[HN Gopher] BrianKrebs: Experian Vulnerability Shows Any Report ...
___________________________________________________________________
BrianKrebs: Experian Vulnerability Shows Any Report with just SSN,
DOB, ADR
Author : coloneltcb
Score : 81 points
Date : 2022-12-27 19:54 UTC (3 hours ago)
(HTM) web link (infosec.exchange)
(TXT) w3m dump (infosec.exchange)
| jrib wrote:
| "ADR" == "address" in this context
|
| > All you needed was the person's name, address, SSN and DOB.
| lol768 wrote:
| Am I reading correctly that Krebs gave the vendor _three full
| days_ (of which at least three are not working days), over the
| Christmas holiday to patch this before disclosure on Mastodon?
|
| I can understand (but not necessarily agree) with arguments for
| full disclosure when the consumer has a choice to avoid using the
| vendor .. but, in this case?
| aaomidi wrote:
| To give you an idea, when you're operating a CA, you only get
| 24 hours to respond to this type of stuff.
|
| Experian had 72.
| lapcat wrote:
| No, what Krebs said was "So it's Dec. 27, and I still haven't
| heard anything from Experian." In other words, they haven't
| even _responded_ to his report.
| 0ct4via wrote:
| Given the gravity of the issue and the supposed standing of the
| vendor, 3 days should be plenty time to at least _respond_ --
| working days or not.
|
| Additionally, Krebs has stated that Experian has _yet another_
| glaring security issue. He's not saying exactly how to do it,
| or dropping POC in the post.
|
| Given the size and importance of Experian, there's nothing
| wrong with pointing out this issue, especially when after 4
| days they can't even _acknowledge_ an issue this serious.
|
| Krebs stating a vulnerability exists is more responsible than
| _not_ disclosing it -- given their importance, and history of
| security screw-ups, the people have a right to know.
| mindslight wrote:
| US. GDPR. NOW. Its definition of consent is paramount. The
| fundamental reason these bastards don't care about leaking your
| information is that they're already violating your consent by
| collecting all this information about you in the first place.
|
| The modern surveillance industrial complex would have made the
| most ardent Stasi agent blush. It is an unaccountable tyrannical
| quasi-government that has no place in a supposedly free society,
| and it's long past time the whole filthy industry were severely
| neutered.
| jeffbee wrote:
| H&R Block used to give you any of their clients' tax returns with
| SSN, last name, and ZIP Code. I think this form of authentication
| is extremely common.
|
| The big problem with asking for SSN+DOB or SSN+ZIP or even
| SSN+Name is these are highly correlated. SSNs are issued in order
| by date, in tranches given to each hospital, which gives you a
| fair chance of guessing a ZIP. Once you have a ZIP and a year you
| can also make informed guesses as to last name.
| bagels wrote:
| There are, at this point, I would have to assume, databases
| with those in them available for purchase or download. No need
| to use statistics and guesses.
| water8 wrote:
| [dead]
| stonogo wrote:
| That's how SSNs are distributed _now_. The majority of adults
| did not get them assigned at birth. Before the 80s, it was
| common not to get one at all until you started working. After
| the mid-80s a child needed one for their parents to claim them
| as a dependent, with the minimum age lowering until we reached
| today's situation.
| kylehotchkiss wrote:
| Up until 2011. The SSA adjusted the distribution technique
| then.
|
| https://www.ssa.gov/employer/randomization.html
| jeffbee wrote:
| Even before assignment at birth, they were geographically
| allocated based on the applicant's address, which is even
| worse because that allows you to make accurate guesses about
| recent ZIP instead of ZIP at birth. These correlations were
| well-known even before 1987, when they switched to assignment
| at birth.
|
| https://pubmed.ncbi.nlm.nih.gov/6613981/
| stonogo wrote:
| Your linked paper is about correlating year of birth to a
| social security number, which I would reckon is much easier
| than correlating to zip code, given that social security
| numbers both predate zip codes and were geographically
| assigned based on the US State in which the applicant lived
| when the number was requested. My own SSN was assigned to
| me at age ten when I lived fifteen hundred miles from the
| place of my birth, and I have moved a further thousand
| miles from there in the meantime; there's basically no way
| to predict my ZIP code from it.
|
| Anyway, according to that lookup table, I was born in 1927,
| a conclusion with which I strenuously disagree. Those
| methods may have been statistically useful in the year of
| publication but so many things have changed, and so many
| more people move between states than before the 80s, that I
| doubt its validity now. As a reference, the pandemic
| drastically slowed down American interstate household
| moves, but even so, 8% of the population moved states in
| 2020 -- including 18% of people between 20 and 29.
| (https://www.weforum.org/agenda/2021/12/american-
| relocation-h...)
|
| In short, I think it may have been more feasible in the
| past to draw these correlations, and now it's less
| feasible. On the other hand, massive data leaks are de
| rigueur, so it's probably just easier to buy databases from
| criminals on the internet.
| [deleted]
___________________________________________________________________
(page generated 2022-12-27 23:00 UTC)