

Carnegie Mellon can use your FB photo to find the first five digits of your SSN - sidcool
http://oregonbusinessreport.com/2011/08/facebook-and-facial-recognition-software/

======
tantalor
Headline missed an important point. FTA:

"Nearly 25 years ago, the Social Security Administration changed its system
for generating new social security numbers, inadvertently making it easier to
predict someone’s number from basic information. Once Carnegie Mellon
researchers identified students, they were able to access and match publicly
available information. In just four attempts, they successfully predicted the
first five digits of students’ social security numbers nearly 30 percent of
the time—all from a single photo."

The first step was to map a given photo to the identity of a student. That
might be something like name, DOB, and gender (i.e., "basic information").

The next step was to guess the SSN first five from the basic information.

The important point that the headline missed is that CMU already had the
student's basic information. There is no way you can guess the basic
information from a photo.

~~~
joe_the_user
No,

I think a read of the article shows they claim they matched the student's
photo to their Facebook profile and then the Facebook profile to other
publicly available information, getting them DOB or something equivalent.

So they indeed got all their information starting from a single photo.

~~~
dfxm12
Exactly. The HN headline still spreads FUD, unlike the headline on the actual
article. If you have reasonable privacy settings, you are protected from this
type of attack and this type of attack isn't made any more effective with the
use of facial recognition.

------
IanDrake
>In just four attempts, they successfully predicted the first five digits of
students’ social security numbers nearly 30 percent of the time—all from a
single photo.

The first 5 digits are not of much interest (compared to the last 5) AND it
can only guess right 30% of the time if it has 4 tries....

This is a non event. This type of FUD is going to generate some sort of
legislation that solves a problem we don't have. There are legitimate privacy
problems, but this isn't one of them.

~~~
tzs
They are getting it right about 4 orders of magnitude more often than one
would get from random guessing. You consider that a non-event?

~~~
IanDrake
>You consider that a non-event?

Yes. Guessing the first 5 SSN numbers gets you nowhere. Plus don't compare it
to "random guessing". There's some simple logic to make educated guess that
any human could do with a little effort. You should compare it to that, which
really means they're not doing anything new.

Guessing the last 4 would be different, but they can't do that.

------
qjz
For SSNs issued before 1973, you need to know the location of the issuing
office. For those issued after 1973, you need to know the mailing address on
the application. Therefore, location of birth seems to be the most important
piece of information, however you are led to it. This year, the process was
randomized to reduce geographical significance and increase the amount of
available numbers: <http://www.ssa.gov/employer/stateweb.htm>
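
A worked illustration of the point above, added here and not part of the thread or of the CMU researchers' method: before the 2011 randomization, the area number (first three digits) was tied to the applicant's location and the group number (next two) was handed out in a fixed, published order, so knowing the state and roughly when the number was issued collapses the 100,000 possible first-five prefixes to a few dozen. The area-number subset and the high-group snapshot in the code are assumptions made for the example (the area ranges should be checked against the SSA list linked above), and the search-space counts it prints are for this constructed data, not the study's figures.

```python
"""Added example (not from the thread or the CMU study): how location plus
SSA's group-number issuance order shrinks the first-five-digit search space
of a pre-2011 SSN.  The area-number subset and high-group snapshot are
assumptions for illustration, not data from the page."""

# SSA's documented pre-randomization group-number issuance order:
# odd 01-09, then even 10-98, then even 02-08, then odd 11-99.
GROUP_ORDER = (
    list(range(1, 10, 2))
    + list(range(10, 99, 2))
    + list(range(2, 9, 2))
    + list(range(11, 100, 2))
)

# Illustrative subset of the pre-2011 area-number-to-state mapping.
# Assumption: transcribed from memory of SSA's published list; verify
# against http://www.ssa.gov/employer/stateweb.htm before relying on it.
AREA_BY_STATE = {
    "NH": range(1, 4),    # 001-003
    "VT": range(8, 10),   # 008-009
    "RI": range(35, 40),  # 035-039
}


def groups_issued_through(high_group: int) -> list[int]:
    """Group numbers an area has used up to and including its high group."""
    if high_group not in GROUP_ORDER:
        raise ValueError(f"invalid group number {high_group:02d}")
    return GROUP_ORDER[: GROUP_ORDER.index(high_group) + 1]


def candidate_prefixes(state: str, high_groups: dict[str, int]) -> set[str]:
    """Every five-digit prefix (area + group) that could have been issued in
    `state`, given a snapshot of each area's high group at issuance time."""
    prefixes = set()
    for area in AREA_BY_STATE[state]:
        area_str = f"{area:03d}"
        hg = high_groups.get(area_str)
        if hg is None:
            continue  # this area had issued no numbers yet in the snapshot
        for g in groups_issued_through(hg):
            prefixes.add(f"{area_str}{g:02d}")
    return prefixes


def random_hit_rate(n_candidates: int, tries: int) -> float:
    """Chance of hitting the right prefix with `tries` distinct guesses
    drawn uniformly from `n_candidates` possibilities."""
    return min(1.0, tries / n_candidates)


if __name__ == "__main__":
    # Constructed snapshot (not real SSA high-group data): both Vermont
    # areas had reached group 90 when the target's number was issued.
    snapshot = {"008": 90, "009": 90}
    cands = candidate_prefixes("VT", snapshot)
    print(f"{len(cands)} possible prefixes vs 100000 for a blind guess")
    print(f"4 tries: blind {random_hit_rate(100000, 4):.5f}, "
          f"knowing the state {random_hit_rate(len(cands), 4):.3f}")
```

The snapshot is the lever: SSA published each area's current high group monthly, so an attacker who can date the issuance (for anyone enumerated at birth after the late 1980s, the birth date) picks the snapshot from that month rather than the latest one, and the candidate set shrinks further. None of this touches the last four digits, which is IanDrake's point below.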

------
yarone
I've wondered for a while about doing something similar for authentication.

1) Visit a new web app, click Sign In

2) For a moment, your webcam turns on (some UI clearly telling you so)

3) Your photo is taken and compared to millions of tagged photos on Facebook.

4) System determines that you are indeed John Smith[1], due to the fact that
dozens of facebook users (with similarities in their profile such as
age/location/college/etc.) tagged someone that looks just like you as "John
Smith." Therefore, the wisdom of the crowd (as measured by previously created
and tagged photos on Facebook) has determined that you are who you say you
are.

Zero-click sign-in.

[1] One teeny tiny issue: maybe you're not John Smith but just some guy with a
printed-out photo of John Smith :-)

In any case, I think authentication is a fascinating area that needs some
attention. It's really hard to create a not-easily-breakable-or-gamed way of
determining that a person is who they say they are.

------
alextingle
Fortunately I have neither Facebook photos, nor an SSN.

