Slashdot Mirror


Is The US Social Security Site Still Vulnerable To Identity Theft? (krebsonsecurity.com)

Slashdot reader DERoss writes: Effective 1 August, the U.S. Social Security Administration (SSA) requires users who want to access their SSA accounts to use two-factor authentication. This involves receiving a "security" code via a cell phone text message. This creates two problems. First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.

More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.

In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that ironically, the National Institute of Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.


  1. Google Voice by duckintheface · · Score: 4, Informative

    I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number. The text message appears in my Gmail inbox and I can reply to it as I would to an email.

    Ok, maybe folks who don't have a cell phone also don't have a computer. So there needs to be an option of letting SS know that you want online services to be blocked for security purposes.

    --
    "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    1. Re:Google Voice by starless · · Score: 1

      I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number.

      I mainly use Google Voice, but I find that some companies send text messages that can't be received on my GV number.
      Instead I have to use my "real" cell number.
      (Also, I can't send text messages internationally via GV, only receive them.)

      Since Google Voice development seems to be rather stalled, I suspect things are not going to improve.

    2. Re:Google Voice by Anonymous Coward · · Score: 1

      I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number

      Yes, but... Try signing up for Google Voice if you don't have a cell phone. Google does the same thing the SSA is being called out for, here - you can't enroll in Google Voice without a mobile number for Google to text a confirmation code to! You must have created your account before you had your carrier disable text messaging.

    3. Re:Google Voice by duckintheface · · Score: 2

      I logged into my SS account and received the text message via my Google Voice number before I posted. So yes, it works.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    4. Re:Google Voice by duckintheface · · Score: 2

      No, you just have to have some other number in order to sign up for a google voice number. It could be a friend's cell number or a POTS number, or a VOIP number. They do this to prevent someone from hogging a huge quantity of Google Voice numbers.

      The verification can be by text or it can be verbal. They robocall your phone and tell you verbally the two digit code to enter into your computer.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    5. Re:Google Voice by duckintheface · · Score: 1

      You mean as opposed to giving the information to my Verizon cell phone carrier? Yes.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
    6. Re:Google Voice by duckintheface · · Score: 1

      My cell phone is an 8 year old Motorola flip phone. But even if I had a new iPhone or Android, I wouldn't be able to run my favorite version of Linux on it. Also, for anyone signing up for Social Security, a cell phone has a screen and keyboard that are too small and too limited in performance. And too expensive.

      --
      "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
  2. Security by Lando · · Score: 1

    It does appear to be a bit more secure than what they had in the past, but without text service it will lock out some people from using the service. With their password protocols requiring a new password every 6 months and requiring alpha-numeric and special key combinations, it virtually guarantees that the password will have to be written down, so I guess this text requirement makes a bit of sense compared to just letting anyone in that happens across your password. I'm wondering though how you will be able to change numbers if you get a new phone.

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  3. A ridiculous approach. by uncqual · · Score: 1

    The requirement for a cell phone w/text service is an absurd requirement. It may be a fine default, but there should be alternatives (other than VOIP based text services with their inherent security problems).

    Some people live in areas where they have broadband (at least DSL) but, due to the terrain, there is no cell coverage at a significant percentage of the homes. To use the SSA's online service, these people are likely to end up at their local coffee house using the public WiFi to access their SSA account -- not a great idea.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  4. Re:Screw Them by Anonymous Coward · · Score: 1

    A lot of people are full of excuses for why they "can't" do something. The dead giveaway is they insist on help from someone else before they've made even a token effort to do for themselves. It's just an unwillingness to learn and try new things, even when the "new things" (like SMS) aren't really new at all and are widely used by many others.

    Many of the Boomers and older folk enjoy being helpless. Not consciously, but nonetheless they do. "I can't do this" is a roundabout way to say "you should serve me". Anyone who has ever worked retail for extra money knows that older folks can't read the big brightly lit sign right in front of them (which would answer their own question) but they can spot a nametag, a thousand yards away, in the dark.

  5. Idiots by Anonymous Coward · · Score: 1

    Should we be surprised that these overpaid bureaucrats are idiots?

    But, you see, they actually are not idiots. Because their goal is not to safeguard YOUR interest, but rather THEIR OWN interests. They did not do this to make the SS site more secure. They did it to cover their own asses. Now, when people or the site are hacked, they can say "We conformed to the highest industry standards" even if they didn't.

  6. I don't understand the text security angle by mx+b · · Score: 2

    Fully agree with potential problems of requiring a cell phone: not all people that use the system will have access to cell phones or text messages, for example. There's also the question of how to update your cell phone number in the system if it changes. Krebs seems to be focused on the creation of accounts, which allows you to register a phone number and lock others out (which gets back to that updating your number thing); that seems to be a potentially big problem, considering how many security breaches have leaked our SSNs and what not. If all I need is a name and SSN to initially register and get benefits, then the system needs a better way of verifying identity before allowing them to apply.

    But I don't understand the text message security complaint that is "more important". Two factor auth means I need *two* things. Even if someone were to intercept the text message (which I believe is difficult, requiring special equipment and proximity to the victim, but feel free to correct me), the point of the system is that nothing can be done with that text without also knowing the password. And if someone knows your password and text messages, then no system is going to prevent an intruder. I understand that NIST is working to update the recommendation (which is a good idea), but I feel like it's more safe than not using 2FA (it at least requires attackers to do much more work!), and I'm sure when the NIST guidelines are finalized, other agencies will begin the move to the new recommendation too. It seems a mountain out of a molehill. Am I missing something?

    1. Re:I don't understand the text security angle by radarskiy · · Score: 1

      The problem is that texts are not addressed to your phone or even your SIM card but to your number. The security of SMS 2FA is limited by the security of getting a new SIM for a given number which is just a small amount of social engineering. You may not even notice right away that your number has been redirected.

    2. Re:I don't understand the text security angle by CAOgdin · · Score: 1

      Only an A.C. can make this claim. Fully one third of people DON'T want or need a cellphone, and of those, about half can't afford it. Further, as others have noted, many people don't even KNOW HOW to enable SMS on their cellphone. This is gubmint bureaucracy at its worst: MY WAY OR THE HIGHWAY system design. They can use email, and anyone who accesses My SSA through the internet has an email address...or can get one, free.

  7. Re:It's a scam by uncqual · · Score: 1

    Yes, but had he lived to be 105 he would have taken out far more than he put in. Social Security is really a forced purchase of an inflation adjusted life annuity with a strong politically progressive component baked in.

    The politically progressive part is that those who contribute the least get back more benefit per dollar contributed than those that contribute the most. The first dollar (and all the dollars put in by low paid workers or those who work only a few years) result in a benefit payment SIX TIMES higher than the last dollar put in just before hitting the cap for highly paid workers who approach the cap for most of their career. And all contributions past the "highest 35 years of earnings" returns NOTHING in benefits.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  8. Re:Screw Them by fustakrakich · · Score: 2

    I'm a 43 year old white male who is tired of seeing people being lazy and such... I'm just tired of the complaining.

    Oh the irony!

    --
    “He’s not deformed, he’s just drunk!”
  9. There's nothing to steal by ronmon · · Score: 1

    If they break into mine all they can do is deposit.

    Bring it on, bitches.

  10. If there is one vulnerability, there are two by phantomfive · · Score: 1

    Vulnerabilities never come alone.

    --
    "First they came for the slanderers and i said nothing."
  11. Re:It's a scam by BlueStrat · · Score: 1

    It's an insurance plan, not a savings vehicle.

    That's not how it was sold to the people.

    Now it's not even a plausible insurance plan, it's a blatantly-obvious Ponzi scheme that's on course for a collapse.

    If you're under 50, you would be wise to not count on any Social Security retirement benefits or health coverage being around when you get older. All that money the SSA takes from your paychecks will simply be gone. It's a tax with a cool story bro.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  12. Re:Screw Them by DERoss · · Score: 1

    I consider myself an expert in modern technology. For 40+ years, I was a software specialist. For 30+ of those years, I tested software used by the military to operate their earth-orbiting space satellites. I do not have a cell phone, not because I do not understand them but because I have no need for one.

    However, the big deal is that cell phone text messages are very insecure. The Social Security Administration's form of two-factor authentication will not enhance users' security. Wait until some Social Security recipient -- relying on the asserted but false enhanced security of the SSA's two-factor authentication -- discovers that a hacker has redirected the direct deposit of his monthly benefit payment into a hacker's bank account.

  13. Yes. by h8sg8s · · Score: 1

    "Is The US Social Security Site Still Vulnerable To Identity Theft?" The answer is almost certainly, yes. But is it vulnerable to the *same* threat as last time, and the answer, again, is probably yes.

    --
    Organization? You must be joking..
  14. Re:It's a scam by 93+Escort+Wagon · · Score: 1

    You're not paying in funds which you'll eventually collect - your current payments support those people who are currently receiving benefits. Then, when you're old, you're receiving payments thanks to the taxes being paid by then-current generation of workers.

    It may seem a bit confusing, since your eligibility is at least somewhat based on your having paid into the system - but in the end it's an entitlement program, and what you will eventually get out of it is (loosely) based on what the government projects it will be pulling in at the time.

    --
    #DeleteChrome
  15. Braindead SSA by CAOgdin · · Score: 1

    I've tried to address this issue with SSA: One-third of Americans have no cellphone service. That's all SSA will allow!

    Most banks do this with an eMail account: If they're uncertain (e.g., you've been offline for a long time), they'll send you a random string of digits you must provide back on the login page, so they know you're YOU.

    But, the SSA decided that if you don't have a cellphone, you don't deserve access to My SSA at all.

    My guess: The contractor they engaged to implement the recently mandated two-factor authentication made a side deal with AT&T or Verizon to get extra money by only implementing something from which they financially benefit!

    Please write to SSA and tell them this is not a way to treat citizens...they MUST implement the email option in their two-factor authentication, in my opinion.
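
An added example, not code from the thread, the SSA, or Krebs: the server side of the "random string of digits you must provide back" scheme that the comment above describes, written so that it does not care whether the code goes out by email, SMS, or a voice call. It also covers the point made earlier in the thread that the code is only a second factor: it is assumed the password check has already passed before verify() is called. The class name OneTimeCodeService, the FakeClock helper, and the constants (6 digits, 5-minute lifetime, 5 guesses) are this example's assumptions, not anything the SSA or any bank has published. The properties a practitioner would check are shown in demo(): an unpredictable code, single use, expiry, a bounded number of guesses, and a constant-time comparison.

```python
"""One-time code issuer/verifier (added example; channel-agnostic).

Delivery of the code (email, SMS, voice) is the caller's job; this module
only implements the checks that make such a code worth having.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # assumption: 6-digit numeric code
CODE_TTL_SECONDS = 300     # assumption: a code lives 5 minutes
MAX_ATTEMPTS = 5           # assumption: 5 wrong guesses burn the code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OneTimeCodeService:
    """Issues and verifies one-time codes keyed by account id."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested offline
        self._pending = {}         # account_id -> PendingCode

    def issue(self, account_id: str) -> str:
        """Generate a fresh code and return it for delivery to the user.

        Re-issuing replaces the previous code, so an intercepted old code
        cannot be kept alive by triggering new sends.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = PendingCode(code=code, issued_at=self._clock())
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        """Return True once for the right code; False for anything else.

        Expired or over-guessed codes are discarded so they can never
        succeed later; a correct code is consumed so it cannot be replayed.
        """
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]
            return False
        entry.attempts += 1
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(entry.code.encode(), submitted.strip().encode()):
            del self._pending[account_id]      # single use
            return True
        return False


class FakeClock:
    """Constructed clock for the demo; advance .t to simulate waiting."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def _wrong_guess(code: str) -> str:
    """A constructed guess guaranteed to differ from the real code."""
    return "000000" if code != "000000" else "111111"


def demo() -> dict:
    """Exercise each failure mode and return the verify() outcomes."""
    clock = FakeClock()
    svc = OneTimeCodeService(clock=clock)
    results = {}

    code = svc.issue("user-1")
    results["wrong_guess"] = svc.verify("user-1", _wrong_guess(code))
    results["right_code"] = svc.verify("user-1", code)
    results["replay"] = svc.verify("user-1", code)

    code = svc.issue("user-1")
    clock.t += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify("user-1", code)

    code = svc.issue("user-1")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("user-1", _wrong_guess(code))
    results["exhausted"] = svc.verify("user-1", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The guess limit matters more than the digit count: a 6-digit code against an unlimited number of tries is a weekend's work for a script, while five tries per code leaves an attacker who has not intercepted the message with a 1-in-200,000 chance. None of this helps against the SIM-swap case raised earlier in the thread, where the attacker receives the genuine message; that is a property of the delivery channel, not of the verifier.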