Tuesday, November 20, 2007
The article "Best practices to redact account numbers" from today's RISKS 24.91 brings up some good points, and one I have failed to execute correctly myself. The general gist is that redacting or masking personal information should be done carefully, so that the revealed part does not let a bad actor recover the rest of it. Credit cards are handled well: only the last 4 digits are revealed (enough to tell which card you used). While some of the masked data is easily guessable, like the bank ID, enough remains as an unknown, individualized string that it's safe. Where I for one had failed was in understanding the method by which SSNs are encoded. A lot of organizations reveal the last 4 of the SSN for identifying purposes. But aside from other errors of revealing, the first 6 are reasonably crackable, as they encode the issuing location and date; revealing these will generally work well to distinguish individuals, while hiding the individualized information. Similar issues arise with other strings, like bank accounts. So, analyze your data before figuring out how to use it best, and most safely.
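As an added example (my own code, not from the RISKS article), here is a small redaction helper that applies the point above: mask the individualized part of an identifier rather than the part an outsider could guess anyway, and audit whether several differently masked copies of the same value add up to a full disclosure. It assumes the common AAA-GG-SSSS SSN layout and a 13 to 19 digit card number; the sample values are constructed, not real identifiers.

```python
"""Redaction helpers: mask the high-entropy part, reveal the guessable part,
and check that multiple masked views do not combine into the whole value.
Added example; assumptions are noted inline."""
import re

MASK = "X"


def mask_card(pan: str) -> str:
    """Reveal only the last 4 digits of a card number (the usual display
    convention); separators such as spaces or dashes are preserved."""
    digits = [c for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:  # assumption: typical PAN lengths
        raise ValueError("unexpected card number length")
    keep_hidden = len(digits) - 4
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(MASK if seen < keep_hidden else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_ssn(ssn: str) -> str:
    """Reveal the leading area/group digits and hide the 4-digit serial.
    Per the post, the leading digits encode issuing location and date and are
    largely recoverable by an outsider, so the serial is the part to protect."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn)  # assumption: AAA-GG-SSSS
    if not m:
        raise ValueError("not an SSN-shaped string")
    area, group, _serial = m.groups()
    return f"{area}-{group}-{MASK * 4}"


def _slots(view: str) -> list:
    """Digit positions of a masked view: each slot is a digit or MASK."""
    return [c for c in view if c.isdigit() or c == MASK]


def unknown_digits(*views: str) -> int:
    """Count digits of one identifier that stay unknown once an adversary
    combines every masked copy given (e.g. a statement showing the last 4
    and a form showing the first 5). 0 means the value is fully exposed.
    All views must share the same digit layout."""
    slot_lists = [_slots(v) for v in views]
    length = len(slot_lists[0])
    if any(len(s) != length for s in slot_lists):
        raise ValueError("views have different digit layouts")
    unknown = 0
    for i in range(length):
        if all(s[i] == MASK for s in slot_lists):
            unknown += 1
    return unknown


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(mask_card("4111 1111 1111 1111"))   # XXXX XXXX XXXX 1111
    print(mask_ssn("123-45-6789"))            # 123-45-XXXX
    # Two inconsistent policies applied to the same SSN leak everything.
    print(unknown_digits("123-45-XXXX", "XXX-XX-6789"))  # 0
```

The `unknown_digits` check is the part worth wiring into a review of reports and forms: a single masking policy per identifier type is what keeps the "safe" view safe, because any second view that reveals a different subset of digits lets the two be combined.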