Be careful with social networking sites like facebook and myspace.  A recent study published in The Proceedings of the National Academy of Sciences proves that a social security number can be guessed based on the individual’s date of birth and birthplace.

Consider, for instance, an attacker who rented a small botnet (10,000 IP addresses) to apply for credit cards impersonating 18-year-old West Virginia-born U.S. residents (whose state and
dates of birth he has obtained from commercial databases).  Assuming that an IP address gets blacklisted by an online credit card issuer after 3 incorrect attempts, that the criminal distributes his or her attacks across 20 issuers and can find birth data for 50% of the potential targets, and that inquiries with the correct first 7 of 9 digits are sufficient for a CRA to answer with a positive match in 50% of the cases, he could harvest credentials at rates as high as 47 per minute, obtaining [approximately equal to] 4,000 credentials within 2 h before his or her IPs are blacklisted…

Read the rest of this entry »