Can you be completely anonymous? Not while browsing the Internet, we know what Tor is for, but in real life. Johan Hybinette discussed this topic this morning at DefCon, pointing out various loopholes here and there that would allow one to gain complete anonymity.
First off, social security number. There’s no real way to get a fake one, except for manufacturing a fake card, but the government has a Web site, where one could verify social security numbers by last name. You have to be a US employer to gain access to the Web site. Faking one is close to impossible, since the number could be easily verified, and therefore an attacker would have to steal one. Stealing one is easier than one would think. Are you used to calling the bank and being asked for your social security number last four digits?
Last four digits couldn’t be too much, could it? After all, there’s 5 digits that the attacker still has to guess, and the possibilities range from 000-00 to 999-99. Not quite. The first three digits of the social security number are determined by the place that issues you the Social Security card. If you’re a native American, that’s the local Social Security administration at the time of birth. If you’re naturalized, it’s whatever office you used to get your original SSN.
What follows is the group #. The group # is those two digits following the SSN office number, and the infoirmation is available from Social Security Administration. Basically, the numbers range 00 to 99, and Social Security Administration is publishing a bulletin where it says, which group number it’s on right now. If you can estimate the victim’s age, you almost have the group number figured out, or at least guessed within a very close proximity. Get someone with access to SSA social security number verification site, and you can easily run a check of your best bets.
After that comes the passport. It’s extremely hard to gain a valid US passport, unless you’re an American, and therefore few people attempt it. However, if an attacker steals the identity of a valid SSN holder, getting a passport becomes a bit easier. Therefore, if you’re an American and you don’t have a passport, get it. Even if you don’t plan to travel, there’s a possibility that someone might abuse your identity just to get a passport. Beyond US passports, there’s a possibility of getting some other countries into helping you to create your fake identity.
Are you Jewish? Apply for Israeli citizenship. Are you Irish? You can apply for Irish citizenship and get a perfectly valid passport from Ireland? Have tons of cash? Argentina, Bahamas and some other country would be happy to issue you a passport of their own that they revoke frequently? Have some money but not a lot, and don’t intend to travel? Get a passport of Soviet Union, British Honduras, or another country that doesn’t exist anymore. Those passports are not good for travel, since the personnel is trained to spot them, but you can get a perfectly good bank account with those.
US birth certificates – hard to obtain, hard to use. Most of the attackers don’t try them. Some states, however, will renew a birth certificate if you claim it lost and provide a valid social security card and a driver’s license.
So what about driver’s license? Those are reasonably easy to get if you’re within the United States and don’t have any qualms about visiting your local DMV. However, after standing in line, being yelled at, and being exposed to people with pretty bad body odour condition, you can only get a license for yourself, so what’s the point of doing that?
There’re are always novelty driving license sites, if you do not intend to ever use the driving license in front of the government official such as cop, who can check the numbers against the database, those will work. However, frequently attackers would go against terminally ill or very old people, offering them some cash for turning over all the personal details (driver’s license, SSN, passport #, certificate of birth) and paying them not to submit the certificate of death. When the person goes away, living the very last days off attacker’s generous financial donation, an entire identity is up for grabs and becomes an extremely hot black market commodity.
Hybinette’s talk was both informative and disturbing, and some loopholes in the US legislature, such as the possibility of coming back to the country on an Irish passport (which is extremely easy to get as long as one of your ancestors can claim a drop of Irish blood) will be shut down.
