August 1, 2016

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”
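The flow described above is a classic server-issued one-time code: the site generates a short numeric code, delivers it out of band (here, by SMS), and accepts it only together with the username and password. The following Python is an added illustration, not the SSA's code, of how a service would store and check such codes safely. It assumes an 8-digit code as the article states; the five-minute lifetime, the three-guess budget per code and the class and function names are my own choices and are not described on the page.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8          # the article says the SSA texts an 8-digit code
CODE_TTL_SECONDS = 300   # assumed lifetime; the real value is not stated on the page
MAX_ATTEMPTS = 3         # assumed guess budget per issued code (also an assumption)


class OneTimeCodeStore:
    """Server-side bookkeeping for SMS one-time codes (hypothetical design).

    Only a salted hash of each code is kept, so a leaked table does not reveal
    live codes.  Every code expires, is single-use, and survives only a small
    number of wrong guesses before it is invalidated.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._pending = {}       # username -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code for `username`, replacing any outstanding one.

        The plaintext code is returned only so the caller can hand it to the
        SMS gateway; it must not be logged or persisted anywhere else.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[username] = [
            salt,
            self._digest(salt, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Check a submitted code; returns True at most once per issued code."""
        record = self._pending.get(username)
        if record is None:
            return False                        # nothing outstanding for this user
        salt, digest, expires_at, _ = record
        if self._clock() > expires_at:
            del self._pending[username]         # a stale code can never succeed
            return False
        record[3] -= 1                          # every check consumes an attempt
        # Constant-time comparison so response timing does not reveal how
        # many leading digits of the guess were right.
        ok = hmac.compare_digest(self._digest(salt, submitted.strip()), digest)
        if ok or record[3] == 0:
            del self._pending[username]         # single use, or budget exhausted
        return ok


if __name__ == "__main__":
    # Demo with a controllable clock; in production the default time.time is used.
    now = [1_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])
    code = store.issue("alice")
    print("code accepted:", store.verify("alice", code))      # True
    print("replay accepted:", store.verify("alice", code))    # False: single use
    code = store.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    print("expired accepted:", store.verify("alice", code))   # False: past TTL
```

The important properties are the ones the article's security argument relies on: a code proves possession of the phone only if it cannot be replayed, cannot be guessed at leisure, and dies quickly when unused. Note that none of this helps with the article's main complaint, because it all happens after an account already exists.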

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.

The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.
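To put a number on the “random guessing” point, the added example below (my own illustration, not anything from the page or the SSA) computes how likely a blind guesser is to clear a multiple-choice KBA quiz, and how much an attempt limit changes that. It uses the four questions the article mentions; the number of answer choices per question (four), the attempt limits compared, and the function names are assumptions. The Monte Carlo check uses a constructed answer key, so it runs offline. The page also notes that answers can often be looked up, which this example does not model.

```python
import random


def pass_probability(questions: int, choices: int, attempts: int) -> float:
    """Chance that uniform random guessing passes the quiz within `attempts` tries.

    A single try succeeds with probability (1/choices)**questions; tries are
    independent, so the failure probabilities multiply.
    """
    if attempts <= 0:
        return 0.0
    p_single = (1.0 / choices) ** questions
    return 1.0 - (1.0 - p_single) ** attempts


def expected_attempts(questions: int, choices: int) -> int:
    """Mean number of tries a blind guesser needs when there is no lockout."""
    return choices ** questions


def simulate_guessing(questions: int, choices: int, attempts: int,
                      trials: int, seed: int = 2016) -> float:
    """Monte Carlo cross-check of pass_probability against a constructed answer key."""
    rng = random.Random(seed)
    key = [rng.randrange(choices) for _ in range(questions)]   # constructed answer key
    passes = 0
    for _ in range(trials):
        for _ in range(attempts):
            guess = [rng.randrange(choices) for _ in range(questions)]
            if guess == key:
                passes += 1
                break
    return passes / trials


def lockout_comparison(questions: int = 4, choices: int = 4) -> dict:
    """Pass probability under several assumed attempt limits (1 = one shot, 1000 ~ no lockout)."""
    return {n: pass_probability(questions, choices, n) for n in (1, 3, 10, 100, 1000)}


if __name__ == "__main__":
    print("tries needed on average with no lockout:", expected_attempts(4, 4))
    for limit, p in lockout_comparison().items():
        print(f"attempt limit {limit:5d}: pass probability {p:.4f}")
    print("simulated, 300 attempts allowed:", simulate_guessing(4, 4, 300, 400))
```

With four four-way questions a single blind try passes about 0.4% of the time, a three-strike lockout holds that near 1%, and with no effective limit a few hundred tries is enough more often than not. The defensive lesson is that KBA only means anything when the attempt budget is small and enforced per identity, not per session.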

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

To recap: Once you establish and verify your account and start getting texted codes to log in, from then on you will be more secure. If you have not signed up already, these new security options do not make it any more difficult for someone else to sign up as you.

Considering that many senior citizens are still wary of text messages and likely have never sent or received one, it’s not clear that these optional security measures will go over well. I would like to see the SSA make it mandatory to receive a one-time code via the U.S. Mail to finalize the creation of all new accounts, whether or not users opt for “extra security.” Perhaps the agency will require this in the future, but it’s mystifying to me why it doesn’t already do this by default.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.

The SSA’s new text messaging system is apparently experiencing some technical difficulties at the moment, at least for Verizon Wireless customers. The SSA posted this message on its site over the weekend: “We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code. Verizon wireless customers are unable to access their personal my Social Security account at this time.”

Update, 1:00 p.m. ET: For the record, I requested comment from the SSA about why they did not apparently contact all users by U.S. mail to verify their identities. I received the following response:

“The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent. We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

Also, as one reader already pointed out in the comments below, the SSA’s adoption of 2-factor SMS authentication comes as the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

Update, Aug. 11, 2016: A source who helped me test some things for this story by signing up at the SSA’s portal said he received a snail mail letter the other day notifying him that someone signed up an account in his name online. So, the SSA is mailing letters if you sign up online, but they don’t take that opportunity to deliver a special code to securely complete the sign up. Go figure.


145 thoughts on “Social Security Administration Now Requires Two-Factor Authentication”

  1. PTC

    The SSA should give users the option to receive the 8-digit code through email. Some banks are already doing this.

    1. Christopher

      Do you use the same password for email, Facebook, AND your bank account? If not, good job. Problem is, a lot of (otherwise intelligent) people use the same password for everything.

      Someone clicks a link in FB, which jacks their account info, uses that to reverse engineer everything else, and now they’re in the SSA. Email isn’t considered secure, simply because of human nature. Text messages aren’t perfect either, but they seem to be a better compromise.

      Still, I think the SSA’s cheaping out here, as they could make it text or call (and as the article said, they’re reviewing additional options, so this might be added later), so that home phones work.

      1. Barry Graham

        People are not unintelligent for using the same password for all accounts. Anyone who expects people with hundreds of accounts to memorize a different password for each is dreaming. That’s why it’s so important and good to provide second level authentication. I don’t understand your comment about not allowing authentication by text messaging. As I understand it, that’s exactly what they are doing and that’s the whole point of this article!

        1. Bruce

          I have hundreds of accounts, and use a different password for each. Keeping an offline password manager really isn’t that difficult.

          If you don’t trust password managers, there are a number of other fully offline techniques that many people use.

    2. Hmmmm

      They shouldn’t make it an option – it should be a universal requirement. Otherwise it only secures accounts for people who have already created one!

  2. Phoenix

    It would make more sense to email the code like Treasury Direct does.

  3. Ricki

    67 yo unretired smartphone user here. I set up online access a few weeks ago and opted for TFA. Being a full-fledged KrebsHead I have a block on my credit. Here are some tips as a result of my experiences:
    1. Unblock Equifax for ~3 business days because the SSA will not or cannot access Equifax on the same day you unblock it.
    2. The SSA help line was quite able and helpful to me. They have a feature where you can schedule a call back and they met their predicted callback time frame.
    3. You cannot use your employer provided phone because SSA verifies the phone’s billing address matches your home address.
    4. You do not need a “smartphone” in order to text, really cheap flip phones can text too.

    1. LS

      Those are some excellent additional points, thanks for sharing! I can see this being a problem if there are people using a family plan for their cell phone service too.

  4. Bill Ehrich

    Simply blocking all electronic access seems easiest if it really works.

  5. Sam

    Brian I’m thinking should instead be .

    Fee free to delete this comment after correction to pre-empt the eventual anachronism.

    1. Sam

      Wow, okay I won’t use angle brackets when posting, then. Anyway, it’s reading:

      The SSA does offer other “extra security” options, such as the sending users a special code

      But probably should be:

      The SSA does offer other “extra security” options, such as sending users a special code

      And while this tip is indeed ‘fee’ free what I was really trying to write is that you can ‘feel’ free to remove my comments if you make the correction so that they don’t look odd pointing out an error that doesn’t exist.

      Thanks.

  6. Mike

    This is really annoying. I live overseas, and my mobile number is not 10 digits, so I haven’t been able to enter it into their stupid system. And then to add insult to injury, they have a FAQ page that says “What if I am overseas?” and the answer is simply that they can text you anyway. How can they text me if my mobile number is 11 digits and the system insists that I enter 10 digits?

  7. Mark in CA

    If I recall correctly, Mike, you can’t even access the SSA web site from outside the US without using a VPN to make it think you are in the US. As for the mobile phone number, get a US Google Voice number, which can then forward all texts to your smartphone wherever you are via Wi-Fi or standard data link.

    1. Gelon

      Google Voice is also only available to people in the US. And there are many of us who live outside the US, who don’t have 10-digit cell numbers, and no other way to receive the code. US banks are doing this now as well, and making it difficult for us to access our accounts.

      But to your first point, I have accessed my SS account from a European network, no VPN involved, several times without any issues. I will be writing my congressman.

  8. travisdh1

    “The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent. We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

    Such complete BS. Haven’t we learned that security through obscurity is no security at all? Are they not admitting that they KNOW their security doesn’t work?

  9. James Ramsey

    In order to go online, one must have a cell phone. I have one but a German cell phone has a digit sequence of 11 while a Stateside one has a digit sequence of 10. You use this cell phone to have the SSA send you a text message code for access to your account. I live in Germany so I cannot access my account as a result of the digit discrepancy. SSA, when called, referred me to the American Embassy in Frankfurt, Germany. The agent there confirmed that one must have an American cell number to access his account. If not, you are out of luck. Perhaps the SSA will rectify this problem as there are many American expatriates living abroad that will soon be able to get SS. With the restriction I have stated, these expatriates will not be able to set up a SS account online.

  10. m jones

    There are those – like this family – who do NOT use text messages. Another example of mis-management in goofernment!

    1. Jack

      Same situation here. Tying this to a cell phone is just stupid. Obviously this was an idea by some greenhorn software developer who can’t imagine a life without a cell phone.

  11. Ron T

    Well, this ends the usefulness of the ssa.gov site, at least for me. I accessed it about once a year when planning for retirement, getting a current SS statement. I have no need of the ‘my Social Security’ cuteness, and am not going to buy in to this ridiculousness.

    BTW – the email from SSA was held up by two different spam filters before I released it (twice) and let it through. I’m sure many others may never have heard about the new “service!”

  12. Erik

    For their next foray into multifactor authentication, the IRS will have you enter your social security number *twice*.

  13. Spike

    There’s a HUGE FAIL here that you missed. Their two-factor authentication system will only work with U.S. telephone numbers. Tens of thousands, maybe hundreds of thousands of Americans live outside of the U.S. and are dependent upon their Social Security benefits and will now be unable to use the web site.

  14. Clive

    It’s not only Verizon customers who are having problems. AT&T customers, as well. The telephone #: 1-855-533-8881, which the SSA Customer Service provides as a Help Desk to resolve the telephone issues, is a bogus #. The response, when there is an answer from that #, is that they have no idea what you are talking about, as it relates to the SSA problems.

  15. Isaac

    There is an optional “3rd factor” security feature that mySS offers. Once you set up the SMS cellphone requirement for 2 factor, go over to the Security Features tab and there is another factor offered. You can use the last X digits of a credit card or other verifiable data for a 3rd factor required for login. Once that data has been verified you will receive a letter on how to finalize the 3rd factor activation.

    BTW, I activated my Verizon cell phone and it went through OK so they fixed that issue as of today.

  16. Matt

    Wait… but didn’t NIST just declare 2FA via SMS text messaging obsolete?

  17. Charles Weitzel

    I have no cell phone and do not intend to have one in the future!
    One more damned BIG GOVERNMENT FORCING CITIZENS TO DO WHAT THEY REPEAT THEY!! THINK IS A GOOD IDEA PROBABLY DREAMED UP BY ANOTHER DAMNED LIFER BUREAUCRAT!! REGULATING US TIL WE CANNOT EVEN REMEMBER WHAT IT WAS LIKE TO BE FREE OF BIG GOVERNMENT INTRUDING INTO OUR LIVES??

    1. Turing Test

      Nobody is forcing you to get a cell phone or forcing you to use the SSA website.

      You don’t need a cell phone, I added my free Google Voice number to my account without any issues.

      Your outrage is misplaced.

      1. Robert Anderson

        Google Voice didn’t work for me, neither did a prepaid cell phone.

  18. David

    Okay, this is a good start. They need to clean house, though. The SSA says there are over 6 million people in the country more than 100 years old. They have no plans to fix this. Some people are receiving benefits, and some are paying into an SSA account.

    1. Turing Test

      There are not over 6 million people in the US who are at least 100 years old, David.

      There are closer to 60,000

  19. KT

    From a Fortune magazine article dated July 26, 2016 entitled “Time Is Running Out For This Popular Online Security Technique” …

    “…the U.S. National Institute of Standards and Technology (NIST) is now poised to ban the use of SMS-based two-factor authentication codes for services that plug into government IT systems.”

  20. null

    What is the ongoing advantage of using their website? I will be applying for retirement benefits within several months. Their office is not that far away and since I have to show them my birth certificate and I have my credit reports frozen, I figured I’d just call for an appointment and then visit. But unless I am moving (unlikely) or changing bank accounts (even more unlikely), why would I use their website? The more websites with my info, the greater the risk.

  21. David

    The SSA says that most Americans have cellphones, so this requirement should be no burden. But where are the statistics on ownership (and use!) of text-enabled cellphones by Social Security recipients (the disabled and those of us 62+)? Penetration of text-enabled cellphones (and users of such) in this population has to be much (vastly?) lower than in the age 18-62 general population. Many older SS recipients use computers and email but do not use text-enabled phones. We must now buy one to access our My Social Security accounts (and, to add insult to injury) at our expense for expensive text messages. This is simply a new tax on the elderly, many of whom cannot possibly afford it. And this is no small matter. Have you ever been the victim of identity theft and therefore had to change your SS direct deposit account immediately? Have you ever moved, suddenly, due to a natural disaster and had to change your account address with the SSA? Have you ever been to a SSA office and experienced the awful wait times? How about trying to make a change to your SS account on the phone?! This requirement is just nuts for many (most?) SS recipients. AARP, Congress, where are you on this issue?!

    1. null

      Just because it causes problems for some doesn’t mean they shouldn’t do it. If they can fairly easily decrease the risk of fraud to something like 90% of people then they should do it. It is not like people need to use the site all the time or that there are no other alternatives to getting the work done.

      Decisions about computer software should not be driven by the exceptions; they should be driven by the most amount of work done for the most amount of people in the best way possible.

      Increasing security almost always involves more work. Web security is almost completely out of control. They have to do something.

  22. Philip Franklin

    This is more of a FAQ rather than a comment for Mr. Krebs; I hope you could answer this: Prior to requesting the electronic block option offered by SSA, I used the new text message security measure a few times and each time I logged into the SSA website, the agency texted a new and different one-time code and I noticed a phone number with the text (that had the code) and these phone numbers would, like the access code, be different each time and from different states but with one similar factor: whenever I called these numbers, I would get the same message saying “the voicemail has not been set up.” What do these different phone numbers mean and please tell me they are not hackers trying to access logins to the SSA website?

  23. Aurelio

    Check out their policies for updating the cell phone number once you have provided it. It’s precious! You need to have the old and new cell phone numbers at hand, the old to log in to change it, the new one to set it up. Both have to be able to receive text messages.

    I guess if you have the foresight to change your account you will just have to set it up to some friend’s number for a day or two until you can get your “next” number and then have that friend send you the code so you can update to your own phone. Someone should really try these things out before implementing them….

  24. Robert Wayne Boling

    What a great idea, except that when my ID was stolen and used, they signed me up for ConsumerInfo.com credit monitoring, so they had access to my credit reports. When I found out I was a victim and put a fraud alert out, they contacted my landline provider and convinced them to put call forwarding on my line and opened accounts using the info in my credit reports to answer the security questions when Discover and Xoom called. Being silly in thinking my credit reports were safeguarded, I put my landline number in it as I didn’t think it would be healthy for anyone to enter my home to enter the call forwarding code; who knew the provider used contractors on the weekend and they were more than happy to do it for them and sign “me” up for a new 2 year contract.

  25. Dawn

    My mother has a cell phone but does not have a text plan as she doesn’t understand texting nor does she have a need for it. Don’t want to have to now pay extra for a new phone and plan with text. Can I use my cell phone number on her account? Or could my sister who has Power of Attorney?

  26. Linda k

    Does anyone know who the vendor was that implemented the MFA? They probably told the SS that there was a big issue getting this done but they moved forward with the change anyway. I read today that the change is being rolled back. The Change Manager in me is weeping.

Comments are closed.