Aaron Saray's Diary

Is the Fake Name Generator website a Security Risk?

Added: July 28, 2007, 5:45 pm  (90 views)

When searching for a script to generate some random test cases for a social security number scanning e-mail appliance, I ran across the Fake Name Generator website. At first glance, I thought this was an awesome tool for all of us software coders out there. I even read the About Us statement, which alluded to the data usage for testing client side credit card verification and testing cases for developers under HIPAA constraints (which I am!).

Devil's Advocate Rears The Ugly Head

So after generating a few test cases, I started thinking about the accuracy of these random results. We're generating fake names with a nationality constraint, a city, state and zip code that validate as real, and social security numbers that probably (I don't remember exactly) fall into the proper range for the state of that identity. Finally, credit cards are generated with a valid number, type and expiration date. You can now get your results in bulk in the form of a CSV or equivalent document. Combine this information with, say... the SSN death verification website, or professional 'services' websites from Experian or Intelius, and this information could become usable and dangerous, right? Couldn't a malicious visitor to the fake name generator cross reference these 'random' results to actually statistically extract the accurate matches?

Rationality steps in

Yes, what I've talked about COULD POSSIBLY maybe sorta happen, but we're forgetting some fundamental points here:

  • The credit cards don't match the full names* and also don't contain a valid CVV2 code**.  Gone are the days of strolling through the black hat forums and grabbing up valid CC combinations (although I never used any, I always found this access to information particularly intriguing)
  • Some of the public services will only tell you if the person is dead - and while some identity theft is done with deceased people's records, I would assume that this would be more difficult (although an interesting experiment would be to prove how many services would allow you to sign up with a valid deceased person's credentials...)
  • The sheer size of the statistically incorrect results would make this a full-time job for a computer to parse - not to mention that it may exceed the requests allowed by various services.

* statistically they could...

** this wouldn't be that hard to do though.

Fake Name Generator website is innocent

In all reality, to abuse that service would be far more work than it was worth. While I won't detail the specifics of my thoughts, there are easier ways to generate and reduce the number of fake 'positives' if someone was really trying to do identity theft via random generation.

So thanks fake name generator - your results were helpful in one of my tests!  You rock. 
