BrianKrebs: Experian Vulnerability Shows Any Report with just SSN, DOB, ADR

Author : coloneltcb
Score  : 81 points
Date   : 2022-12-27 19:54 UTC (3 hours ago)

jrib wrote:
| "ADR" == "address" in this context
|
| > All you needed was the person's name, address, SSN and DOB.

lol768 wrote:
| Am I reading correctly that Krebs gave the vendor _three full days_
| (of which at least three are not working days), over the Christmas
| holiday to patch this before disclosure on Mastodon?
|
| I can understand (but not necessarily agree with) arguments for full
| disclosure when the consumer has a choice to avoid using the
| vendor... but, in this case?

  aaomidi wrote:
  | To give you an idea, when you're operating a CA, you only get 24
  | hours to respond to this type of stuff.
  |
  | Experian had 72.

  lapcat wrote:
  | No, what Krebs said was "So it's Dec. 27, and I still haven't heard
  | anything from Experian." In other words, they haven't even
  | _responded_ to his report.

  0ct4via wrote:
  | Given the gravity of the issue and the supposed standing of the
  | vendor, 3 days should be plenty of time to at least _respond_ --
  | working days or not.
  |
  | Additionally, Krebs has stated that Experian has _yet another_
  | glaring security issue. He's not saying exactly how to do it, or
  | dropping POC in the post.
  |
  | Given the size and importance of Experian, there's nothing wrong
  | with pointing out this issue, especially when after 4 days they
  | can't even _acknowledge_ an issue this serious.
  |
  | Krebs stating a vulnerability exists is more responsible than _not_
  | disclosing it -- given their importance, and history of security
  | screw-ups, the people have a right to know.

mindslight wrote:
| US. GDPR. NOW. Its definition of consent is paramount. The
| fundamental reason these bastards don't care about leaking your
| information is that they're already violating your consent by
| collecting all this information about you in the first place.
|
| The modern surveillance industrial complex would have made the most
| ardent Stasi agent blush. It is an unaccountable tyrannical
| quasi-government that has no place in a supposedly free society, and
| it's long past time the whole filthy industry were severely neutered.

jeffbee wrote:
| H&R Block used to give you any of their clients' tax returns with
| SSN, last name, and ZIP Code. I think this form of authentication is
| extremely common.
|
| The big problem with asking for SSN+DOB or SSN+ZIP or even SSN+Name
| is these are highly correlated. SSNs are issued in order by date, in
| tranches given to each hospital, which gives you a fair chance of
| guessing a ZIP. Once you have a ZIP and a year you can also make
| informed guesses as to last name.

  bagels wrote:
  | There are, at this point, I would have to assume, databases with
  | those in them available for purchase or download. No need to use
  | statistics and guesses.

  stonogo wrote:
  | That's how SSNs are distributed _now_. The majority of adults did
  | not get them assigned at birth. Before the 80s, it was common not
  | to get one at all until you started working. After the mid-80s a
  | child needed one for their parents to claim them as a dependent,
  | with the minimum age lowering until we reached today's situation.

    kylehotchkiss wrote:
    | Up until 2011. The SSA adjusted the distribution technique then.
    |
    | https://www.ssa.gov/employer/randomization.html

    jeffbee wrote:
    | Even before assignment at birth, they were geographically
    | allocated based on the applicant's address, which is even worse
    | because that allows you to make accurate guesses about recent ZIP
    | instead of ZIP at birth. These correlations were well-known even
    | before 1987, when they switched to assignment at birth.
    |
    | https://pubmed.ncbi.nlm.nih.gov/6613981/

      stonogo wrote:
      | Your linked paper is about correlating year of birth to a
      | social security number, which I would reckon is much easier
      | than correlating to zip code, given that social security
      | numbers both predate zip codes and were geographically assigned
      | based on the US State in which the applicant lived when the
      | number was requested. My own SSN was assigned to me at age ten
      | when I lived fifteen hundred miles from the place of my birth,
      | and I have moved a further thousand miles from there in the
      | meantime; there's basically no way to predict my ZIP code from
      | it.
      |
      | Anyway, according to that lookup table, I was born in 1927, a
      | conclusion with which I strenuously disagree. Those methods may
      | have been statistically useful in the year of publication but
      | so many things have changed, and so many more people move
      | between states than before the 80s, that I doubt its validity
      | now. As a reference, the pandemic drastically slowed down
      | American interstate household moves, but even so, 8% of the
      | population moved states in 2020 -- including 18% of people
      | between 20 and 29.
      | (https://www.weforum.org/agenda/2021/12/american-relocation-h...)
      |
      | In short, I think it may have been more feasible in the past to
      | draw these correlations, and now it's less feasible. On the
      | other hand, massive data leaks are de rigueur, so it's probably
      | just easier to buy databases from criminals on the internet.

(page generated 2022-12-27 23:00 UTC)