However, the last four digits are the most useful to an identify thief, because given the State of residence and rough age of the proposed victim, he can often guess the first four or five digits of her SSN (then search on the whole string of digits to verify).

If asked for some SSN digits, you should supply leading digits, because people can estimate those with high probability anyway.

I suppose they got the “last four digits” idea from the (legitimate) practice of using the last four digits of a credit-card number to distinguish it “in the local context” of the owner’s wallet. A four-digit hash (somewhere between 10 and 13 “random” bits; the last digit is a checksum over the whole number) is good enough for that. The probability that a given person will have two cards with the same last-four-digits (assuming “random” distribution of account numbers) won’t exceed 50% until he has more than about 32 cards. (Google “birthday paradox.”)

A technique to remind customers which credit card they used last time without giving sales and shipping clerks the entire number is completely inapplicable to “age verification.”

However, the last four digits are the most useful to an identify thief, because given the State of residence and rough age of the proposed victim, he can often guess the first four or five digits of her SSN (then search on the whole string of digits to verify).

If asked for some SSN digits, you should supply leading digits, because people can estimate those with high probability anyway.

I suppose they got the “last four digits” idea from the (legitimate) practice of using the last four digits of a credit-card number to distinguish it “in the local context” of the owner’s wallet. A four-digit hash (somewhere between 10 and 13 “random” bits; the last digit is a checksum over the whole number) is good enough for that. The probability that a given person will have two cards with the same last-four-digits (assuming “random” distribution of account numbers) won’t exceed 50% until he has more than about 32 cards. (Google “birthday paradox.”)

A technique to remind customers which credit card they used last time without giving sales and shipping clerks the entire number is completely inapplicable to “age verification.”

SL has two options.

It can disregard, and as a result anyone can dupe the age verification system.

Or it can verify, which involves looking up people at their addresses, and somehow validating their birthdate and last four of SSN.

I’m not sure how they’d be allowed to access this information. But I think the ID theft problem is understated.

The second option will hurt their business. People don’t like to give out personal information, especially anything SSN related. If they can’t get away without it, they might not sign up at all.