Originally published at: https://boingboing.net/2018/02/09/database-nation.html
…
or
both?
Both is good. Just let her get her head out of the way before the table flips.
Meredith Griffanti told CNNMoney Friday that the original list of vulnerable personal information was never intended to represent the full list of potentiality exposed information.
I really feel like this has become a matter for the police - I know the only way I could be made to utter a statement that oily and craven is if Equifax was holding a loved one hostage. Somebody help this poor woman!
While this isn’t good by any stretch of the imagination, it’s also not quite as bad as you’re thinking.
Many states use procedurally generated driver’s license numbers based on a few bits of personal information. So if a black hat has say, name, date of birth, and gender, they could generate a driver’s license ID that has a reasonable chance of correctness, and at a minimum that doesn’t look fake at first glance.
Since the driver’s license ID isn’t secure, it’s not critical for it to be leaked. The fact that it is used as some bit of secure identification in other contexts is much more of a concern.
That’s true of Social Security numbers, as well. I think one could do me much more harm if they had my actual SSN, than they could with an SSN that was similar to mine.
As for the real problem being that SSNs and driver’s license numbers are being used inappropriately? Although that is a problem, that ship has sailed and those numbers are out there. It’s like saying the real problem is that brake lines can be cut, rather than that mine have been cut. From my perspective, the latter is the real problem.
The first 3 digits of an SSN are assigned by zip code, and the next 2 are assigned chronologically. The last 4 are just arbitrarily incremented. If you know someone’s age and state of birth, you can reasonably guess the first 5 digits, but have no way to tell the last 4. “Fortunately”, most statements that include an SSN on it helpfully mask out the first 5 and only show the last 4.
When I said that you could reasonably generate a driver’s license number, I was probably unclear - with the states with known IDs based upon user information, you can guarantee to generate their actual driver’s license…unless there was a collision or some other bit of secondary info. But if you know name + age + gender, you can generate what would’ve been their DL, unless there are multiple people with the same name + age + gender that would cause a collision. So it’s not just a matter of getting a similar one, you can generate an accurate one, barring some additional info that may or may not apply.
But yes, agreed, the ship has sailed on what should and should not be used as a unique secure ID. All I’m saying is that while the DL ID leak is bad, it’s not as bad as people may think since it’s easier to guess a person’s driver’s license number than their SSN, and even guessing that is pretty easy.
It never will get that far. Equfax has too much dirt on everyone.
Like a justified SWATting…
I kid, but not really.
Help, help, there’s a hostage situation. The perps have 150 million hostages and nobody is doing anything about it.
Like voting records and access?
Scary but the driver’s license dump doesn’t seem to be new information.
Too big to care
If you know someone’s age and state of birth, you can reasonably guess the first 5 digits
For younger people, yes, because the rules changed such that parents couldn’t claim their children as dependents for tax purposes unless the kids had SSNs. But this wasn’t always true. Many older people did not have an SSN issued at birth but instead got one later, e.g., when they got their first job. For those folks, you’d have to know when and where, which can be a bit harder to derive even if you have their birth date and state of birth.
This topic was automatically closed after 5 days. New replies are no longer allowed.