Wednesday, July 8, 2009

Some Social Security Numbers Can be Deduced From Public Data

Your Social Security number may not be secure if a hacker is able to learn when and where you were born, information that is generally publicly available. Younger people from less populated states are especially vulnerable. While the exact method is being kept secret to protect the public, it seems only a matter of time before more nefarious players figure out the formula. This could bring the current serious problems with identity theft and credit card fraud to a whole new level. Worse yet, there is no good way to prevent this from happening even though we can see it coming. Randomizing Social Security numbers from now on will help (though maybe only slightly) people who have not yet been given one, but would do nothing for those who already have one. The only real preventative action is to dump the now prevalent policy of using Social Security Numbers as identifiers and/or authenticators.

http://www.wired.com/wiredscience/2009/07/predictingssn

"By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.
...
With just two attempts, the researchers correctly guessed the first five digits of SSNs for 60 percent of deceased Americans born between 1989 and 2003. With fewer than 1,000 attempts, they could identify the entire nine digits for 8.5 percent of the group.

There are only a few short steps between making a statistical prediction about a person’s SSN and verifying their actual number, Acquisti said. Through a process called “tumbling,” hackers can exploit instant online credit approval services — or even the Social Security Administration’s own verification database — to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time.

“A botnet can be programmed to try variations of a Social Security number to apply for an instant credit card,” Acquisti said. “In 60 seconds, these services tell you whether you are approved or not, so they can be abused to tell whether you’ve hit the right social security number.”"
