Mimsy Were the Borogoves

Editorials: Where I rant to the wall about politics. And sometimes the wall rants back.

The last four digits of your social security number

Jerry Stratton, June 3, 2006

Because of identity theft and privacy concerns, many businesses ask for only the last four digits of our Social Security numbers. There seems to be an assumption that only four digits of a nine-digit number shouldn’t be a concern.

“How hard would it be for someone to guess the first five digits of my Social Security Number if they only had the last four?”

The obvious answer is, about 9,999 times easier than if they didn’t know the last four.

In fact it’s even easier than that. Your Social Security number is not a random set of digits. The last four numbers are created sequentially. They have no other relation to you. The rest of your Social Security number, however, is determined by where you requested it; usually, this is where you were born.

The first three digits of your Social Security number are an “area number”. If someone can determine what area the person applied for the SSN in, they can determine the first three digits; it is currently based on zip code. There are currently no more than 772 area codes.

You can check the state ranges against your SSN at the Social Security Number Allocations page on the Social Security Administration web site.

The middle two digits are the “group number”. This is probably more difficult to determine, but they are distributed in a pattern. In any case there are only 99 of them, usually fewer. For any specific area code, the Social Security Administration publishes the highest group number used.

There are also some other Social Security numbers that have been invalidated. For example, if the last four digits are 1120, identity thieves know at least one area code/group number combination that it is not.

When you give out the last four digits of your Social Security number, you are giving out what is probably the least-easily determined part of it. Once a criminal has the last four, if they truly want your identity (as opposed to just anybody’s identity), they ought to be able to bring down the total possibilities to no more than several hundred.

Giving out the last four digits of your Social Security number makes your entire number a lot more vulnerable. Armed with a computer and an on-line authorization site that doesn’t care if an SSN is checked every day, they probably won’t have any problem finding the rest. Your only hope is that they won’t want to.

January 18, 2010: Tumbling to SSN privacy

Being right isn’t always satisfying. In June 2006, I wrote:

Giving out the last four digits of your Social Security number makes your entire number a lot more vulnerable. Armed with a computer and an on-line authorization site that doesn’t care if an SSN is checked every day, they probably won’t have any problem finding the rest. Your only hope is that they won’t want to.

Hadley Leggett interviewed privacy researcher Alessandro Acquisti in a July 2009 article on Wired:

There’s only a few short steps between making a statistical prediction about a person’s SSN and verifying their actual number, Acquisti said. Through a process called “tumbling,” hackers can exploit instant online credit approval services—or even the Social Security Administration’s own verification database—to test multiple numbers until they find the right one.

And that was without having the last four digits. Social Security Numbers should never have been used as a combination username and password.
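
A verification service can notice tumbling by counting how many different numbers are checked for one applicant with the same last four digits. The Python below is an added example, not code from the original article; the log fields, key, window and threshold are assumptions, and the sample records are constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_KEY = b"constructed-demo-key"  # assumption: secret held by the logging tier
WINDOW = timedelta(hours=24)       # assumption: look-back period
MAX_DISTINCT = 3                   # assumption: distinct numbers tolerated per window


def ssn_token(ssn):
    """Keyed hash: the log can tell numbers apart without storing them."""
    return hmac.new(LOG_KEY, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def find_tumbling(events, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map (applicant, last4) -> peak count of distinct numbers, if over the limit.

    events: (timestamp, applicant_id, last4, token) tuples in any order. Keyed on
    applicant and last four, not client address, so spreading the checks across
    many addresses does not hide them.
    """
    recent = defaultdict(deque)  # key -> (timestamp, token) pairs inside the window
    flagged = {}
    for ts, applicant, last4, token in sorted(events):
        key = (applicant, last4)
        q = recent[key]
        q.append((ts, token))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({tok for _, tok in q})
        if distinct > max_distinct:
            flagged[key] = max(distinct, flagged.get(key, 0))
    return flagged


def sample_events():
    """Constructed log; the numbers are made up (9xx areas are not issued as SSNs)."""
    t0 = datetime(2010, 1, 18, 9, 0)
    # Applicant A retypes one number and corrects a typo: two distinct tokens.
    a = ["900-00-1234", "900-00-1234", "900-01-1234"]
    # Applicant B: eight different prefixes checked against one fixed last four.
    b = [f"90{i}-00-5678" for i in range(8)]
    rows = [(t0 + timedelta(minutes=i), "applicant-A", s[-4:], ssn_token(s)) for i, s in enumerate(a)]
    rows += [(t0 + timedelta(minutes=5 * i), "applicant-B", s[-4:], ssn_token(s)) for i, s in enumerate(b)]
    return rows


if __name__ == "__main__":
    print(find_tumbling(sample_events()))
```

Only applicant B is reported. A site that never counts repeated checks, like the one described above, has nothing to report at all.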
