Under Fire, US Social Security Site Changes Security Policy Again (vortex.com)
Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."
I wonder how many Slashdot users have dealt with user IDs. Either inheriting a crappy User ID system, or implementing their own User ID system. We've all done it probably dozens of times. Reserving enough address space and/or expanding a crappy field into a large enough field is basically second nature to us all.
So why can't the government of the most wealthy country on Earth come up with a better User ID? We can't say it is because they have so much invested in the old system -- because there is no old system. The old system is crappy User ID + birthday + random security questions -- and it still doesn't work.
Seriously, how can this have gone on for half as long as it has?