September 18, 2013

If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time take care of that: The SSA and financial institutions say they are tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have that retiree’s benefits diverted to prepaid debit cards that the crooks control.

The SSA's "my Social Security" portal.

The SSA’s “my Social Security” portal.

Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program. The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal, which opened last year and allows individuals to create online accounts with the SSA to check their earnings and otherwise interact with the agency relative to their accounts.

Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General, said that for several years the agency was receiving about 50 such allegations a day, though those numbers have begun to decline. But thieves didn’t go away: They just changed tactics. The trouble really began earlier this year, when the Treasury started requiring that almost all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).

At the same time, the SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site. According to Lasher, as of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity. Lasher said while some of the complaints are the result of unsuccessful attempts to open an account fraudulently, some are indeed fraud.

“Social Security has already improved security over this online feature, and we continue to work with them to make additional improvements, while also investigating allegations we receive,” Lasher said. “While it’s an issue we’re taking very seriously, it’s important to keep in mind that about 62 million people receive some type of payment from SSA every month, so the likelihood of becoming a victim is very small, particularly if you’re careful about protecting your personal information.”

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam. Lasher said in the SSA’s systems, every record is tied to the SSN rather than a person’s name, since there are so many duplicate names.

“Of course, the one way to ensure that no one opens an account in your name is to open one yourself,” Lasher said. “Given the nature of other articles on your site, I think it’s important that I point out that there is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.”

SECRET BEST PRACTICES

Terry Maher, general counsel for the Network Branded Prepaid Card Association (NBPCA), said the SSA has begun asking verification questions of beneficiaries who use the my Social Security portal – such as the date and amount of last deposit — before allowing the transfer of payments to a different bank account.

Meanwhile, some banks with customers that have been burned by fraudulently diverted SSA payments are beginning to back away from managing SSA account payment changes for customers, Maher said. Increasingly, those banks are directing customers to make such changes at their local SSA office or at the SSA’s new portal. Maher said that’s because the government recently instituted a process for reclaiming funds that are fraudulently transferred to accounts that were not authorized by the beneficiary.

“Believe me, the banks and the prepaid card issuers and program managers are looking very closely at what their process is for this now because of the reclamation rights that the U.S. Treasury Department has,” Maher said, noting that although the U.S. government has always had the right to reclaim fraudulent transfers, it rarely ever exercised that option on Social Security payments. Now, that’s starting to change in a way that’s gotten the industry’s attention, he said.

“Some institutions have frankly decided that because of the difficulty of verifying people, they’ll refer them to the agency, while others are looking to out-of-wallet questions and Device ID solutions to better understand who they’re dealing with,” Maher said.  “The government is putting in place processes for doing that, and to make sure the incentives are there for the [financial] industry to make sure they know who they’re doing business with.”

The NBPCA’s Maher said the association has developed a set of best practices for the prepaid card industry to fight this and other growing forms of fraud involving government-to-consumer benefits. But he declined to discuss those best practices, saying it would give identity thieves and fraudsters ideas about how to get around them.

To get an idea of what those practices might entail, I reached out to Meta Payment Systems, a major prepaid card provider and whose card network was used in SSA fraud conducted against one SSA beneficiary who recently reached out to KrebsOnSecurity.

Brian Pulling, vice president of  Meta’s financial intelligence unit, said the company is seeing prepaid fraud “across virtually all types of government programs now,” and that fraud involving SSA payment diversions “seems to have kicked into high gear.”

Meta says its fraud department continuously reviews the volume of incoming automated clearing house (ACH) transfers on its prepaid platform for certain types of loads.

“Through these reviews, the fraud analysts look for certain red flags of fraud. The fraud analyst utilizes fraud industry tools to authenticate or verify information to either confirm or reject the transaction from the Social Security Administration,” the company said in a written statement. “If the ACH load is rejected due to fraud it is returned to the Social Security Administration promptly.”

WARNING SIGNS

Elaine Dodd, vice president of fraud training at the Oklahoma Bankers Association, said banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail, and that many customers will overlook such notices. One small member bank in Dodd’s state recently had complaints from two different customers whose SSA payments were diverted to prepaid accounts controlled by identity thieves.

“If we had one tiny little bank here that had two of these incidents in one day, that’s a lot,” Dodd said. “It tells me that this is a much bigger problem nationwide.”

Dodd said the pattern of fraud associated with these recent attacks on SSA beneficiaries mirrors the type of fraud being perpetrated in other types of government-to-consumer fraud, particularly tax return fraud.

“With the IRS fraud, the bad guys get people across a spectrum of ages, but with the SSA fraud, they get the elderly,” Dodd said. “To make matters worse, a lot of these victims are simply not connected to the Internet.”

