SSN is an acronym for American, and DOB is a shorthand for English.
Yet, their meaning is widely known around the world, not least because of their widespread use in reporting and discussing identity theft and cybercrime.
Short for SSN Social security numberWhich effectively translates to a U.S. National ID number, and DOB Date of birth.
Ironically, an SSN does not actively To identify You – it’s really just one Labels That can be used as a unique Identifier For the purpose of keeping records.
In other words, just knowing someone’s SSN does not prove that you are that person.
Unfortunately, however, if you are an identity thief, knowing someone’s SSN (or the equivalent personal identifier in your country) is a good starting point, as it can often be combined with other personal information to get past identity tests.
The theory is that if you have a 1% chance of figuring out someone’s SSN and a 5% chance of guessing their DOB, then only a 1% × 5% chance (which is 0.01 × 0.05 = 0.0005) of both is found correctly, and that probability of 0.05% -The total probability represents a difference of only 1 out of 2000.
Other personal details such as a passport number, a scan of a driving license, specific home address, phone number and more …
… And, at the very least, theoretically, you can minimize the likelihood that unless you make sure that someone can provide all the data you request, that is, if they are, in fact, the real owners of SSN. Introduced to start with.
This theory, of course, bunkum.
You can only multiply the probabilities together as we did above if they are completely independent of each other, such as tossing two consecutive coins.
But the chances that someone can accurately “guess” both your SSN and your DOB are not independent.
For a start, you need to factor in the probability that if they find a way to discover your SSN, they may find a similar way to discover your DOB at the same time.
In some countries, the local equivalent of SSN is far from random. In South Africa, for example, the country’s national ID numbers are generated from data including your DOB (abbreviated YYMMDD), a serial number with gender and citizenship status, depending on how many more people were born at the same time. Give like you. In other words, if you already know someone’s ID number, you have a 50-50 chance of finding out their DOB correctly, due to the fact that no one born in 1800 is still alive. Of course, if you know how old they are, you can be sure that they were born in this millennium or the end, so you know that their real DOB starts 19xx or 20xx. In this case, if you know someone’s ID, the chances of them “guessing” DOB are effectively 100%. Similarly, if you know their DOB, their gender, and where they were born, you can almost certainly predict 8 of the 11 numbers needed to create their 13-digit ID number. (The 12th number is almost always 8 and the 13th number is a checksum calculated from the others.)
SSNs rarely infringe on themselves
As you can imagine, data breaches where miscreants hold personal data that includes SSN rarely go away with only those SSNs, due to the fact that some database files contain a list of SSNs and no other data.
For example, when crooks enter a company’s network, they often go after HR records because employers are usually required to collect a significant amount of personal information about each employee, both legal and operational.
Employers usually need to have proof that you claim and that you are legally entitled to seek employment in the country; They need to know how to pay you; They are obliged to report your earnings to the tax office; If you are expected to drive for your job, you must have your driving license in their file; And much more.
In addition, we just wrote about yesterday, the information is ours Active Adversary Playbook 2022 Suggests that the growing number of network intrusions is not about disrupted ransomware attacks, but about taking the time to submit corporate data to sell to other crooks.
In other words, darkweb data brokers usually do not acquire and sell one type of data point for each victim.
Thus the name SSNDOB Market As you can see in the headline – an online data marketer that wants viewers to know that it has sold with at least matching SSN and DOB and other personally identifiable information (PII).
According to the US Department of Justice (DOJ), SSNDOB claims to have a PII. Up to 24,000,000 Americans (Although we don’t know how much data was there, or how accurate it was).
The DOJ says the site’s operators have earned more than $ 19,000,000 in the past few years, typically using Bitcoin to transfer this data to willing buyers in exchange for pseudonym payments.
Unfortunately, the DOJ did not arrest the suspected operators of the SSNDOB market, but, with the help of law enforcement partners in Latvia and Cyprus, it obtained a court order allowing it to seize server names used by fraudulent data brokers. .
Anyone a visitor ssndob.ws, ssndob.vip, ssndob.club And blackjob.biz It will not end where it probably did.
Instead, they will see:
This may not be the result that DOJ and its European counterparts expected, but each helps a little.
As David Walker of the US FBI Comments In the DOJ press release:
These seizures demonstrate the FBI’s strong commitment to working with our international partners to thwart malicious cyber activity. Breaking down illegal marketplaces that threaten the privacy and security of the American public is a priority for the FBI.
It’s also a good reminder that gaining cyber security on your network not only protects your company, but also your employees, your business partners, your suppliers, your customers and everyone else on the Internet.
In other words, cyber security represents a very interesting kind of altruism: it is something you need to do to protect yourself and your business, but it also helps keep the online world safe overall.
Don’t be part of the information leak problem, be part of the solution!
Not enough time or staff? Learn more about the Sophos-managed threat response:
Sophos MTR – Expert-led response 3
24/7 Threat Victims, Identification, and Response 3
