Slashdot Mirror
Is The US Social Security Site Still Vulnerable To Identity Theft? (krebsonsecurity.com)
Slashdot reader DERoss writes: Effective 1 August, the U.S. Social Security Administration (SSA) requires users who want to access their SSA accounts to use two-factor authentication. This involves receiving a "security" code via a cell phone text message. This creates two problems. First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.
More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.
In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that ironically, the National Institute for Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.
More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.
In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that ironically, the National Institute for Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.
I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number. The text message appears in my Gmail inbox and I can reply to it as I would to an email.
Ok, maybe folks who don't have a cell phone also don't have a computer. So there needs to be an option of letting SS that you want online services to be blocked for security purposes.
"He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
Fully agree with potential problems of requiring a cell phone: not all people that use the system will have access to cell phones or text messages, for example. There's also the question of how to update your cell phone number in the system if it changes. Krebs seems to be focused on the creation of accounts, which allows you to register a phone number and lock others out (which gets back to that updating your number thing); that seems to be a potentially big problem, considering how many security breaches have leaked our SSNs and what not. If all I need is a name and SSN to initially register and get benefits, then the system needs a better way of verifying identity before allowing to apply.
But I don't understand the text message security complaint that is "more important". Two factor auth means I need *two* things. Even if someone were to intercept the text message (which I believe is difficult, requiring special equipment and proximity to the victim, but feel free to correct me), the point of the system is that nothing can be done with that text without also knowing the password. And if someone knows your password and text messages, then no system is going to prevent an intruder. I understand that NIST is working to update the recommendation (which is a good idea), but I feel like its more safe than not using 2FA (it at least requires attackers to do much more work!), and I'm sure when the NIST guidelines are finalized, other agencies will begin the move to the new recommendation too. It seems a mountain out of a molehill. Am I missing something?
I'm a 43 year old white male who is tired of seeing people being lazy and such... I'm just tired of the complaining.
Oh the irony!
“He’s not deformed, he’s just drunk!”