Slashdot Mirror


Is The US Social Security Site Still Vulnerable To Identity Theft? (krebsonsecurity.com)

Slashdot reader DERoss writes: Effective 1 August, the U.S. Social Security Administration (SSA) requires users who want to access their SSA accounts to use two-factor authentication. This involves receiving a "security" code via a cell phone text message. This creates two problems. First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.

More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.

In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that ironically, the National Institute of Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.

46 comments

  1. YES! by Anonymous Coward · · Score: 0

    It is!

  2. Security cues from Yahoo! and facebook by Anonymous Coward · · Score: 0

    This involves receiving a "security" code via a cell phone text message.

    Basing your authentication on Yahoo!'s mail and facebook isn't the best thing to do.

  3. Google Voice by duckintheface · · Score: 4, Informative

    I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number. The text message appears in my Gmail inbox and I can reply to it as I would to an email.

    Ok, maybe folks who don't have a cell phone also don't have a computer. So there needs to be an option of letting SS know that you want online services to be blocked for security purposes.

    --
    "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    1. Re:Google Voice by Anonymous Coward · · Score: 0

      Ok, maybe folks who don't have a cell phone also don't have a computer. So there needs to be an option of letting SS know that you want online services to be blocked for security purposes.


      What are you, some kind of troublemaker? I mean coming up with a solution that the gubmint bureauweenies created?

    2. Re:Google Voice by Anonymous Coward · · Score: 0

      So what you're saying then is that the need for security is overhyped, if you're willing to give Google access to all this stuff.

    3. Re:Google Voice by Anonymous Coward · · Score: 0

      thx

    4. Re:Google Voice by starless · · Score: 1

      I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number.

      I mainly use Google Voice, but I find that some companies send text messages that can't be received on my GV number.
      Instead I have to use my "real" cell number.
      (Also, I can't send text messages internationally via GV, only receive them.)

      Since Google Voice development seems to be rather stalled, I suspect things are not going to improve.

    5. Re:Google Voice by Anonymous Coward · · Score: 1

      I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number

      Yes, but... Try signing up for Google Voice if you don't have a cell phone. Google does the same thing the SSA is being called out for, here - you can't enroll in Google Voice without a mobile number for Google to text a confirmation code to! You must have created your account before you had your carrier disable text messaging.

    6. Re:Google Voice by duckintheface · · Score: 2

      I logged into my SS account and received the text message via my Google Voice number before I posted. So yes, it works.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    7. Re:Google Voice by duckintheface · · Score: 2

      No, you just have to have some other number in order to sign up for a google voice number. It could be a friend's cell number or a POTS number, or a VOIP number. They do this to prevent someone from hogging a huge quantity of Google Voice numbers.

      The verification can be by text or it can be verbal. They robocall your phone and tell you verbally the two digit code to enter into your computer.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    8. Re:Google Voice by duckintheface · · Score: 1

      You mean as opposed to giving the information to my Verizon cell phone carrier? Yes.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    9. Re:Google Voice by Anonymous Coward · · Score: 0

      nowadays the cellphone is a computer. those phone/text only cellphones are being phased out more and more every day

    10. Re:Google Voice by duckintheface · · Score: 1

      My cell phone is an 8 year old Motorola flip phone. But even if I had a new iPhone or Android, I wouldn't be able to run my favorite version of Linux on it. Also, for anyone signing up for Social Security, a cell phone has a screen and keyboard that are too small and too limited in performance. And too expensive.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    11. Re:Google Voice by Anonymous Coward · · Score: 0

      [quote]If you do not have a cell phone, you will not be able to access my Social Security. To access your personal my Social Security account, you need a cell phone that can receive text messages. Each time you log in, we will text your cell phone a security code that you must input in order to access your account.[/quote]

      So they want to send you a text message EVERY TIME you log in.

      Fucking morons.

      Oh well. I can no longer use their service.

  4. Screw Them by Anonymous Coward · · Score: 0, Interesting

    Screw those people who can't be bothered to keep up with technology and all the changes it brings.

    My favorite thing that pisses me off is when I go to the grocery store or the local big-box superstore and I am in line behind a senior citizen who can't figure out how to use their check card and then, they complain to the cashier that "they can't get all this stuff with computers" or some other such dribble. Or, they can't work an ATM machine.

    I cry bullshit.

    All of these people in their late sixties and above were in their twenties or thirties when computerized accounting systems began rolling out in stores, offices, and even such places as the local DMV. ATMs have been around since the early- to mid-1960s (if not longer). So for them to make a statement like they don't understand it is more akin to them just being too lazy to try.

    There are plenty of average senior citizens who can handle ATMs, card readers, cellphones, smartphones, and computers just fine.

    So the rest of those whiny bastards need to get with the program.

    Disclaimer: I'm a 43 year old white male who is tired of seeing people being lazy and such. Truthfully, I don't give a damn about their age. I'm just tired of the complaining.

    1. Re:Screw Them by Anonymous Coward · · Score: 1

      A lot of people are full of excuses for why they "can't" do something. The dead giveaway is they insist on help from someone else before they've made even a token effort to do for themselves. It's just an unwillingness to learn and try new things, even when the "new things" (like SMS) aren't really new at all and are widely used by many others.

      Many of the Boomers and older folk enjoy being helpless. Not consciously, but nonetheless they do. "I can't do this" is a roundabout way to say "you should serve me". Anyone who has ever worked retail for extra money knows that older folks can't read the big brightly lit sign right in front of them (which would answer their own question) but they can spot a nametag, a thousand yards away, in the dark.

    2. Re:Screw Them by fustakrakich · · Score: 2

      I'm a 43 year old white male who is tired of seeing people being lazy and such... I'm just tired of the complaining.

      Oh the irony!

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Screw Them by DERoss · · Score: 1

      I consider myself an expert in modern technology. For 40+ years, I was a software specialist. For 30+ of those years, I tested software used by the military to operate their earth-orbiting space satellites. I do not have a cell phone, not because I do not understand them but because I have no need for one.

      However, the big deal is that cell phone text messages are very insecure. The Social Security Administration's form of two-factor authentication will not enhance users' security. Wait until some Social Security recipient -- relying on the asserted but false enhanced security of the SSA's two-factor authentication -- discovers that a hacker has redirected the direct deposit of his monthly benefit payment into a hacker's bank account.

  5. Security by Lando · · Score: 1

    It does appear to be a bit more secure than what they had in the past, but without text service it will lock out some people from using the service. With their password protocols requiring a new password every 6 months and requiring alpha-numeric and special key combinations, it virtually guarantees that the password will have to be written down, so I guess using this text requirement makes a bit of sense compared to just letting anyone in that happens across your password. I'm wondering, though, how you will be able to change numbers if you get a new phone.

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  6. It's a scam by Anonymous Coward · · Score: 0

    Until they let you leave what you've paid in to anyone other than what meets their narrowly defined criteria, I shall consider it a scam.

    I lost my dad a few months back. He was penniless, for the most part, and had only been collecting for a year and a half.

    All those years of paying in, for nothing to leave his children.

    1. Re: It's a scam by Anonymous Coward · · Score: 0

      I am sorry to hear your dad collected for a year and a half, I am sure that money could have been put to better use. We here at the SSA work very hard to deny claims and stop payments, after all and again: there is always at least one other better thing we could spend the money on, than some decrepit old or disabled and useless citizen. I hope your dad had a fairly low benefit and leave you with the assurance that you might yourself never draw any benefits at all. You see, by the time you reach 60, we will have set the earliest age to retire at 70, by the time you are 70 it will be 80 and so on. And we will never consider disability for you either due to old age. There will always be some work you can do even if we have to invent it to satisfy the law. Germany's unemployment system pioneered that, they published wanted ads for fictitious jobs for old people on their job fair website so they could sanction the unemployment pay for that age group. Consider us just another tax, but don't ever expect a rusty penny from us, your SSA

    2. Re:It's a scam by Anonymous Coward · · Score: 0

      It's an insurance plan, not a savings vehicle.

    3. Re:It's a scam by uncqual · · Score: 1

      Yes, but had he lived to be 105 he would have taken out far more than he put in. Social Security is really a forced purchase of an inflation adjusted life annuity with a strong politically progressive component baked in.

      The politically progressive part is that those who contribute the least get back more benefit per dollar contributed than those that contribute the most. The first dollar (and all the dollars put in by low paid workers or those who work only a few years) result in a benefit payment SIX TIMES higher than the last dollar put in just before hitting the cap for highly paid workers who approach the cap for most of their career. And all contributions past the "highest 35 years of earnings" returns NOTHING in benefits.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    4. Re:It's a scam by BlueStrat · · Score: 1

      It's an insurance plan, not a savings vehicle.

      That's not how it was sold to the people.

      Now it's not even a plausible insurance plan, it's a blatantly-obvious Ponzi scheme that's on course for a collapse.

      If you're under 50, you would be wise to not count on any Social Security retirement benefits or health coverage being around when you get older. All that money the SSA takes from your paychecks will simply be gone. It's a tax with a cool story bro.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    5. Re:It's a scam by 93+Escort+Wagon · · Score: 1

      You're not paying in funds which you'll eventually collect - your current payments support those people who are currently receiving benefits. Then, when you're old, you're receiving payments thanks to the taxes being paid by the then-current generation of workers.

      It may seem a bit confusing, since your eligibility is at least somewhat based on your having paid into the system - but in the end it's an entitlement program, and what you will eventually get out of it is (loosely) based on what the government projects it will be pulling in at the time.

      --
      #DeleteChrome
  7. Can you hear me now? by Anonymous Coward · · Score: 0

    Just what I want - to turn over my cell phone number to the government. What could possibly go wrong?

  8. Not just seniors by Anonymous Coward · · Score: 0

    First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.

    Not just seniors.

    I'm not particularly old, but I cancelled my SSA account because I don't have a cell phone and I am quite unlikely to ever use one in the future.

    A land line is quite sufficient for me -- In all my years on earth, I have never picked up a land-line phone and not gotten a dial tone. Cell and VoIP service are many orders of magnitude less reliable.

    1. Re: Not just seniors by Anonymous Coward · · Score: 0

      Not to mention the fact that governments have turned mobile phones into devices that primarily track and spy on the user.

  9. Any end in sight? by asjk · · Score: 0

    The US seems unable to insure information. One hears of actions by the US government that are offensive in nature, such as alleged hacks of state actors or in defeating encryption. What is being done about infosec defense? The most encouraging thing I've heard in the business community is from Bank of America where CEO Brian T. Moynihan said, "The only place in the company that doesn’t have a budget constraint is. . ." cyber. He further notes they spend > $400M for this purpose. Anyhow, the vibe is that things are getting worse and the good guys are losing. One's individual security is already a part time job if one is being diligent.

  10. A ridiculous approach. by uncqual · · Score: 1

    The requirement for a cell phone w/text service is an absurd requirement. It may be a fine default, but there should be alternatives (other than VOIP based text services with their inherent security problems).

    Some people live in areas where they have broadband (at least DSL) but, due to the terrain, there is no cell coverage at a significant percentage of the homes. To use the SSA's online service, these people are likely to end up at their local coffee house using the public WiFi to access their SSA account -- not a great idea.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  11. But they tell you when you've already been pwned! by Anonymous Coward · · Score: 0

    I did not need 2FA to get anything from SSA via the website.

    What I did need was answers to a few questions about my credit history.

    So I answered all the questions, "none of the above", because, as far as I know, I never had the activities they asked about. As a result, I was denied access to the info I wanted.

    Further checking indicated that I had my identity stolen and that recently some mortgages and credit cards were opened as me.

    (And I went to credit bureau websites to try to get my credit report and because I did not answer the questions about fraudulent accounts correctly, I was denied access to my credit reports as well. And it seems that whoever stole my identity also put in a fraud alert, which is making it even harder to get my own credit report.)

    So all I could find out was that I was well & truly pwned.

    Sorting this out is going to be a fun ride!

    Whee.

  12. Idiots by Anonymous Coward · · Score: 1

    Should we be surprised that these overpaid bureaucrats are idiots?

    But, you see, they actually are not idiots. Because their goal is not to safeguard YOUR interest, but rather THEIR OWN interests. They did not do this to make the SS site more secure. They did it to cover their own asses. Now, when people or the site are hacked, they can say "We conformed to the highest industry standards" even if they didn't.

  13. . . . and then you die! by Anonymous Coward · · Score: 0
  14. I don't understand the text security angle by mx+b · · Score: 2

    Fully agree with potential problems of requiring a cell phone: not all people that use the system will have access to cell phones or text messages, for example. There's also the question of how to update your cell phone number in the system if it changes. Krebs seems to be focused on the creation of accounts, which allows you to register a phone number and lock others out (which gets back to that updating your number thing); that seems to be a potentially big problem, considering how many security breaches have leaked our SSNs and what not. If all I need is a name and SSN to initially register and get benefits, then the system needs a better way of verifying identity before allowing to apply.

    But I don't understand the text message security complaint that is "more important". Two factor auth means I need *two* things. Even if someone were to intercept the text message (which I believe is difficult, requiring special equipment and proximity to the victim, but feel free to correct me), the point of the system is that nothing can be done with that text without also knowing the password. And if someone knows your password and text messages, then no system is going to prevent an intruder. I understand that NIST is working to update the recommendation (which is a good idea), but I feel like its more safe than not using 2FA (it at least requires attackers to do much more work!), and I'm sure when the NIST guidelines are finalized, other agencies will begin the move to the new recommendation too. It seems a mountain out of a molehill. Am I missing something?

    1. Re:I don't understand the text security angle by Anonymous Coward · · Score: 0

      there is no reason for any US citizen to not have a cellphone. the ones who have money to pay for their own are getting charged monthly for a universal lifeline charge to subsidize those who can't pay for their own cellphones. aka, the obamaphone. http://www.obamaphone.com/obamaphone-providers. seems to be available all over the USA. maybe it's not being advertised properly, that's why some people still don't have cellphones. but if everyone here told their grandparents about it, and asked them to spread the news to their friends and to their friends, it could probably go viral and solve this problem of not everyone having access to a cellphone or text messages.

    2. Re: I don't understand the text security angle by Anonymous Coward · · Score: 0

      Even if you ignore the "I don't fucking want one" reason, it is simply not true that just because you have a cell phone that you have SMS enabled on it, or ever want to.

    3. Re:I don't understand the text security angle by radarskiy · · Score: 1

      The problem is that texts are not addressed to your phone or even your SIM card but to your number. The security of SMS 2FA is limited by the security of getting a new SIM for a given number which is just a small amount of social engineering. You may not even notice right away that your number has been redirected.

    4. Re:I don't understand the text security angle by Anonymous Coward · · Score: 0

      Sure. But isn't that still strictly better? You still need the password, which is completely out-of-band with respect to the SMS channel, and you also now need the SMS channel. Why are we talking about this like it's bad for security -- it's clearly an improvement in security, even if there are still further improvements which could be made.

    5. Re:I don't understand the text security angle by CAOgdin · · Score: 1

      Only an A.C. can make this claim. Fully one third of people DON'T want or need a cellphone, and of those, about half can't afford it. Further, as others have noted, many people don't even KNOW HOW to enable SMS on their cellphone. This is gubmint bureaucracy at its worst: MY WAY OR THE HIGHWAY system design. They can use email, and anyone who accesses My SSA through the internet has an email address...or can get one, free.

  15. This is bullsht by Anonymous Coward · · Score: 0

    I have one of the latest devices and I know how to use it. I also have ALL text messages (SMS) blocked from my phone because I don't need or want text messages in my life (let alone the spam that comes with them). So now I'm supposed to be unable to use govt services? This is a bunch of techno-bullshit.

  16. There's nothing to steal by ronmon · · Score: 1

    If they break into mine all they can do is deposit.

    Bring it on, bitches.

  17. If there is one vulnerability, there are two by phantomfive · · Score: 1

    Vulnerabilities never come alone.

    --
    "First they came for the slanderers and i said nothing."
  18. Who cares? The most they will get is some dookie. by Anonymous Coward · · Score: 0

    They don't need better hacker security this is just another push.

    Who already have your data are the US Surveillance agencies. Will they distribute it? Will they still be alive to do so?

  19. Yes. by h8sg8s · · Score: 1

    "Is The US Social Security Site Still Vulnerable To Identity Theft?" The answer is almost certainly, yes. But is it vulnerable to the *same* threat as last time, and the answer, again, is probably yes.

    --
    Organization? You must be joking..
  20. Braindead SSA by CAOgdin · · Score: 1

    I've tried to address this issue with SSA: One-third of Americans have no cellphone service. That's all SSA will allow!

    Most banks do this with an eMail account: If they're uncertain (e.g., you've been offline for a long time), they'll send you a random string of digits you must provide back on the login page, so they know you're YOU.

    But, the SSA decided that if you don't have a cellphone, you don't deserve access to My SSA at all.

    My guess: The contractor they engaged to implement the recently mandated two-factor authentication made a side deal with AT&T or Verizon to get extra money by only implementing something from which they financially benefit!

    Please write to SSA and tell them this is not a way to treat citizens...they MUST implement the email option in their two-factor authentication, in my opinion.
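An added example, not from the original page and not code from SSA, Krebs or any commenter: a server-side issuer and verifier for the kind of one-time code comment 20 describes (a random string of digits the user types back into the login page). It enforces the properties the verifier itself controls: cryptographically random digits, a short lifetime, single use, a bounded number of guesses, and a constant-time comparison. It deliberately says nothing about the delivery channel, which is exactly radarskiy's point in comment 14.3: whether the code goes out by SMS, voice call or email, nothing in this code can tell whether the number or mailbox that received it still belongs to the account holder. The class name, the TTL and the attempt limit are assumptions, and the clock is injectable so expiry can be exercised without waiting.

```python
import hmac
import secrets
import time

# Policy values are assumptions for this example, not SSA's or any bank's.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OtpVerifier:
    """Issue and verify one-time login codes, independent of delivery channel.

    The caller is responsible for handing the returned code to SMS, email,
    voice or whatever channel it uses.  This class only guarantees that a
    code is random, expires, is accepted at most once, and cannot be brute
    forced through unlimited guesses.  It cannot detect a hijacked channel
    (SIM swap, forwarded number, compromised mailbox).
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # account_id -> [code, expires_at, attempts_left]
        self._pending = {}

    def issue(self, account_id):
        """Generate a fresh code for the account, replacing any older one."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account_id] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account_id, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[account_id]
            return False
        entry[2] -= 1  # every guess, right or wrong, consumes an attempt
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok or entry[2] <= 0:
            # Single use on success; lock out once guesses are exhausted.
            del self._pending[account_id]
        return ok


def demo():
    """Issue, accept, reject a replay, then let a code expire (fake clock)."""
    now = [1_000_000.0]
    v = OtpVerifier(clock=lambda: now[0])
    code = v.issue("user-1")
    first = v.verify("user-1", code)      # fresh and correct
    replay = v.verify("user-1", code)     # same code again: single use
    code2 = v.issue("user-1")
    now[0] += CODE_TTL_SECONDS + 1
    expired = v.verify("user-1", code2)   # past its lifetime
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The attempt counter matters more than the code length: six digits is only a million possibilities, so without a guess limit an attacker with the password can simply enumerate codes inside the five-minute window. Note also that rotating the code on every issue() call invalidates the previous one, so a user who requests a second text must use the newest code.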