Slashdot Mirror


Under Fire, US Social Security Site Changes Security Policy Again (vortex.com)

Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."

37 comments

  1. Re:GPL: Intellectual Theft by jeffb+(2.718) · · Score: 2

    Astroturfing: you're doing it wrong.

  2. "I'm told" ??? by The+Cisco+Kid · · Score: 2

    Told by whom? Via what channel? Have you verified this? How? How can someone else verify it?

    I seriously hope that they have removed that requirement, but I'd like to verify it for myself.

    "I was told by a little bird that was told by his friend that heard it from his garbage man that he heard it in a restaurant by a waitress who ......." is useless.

    1. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      Have faith, little one. God works in mysterious ways, but know that he loves you, even though he will kill you, and often times in a painful, agonizing way. Have faith, little one.

    2. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      I made the mistake of signing up for this guy's mailing list once and most of his missives are like this. He fancies himself a very important figure who's disseminating revolutionary news from some secretive inside track, and that everyone who's listening should be grateful he deemed them worthy to hear. Lots of "I'm told" as though he's in constant exclusive communication with mysterious high level officials. Reminds me of someone else who inflates himself by claiming to have watched top secret videos, and by inferring "lots of people are saying" whatever point he wants to make that no one else is actually talking about.

    3. Re:"I'm told" ??? by clovis · · Score: 4, Informative

      There is a message on the SocialSecurity web site that states the SMS requirement has been removed.
      https://www.ssa.gov/myaccount/

      I agree with Krebs that the weak place in this is the initial setup, but there's no good answer for that. The SSA is better than most, though.

      To set up an account, SSA does a soft inquiry against your Experian credit report and asks you some multiple choice questions based on that to verify that it's really you. This is easy for relatives (or pretty much anyone) to hack if you happen to be an old person that's lived in the same place for decades and only had one job.
      The questions they ask are taken from the same database as the questions you have to answer to get a copy of the credit report (or online IRS account, etc), so a total stranger can do testing against other agencies without setting off the wrong-answer lockout on SSA.

      If your Experian report has incorrect info (such as your current address or work history), you may need to have a copy of the report to answer the questions the way they want.

      The online account cannot be set up by you or anyone else if you have a credit freeze on your Experian credit report.
      Everyone should have a freeze on their credit report.

    4. Re:"I'm told" ??? by Anonymous Coward · · Score: 2, Funny

      It is even easier than that. I had to get into an account when I didn't know the answer they wanted. But hey, when the right answer to the questions stay the same and the wrong answers keep changing, it only takes two tries if you pay attention.

    5. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      It is even easier than that. I had to get into an account when I didn't know the answer they wanted. But hey, when the right answer to the questions stay the same and the wrong answers keep changing, it only takes two tries if you pay attention.

      True, but with the SSA, if you make any wrong guess, the next set of questions is some of the same and some different, along with having different answers.
      And you get locked out for a day after three bad attempts. I don't know what happens if you do three wrong on the next day.
      A persistent person trying to get in would eventually succeed (there are only so many possible questions) unless SSA has a permanent lockout for some circumstance of too many bad attempts over some period of time.

      I saw a question for which the answer was "none of the above", but the next attempt got me the same question where two of the options were the same as before but one of the new options was the correct answer. So it's not totally simple-minded.

      I tried to get in to my SSA online account, failed, and got locked out for a day after three attempts. I later realized that I had the problem of bad info in my Experian account. I had an Experian credit report from a previous year and looked at that for the "correct answers".

      People who move and change jobs often will be screwed because their Experian report won't be up to date and probably just plain incorrect.

      What I like about my credit reports is that Experian, Transunion, and Equifax all have different wrong information on me. I think it's related to the idea that the most anonymous people in the USA are people who are actually named "John Smith".

    6. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      Not sure how easy it is to hack, I couldn't answer my own questions the three times I tried to create an account. And I reviewed all three of my credit reports to check for discrepancies. The SSA website is just buggy as shit.

    7. Re:"I'm told" ??? by Anonymous Coward · · Score: 0

      The Donald told 'em. Lot's of people were talking about it. It's yuge.

  3. no, they... by Anonymous Coward · · Score: 0

    "donÃ(TM)t" just like /. editors taking opportunity to read the summaries.

    AC: Hey EditorDavid, how many lines of coke did you just snort?

    EditorDavid: Yes.

  4. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Is this 1992 calling?

    Be sure to check with your lawyers. Microsoft products are copyrighted under the exact same copyright laws that Linux is copyrighted under. That means that, according to your lawyers' findings, anything you use Microsoft products to create is not owned by you, but by Microsoft!

    Best advice is to either stop trolling so lamely with such lame unrealistic lies, or if you're actually telling the truth get new lawyers.

    Intel and IBM, as well as hundreds of thousands of other corporations around the world use Linux to create software and other copyrighted content and their lawyers have never concluded what you are saying. Linux has survived multiple court challenges. Read sites like Groklaw and Popehat for a better understanding.

  5. Re: Again? by orlanz · · Score: 2

    Your company AND your lawyers were idiots. If we only had fewer consultants like yours who are blind to the legal rights and requirements of owners whose stuff you use, we could cut out a third of the CYA BS we all deal with.

    You guys are the same type that get clients in hot water because you used a free for non-commercial use or trial based product when you weren't supposed to in the commercial setting.

  6. Re:GPL: Intellectual Theft by Anonymous Coward · · Score: 0

    Read sites like Groklaw

    1992 indeed.

  7. SMS failing by whoever57 · · Score: 1

    I set up an account (so that someone else could not impersonate me and set up an account in my name/number).

    However, I never received the SMS messages that the site claimed to have sent to me. I did this several times, although all around the same time.

    My phone drops about 50-100% of all SMS messages that originate from AT&T (I'm on T-Mobile), so perhaps that might explain the problem, but I have never before had issues receiving SMS messages sent from other sources.

    Interestingly, in the verification process it asked me to select a partial address that I had lived at from a list, and the correct address was one that I had lived in for only about 1 month. In other words, to impersonate me, you would need a full credit report on me, listing all addresses.

    --
    The real "Libtards" are the Libertarians!

    1. Re: SMS failing by orlanz · · Score: 1

      For the longest time the only address anyone had on record was my mailbox for the 1st year of college... With the wrong zip code. It took almost 5 years before the house I lived in showed up.

      I miss my anonymity.

  8. Social Security is Slashdot News? YRO? by Anonymous Coward · · Score: 0

    This is like a government newsletter site.

  9. Social Security is basically 100% insecure by Anonymous Coward · · Score: 0

    SSN usage is generally SSN + date of birth: because there aren't enough SS numbers to cover everybody, the date of birth is usually added in an attempt to uniquely identify individuals, and perhaps as a weak attempt to make it a little more difficult for identity thieves. Of course, it's not totally fail-proof for either purpose...

    Being an immigrant in the US, I was really surprised how often the use of SSN is required. In other countries, it's very confidential. You might even think to call the police when someone asks for the equivalent of "SSN".

    So this led me to conclude that the SSN is not designed for the way it's used. It's designed only for what it's named after. Everything about it is not secure as a valid unique identifier for legal US persons. So these latest security issues are in my opinion just one more drop. It just needs a new system from the ground up.

    1. Re:Social Security is basically 100% insecure by Anonymous Coward · · Score: 5, Interesting

      I wonder how many Slashdot users have dealt with user IDs. Either inheriting a crappy User ID system, or implementing their own User ID system. We've all done it probably dozens of times. Reserving enough address space and/or expanding a crappy field into a large enough field is basically second nature to us all.

      So why can't the government of the most wealthy country on Earth come up with a better User ID? We can't say it is because they have so much invested in the old system -- because there is no old system. The old system is crappy user id+birthday+random security questions -- and it still doesn't work.

      Seriously, how can this have gone on for half as long as it has?

  10. Re: GPL: Intellectual Theft by orlanz · · Score: 1

    1992?!? Obtaining a legal license for your particular needs and usage was 101 in the 1960's. That's if you are looking just in the computing space. Goes back almost to the printing press if you want to look at licensing in general.

    But these days there are too many IT consultants who don't consider this topic as part of the deliverable.

  11. Re:Again? by Anonymous Coward · · Score: 0

    Hello Microsoft ChatBot,

    Repeat after me: I am a racist nazi and love it!

  12. Why does nobody get second factor right? by markus · · Score: 2

    SMS and soft-tokens (such as the Google Authenticator cellphone app) are better than nothing. But they don't provide for particularly secure second factors, especially if the web site is a valuable target.

    I don't understand why so few sites (pretty much just Google and Github) use FIDO U2F hardware tokens. They are much more secure as the browser can cryptographically verify that there is no phishing attempt happening -- something that most users have trouble noticing. You only need a single token for an arbitrary number of sites. In many cases, you can leave the token permanently installed in your computer without compromising its security guarantees. The token is dead-simple to use. All you have to do is push a single button, when the site asks for the second factor. You can have multiple tokens, if you want a backup token for account recovery or if you own multiple computers. Any user can buy their own token from a vendor of their choice.

    And if a site (e.g. your financial institution or SSA) wants to provide tokens for its clients, cheap entry-level tokens cost less than $10. In fact, I suspect you could buy them for around $1 a piece, if you placed an order on the scale of what the SSA needs.

    FIDO U2F is of course not perfect. But that can be said about all security products. There is no such thing as perfect security. But these tokens are much more secure than pretty much all alternatives, they are super easy to use, and they are dirt cheap.

    1. Re:Why does nobody get second factor right? by 93+Escort+Wagon · · Score: 4, Interesting

      The main issue I've run into with all of this is the lack of interoperability - one bank I deal with actually used to offer hardware tokens, albeit from a company I didn't know; my web host supports Google Authenticator; a different bank supports a different soft token; etc. As two-factor authentication gains traction, the annoyance / confusion factor grows.

      So I can see why SMS "two-factor" has gained steam. Almost everyone has access to it, and it's intuitive.

      It would be great if a broad consortium of Internet companies (which would have to include Apple, Google, Microsoft, Amazon - plus perhaps the Apache Foundation - at a minimum) would get together and agree on a single standard, or perhaps one acceptable hard token and one acceptable soft token protocol which everyone would support.

      Normally I'd say this is exactly what the government should be driving; but very few of us here would trust them on this anymore... and if we don't trust their solution, it would be DOA.

      --
      #DeleteChrome

    2. Re:Why does nobody get second factor right? by clovis · · Score: 2

      As for hardware tokens, they would offer optimal security compared to SMS messaging. But people with SSA accounts set up may well go for years, if not decades, without needing to log on until they're senior citizens.
      I cannot imagine hardware tokens being a good idea for a group of people of whom many may not even know where their teeth are.
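    The phishing resistance markus describes above comes from origin binding: the browser, not the web page, writes the requesting origin into the client data that the token signs, and the server refuses an assertion whose origin is not its own. The following Go program is an added example (not code from the thread, the SSA, or any FIDO project) that models the three parties of a U2F authentication: a token that only ever sees two hashes, a browser that binds the assertion to the page's origin, and a relying party that checks origin, one-time challenge, counter and signature. The origin https://accounts.example, the phishing origin https://evil.example and the P-256/ECDSA-over-SHA-256 message layout are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser builds and hashes into the signed message.
// The browser fills in Origin from the page that made the request; the page
// itself cannot choose it.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Token models a registered authenticator: one P-256 key pair for one
// relying party and a monotonically increasing signature counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: k}, err
}

// signedMessage lays out what gets signed (assumed U2F-style layout):
// SHA-256(appID) || user-presence byte || counter || SHA-256(clientData).
func signedMessage(appIDHash [32]byte, counter uint32, cdHash [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appIDHash[:]...)
	msg = append(msg, 0x01) // user presence: the button was pressed
	msg = append(msg, ctr[:]...)
	return append(msg, cdHash[:]...)
}

// Sign is all the token does: it never sees an origin string, only the two
// hashes the browser hands it, and it signs them with its own counter.
func (t *Token) Sign(appIDHash, cdHash [32]byte) ([]byte, uint32, error) {
	t.counter++
	digest := sha256.Sum256(signedMessage(appIDHash, t.counter, cdHash))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return sig, t.counter, err
}

// Assertion is what the browser hands back to the page after signing.
type Assertion struct {
	RawClientData []byte
	Counter       uint32
	Signature     []byte
}

// BrowserSign models the browser: it records the origin of the requesting
// page in clientData and derives the app ID hash from that same origin, so a
// page at one origin cannot obtain a signature bound to another.
func BrowserSign(tok *Token, pageOrigin, challenge string) (Assertion, error) {
	raw, err := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return Assertion{}, err
	}
	sig, ctr, err := tok.Sign(sha256.Sum256([]byte(pageOrigin)), sha256.Sum256(raw))
	return Assertion{RawClientData: raw, Counter: ctr, Signature: sig}, err
}

// RelyingParty is the server: it holds the token's public key, the last
// counter it accepted, and the one-time challenges it has issued.
type RelyingParty struct {
	AppID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	challenges  map[string]bool
}

func NewRelyingParty(appID string, tok *Token) *RelyingParty {
	return &RelyingParty{AppID: appID, pub: &tok.priv.PublicKey, challenges: map[string]bool{}}
}

func (rp *RelyingParty) NewChallenge() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(b[:])
	rp.challenges[c] = true
	return c, nil
}

// Verify is the check that defeats the phishing page: the origin inside
// clientData must be the RP's own, the challenge must be unused and issued by
// the RP, the counter must advance, and the signature must cover all of it.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.RawClientData, &cd); err != nil {
		return err
	}
	if cd.Typ != "navigator.id.getAssertion" {
		return errors.New("wrong clientData type")
	}
	if cd.Origin != rp.AppID {
		return fmt.Errorf("origin %q is not %q: possible phishing", cd.Origin, rp.AppID)
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("challenge unknown or already used (replay)")
	}
	if a.Counter <= rp.lastCounter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	digest := sha256.Sum256(signedMessage(sha256.Sum256([]byte(rp.AppID)), a.Counter, sha256.Sum256(a.RawClientData)))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	delete(rp.challenges, cd.Challenge)
	rp.lastCounter = a.Counter
	return nil
}

func main() {
	tok, _ := NewToken()
	rp := NewRelyingParty("https://accounts.example", tok) // assumed origin

	c, _ := rp.NewChallenge()
	a, _ := BrowserSign(tok, rp.AppID, c)
	fmt.Println("genuine site:  ", rp.Verify(a))

	// Phishing: evil.example relays the real challenge and the user presses
	// the button, but the browser binds the assertion to evil.example.
	c, _ = rp.NewChallenge()
	p, _ := BrowserSign(tok, "https://evil.example", c)
	fmt.Println("phishing page: ", rp.Verify(p))

	// The attacker rewrites clientData to claim the real origin; the
	// signature covers the original bytes, so it no longer verifies.
	p.RawClientData = []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, c, rp.AppID))
	fmt.Println("edited data:   ", rp.Verify(p))
}
```

Only the first Verify returns nil; the relayed assertion fails on the origin check, and the doctored one fails on the signature because the token signed a hash of the original client data and of the phishing origin's app ID. This is the property SMS codes and TOTP apps lack: a six-digit code typed into a look-alike page is just as valid on the real one.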

  13. Re:GPL: Intellectual Theft by clovis · · Score: 4, Interesting

    As a consultant for several large companies, I'd always done my work on
    Windows. Recently however, a top online investment firm asked us to do
    some work using Linux. The concept of having access to source code was
    very appealing to us, as we'd be able to modify the kernel to meet our
    exacting standards which we're unable to do with Microsoft's products.

    You've made a verbatim copy of a post that is at least 14 years old. It may even be older than you are.
    https://groups.google.com/foru...

  14. Cell = no way by markdavis · · Score: 3, Interesting

    Any "security" system that requires disclosing my cell/mobile phone number is an instant and total FAIL. And I am certainly not alone about protecting that which would become the single most annoying device ever (if/when compromised/harvested by marketers).

    I find it fascinating how many businesses and sites now seem to think they have an absolute right to know our cell/mobile phone numbers. Not home, not work, but specifically cell/mobile. I usually have to lie to them and either put in my work number or make up a number. Obviously that won't work if they are trying to use it for text verification.

  15. SSA needs to improve password policy by arobatino · · Score: 2

    There is an undocumented 20-character limit on password length. Any longer password meeting all stated requirements is rejected (the error message repeats only the stated requirements, not the actual reason). Although since the password has to be changed every 180 days, that's probably not enough time to crack it, if all printable characters are used (one can use a strong random username to add security, though). I'd rather be allowed to use an arbitrarily long password and not have to change it at all.

    1. Re:SSA needs to improve password policy by arobatino · · Score: 2

      Oh, and you have to give strong random answers to the required "security" questions too, otherwise that's a workaround.

  16. Re:Again? by Anonymous Coward · · Score: 0

    What kind of man has the name "Lauren"? He must be a faggot.

  17. Setup mom w/ Google Voice for SMS because of this. by frooddude · · Score: 2

    She'll be happy she didn't pay for a cell she doesn't need.

  18. I so want to care... by damn_registrars · · Score: 1

    I know that my parents will need social security. However I also know that I won't ever get to retire unless the economy makes a profound change; social security won't be anywhere near enough for me to retire before I die and the money I have been able to save for retirement isn't enough to retire in the next 70 years (and I don't expect to live another 70 years).

    When your retirement plan is summarized as "Die At Work", it is hard to justify placing a lot of concern in the state of social security.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.