Creating a my Social Security account to prevent this type of fraud is a good safeguard, but it’s also important not to introduce new threats in the process. Namely, if you’re not sure about the safety and security of your computer (or the computer used by a loved one who may be worried about this), make sure you start with a clean system before entering all of that sensitive information online. If your friend or relative needs to take care of this, consider helping them set it up using a Live CD. This approach can let anyone enter information online safely, even from a machine on which the hard drive is already infected with malicious software.

Anyone interested in additional stats on SSA fraud should see the testimony that the agency gave to Congress in June 2013.


34 thoughts on “Crooks Hijack Retirement Funds Via SSA Portal

  1. ted

    This is going to happen more often as government agencies do business online. The Obamacare health exchanges are going to be a nightmare.

    1. notme

      What are you basing this statement on? Do you have knowledge of how the exchange is going to process PII? Seems like a comment based your opinion of Government agencies in general.

      Do you even know what the exchange will be providing to the folks who decide to use it?

      It is not a government benefit program, it is a mercantile based selection system which provides private health care offerings to people who decide to use it.

      It is not a mandatory system that requires everyone to register.

      Seems to be a great deal of confusion surrounding this hot political item

      1. SeymourB

        With groups on all sides spreading misinformation (if not outright lies), confusion and ignorance is inevitable.

  2. Neej

    Never thought that *not* having an account somewhere could be a risk but it seems it is.

    1. Haverknoll

      I heard that it’s actually a good idea to create Facebook account even if you don’t use it. This also prevents someone from acting like you.

      1. Maureen

        FaceBook allows for many accounts with the same name. Unless you have a very unusual name, chances are there are already several accounts with your name. Having a FB account will not prevent anyone from using your name and acting like you. It’s the information associated with the name – photos, birthdays, etc – that identify you on FB.

      2. timeless

        I’ve had a dozen people try to create a Facebook account for this email address.

        The only advice I’ve received to counter this really annoying process is to associate it with a Facebook account.

        Note that eventually people will start hacking existing mySSN accounts by relying on password resets and similar. Today since there are proportionally few claimed accounts, it’s cheaper to hack (socially engineer) the account creation side.

  3. Joel Mayer

    I have something to say on the subject of doing business with the Social Security Administration through a personal computer. Your anti-virus software might not flag all the trojans and spyware on your computer. I’m finding more spyware and more trojans using Malwarebytes than when I just use my anti-virus client. (Malwarebytes is free)

    Hope This Helps.

    1. SeymourB

      MB is great, but the real lesson to be learned is that you should rely on more than one program to provide protection. While miscreants may block themselves from being detected by one program, they often won’t block themselves from all programs.

      For decent performance you should only have one real-time scanner running and rely on the others for manual/scheduled scans.

      1. Neej

        Yeah tis good. Other than the IP blocking which seems to have about 50% of the internet marked as malicious 😉

      2. JCitizen

        You can have more than one real time engine going at the same time – it is just that they need to use different or overlapping technologies; the only way to know for sure is carefully examining the event viewer for errors. Needless to say using more than one AV or firewall is inadvisable unless you know what you are doing.

        Passive real time protection can be used as much as you like, and still help on the blended defense. I use Avast and MBAM together, because one is primarily an anti-virus(and greyware), and the other an anti-malware solution. I actually have several anti-malware running at the same time, but they all use different science, like host files – registry hacks – and browser blocking settings. I never have trouble with slow performance, errors, or CPU/RAM hogging. My clients have few problems, if they update their free stuff regularly.

  4. mlemac

    While I truly hate making it any easier for the government to intrude on my life, I guess this is important.

    And what is with the question about domestic abuse on the first page?

    What does that have to do with SS benefits?

    Thanks Brian once again for your important help.

    1. IA Eng

      Maybe the SSA uis more concerned about physical extortion of their hard earned money than making the site secure.

      One has to remember that the older folk may not be able to defend themselves and manipulation is poison for them. Some may have to unwilling to hand over their sole income to a vile relative, roommate or caregiver.

      Maybe that simple question will aid, somehow, in making the issue right, over time.

  5. D.

    I just passed the word on. Thanks as usual for keeping up with all this…

  6. Maureen

    Thanks, Brian. I’ve passed it on to friends with parents who are in the target group. Some of the them resist change, but it’s nice to have the information.

  7. Andrew Conway

    There have also been SMS phishing attacks aimed at users of Social Security Direct Express debit cards. We’ve seen them in low volumes for a couple of years, but they ramped up in April of this year. Here are some typical messages that were forwarded to 7726 (the GSMA’s Spam Reporting System).

    “[DirectExpress] Card:533248-XXXX.Attention Call:6269320082”
    “(Call: 18664279861) Contact US Direct Express. Your Attention is needed.”
    “Call: 810-360-4452. US Direct Express 533248XX Accnt Issue.”

    Since all Direct Express cards begin with the same string of numbers, the spammers can include this to make their texts seem legitimate.

