
would they be correct by an attacker?



If she knows anything about the target (glossing over the fact that the actual target is Square), an attacker could get correct answers with high probability. Twitter, FB, LI, etc. provide people the target is likely to know. In many locales you wouldn't even need an exact address to know which streets cross which other ones (although frankly how hard is it to know someone's address?). And of course there is a direct mapping from social security numbers to states, so asking the SS question in that fashion adds no security.

All of this ignores the fact that these are multiple choice questions. Attackers don't have to win every time. 1/64 of targets would be vulnerable given no knowledge whatsoever. This is just an upper bound on how useful this set of questions is for Square, while the rest of TFA constitutes a convincing lower bound on how harmful they are to those who would legitimately use Square.



