How Easily can Someone Guess your Social?
Written by Jason Briody
Monday, 24 August 2009 10:19

According to the Carnegie Mellon University study "Predicting Social Security numbers from public data," the predictability of your SSN depends on a few factors, but in up to 44% of cases the first five digits of your nine-digit social can be guessed on the first try. Specifically, if you were born between 1989 (when people nationwide first began to receive SSNs at birth) and 2003, and your birth date and location are available, Alessandro Acquisti and Ralph Gross claim that forty-four percent of these people could have the first five digits of their social security numbers accurately predicted in a single attempt. The full study is interesting but lengthy (six pages of small-font, single-spaced, double-column text). Below I've outlined a few plain-English questions you might have about the study and its results, along with some of my own thoughts on how this information can affect you and what you can do about it.

How did they predict the SSNs, and how did they know they were predicting them correctly?

The researchers used data in a publicly available file known as the Death Master File (DMF). According to the researchers, the DMF lists "...SSNs [social security numbers], names, dates of birth and death, and states of SSN application..." The file is used to curb the fraudulent use of deceased persons' socials. The researchers then applied information made publicly available by the Social Security Administration (SSA). They explain that the first three digits of an SSN are assigned "based on the zipcode of the mailing address provided in the SSN application form" (which is why the researchers need a birth location to predict a social). The next two digits of an SSN are assigned "in a precise but nonconsecutive order between 01 and 99" (which is why the researchers need a birth date to predict a social).

By correlating the data in the DMF with the information the SSA makes available about how socials are assigned, the researchers were able to establish the patterns the SSA uses to assign the first five digits of social security numbers. Once the researchers had established a pattern, they tried to predict the SSNs of other people in the DMF and used the full SSNs listed in the DMF to check whether they were "guessing" correctly.

What good are the first five digits without the last four?

Not much good. According to the study, it would take a large number of attempts to guess the last four.

So how could an attacker get those last four digits, then?

There are a number of ways, the most common of which is probably dumpster diving (going through your trash) for documents that contain your social.

What types of documents contain the last four digits of my SSN?

These vary, but anything from paychecks to college paperwork to bank and medical records. If these are not properly disposed of (e.g. micro cross-cut shredded), dumpster diving for the last four digits can be very effective. If ID thieves can predict the first five digits using the researchers' methods and then obtain the last four by looking through your trash, they have your full social. A full social can be used for a number of harmful and malicious activities, one of the most common being applying for new lines of credit in your name.

Aren't SSNs nowadays almost always partially redacted when you receive them, just as ATM receipts only show a few digits of your account number? Do they redact the last four digits?

Yes, SSNs are partially redacted, but only the first five digits are obscured; the last four digits are visible (e.g. XXX-XX-2071). The first five digits are the predictable ones; the last four are much more difficult to guess. Unfortunately, those four are the ones that are usually visible and used as identifiers.

So if birth data is all that's needed to predict partial SSNs, how do I know if my birth data is publicly available?

First, let's cover the most obvious way it can be made available: you publish it. Many people have their birth dates and approximate birth locations on Facebook and other social networking sites. While this information can easily be hidden in privacy settings (Facebook, for instance, lets you choose between publishing your full birthday, only the month and day, or not publishing your birthday at all), birth dates and locations can also be found elsewhere relatively easily. Just think about all the other records that may contain your birth information: voter, divorce, vital, DMV and correctional records, among others. If you don't believe that information is out there, you can easily check for yourself. Run a search for your full name at the free (but weak) BirthDatabase.com or zabasearch.com, or the powerful (but ~$2 per record) PeopleFinders.com. Your information is likely already out there for the dedicated ID thief.

I shred all sensitive documents, including those that contain just the last four digits of my social. Aside from dumpster diving, how can someone get those last four digits to complete my social?

The study mentions targeted phishing as another possibility. If someone sent you an official-looking email with the first five digits of your social visible and the last four redacted, you might feel safe responding to a request for your full social and other information (though you shouldn't). After all, you might assume that if they have the first five digits, they must have the last four as well and are just redacting them in the email for your privacy. I also remember a radio contest a few years ago that used the last four digits of SSNs to pick winners; people would call up and give their name, location, and the last four digits of their social, all on the air. I bet that contest would have turned out differently if those contestants had known the rest of their socials could be predicted with relative ease.

So what can I do to protect myself?

First, remove information that could help attackers obtain your birth data from sources you control (social networking sites, blogs, etc.). Securely file or cross-cut shred all documents containing Personally Identifiable Information (PII), including the last four digits of your social. If your social is used as an identifier at college, work, or elsewhere, ask them to use a different identifier if possible. And for more specific tips on how to lock down your information and avoid falling victim to ID thieves' common practices, read our tips on how to protect yourself in JDA's "PII Quest" (under the "Protect Yourself" pull-down).
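The protective steps above boil down to one rule: don't let either half of your social out the door. The scanner below is an added example written for this article, not code from the article's author or from the Carnegie Mellon study. It checks a document (a constructed sample payroll sheet, not real data) for three kinds of exposure before it is printed, emailed or filed: a full nine-digit social, the common "XXX-XX-2071" masking that leaves the hard-to-guess last four in the clear, and the reverse "555-12-XXXX" masking that leaves the predictable first five in the clear. It ranks a last-four leak above a first-five leak for exactly the reason the study gives, and its redaction replaces the whole number rather than masking part of it. The structural sanity check (area never 000, 666 or 900 and above; group never 00; serial never 0000) follows the Social Security Administration's published rules and is used only to drop false positives such as phone-number fragments.

```python
import re
from dataclasses import dataclass

# Constructed sample document (not from the article): the kind of paperwork
# that ends up in a mailbox, an inbox or a trash can.
SAMPLE_TEXT = """Payroll summary for J. Doe
Employee SSN: 219-09-9999
Emergency contact verification: XXX-XX-2071
Legacy student ID: ***-**-4410
Account holder 555-12-XXXX, pending
Placeholder, not a real SSN: 000-12-3456
Phone: 412-268-2000
"""

# A full nine-digit social with optional dash or space separators.
FULL_SSN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# The common "XXX-XX-2071" style: first five masked, last four in the clear.
LAST_FOUR_EXPOSED = re.compile(r"(?<![\w*])[Xx*]{3}[- ]?[Xx*]{2}[- ]?(\d{4})\b")
# The reverse: first five in the clear, last four masked.
FIRST_FIVE_EXPOSED = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?[Xx*]{4}(?![\w*])")

REDACTION = "[SSN REDACTED]"


@dataclass
class Finding:
    kind: str       # "full", "last_four" or "first_five"
    matched: str    # the text exactly as it appeared in the document
    severity: str


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes for assigned numbers: the area is
    never 000, 666 or 900-999, the group is never 00 and the serial is never
    0000. Used only to drop obvious false positives, never to assert validity."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan(text: str) -> list[Finding]:
    """Return every SSN exposure in the text, ranked by how much it gives away.
    A last-four exposure ranks above a first-five one because, as the study
    shows, the first five digits are the guessable half."""
    findings: list[Finding] = []
    for m in FULL_SSN.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("full", m.group(0), "critical"))
    for m in LAST_FOUR_EXPOSED.finditer(text):
        findings.append(Finding("last_four", m.group(0), "high"))
    for m in FIRST_FIVE_EXPOSED.finditer(text):
        findings.append(Finding("first_five", m.group(0), "medium"))
    return findings


def redact(text: str) -> str:
    """Replace every exposure with a fixed token so that neither half of the
    number survives, unlike the usual XXX-XX-2071 masking."""
    def full_repl(m: re.Match) -> str:
        return REDACTION if is_plausible_ssn(*m.groups()) else m.group(0)

    text = FULL_SSN.sub(full_repl, text)
    text = LAST_FOUR_EXPOSED.sub(REDACTION, text)
    text = FIRST_FIVE_EXPOSED.sub(REDACTION, text)
    return text


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind; handy for a go/no-go decision before sending."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"{f.severity:9}{f.kind:12}{f.matched}")
    print()
    print(redact(SAMPLE_TEXT))
```

On the sample the scanner reports one full social, two last-four exposures and one first-five exposure, leaves the phone number and the implausible 000-prefixed placeholder alone, and the redacted copy contains none of the digits. The same check can run on outgoing mail to catch the phishing pattern the study describes, where a message deliberately shows one half of a social to make its request look legitimate.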