Slashdot Mirror

← Back to Stories (view on slashdot.org)

Under Fire, US Social Security Site Changes Security Policy Again (vortex.com)

Posted by EditorDavid on from the trends-with-benefits dept.

Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."

14 of 37 comments (clear)

  1. Re:GPL: Intellectual Theft by jeffb+(2.718) · · Score: 2

    Astroturfing: you're doing it wrong.

  2. "I'm told" ??? by The+Cisco+Kid · · Score: 2

    Told by who? Via what channel? Have you verified this? How? How can someone else verify it?

    I seriously hope that they have removed that requirement, but I'd like to verify it for myself.

    "I was told by a little bird that was told by his friend that heard it from his garbage man that he heard it in a restaurant by a waitress who ......." is useless.

    1. Re:"I'm told" ??? by clovis · · Score: 4, Informative

      There is a message on the SocialSecurity web site that states the SMS requirement has been removed.
      https://www.ssa.gov/myaccount/

      I agree with Krebs that the weak place in this is the initial setup, but there's no good answer for that. The SSA is better than most, though.

      To setup an account, SSA does a soft inquiry against your Experian credit report and asks your some multiple choice questions based on that. to verify that it's really you. This is easy for relatives (or pretty much anyone) to hack if you happen to be an old person that's lived in the same place for decades and only had one job.
      The questions they ask are taken from the same database as are the same questions you have to answer to get a copy of the credit report (or online IRS account, etc), so a total stranger can do testing against other agencies without setting off the wrong-answer lockout on SSA.

      If your Experian report has incorrect info (such as your current address or work history), you may need to have a copy of the report to answer the questions the way they want.

      The online account cannot be setup by you or anyone else if you have a credit freeze on your Experian credit report.
      Everyone should have a freeze on their credit report.

    2. Re:"I'm told" ??? by Anonymous Coward · · Score: 2, Funny

      It is even easier than that. I had to get into an account when I didn't know the answer they wanted. But hey, when the right answer to the questions stay the same and the wrong answers keep changing, it only takes two tries if you pay attention.

  3. Re: Again? by orlanz · · Score: 2

    Your company AND your lawyers were idiots. If we only had less consultants like yours who are blind to the legal rights and requirements of owners who's stuff you use, we could cut out a third of the CYA BS we all deal with.

    You guys are the same type that get clients in hot water because you used a free for non-commercial use or trial based product when you weren't supposed to in the commercial setting.

  4. Why does nobody get second factor right? by markus · · Score: 2

    SMS and soft-tokens (such as the Google Authenticator cellphone app) are better than nothing. But they don't provide for particularly secure second factors, especially if the web site is a valuable target.

    I don't understand why so few sites (pretty much just Google and Github) use FIDO U2F hardware tokens. They are much more secure as the browser can cryptographically verify that there is no phishing attempt happening -- something that most users have trouble noticing. You only need a single token for an arbitrary number of sites. In many cases, you can leave the token permanently installed in your computer without compromising its security guarantees. The token is dead-simple to use. All you have to do is push a single button, when the site asks for the second factor. You can have multiple tokens, if you want a backup token for account recovery or if you own multiple computers. Any user can buy their own token from a vendor of their choice.

    And if site (e.g. your financial institution or SSA) wants to provide tokens for its clients, cheap entry-level tokens cost less than $10. In fact, I suspect you could buy them for around $1 a piece, if you placed an order on the scale of what the SSA needs.

    FIDO U2F is of course not perfect. But that can be said about all security products. There is no such thing as perfect security. But these tokens are much more secure than pretty much all alternatives, they are super easy to use, and they are dirt cheap.

    1. Re:Why does nobody get second factor right? by 93+Escort+Wagon · · Score: 4, Interesting

      The main issue I've run into with all of this is the lack of interoperability - one bank I deal with actually used to offer hardware tokens, albeit from a company I didn't know; my web host supports Google Authenticator; a different bank supports a different soft token; etc. As two-factor authentication gains traction, the annoyance / confusion factor grows.

      So I can see why SMS "two-factor" has gained steam. Almost everyone has access to it, and it's Intuitive.

      It would be great if a broad consortium of Internet companies (which would have to include Apple, Google, Microsoft, Amazon - plus perhaps the Apache Foundation - at a minimum) would get together and agree on a single standard, or perhaps one acceptable hard token and one acceptable soft token protocol which everyone would support.

      Normally I'd say this is exactly what the government should be driving; but very few of us here would trust them on this anymore... and if we don't trust their solution, it would be DOA.

      --
      #DeleteChrome
    2. Re:Why does nobody get second factor right? by clovis · · Score: 2

      As for hardware tokens, they would offer optimal security compared to SMS messaging. But people with SSA accounts setup likely may go for years, if not decades, without needing to logon until they're senior citizens.
      I cannot imagine hardware tokens being a good idea for a group of people of whom many may not even know where their teeth are.

  5. Re:Social Security is basically 100% insecure by Anonymous Coward · · Score: 5, Interesting

    I wonder how many Slashdot users have dealt with user IDs. Either inheriting a crappy User ID system, or implementing their own User ID system. We've all done it probably dozens of times. Reserving enough address space and/or expanding a crappy field into a large enough field is basically second nature to us all.

    So why can't the government of the most wealthy country on Earth come up with a better User ID? We can't say it is because they have so much invested in the old system -- because there is no old system. The old system is crappy user id+birthday+random security questions -- and it still doesn't work.

    Seriously, how can this have gone on for half as long as it has?

  6. Re:GPL: Intellectual Theft by clovis · · Score: 4, Interesting

    As a consultant for several large companies, I'd always done my work on
    Windows. Recently however, a top online investment firm asked us to do
    some work using Linux. The concept of having access to source code was
    very appealing to us, as we'd be able to modify the kernel to meet our
    exacting standards which we're unable to do with Microsoft's products.

    You've made a verbatim copy of a post is at least 14 years old. It may even be older than you are.
    https://groups.google.com/foru...

  7. Cell = no way by markdavis · · Score: 3, Interesting

    Any "security" system that requires disclosing my cell/mobile phone number is an instant and total FAIL. And I am certainly not alone about protecting that which would become the single most annoying device ever (if/when compromised/harvested by marketers).

    I find it fascinating how many business and sites now seem to think they have an absolute right to know our cell/mobile phone numbers. Not home, not work, but specifically cell/mobile. I usually have to lie to them and either put in my work number or make up a number. Obviously that won't work if they are trying to use it for text verification.

  8. SSA needs to improve password policy by arobatino · · Score: 2

    There is an undocumented 20-character limit on password length. Any longer password meeting all stated requirements is rejected (repeating only the stated requirements, not the actual reason). Although since the password has to be changed every 180 days, that's probably not enough time to crack it, if all printable characters are used (one can use a strong random username to add security, though). I'd rather be allowed to use an arbitrarily long password and not have to change it at all.

    1. Re:SSA needs to improve password policy by arobatino · · Score: 2

      Oh, and you have to give strong random answers to the required "security" questions too, otherwise that's a workaround.

  9. Setup mom w/ Google Voice for SMS because of this. by frooddude · · Score: 2

    She'll be happy she didn't pay for a cell she doesn't need.