Mar 20, 2008
Your State ID
By now, everyone clearly understands that, in the grand scheme of things, their SSN is probably one of the most important numbers they need to keep safe and secure from public view. That's usually because most of the other information that the credit agencies require to validate their identity is known to almost anyone who wants to know. Their birthday. Their home phone. Their home address. Not that the SSN is _critical_ for them to get your report - oh no - the CRAs can look you up even without your SSN _and_ give that to certain parties who sign a statement claiming to be from law enforcement (or a few other related categories). Ever wonder why certain utilities will ask for your SSN, but if you refuse, they seem satisfied with just getting other identifying information? But at least there are a few locks on the door to this data.
If you think about the information you memorize, you realize it falls into two broad categories: sensitive information about you that is difficult to get, such as credit card numbers, PIN numbers, Social Security Number, etc., and non-sensitive information such as your birthday, your listed telephone number, etc. I strongly believed one's State ID/Driver's License number belonged to the former category.
I was wrong.
Recently, I stumbled upon the algorithm used by a few states to generate driver's license numbers. It's been public knowledge for a long time. So, if you know someone's name and birth date, you can generate their DL number. Why is this so unnerving?
Well, for starters, every mom and pop shop I know that wants to use your card for a high-value transaction wants you to fax a copy of your DL and CC. Depending on the Mom (or Pop), this DL number is checked to make sure it is valid before allowing the transaction. Also, at least one of the CRAs I know would like you to fax a copy of your Driver's License if you fail to authenticate at their site, if you, you pathetic non-law-enforcement civilian, want to get your hands on your credit report. Once they get the fax, they review the DL# against their database, and if it matches - you're in! You generate the correct DL number, you can charge whatever you want. Become whoever you want.
Posted by Random InfoSec Guy at 2:39 PM