Can New York Times cause Identity Thefts ? Sure.
Today I ran into an interesting New York Times article on Identify Thefts/Frauds. Here is a link to that article - Think Your Social Security Number Is Secure? Think Again.
This article informs users about the threats of identity theft and has a link to a search page developed by a company called TrustedID, where people can test if they could be a potential victim to identify fraud. Do not enter your social security number here. Here is the link to the site the article mentions - StolenIDSearch.
It is ironical that the search site violates all principles of online security which can lead to identity thefts as millions of New York Times readers who trust New York Times lose their social security numbers just to check if they have already been stolen.
New York Times should have respected user privacy, and ensured that this site used secured hash functions such as MD5 or SHA1 to verify the social security numbers instead of making users send the number unhashed to this internet site. Here is the safe way to do this -
How can such search sites verify Social Security Numbers without revealing them -
One way to do it is - to include a Java Script hash function (such as MD5 or SHA1) in the search page. At the minimum, they should hash the social security number entered on the search page before sending it to the site, and then compare it against the database of hashed social security numbers. Of course - Ideally, Web browsers should provide secured hashing functions so that users don't have to trust the web sites implementation, based on universal web standards.
Lastly, the scheme can be made more secured by including a nonce (non-repeating random number with a monotonically increasing 32 bit counter) to hash the SSN with first and last name, and then sent to the site for comparing against the database of hashed SSN entries. While this is more secure, it is more compute-intensive, since pre-generation of hashed entries cannot be done due to the use of the random key.
In conclusion, New York Times did a great job describing the threats of Identity frauds but it should have been more responsible and respected user privacy by not directing them to sites that can potentially steal social security numbers while verifying if the SSN is already stolen, by not following basic security principles (such as - using hashing to verify without revealing).
Vishal.
Today I ran into an interesting New York Times article on Identify Thefts/Frauds. Here is a link to that article - Think Your Social Security Number Is Secure? Think Again.
This article informs users about the threats of identity theft and has a link to a search page developed by a company called TrustedID, where people can test if they could be a potential victim to identify fraud. Do not enter your social security number here. Here is the link to the site the article mentions - StolenIDSearch.
It is ironical that the search site violates all principles of online security which can lead to identity thefts as millions of New York Times readers who trust New York Times lose their social security numbers just to check if they have already been stolen.
New York Times should have respected user privacy, and ensured that this site used secured hash functions such as MD5 or SHA1 to verify the social security numbers instead of making users send the number unhashed to this internet site. Here is the safe way to do this -
How can such search sites verify Social Security Numbers without revealing them -
One way to do it is - to include a Java Script hash function (such as MD5 or SHA1) in the search page. At the minimum, they should hash the social security number entered on the search page before sending it to the site, and then compare it against the database of hashed social security numbers. Of course - Ideally, Web browsers should provide secured hashing functions so that users don't have to trust the web sites implementation, based on universal web standards.
Lastly, the scheme can be made more secured by including a nonce (non-repeating random number with a monotonically increasing 32 bit counter) to hash the SSN with first and last name, and then sent to the site for comparing against the database of hashed SSN entries. While this is more secure, it is more compute-intensive, since pre-generation of hashed entries cannot be done due to the use of the random key.
In conclusion, New York Times did a great job describing the threats of Identity frauds but it should have been more responsible and respected user privacy by not directing them to sites that can potentially steal social security numbers while verifying if the SSN is already stolen, by not following basic security principles (such as - using hashing to verify without revealing).
Vishal.
