Comment by BeefySwain
3 years ago
Hijacking here to say, literally all you need to get access to someone's employment + salary history is their SSN and birthdate.
edit: and a past employer that used this system
Birthdays are extremely easy to get (public record), and I seem to recall a specific large organization leaking a bunch of SSNs not too long ago.......
Unless you are very young (read: born after 2011) your SSN can be trivially brute forced if an attacker knows where and when you were born, because those details were (before 2011) mapped onto 5 of the 9 digits in an SSN.
You should assume your SSN is public anyway. There have been so many leaks, and it's not like a credit card where you get a new number if it is compromised.
Because it was intended as an identifier, not as a secret. The financial industry couldn't tell the difference between the two so now everyone tries to hide their IDs.
More accurately where you were born and when your SSN was issued (my brothers who are four years older than me got their SSNs at the same time I did). Some of us older folks were born in an era in which you didn't automatically get an SSN along with the birth certificate. And then there are people who weren't born in the US so will have had their SSN not matching birth year.
I also think it's less than 5 of the 9 digits that are reflected in this manner. That would not leave room for a lot of distinction in SSNs.
The first three digits are allocated in blocks to each state.
In Italy you don't even need to brute force them, you can generate them because the algorithm is public.
Except for the rare case of same name, same birthday, same place of birth, the generated code is always valid.
https://en.wikipedia.org/wiki/Italian_fiscal_code
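The comment above says the Italian fiscal code (codice fiscale) can be generated rather than brute-forced because the algorithm is public. The block below is an added example, not code from the thread or from the linked Wikipedia article: it derives the code from surname, given name, birth date, sex and the Belfiore code of the birthplace, and computes the check character, so a leaked code can also be verified offline. The Belfiore code `A562` in the sample data is used only as an example value; which comune it denotes is not asserted here. The "same name, same birthday, same place" collision case (omocodia) is handled by the registry by swapping digits for letters, which this example deliberately does not implement.

```python
"""Italian codice fiscale: generate from public attributes and verify the check character.

Added example illustrating the comment above; not from the linked article or any
official tool. Belfiore place codes in the sample data are assumed values.
"""
from datetime import date

VOWELS = set("AEIOU")
MONTH_CODES = "ABCDEHLMPRST"  # January .. December

# Check-character tables: characters in odd (1-based) positions use a scrambled
# table, characters in even positions use their plain index (0-9, A=0 .. Z=25).
_ODD = {
    "0": 1, "1": 0, "2": 5, "3": 7, "4": 9, "5": 13, "6": 15, "7": 17, "8": 19, "9": 21,
    "A": 1, "B": 0, "C": 5, "D": 7, "E": 9, "F": 13, "G": 15, "H": 17, "I": 19, "J": 21,
    "K": 2, "L": 4, "M": 18, "N": 20, "O": 11, "P": 3, "Q": 6, "R": 8, "S": 12, "T": 14,
    "U": 16, "V": 10, "W": 22, "X": 25, "Y": 24, "Z": 23,
}
_EVEN = {**{str(d): d for d in range(10)},
         **{c: i for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ")}}


def _letters(s: str) -> str:
    """Keep only A-Z (spaces, apostrophes and hyphens are ignored by the algorithm)."""
    return "".join(c for c in s.upper() if "A" <= c <= "Z")


def _surname_code(surname: str) -> str:
    """First three consonants, then vowels, padded with X."""
    s = _letters(surname)
    cons = [c for c in s if c not in VOWELS]
    vow = [c for c in s if c in VOWELS]
    return "".join(cons + vow + ["X"] * 3)[:3]


def _name_code(name: str) -> str:
    """Like the surname, except with four or more consonants the 1st, 3rd and 4th are used."""
    s = _letters(name)
    cons = [c for c in s if c not in VOWELS]
    vow = [c for c in s if c in VOWELS]
    if len(cons) >= 4:
        cons = [cons[0], cons[2], cons[3]]
    return "".join(cons + vow + ["X"] * 3)[:3]


def _check_char(first15: str) -> str:
    """Sum the per-position table values of the first 15 characters, mod 26, as a letter."""
    total = 0
    for i, c in enumerate(first15):
        total += _ODD[c] if i % 2 == 0 else _EVEN[c]  # index 0 is position 1 (odd)
    return chr(ord("A") + total % 26)


def codice_fiscale(surname: str, name: str, birth: date, sex: str, belfiore: str) -> str:
    """Generate the 16-character code. Women get 40 added to the day of birth."""
    day = birth.day + (40 if sex.upper() == "F" else 0)
    body = (
        _surname_code(surname)
        + _name_code(name)
        + f"{birth.year % 100:02d}"
        + MONTH_CODES[birth.month - 1]
        + f"{day:02d}"
        + belfiore.upper()
    )
    return body + _check_char(body)


def is_valid(code: str) -> bool:
    """True if the code is 16 alphanumerics whose check character matches."""
    code = code.upper()
    if len(code) != 16 or not all(c in _EVEN for c in code):
        return False
    return _check_char(code[:15]) == code[15]


def candidates(surname: str, name: str, birth: date, sex: str, places: list[str]) -> list[str]:
    """The attacker's view: with name, birthday and sex known, the only unknown is the
    birthplace, so the search space is just the list of plausible Belfiore codes."""
    return [codice_fiscale(surname, name, birth, sex, p) for p in places]


if __name__ == "__main__":
    # Constructed sample: a widely used textbook example identity, not a real person.
    print(codice_fiscale("Rossi", "Mario", date(1985, 12, 10), "M", "A562"))
    print(candidates("Rossi", "Maria", date(1985, 12, 10), "F", ["A562", "H501", "F205"]))
```

Running it prints `RSSMRA85T10A562S` for the first line; the second line shows how few guesses are needed once name, birthday and sex are known from a public profile.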
Hate to break it to you but that’s 21 year olds now :)
[edit: so I program for a living. you'd think I know how to subtract two integers??? I /assume/ I read 2001? at least I hope I did]
You mean 11? This freaked me out for a sec.
2022 - 2011 = 11, not 21.
It seems crazy to allow a large organization like that to continue operation after such an egregious error, especially if their business is centered around a bunch of personal information.
Their customers are happy. And that means Congress is kept happy. You are not their customer and Congress doesn't care if you are happy.
This is what crony capitalism looks like.
SSNs are generated by a not very secret algorithm. They were explicitly designed to be public information.
You don't need a data leak to get someone's SSN.
Also, malicious actors are almost never targeting you specifically. It is enough for them to
1) choose a birthdate
2) generate all SSNs associated with that birthdate
3) get all employment/salary histories accessible with that info.
4) scan the list for interesting targets
5) ...
6) profit
And you'd need to know a past employer, right? I couldn't seem to find a way to get access to the info without inputting an employer first.
Many people post their professional career on LinkedIn. Again, it seems easy to find this information through public sources.
Yep, 100% agree.
Good catch, I'll add that.