    Andrew Conway, Research Analyst, Cloudmark Inc.

  8. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

    Interesting article

  9. William Hayen

    When I signed up for social security, I used the SSA website and was frustrated that it only allowed an all numeric password. When are they going to get realistic and allow for alphanumeric special character upper & lower case components of the password.

    1. IA Eng

      It depends on the age of the individual who is creating these accounts, I guess. I think it would be easier to remember some numbers than trying to remember what password you have entered in.

      But the crooks know that the elderly will probably use their SSN, Phone Number, House Number, DOB or combinations of those to come up with a numbered password.

      I think the lockout should be set to 10 tries, that seems like a fair amount for the elder-folk. Those that are on SSA – at least the vast majority, are probably on the fringe when computers were coming online, so its tough to tell whether they have much skills on the PC. So keeping it simple for them may be the right way.

      Just make it the requirement 11 or more numbers, so they cannot simply enter thier phone number in and think they are safe.

  10. Mr Fraud man

    After this article SSA fraud will rise 5000 % guarantied , all thanks to Brian 🙂 He always brings new ideas to the masses .Respect .

    Some times i think he actually doing this for criminals .I mean who needs all this details !! it like a manual how to steal from SSA . sweet .That must why they love you so much .. this website is a gold mine for a criminals …

    1. meh

      Yes it is much better to not cover it and let the issue persist because they don’t feel it merits enough attention to fix it… Security through obscurity eh?

    2. QHoster

      He is actually educating how people not to fall for any scam / fraud online. The master-minds in the online crime a way ahead of Mr. Krebs. Also it is showing a real example of a working scam.

  11. John

    Today I tried to access http://www.ssa.gov/myaccount and setup an account, and was informed that it could not do it. I also tried logging in with my original name and the number – again no luck. Have they shut this down? I am 68 and use direct deposit.

      1. John

        Thanks Brian. Really enjoy your column. Still doesn’t work for me…. Sure don’t want to sit on the phone. There is certainly nothing weird about me.
        John

        1. John

          Brian, I suspect my problem is because I have credit checking blocked. This is becoming so common, they should pass on the error. And make it known up front.
          Now I have to go pay to unblock, if only I knew WHICH credit site they use!
          John

          1. JCitizen

            I went there too, but used an independent link in another search. Despite having a previous account they acted like they never heard of me. I had them send my a temporary code in my email so I could recover the account. After answering some pointed questions and redoing my security questions, I had success.

            I think they assume it is safer to just blow away the old account links and start over to be completely safe. I can’t really blame them. I was impressed with how they refuse all but the most secure passwords now.They have definitely ramped up security over there, compared with where they were two years ago.

            1. doug

              Same with me. Login doesn’t work, no account found. I used it initially to set up deposit accounts but that was 3 years ago now. Looks like they just blew the accounts away. I do not have my credit files locked. Could be that not using it for some period of time gets it removed. All payments have been regular as clockwork.

    1. Deborah S

      I had the same thing happen to me. When I contacted SSA about it they said Experian has a fraud hold on my credit report, which tells us a couple of things, good things I think. One is that SSA is cross-refing new account creation attempts with the credit bureaus, and another is that the credit bureaus are actively policing the reports in their custody and placing fraud alerts on some or all of them. I still need to look into that and decide if I want Experian to lift the fraud alert so I can create an SSA online account. After reading this article I think I’d better get on that right away.

  12. Richard Steven Hack

    I just went to the portal – and it’s only open from 5AM to 1AM Eastern Time. Well, it’s 12:20 AM Pacific Time here, gov. It’s a WEB SITE. Stay open 24 hours!

    I’m also waiting to see what sort of “verification questions” they use, since it’s almost trivial for anyone with a social media presence to have given out most of those answers already, for hackers to slurp up and use.

    1. Deborah S

      Simple solution: DON’T post those kinds of things on your social media account, and/or DON’T use question/responses that are about the information you have posted. I sometimes make up fantasy responses (and record them so I know later what they are), for websites who don’t offer anything but the most common sort of verification questions.

  13. Toni Caval

    I’ve found that one cannot register if one does not have a US mailing address. Having read the foregoing comments, I assume that’s because there is no record of me at the credit checking bureaux. Why should I, and others in the same situation, be left exposed?

  14. Jerry Leichter

    And in the always-on-top-of-things-when-it-comes-to-security department: The link bandied about for this service is http://www.ssa.gov. Since this is a site at which you’ll be entering important personal information, it’s prudent to connect to it using https. But … https://www.ssa.gov produces and “invalid certificate” error, because it serves up a certificate for http://www.socialsecurity.gov.

    There are a number of ways to fix this, and I won’t attempt to advise on the best approach. But it’s clear that the administrators of the Social Security site need to work a bit harder in setting it up.

    — Jerry

Comments are closed.