Messin' with texas deriving mother's maiden names using public records

Authors:
Virgil Griffith;Markus Jakobsson
Affiliations:
School of Informatics, Indiana University Bloomington, Bloomington, IN;School of Informatics, Indiana University Bloomington, Bloomington, IN
Venue:
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
Year:
2005

Citing 1
Cited 13

How (not) to protect genomic data privacy in a distributed network: using trail re-identification to evaluate and design anonymity protection systems

Journal of Biomedical Informatics

Fourth-factor authentication: somebody you know

Proceedings of the 13th ACM conference on Computer and communications security
Delayed password disclosure

International Journal of Applied Cryptography
Personal knowledge questions for fallback authentication: security questions in the era of Facebook

Proceedings of the 4th symposium on Usable privacy and security
Digital objects as passwords

HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Secure construction of k-unlinkable patient records from distributed providers

Artificial Intelligence in Medicine
What instills trust? a qualitative study of phishing

FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Abusing social networks for automated user profiling

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
An entropy approach to disclosure risk assessment: Lessons from real applications and simulated domains

Decision Support Systems
Attitudes toward online availability of US public records

Proceedings of the 12th Annual International Digital Government Research Conference: Digital Government Innovation in Challenging Times
Sherlock holmes' evil twin: on the impact of global inference for online privacy

Proceedings of the 2011 workshop on New security paradigms workshop
What’s in a name?

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
The effects of location access behavior on re-identification risk in a distributed environment

PET'06 Proceedings of the 6th international conference on Privacy Enhancing Technologies
Sunlight or sunburn: a survey of attitudes toward online availability of US public records

Information Polity - Special issue on Open Government and Public Participation: Issues and Challenges in Creating Public Value

Quantified Score

Hi-index	0.00

Visualization

Abstract

We have developed techniques to automatically infer mother's maiden names from public records. We demonstrate our techniques using publicly available records from the state of Texas, and reduce the entropy of a mother's maiden name from an average of close to 13 bits down to below 6.9 bits for more than a quarter of the people targeted, and down to a zero entropy (i.e., certainty of their mothers maiden name) for a large number of targeted individuals. This poses a significant risk not only to individuals whose mothers maiden name can easily be guessed, but highlights the vulnerability of the system as such, given the traditional reliance of authentication by mother maiden names for financial services. While our techniques and approach are novel, it is important to note that these techniques – once understood – do not require any insider information or particular skills to implement. This emphasizes the need to move away from mothers maiden names as an authenticator. Using the techniques described, during testing we were able to deduce the mother's maiden name for approximately 4,105,111 Texans.