Making Identity Theft Easier.



Student loan provider SallieMae is being careless with customer account information, including Social Security Numbers.

SallieMae is sending account statements via email. The email includes a password protected PDF attachment. The statement contains the customer's name, address, telephone number, account numbers and balances. If they're going to send that via email, a password protected PDF file may be a good way to do it. I'm not familiar enough with PDF file security to say.

The problem
They use the customer's social security number as the password to open the PDF. Quoting the email:

You are receiving this email with information regarding your SallieMae(r) student loan account.

Your account updates are viewable in the attached PDF document. The file is password-protected and you need to enter your Social Security number to open it.

They've just ensured that the PDF password can be easily determined by a simple brute force attack and that the customer's social security number will be revealed in the process.

Why does using the SSN make the password easy to defeat? Because I now know that the password is 9 characters long and is limited to numerals (0123456789). That means there are only 10^9 (1,000,000,000) possible passwords. A 5 character password using case sensitive alphanumerics (a-z, A-Z, 0-9) would be more secure and would have the benefit of not disclosing the customer's SSN as a side effect of being cracked. (64^5 =1,073,741,824 possible passwords)

How low long would it take to recover the password?
It took five minutes to find a free, Windows, command-line, brute force, PDF password recovery utility. It has command line switches to specify password length and character sets. It ran at 30k tries/ second on a 2.1 GHz Windows XP system. At that rate, it would take a maximum of 9 hours to find the password (and thus the SSN) and get access to the contents of the PDF. I'd bet other password recovery software runs much faster.

Sallie Mae has been sending out these PDF files using the customer's SSN as a password since 2004.

It's not the end of the world, but it's ill-conceived, avoidable, and violates their own guidelines for avoiding identity theft.

 04/04/2008 update: Despite requests to salliemae and an abuse report to their upstream, they continue to send me someone else's statements.

From: "Sallie Mae, Inc." <>
To: [redacted]
Subject: Sallie Mae Account Information
Date: Fri, 04 Apr 2008

Please do not respond to this automated message. Emails sent to this 
address are not monitored.
 (^^^ Obviously. Nor is anyone reading postmaster@ or abuse@.)

09/04/2008 update: They've stopped spamming me, but never did reply.
It was probably the account holder who fixed things.