As I have long maintained, it is quite foolish of folks to post accurate details about themselves on social networking sites because its like a shopping list for identity thieves. A recent study at Carnegie Mellon which will be released at an upcoming black hat conference shows how identity thieves might be able to guess your social security number given only your date and place of birth.

Nobody imagined how important the social security number (SSN) would become when the system was first instituted in 1935. Computers and electronic commerce were things of science fiction. But today, the SSN is one of the more important identifying numbers used to conduct personal business. Everyone knows they shouldn’t post that number publicly because an identity thief might be able to use that number and several other pieces of public information to impersonate you. But what if an enterprising programmer wrote a program to guess your SSN with an algorithm?

Some of you may already know this, but your SSN isn’t random.

For individuals who received their social security number at birth, the SSN was assigned as a numerical representation of the state and the date of issue.

in general, the first 5 digits can be predicted with a very high degree of accuracy with a single attempt – especially for individuals born after 1988 and in less populous states. In some cases, we were able predict the whole 9 digits of individual SSNs at the very first attempt. More often, the predictions produce windows of values that are likely to include the actual 9 digits. These windows can be very large (and, therefore, inaccurate) for certain years and states (for instance, for individuals born in California in 1973), but can get very narrow (and therefore more concerning, in terms of identity theft risks) for smaller states and recent years (for instance, 1 out of 20 SSNs of individuals born in DE in 1996 in our dataset could be identified with just 10 or fewer attempts per SSN).

As long as we continue to use the SSN as identifying number, we should at least be assigning a random number to folks. In the meantime, don’t post your real birthday or place of birth on the internet for identity thieves to put on their shopping list.