Slashdot Mirror


Under Fire, US Social Security Site Changes Security Policy Again (vortex.com)

Long-time Slashdot reader Lauren Weinstein writes: I'm told that the Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."


  1. Re:"I'm told" ??? by clovis · Score: 4, Informative

    There is a message on the Social Security web site that states the SMS requirement has been removed.
    https://www.ssa.gov/myaccount/

    I agree with Krebs that the weak place in this is the initial setup, but there's no good answer for that. The SSA is better than most, though.

    To set up an account, SSA does a soft inquiry against your Experian credit report and asks you some multiple-choice questions based on that to verify that it's really you. This is easy for relatives (or pretty much anyone) to hack if you happen to be an old person that's lived in the same place for decades and only had one job.
    The questions they ask are taken from the same database as are the same questions you have to answer to get a copy of the credit report (or online IRS account, etc), so a total stranger can do testing against other agencies without setting off the wrong-answer lockout on SSA.

    If your Experian report has incorrect info (such as your current address or work history), you may need to have a copy of the report to answer the questions the way they want.

    The online account cannot be set up by you or anyone else if you have a credit freeze on your Experian credit report.
    Everyone should have a freeze on their credit report.