The Danger of Algorithms
A report that came out recently shows how Social Security numbers, an important piece of identity information in the US, can be predicted. According to this C|Net article, that could enable fraud on a massive scale once someone's date of birth is disclosed. The reason the prediction works is that an SSN was never a random value: the leading digits encode the state where it was issued and the remaining digits were handed out roughly in order of application, so knowing where and when someone was born narrows the candidate numbers dramatically.
So many sites want to get this piece of information from you, often to ping you on your birthday or give you some gift. I’ve always been wary, however, and usually put in April 1 instead of my real birthday. It makes for lots of birthday wishes on that day, but that’s OK. I appreciate the thoughts, even if they are a few months off.
This highlights the danger of using a predictable algorithm to generate data. Unfortunately there are plenty of people out there who will maliciously find ways to misuse data, and if they can work out how you generated one value, they can extrapolate from it to calculate what other values exist in your system. I know most people who need to generate codes often don't spend a lot of time ensuring they've picked a good method from a security point of view.
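The extrapolation described above, as an added example that is not part of the original editorial: a hypothetical site issues 8-character gift codes, and its naive generator seeds Python's non-cryptographic `random` module with the issue time in whole seconds. An attacker who learns one code and roughly when it was issued can recover the seed and then compute every other code issued around the same time. The same idea is what makes the SSN allocation scheme predictable. The names, the code format and the time window are assumptions for illustration; `secrets` is the standard-library fix.

```python
import random
import secrets
import string

# Hypothetical code alphabet and length for the illustration.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 8


def weak_code(issued_at: int) -> str:
    """Naive generator: a Mersenne Twister seeded with the issue timestamp.

    Anyone who knows (or can bracket) the timestamp can reproduce the code,
    because the seed is the only secret and it is not secret at all.
    """
    rng = random.Random(issued_at)
    return "".join(rng.choice(ALPHABET) for _ in range(CODE_LEN))


def recover_codes(known_code: str, approx_time: int, window: int) -> list:
    """Attacker's side: given one leaked code and a rough issue time,
    search the seed space (a few seconds either side), then enumerate the
    codes issued in the eleven seconds around the match.

    Returns an empty list if no seed in the window reproduces the code.
    """
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_code(t) == known_code:
            # Seed found: every neighbouring code is now computable too.
            return [weak_code(s) for s in range(t - 5, t + 6)]
    return []


def strong_code() -> str:
    """Correct generator: a CSPRNG with no reproducible seed.

    Knowing one code tells an attacker nothing about any other.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))


if __name__ == "__main__":
    # Constructed scenario: code issued at t=1_700_000_000, attacker is
    # off by up to a minute in guessing when.
    leaked = weak_code(1_700_000_000)
    print("leaked code:", leaked)
    print("codes recovered by attacker:", recover_codes(leaked, 1_700_000_030, 60))
    print("strong code:", strong_code())
```

Note that `recover_codes` needs only the leaked code and a guess at the time; it never touches the site's database, which is exactly the extrapolation the editorial warns about.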
The key here is to keep pieces of information separate, so that a criminal cannot simply combine them and perform the extrapolation. That gets harder and harder to do, largely because of the job many of us do: we gather data into SQL Server and other platforms and make it easy to join it all together.
As with many of the problems I see in today's world, I don't have a perfect solution to this one. However, I think many of us handle data insecurely, often storing and comparing the actual values when a hash or digital signature would work instead. I know some of that is because we don't have great tools for working with digital signatures, but it is also because it's a complex process.
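One way to compare a hash rather than the actual value, as an added example that is not part of the original editorial. It also shows the caveat a practitioner needs when the value is an SSN: a plain, unkeyed hash of a 9-digit number is trivial to reverse, and if the attacker already knows the first five digits from the birth data the editorial talks about, only the 4-digit serial remains to enumerate. The fix is a keyed hash (HMAC) whose key is held outside the database, which is the "keep pieces of information separate" advice in code form. The key handling, the column layout and the sample SSN are assumptions (the SSN is constructed, not a real assignment).

```python
import hashlib
import hmac


def normalize_ssn(ssn: str) -> str:
    """Strip dashes and spaces; an SSN is exactly 9 digits (area-group-serial)."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def unkeyed_hash(ssn: str) -> str:
    """What many applications store: SHA-256 of the raw SSN. Looks opaque,
    but the input space is only 10^9, and far less once birth data is known."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def brute_force_unkeyed(target_hex: str, known_prefix: str):
    """Attacker who knows the stored hash and the first five digits
    (area + group, guessable from state and date of birth) needs at most
    10,000 hashes to recover the full number. Returns the SSN or None."""
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def ssn_token(ssn: str, key: bytes) -> str:
    """What to store instead: HMAC-SHA256 under a key that lives outside the
    database (assumed here to come from a KMS, HSM or app-server config).
    Without the key, the 10^9 search above cannot even be started."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def verify_ssn(candidate: str, stored_token: str, key: bytes) -> bool:
    """Compare tokens, not SSNs. compare_digest avoids leaking how many
    leading bytes matched through timing differences."""
    try:
        return hmac.compare_digest(ssn_token(candidate, key), stored_token)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: a made-up SSN and a fixed key for the demo only.
    demo_ssn = "123-45-6789"
    demo_key = bytes.fromhex("00" * 31 + "01")

    weak = unkeyed_hash(demo_ssn)
    print("unkeyed hash reversed to:", brute_force_unkeyed(weak, "12345"))

    token = ssn_token(demo_ssn, demo_key)
    print("stored token:", token)
    print("verify correct SSN:", verify_ssn("123456789", token, demo_key))
    print("verify wrong SSN:  ", verify_ssn("123-45-6780", token, demo_key))
```

The token still lets the application answer "is this the SSN we have on file?" without the database ever holding the number itself; anyone who dumps the table gets tokens that are useless without the separately held key.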
Credit card companies, banks, and other institutions often have complex rules for how they handle and process data. I think more of their secure methods of handling data should be published and taught so that other companies can learn how to build more secure applications.