One in 10 Social Security numbers guessed with public info
Technology has made it cheaper and easier than ever for others to find out when you were born, but sadly it won't be to send you a present on Facebook. The study points out that birth information can be found on numerous social networking sites, or purchased cheaply, for "almost every adult in the United States".
Even worse, most credit card issuers will still process an application even if two digits of a Social Security number are wrong, as long as the birth information is correct. Hackers who know how to use this prediction method may succeed up to three out of ten times in guessing the Social Security number of people born in the 25 least populated states. The lax standards of the credit card companies make their job even easier.
The study estimates that in a large-scale attack in a small state like West Virginia, criminals could "harvest credentials at rates as high as 47 per minute, obtaining ~4,000 credentials within 2 h(ours) before his or her IPs are blacklisted." After being blacklisted, the attacker could simply rent another group of infected computers for as little as $1,000 and keep going.
The study also suggests that the ability to accurately predict the first five digits for six out of ten Social Security numbers could lead to new, more targeted email scams in which the scammer would include the first portion of the victim's Social Security number to gain trust and obtain more personal information.
Unfortunately, this isn't an easy problem to fix; even if the government randomized all digits of new Social Security numbers, as the authors suggest, it would still leave the rest of us with predictable and therefore vulnerable Social Security numbers. Yet another reason to check your free annual credit report regularly.