And in fact, if I recall correctly, they are moving away from the old method with newly issued numbers.
It's not the birthdate that matters as much as the date of SSN issue though. For those of us the age of college students' parents, we weren't issued numbers at birth.
My sister, three years younger, and I both got ours at the same time. They differ by the last two digits.
Re: (Score:2)
For a few years now, SSNs have not been issued to international students on arrival / enrollment, but only when they take up their first student job (if any)... On arrival they get an ITIN number instead. And yes, many places that demand the SSN don't know what to do with the ITIN when they get one (despite the fact that the law states it should function in almost the same fashion).
Problem is not SSN. It is the banks. (Score:2)
As long as the Republicans are in the pockets of these banks and fight
Re: (Score:2)
You think Democrats aren't in the pockets of banks? Seriously?
Re: (Score:1)
libel and slander of aggregation (Score:2)
Hate to intrude with an original thought. We have fairly strict libel laws to prevent slathering misinformation about a person hither and yon, whether the SOB deserves it or not.
Linking vast swathes of electronic records together of dubious provenance, accuracy, and agenda is in many ways worse than public slander: it only takes place in closed rooms behind your back with your immediate financial interests at stake, it's hard or impossible to prove this is going on, and recourse under the law heavily favo
What kind of algorithm ... (Score:1)
please (Score:1)
First off, hometown don't mean shit.
I didn't get assigned my SSN in my hometown, I was across the country at the time.
In fact, I've had local pigs claim I was giving them a fake SSN back when I would get hassled more (when I was a junkie).
Of course, the average IQ of the local police is like 12 or something.
But whatever.
The other weird part is, most peeps I grew up with, don't live here anymore. So once again, what does hometown have to do with shit?