This report is related to the results of the sinkholing activity we conducted on a CARBERP communication-and-control (C&C) server. Our findings were initially published in this blog post.
We contacted identifiable hosts that may have been affected by the CARBERP infections monitored by a particular C&C server. Beyond typical name/account information and perhaps information related with electronic manufacturers, it appears another goal may have been to obtain names associated with social security numbers.
|Victim Sectors||Victim Domains|
Victims of such a crime may discover a few good remedies. The Social Security Administration will not place alerts on social security numbers reported in a breach or fraudulently used. Victims must detect fraudulent transactions and report these crimes to local law enforcement agencies and request that alerts be placed by a credit reporting agency, ironically after entrusting them with their social security numbers.
A strategy to deal with a breach is not directly handled by either local law enforcement or assigning government agencies. With the possible exception of credit card accounts, the individuals rather than the organizations permitting a breach may bear the consequence.
Once government-assigned identity information has been breached, malefactors may commit fraud using the information to change records, to open bank accounts, to order goods, or to obtain loans. Victims are expected to closely monitor their accounts and credit ratings. Unlike reassigned 16-digit credit card numbers, government-assigned identifiers or those for other types of instrument may not hold those allowing a breach accountable. The lack of accountability represents a far more vexing problem.
Not Intended Function
The federal government employed social security numbers in 1936 by order of Franklin Roosevelt to track citizens’ earnings and retirement benefits eligibility. In the 1960s, federal agencies adopted social security numbers for data tracking at both the federal and state levels, greatly increasing their required use of these for other purposes. Social security numbers are now used in both the public and private sectors for purposes unrelated to the retirement benefits managed by the Social Security Administration. The Social Security Number Confidentiality Act of 2000 addressed some concerns by requiring that social security numbers not be used as a “primary” identifier and not be visible on unopened mail.
In July 1, 2010, the Report to the California State Senate on the use of social security numbers stated:
“As a reliable key capable of linking records of all types to an individual, across systems and agencies (e.g., for aggregating data from different sources, permitting businesses, law enforcement, and other government agencies to create profiles on individuals for use in marketing and surveillance; for higher education to meet legislative requests for greater accountability; or to facilitate patient care, meet the requirements of health insurers, and permit linking patient information across multiple health care providers.”
Social Security Number Mandates
The report lists several federal laws mandating the collection of the social security numbers of both parents and students to protect an institute’s loan, grant, and assistance eligibilities. There are also federal laws mandating the collection of social security numbers by organizations receiving Medicare payments and those that incur indirect costs for graduate medical education for which the social security number of each resident must be collected. The report further states that: “Private sector use of the social security number is widespread and continues to be largely unregulated by the federal government.”
The Social Security Administration offers no aggressive policies to deal with widespread abuse. For example, this agency will not place alerts on social security numbers reported in theft or fraudulent use and resists making new assignments without documented histories of repeated abuse. As of now, social security number reassignment may also cause loss of work and credit history. Clearly, government-assigned identifiers with these limitations will not meet today’s security and law enforcement needs.
Behind the Curve
On June 25, 2011, the U.S. Social Security Administration will assign random nine-digit social security numbers. The first three digits will no longer represent geographic assignments nor the next two, the group. For more than a year, social security number reassignment in conjunction with a cross-referral to previously assigned social security numbers have been automated using the Social Security Number Application Process (SSNAP).
Unlike credit card names and numbers, the Social Security Administration provides no automated phone information explaining how new social security numbers can be obtained nor specific Web links for this service on their website. Although most of their policies are public, this agency’s representatives indicate policies for new social security numbers are confidential and victims MUST provide evidence of ongoing victimization as determined on a case-to-case basis.
If social security number reassignment is implemented to properly respond to abuse, the demand will quickly exceed the present rate of about 6 million assignments per year. Within a few decades, larger social security numbers will then be required, greatly impacting this 75-year-old practice.
A change can be forced by adopting larger numbers managed by a different department required to directly issue alerts and to ensure that work and credit history integrity is retained after reassignment. To hold organizations for breaches accountable, the larger number should represent a public key held in conjunction with signed data.
- For identity theft, contact the Federal Trade Commission (FTC) at:
- For free credit reports that require giving an entity your social security number, contact: