With just two attempts, the researchers correctly guessed the first five digits of SSNs for 60 percent of deceased Americans born between 1989 and 2003. With fewer than 1,000 attempts, they could identify the entire nine digits for 8.5 percent of the group.Social Security Numbers Deduced From Public Data (Wired Science)
There's only a few short steps between making a statistical prediction about a person's SSN and verifying their actual number, Acquisti said. Through a process called "tumbling," hackers can exploit instant online credit approval services -- or even the Social Security Administration's own verification database -- to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time.
"A botnet can be programmed to try variations of a Social Security number to apply for an instant credit card," Acquisti said. "In 60 seconds, these services tell you whether you are approved or not, so they can be abused to tell whether you've hit the right social security number."