Aggregation Scam

May 31, 2017

Aggregation: A collection of information strung together to complete a report or analysis.

 

Inference: Using an educated guess to figure out the complete picture from small and unrelated bits of information.

 

In this example, aggregation has occurred, and not inference.  

 

In the United States we are each given a social security number that consists of 9 numeric digits.  

 

Social security numbers are like unique identifiers for American citizens.  They are used to track American workers and non-workers for taxation purposes.  In America, there are two things that are guaranteed: death and taxes.  So social security numbers are pretty important.  Think of them as MAC addresses for hardware: each one is unique.

 

If you lose your license, government ID, and passport, and you have nothing else left to identify yourself, your social security number can identify who you are.  The only ones who really should EVER have access to your social security number are you, the US government, the company you work for, and maybe hospitals.

 

Anyway, a few weeks ago I received an email from a technical recruiter.  Everything looked like the normal syntax for these emails, like what is my name, my salary requirement, my experience level, etc.

 

Then at the very bottom of the email I noticed a request for the first 5 digits of my social security number: 

 

 

 

Then, in the attached document for me to fill out, I noticed they wanted the LAST 4 DIGITS of my social security number.  

 

 

 

So if someone were to provide the first 5 digits of their social security number, and then the last 4 digits, without being aware of what they are doing, the person who sent the email now has their full social security number, with which they can commit identity fraud.  They "aggregated" the information from different methods and put the pieces together for the complete picture.

Inference would be if the individual had asked for the first five digits of the SSN, and then guessed the rest of the numbers.  Luckily, inference is not the case, only aggregation.      
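The aggregation described above can be checked for mechanically: track which digit positions each requester has asked for across every channel and flag the requester once the pieces cover all 9 digits. This is an added example, not part of the original post; the matched phrasing, the addresses and the sample text are constructed assumptions.

```python
import re
from collections import defaultdict

SSN_LEN = 9  # a US SSN has 9 digits
# Assumed request phrasing, e.g. "first 5 digits of your SSN".
FRAGMENT_RE = re.compile(
    r"\b(first|last)\s+(\d)\s+digits?\s+of\s+(?:your|my|the)\s+"
    r"(?:ssn|social\s+security(?:\s+number)?)",
    re.IGNORECASE,
)

def requested_positions(text):
    """Return the set of SSN digit positions (0-8) that `text` asks for."""
    positions = set()
    for side, count in FRAGMENT_RE.findall(text):
        n = min(int(count), SSN_LEN)
        if side.lower() == "first":
            positions.update(range(n))
        else:
            positions.update(range(SSN_LEN - n, SSN_LEN))
    return positions

def aggregation_report(artifacts):
    """artifacts: iterable of (requester, channel, text) tuples.
    Returns {requester: {"channels", "missing", "complete"}}."""
    seen = defaultdict(lambda: {"positions": set(), "channels": []})
    for requester, channel, text in artifacts:
        pos = requested_positions(text)
        if pos:  # only record channels that actually ask for SSN digits
            seen[requester]["positions"] |= pos
            seen[requester]["channels"].append(channel)
    report = {}
    for requester, data in seen.items():
        missing = sorted(set(range(SSN_LEN)) - data["positions"])
        report[requester] = {"channels": data["channels"],
                             "missing": missing, "complete": not missing}
    return report

# Constructed sample input modeled on the email and attachment in the post.
SAMPLE = [
    ("recruiter@example.test", "email body",
     "Send your name, salary requirement and the first 5 digits of your SSN."),
    ("recruiter@example.test", "attached form",
     "LAST 4 DIGITS of your social security number: ____"),
    ("bank@example.test", "phone script",
     "To verify, give the last 4 digits of your SSN."),
]

if __name__ == "__main__":
    for who, r in aggregation_report(SAMPLE).items():
        print(who, "FULL SSN REQUESTED" if r["complete"] else r["missing"])
```

No single message asks for the whole number; the recruiter is only flagged because the email body and the attached form are evaluated together.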

 

I had to laugh because this was pretty clever.

 

But seriously, don't EVER, EVER say your social security number over the phone or tell it to anyone who is not authorized to have it.

 


© 2013 Study Notes and Theory