How dangerous is it to reveal your date of birth, and why?
At some point I told a friend that it's dangerous to reveal your birth date (kind of like your social security number or your mother's maiden name), because it's a crucial piece of information for identity theft. However, I'm not sure what exactly an identity thief could do if the only non-public information he had about me was my birth date. (I'd consider my name, and probably my address, to be public here.)
How and why exactly is revealing your birth date itself dangerous?
Note that I'm not asking why knowing it in combination with other personal information (e.g. SSN) can be dangerous. I'm asking why even knowing it in isolation is dangerous. What kinds of things could an ID thief do with just my birth date? Can he, for example, open a bank account? Recover a bank password? Open a credit card? Take a car loan? etc.
(I'm assuming the country is the United States of America.)
John Smith, DOB unknown: 3 million candidate records. John Smith, 4/5/1955: 17 candidate records.
@DeerHunter Those numbers are only representative if you assume people live 483 years on average.
Revealing your birth date or -day can encourage people to throw surprise parties for you, which can lead to heart attacks and death, among other outcomes (including cake and presents!).
Asking about knowing birthdate **not** in combination is somewhat disingenuous... the chances are that other information _is_ or _may be_ available, and not protecting all of it (unless really necessary) increases the chance of someone knowing enough to do damage.
The problem with revealing your birthday isn't the birthday itself, it is that you are giving people one more data point.
Reveal your birthday on site A, your relatives on site B (which gives for example mother's maiden name), your address on site C...before you know it people are able to pull together a huge amount of compiled information.
That information can then be used to hack things, either directly using password reset forms, guessing passwords, etc, or indirectly through spear phishing attacks.
For example a birthday message from an old school friend that arrives on your birthday and comes from their name would be much more convincing than a random email with a link saying "click this".
The issue is not the birthday itself; the issue is that, unfortunately, a lot of companies and websites are still using it for verification purposes. This is certainly bad practice, and lots of companies are changing their policies just for that reason.
Banks sometimes used it for retrieving a password, but in recent years they too have changed their procedures significantly (depending on bank you use).
So, to answer your question: is it safe to reveal your birthdate? Preferably you only reveal it when it is really necessary (e.g. ask each time whether they really need it); the information is not considered secret, and you will be required to disclose it on occasion for legitimate purposes. As with any personal information, the best thing to do is to disclose it on as few occasions as possible. On the other hand, if identity theft does happen and the culprit turns out to have been able to retrieve information or perform an action just by giving your birthday (which is easy to find), then most likely the company will be liable for not adequately protecting your personal information or for being too negligent in their verification process. Of course this will mean you will have to deal with it (which is a nuisance and very time-consuming).
I don't get your first paragraph. Isn't that the same problem as with every other piece of information? The problem isn't the information itself, it's the fact that the information is used to verify your identity. I don't understand what you're saying here...
What Lucas means is that it isn't the act of revealing one's own birthday which is dangerous. It is the fact that companies are using this **non-secret** and **non-revocable** piece of information as an identification means which is dangerous. Without these companies, there wouldn't be any risk associated with communicating a non-secret and non-revocable piece of information. Hence these bad companies are the origin of the risk.
What kinds of things could an ID thief do with just my birthday? Can he, for example, open a bank account? Recover a bank password? Open a credit card? Take a car loan?
The answers to these questions depend on space and time. By space I mean legislation in different countries; even the lifestyle and welfare of the country someone is living in counts a lot. You may be surprised, but there are a lot of countries where even having a bank account is a luxury, in which case no one has to worry whether his birthday is disclosed or not.
Also, when it comes to banks for example, they adapt themselves to the legislation of the countries where they are active. And within the same country, the law changes over time, so information that is useless to a nefarious person today can somehow become interesting in a few years.
In all cases, there is no security-related system that depends only on your birthday to fulfill any step of authentication, because maybe your birthday is already mine, according to the birthday paradox. But of course, the less you reveal about yourself, the safer you are. But then this leads us to pick between being paranoid, negligent, or just a wise person.
As you are living in the USA, you know better than me that your SSN is very important. In that case, after a short search, I found that there are already some algorithms a bad person could run to guess your SSN based on your birthday and place of birth, also leading to identity theft.
Would this be a problem in a country with national ID documents with a unique ID number for every citizen? In my country banks just ask for the ID, which has a photo and some features that make it hard to forge (hologram, ultraviolet, 3D texture, embedded chip).
In the United States, birthdays are matters of public record, and there are many online databases where they can be trivially looked up. In other countries such as Italy it's even less private. Your birthdate is routinely asked for on simple web forms, and is even included in a resume.
In essence, birthdays aren't secrets, and you shouldn't treat them like one. Yes, some bad websites use them for verification purposes. But keeping something a secret that isn't a secret is a foolish practice.
With the name, birthday and address alone, an attacker could case your mailbox to find out which bank you have an account with. On your birthday, he could mail you a letter with that bank's letterhead containing some voucher for your birthday and asking you to visit a malicious link to redeem the voucher.
It is far-fetched. But the point I am trying to make is that you should try as much as possible to minimize the amount of public information because it is possible to obtain additional information from it. E.g. obtaining your bank's name from your address.
Secondly, I believe that there is no standard guideline on what information is considered public information and what information is not. For example, certain banks might consider your birthday to be private information and allow you to reset your PIN if you can provide the birthday. A good example for this is Matt Honan's identity theft. In 2012, Apple considered the last 4 digits of the credit card number to be private information, but Amazon considered them public information. This resulted in him losing his entire digital life.
Yes, this is super far fetched. It's not even remotely on par with the kind of danger you face with revealing your SSN or mother's maiden name or something like that, but I'm pretty sure a birthday is almost as dangerous as those, so there must be much bigger risks...
"If an attacker knows your birthday, he or she can send you some really appropriately timed presents!"
This is a complex question, because here the term risk might be understood in 2 ways. You are asking about the risk associated with the action of "communicating one's birth date to a company". Are you talking about the overall risk associated with the final result of this operation, or about the added risk associated with this sole action?
From the details of your question, you are asking for an evaluation of the risk just added by this operation.
Since a birth date is public information, neither secret nor revocable, you can't change in any way the overall risk associated with this information. The risk associated with this operation is then: 0.
This looks shocking, but this is due to the fact that "communicating one's birth date to a company" is a risk before the action of one communicating his birth date.
The overall risk associated with communication of a birth date might be seen as a simplified formula:
false secret + bad security + crosscheck hunt + personal communication
and my estimate of these in terms of added probabilities of bad results occurring is:
false secret: x
bad security: y (this y isn't independent of x)
crosscheck hunt: z (risk added by a hunter of different public information building a correct identity to attack companies promoting false secrets)
personal communication: t
Total probability of bad: p = 1 - (1-x)(1-y)(1-z)(1-t)
(My personal raw estimate is that x ≃ 0.1, y ≃ 0.4, z ≃ 0.2, t ≃ 0, which leads to p ≃ 0.6.)
For the same reason, from my personal point of view, the overall risk associated with the idea that a birth date is a secret and could be used for authentication is 1 (= probability of bad event = 1 x perimeter of impact = max).
My bank is using my birth date as an identification mechanism. I explained to them why I trust them less than others because of this false secret they are selling to naive customers and the risk they are creating.
They didn't change. They registered the information very politely.
The risk that I switch banks is increasing every day.
The risk that this poor practice becomes public increases every day.
I think your math is wrong. To find the probability of any element in a set of events happening, you can only add the probability of each event happening if they are disjoint, which they obviously aren't in this case. Instead, the "total probability of bad" should equal 1 - ((1 - 0.4)(1 - 0.4)(1 - 0.2)) = 0.712, assuming the events are independent of each other.
In the UK, one specific result of revealing your birth date - within certain parameters - is that they can find your mother's maiden name. From there they can trace your parents marriage and all of your siblings.
Given your name and birth date you can visit FreeBMD and, if your name is unusual it is possible to find registry details of your birth, including your mother's maiden name (a common security question). If your name is common then a place of birth (available from Facebook I believe) can be used to narrow down your entry.
Once they have your parents names they could then, from the same site, discover the names and dates of birth of all of your siblings. Copies of birth and marriage certificates can be bought for a small fee, from which some further details can sometimes be derived.
From there they can now use the Electoral Roll to track down your family home and address.
This is clearly information creep. Once a certain amount of information about you is out there, more can be developed from often free sources.
I'd recommend you read Kevin Mitnick's book "Ghost in the Wires" for an eye-opening view of what someone can do with just a single, or few, datapoints. According to your question, someone might also have your name and address.
A good social engineer like Mitnick would perhaps use that to call your apartment manager and get a few more datapoints like when you moved in, who your emergency contact is, etc. (For example, maybe he poses as a doctor and says you're in his emergency room and all he has is your cell phone and drivers license.) He then uses that information to pose as an old college friend trying to find you, etc. Each call he makes gives him another piece until he can recreate enough of a story to get your SSN, account numbers, etc.
Anyway, check out the book and you'll understand really quickly why even 1 piece of information is enough for a good identity thief.
In the US, "name and date of birth" seem to be the standard authentication tokens demanded by doctors and other medical professionals. Certainly whenever I call my doctor, I'm asked for this information, and only this information, before they will discuss anything personal.
If an attacker had this information, and could guess the identity of your doctor (perhaps easy to do from your address, if you live in a small enough town), they could probably successfully impersonate you over the phone to your doctor. I'd expect them to be able to get information about your upcoming appointments, test results, etc. Getting a complete set of your records might take a little more work (perhaps forging your signature on a mailed-in form).
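The point made in Lucas's answer (companies using a non-secret, non-revocable date of birth as a verification secret) and in the answer above (a doctor's office accepting name plus date of birth over the phone) can be shown side by side in code. The following is an added example, not code from any answer on this page and not a real bank's or clinic's system: the accounts, the contact address and the "outbox" that stands in for an email or SMS gateway are all constructed for the demonstration. It contrasts a knowledge-based reset that anyone holding the public DOB can pass with a possession-based reset that sends a random, single-use, short-lived token only to the channel registered on the account, and it shows that a token can be replayed or expired while a date of birth can never be revoked.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    dob: str                      # on file for legitimate reasons; effectively public
    contact: str                  # registered out-of-band channel (constructed value)
    password: str = "initial-pw"
    reset_tokens: dict = field(default_factory=dict)   # sha256(token) -> expiry time


class DobRecovery:
    """Knowledge-based recovery: the practice criticised in the thread.

    Anyone who knows the date of birth (a public record) can reset the password,
    and the victim cannot change their DOB after it leaks.
    """

    def __init__(self, accounts):
        self.accounts = accounts

    def reset_password(self, username, claimed_dob, new_password):
        acct = self.accounts.get(username)
        if acct is None or acct.dob != claimed_dob:
            return False
        acct.password = new_password
        return True


class TokenRecovery:
    """Possession-based recovery: a random, single-use, short-lived token is sent
    only to the channel registered on the account. The DOB is never consulted."""

    TTL_SECONDS = 600

    def __init__(self, accounts, outbox, now=time.time):
        self.accounts = accounts
        self.outbox = outbox      # stands in for the email/SMS gateway (constructed)
        self.now = now            # injectable clock so expiry can be exercised

    def request_reset(self, username):
        acct = self.accounts.get(username)
        if acct is None:
            return                # nothing sent, nothing said: no account enumeration
        token = secrets.token_urlsafe(32)                       # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()     # store only the hash
        acct.reset_tokens[digest] = self.now() + self.TTL_SECONDS
        self.outbox.append((acct.contact, token))               # owner's channel only

    def reset_password(self, username, token, new_password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        expiry = acct.reset_tokens.pop(digest, None)            # pop => single use
        if expiry is None or self.now() > expiry:
            return False
        acct.password = new_password
        return True


def run_scenario():
    """Attacker knows only name and DOB; the owner controls the registered contact."""
    accounts = {"jsmith": Account("jsmith", "1955-04-05", "owner@example.invalid")}
    results = {}

    # 1. DOB as the "secret": the public record is enough to take the account.
    weak = DobRecovery(accounts)
    results["dob_reset_by_attacker"] = weak.reset_password("jsmith", "1955-04-05", "attacker-pw")

    # 2. Token-based recovery on the same account.
    accounts["jsmith"].password = "initial-pw"
    outbox = []
    clock = [1_000_000.0]
    strong = TokenRecovery(accounts, outbox, now=lambda: clock[0])

    # Knowing the DOB buys nothing: it is not a valid token.
    results["dob_as_token"] = strong.reset_password("jsmith", "1955-04-05", "attacker-pw")

    # Unknown user: no message is sent, so usernames cannot be enumerated this way.
    strong.request_reset("nobody")
    results["unknown_user_sent_nothing"] = len(outbox) == 0

    # Owner asks for a reset; the token reaches the owner's channel, not the attacker.
    strong.request_reset("jsmith")
    contact, token = outbox[-1]
    results["delivered_to_owner"] = contact == "owner@example.invalid"
    results["owner_reset"] = strong.reset_password("jsmith", token, "new-pw")
    results["replay_rejected"] = not strong.reset_password("jsmith", token, "attacker-pw")

    # A token that is not used within its lifetime is worthless; a DOB never expires.
    strong.request_reset("jsmith")
    _, stale = outbox[-1]
    clock[0] += TokenRecovery.TTL_SECONDS + 1
    results["expired_rejected"] = not strong.reset_password("jsmith", stale, "attacker-pw")
    results["final_password"] = accounts["jsmith"].password
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The contrast is the whole point of the answers above: the first scheme's "secret" is something a FreeBMD or public-records lookup yields and that the victim can never rotate, while the second scheme's secret is minted per request, delivered out of band, consumed on first use and dead after ten minutes. Real deployments add rate limiting on the request endpoint and notify the owner on every reset, neither of which changes the comparison.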
Birthdate is just another piece of Personally Identifiable Information (PII): any data that could potentially identify a specific individual. The more pieces of such PII, the easier it is to identify you or impersonate you. The banks in my country ask 2-3 personal questions before verifying that you are indeed the account owner over the phone.
As to how it can identify you from an anonymous database (E.g. Dating site, Hospital Donor Records with anonymous names), different pieces of your information can increase the probability that the moniker you are using is actually you.
Not all services require a second authentication factor (2FA), so knowing personal information about someone may gain the attacker access to a system, to a bank telephone operator looking at your record, or to a nurse who is checking on some medical record over the phone, or in some cases allow them to impersonate a business to request payments from a supplier.