Aug 1, 2016

Social Security Administration Now Requires Two-Factor Authentication

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.

The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

To recap: Once you establish and verify your account and start getting texted codes to login, from then on you will be more secure. If you have not signed up already, these new security options do not make it any more difficult for someone else to sign up as you.
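The enrollment and login flow the post describes, modelled as an added example (this is illustration code written for this page, not SSA code, and the SSN, username, password and phone values in the test are constructed): one ‘my Social Security’ account per Social Security number, a username/password check at login, then an 8-digit one-time code issued to the enrolled phone with an expiry, a small attempt budget and single use. The model also makes the post’s point concrete: the registry accepts whatever phone number the enroller supplies, so the second factor later proves only that the person logging in holds the phone that was enrolled, and whoever enrolls first holds the account.

```python
"""Toy model of SSA-style enrollment plus SMS one-time-code login (added example, not SSA code)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8            # the SSA text message carries an 8-digit code
CODE_TTL_SECONDS = 600     # assumed validity window; the page gives no figure
MAX_CODE_ATTEMPTS = 3      # assumed attempt budget per issued code
PBKDF2_ROUNDS = 200_000


class AccountRegistry:
    def __init__(self, now=time.time):
        self._now = now         # injectable clock so expiry can be tested
        self._accounts = {}     # sha256(ssn) -> account record
        self._pending = {}      # username -> outstanding code state

    @staticmethod
    def _ssn_key(ssn):
        # Key accounts by a hash so the registry never stores raw SSNs.
        return hashlib.sha256(ssn.encode()).hexdigest()

    def enroll(self, ssn, username, password, phone):
        """One account per SSN, first come first served.

        Nothing here ties `phone` to the real SSN holder: that is the gap the
        post describes. A code mailed to the address of record would close it.
        """
        key = self._ssn_key(ssn)
        if key in self._accounts:
            raise ValueError("an account already exists for this SSN")
        salt = secrets.token_bytes(16)
        self._accounts[key] = {
            "username": username,
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "phone": phone,
        }
        return True

    def _find(self, username):
        for acct in self._accounts.values():
            if acct["username"] == username:
                return acct
        return None

    def start_login(self, username, password):
        """Password step; on success issue a fresh one-time code to the enrolled phone.

        Returns the message that would be texted (a stand-in for the SMS send),
        or None if the username/password pair is wrong.
        """
        acct = self._find(username)
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, acct["pw_hash"]):
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = {
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return {"to": acct["phone"], "text": f"YOUR SECURITY CODE IS {code}"}

    def finish_login(self, username, code):
        """Second step: the code must be unexpired, within budget, matching, and is burned on success."""
        state = self._pending.get(username)
        if state is None:
            return False
        if self._now() > state["expires"] or state["attempts"] >= MAX_CODE_ATTEMPTS:
            del self._pending[username]      # expired or exhausted: force a new code
            return False
        state["attempts"] += 1
        if hmac.compare_digest(state["code"], code):
            del self._pending[username]      # single use
            return True
        return False


def code_from_text(text):
    """Pull the 8-digit code back out of the stand-in SMS text."""
    return text.rsplit(" ", 1)[-1]
```

Running `enroll` twice for the same SSN raises, which is exactly why the post recommends registering before someone else does; `finish_login` rejects a reused, expired or over-tried code and forces a new `start_login`.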

Considering that many senior citizens are still wary of text messages and likely have never sent or received one, it’s not clear that these optional security measures will go over well. I would like to see the SSA make it mandatory to receive a one-time code via the U.S. Mail to finalize the creation of all new accounts, whether or not users opt for “extra security.” Perhaps the agency will require this in the future, but it’s mystifying to me why it doesn’t already do this by default.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.

The SSA’s new text messaging system is apparently experiencing some technical difficulties at the moment, at least for Verizon Wireless customers. The SSA posted this message on its site over the weekend: “We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code. Verizon wireless customers are unable to access their personal my Social Security account at this time.”

Update, 1:00 p.m. ET: For the record, I requested comment from the SSA about why they did not apparently contact all users by U.S. mail to verify their identities. I received the following response:

“The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent. We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

Also, as one reader already pointed out in the comments below, the SSA’s adoption of 2-factor SMS authentication comes as the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

Update, Aug. 11, 2016: A source who helped me test some things for this story by signing up at the SSA’s portal said he received a snail mail letter the other day notifying him that someone signed up an account in his name online. So, the SSA is mailing letters if you sign up online, but they don’t take that opportunity to deliver a special code to securely complete the sign up. Go figure.


145 comments

  1. But if you try it out it says:

    We’re sorry…

    We cannot process your request at this time. Please try again later.
    If you need immediate assistance: please contact us.

  2. So, it’s the myIRS issue, part Deux?

    Sounds like further justification for CISO oversight across cabinet departments.

  3. PS – For someone many years from retirement or otherwise planning to collect SS benefits – is there a good reason NOT to just block electronic access?

  4. William Schubert

    Thought I’d test the system. I established an account long ago to block anyone else from doing it. Tried to sign in and got stopped. It did not recognize my cell number as a cell phone. Full stop.

    When I have a few hours I’ll call them and find out what is the problem. It still does what I want. No one else can get in either so I’m good with it.

    • I just tried, and it said it couldn’t process my request.

    • Don’t bother, I called and they could not troubleshoot the problem and simply directed me to my local SS office. When I called there it simply stated ‘There are no agents available, call again at a later time’

      My cell is with Verizon, so apparently they have not resolved the issue with Verizon texts.

    • Yes, I tried 5 times, nothing back. Called and the CSM told me Verizon was having issues; called Verizon, and that CSM laughed, so not sure why we are being told this.. I just think that their I.T. person doesn’t think of just how many people will be doing this..

  5. Oh, the irony! The NIST has recently said they will ban the use of SMS for 2 factor authentication codes as it is not secure. https://tech.slashdot.org/story/16/07/25/233215/nist-prepares-to-ban-sms-based-two-factor-authentication

    • You beat me to it. Example #1,369,435 of the government not living up to its own cybersecurity recommendations.

    • You might want to put all the pieces together before you decide you know it all: the article you linked specifies why NIST is advising away from *low scrutiny* SMS based 2FA, which is that it can be intercepted if it leads to a VOIP service. Given that the SSA is currently experiencing provider-specific issues (Verizon Wireless being unable to forward 2FA keys) it is highly likely that they are ALREADY compliant with the *future* NIST guidelines, which allow SMS 2FA in cases where the number is validated to lead directly to a cellphone.

      • It’s still funny because this is stated directly after.

        “OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”

        So good job SSA. Staying one step behind.

  6. Typical… when trying to enter the cell number they require.

    “We’re sorry…

    We cannot process your request at this time. Please try again later.”

    • Same here – hey at least the crook can’t do it either. At least as long as they try it with a Verizon network – 😉

    • I just set up my 2 factor auth, cell number. It gave me this same error msg that said to try later, and I got in OK about 5 minutes later. Seems a bit buggy though.

  7. Tried to block my SSN and got this nice error message.

    https://www.ssa.gov/admin/error.htm

    Sweet!

  8. Requiring a US cell-phone number doesn’t help those of us who are American citizens and are – whether on vacation, for a month, or long-term – overseas. Some financial institutions offer to call a US # – which we have in our apartment – and recite the code to be input by the customer/client. Others allow sending the code via e-mail. A third option – which Google allows, I think – is to send the code to a cell phone, even if it is not a US number.

    • I second Eric’s comment. As a permanent US ex-pat (living in Spain, yes, you can start hating me now 🙂 ) I am disenfranchised by this ill-conceived mandatory security mechanism by the US SSA.

      The right way to do such things is to integrate with multiple second factors (of which SMS would be only one, and not the preferred one), above all TOTP solutions like Google Authenticator (for being cheap, easy, and common to anyone with any kind of smartphone), and best-of-breed solutions like FIDO Alliance tokens (YubiKey for example).

      I have ALL of those things … but not a US mobile phone. So I’m S.O.L. Thanks, “my” government…

      I’m looking for a virtual SMS receiver phone number, and am talking with three companies (one of which is actually in the US, the others are outside), but it seems somewhat likely that Virtual SMS phone numbers might not be able to successfully receive codes from the US SSA, so this might be a dead-end (in addition to being an administrative burden and cost that no US person should ever have to suffer to do business with his or her own government!)

    • American phones work fine overseas as well, so unless you are permanently there you can use your US phone.

      In addition, some banks started using little credit card sized cards that provide an offline generated key-code as well. E.g. Bank of America does.

  9. I know a lot of older people that still only use a landline. I’m not sure why the government could not set this up like Gmail using voice also. We spend so much money and yet stay so behind in some things. Sometimes I just shake my head. Common sense and middle ground is becoming a distant voice…

    • According to Pew Research, only 27% of seniors have a cell phone–and I’m one of the 73% that don’t have a cell phone, so I was furious when I received the email from SS this weekend. I followed Brian’s advice to set up an online account as a precautionary measure, and now I won’t be able to access the account.
      Every other entity offers you an option of phone or email for a temporary code. My bank just sends me an email with a temp code if I’m using a browser other than the one I normally use to check my balances. Plenty of seniors have a PC or laptop; we’re fans of email, not texting. We are also the ones most at risk from hackers. A 35-year old can only check benefits (unless s/he is disabled), but seniors are the group which actually receives deposits.
      I don’t even know where to go to complain. I intend to call my senators, congressmen, and SS, as well, but I honestly don’t know who has authority to make SS come up with a more rational plan.

      • I agree totally with all your observations and am equally befuddled and angry. I also don’t agree with not allowing other options like Chase Bank does which work fine (call my landline or send me an e-mail with the code). But then one has to realize that we are talking about the ss administration which still puts your ss# on your medicare card to help the thieves steal your # and then make it nearly impossible to get a new one. Or the gov’t like the IRS which uses 1980 aged computer equipment and programs to make fraud easier for the thieves. The gov’t is only good at inefficiency and redundancy. They are ALWAYS behind the times on cybersecurity and ALWAYS will be. Isn’t that why we pay our taxes?

      • I totally agree with you. I have looked and looked for a place to complain and I cannot find any site that will allow me to complain. It appears SS can do what they want to do and we have no rights.

    • Diane Wilkinson Trefethen

      @D – When a government makes a few mistakes, all of the same type, and then stops, it’s a pretty good guess that said government is working on behalf of its citizenry. However, when that government keeps making those mistakes, those mistakes always hurt the vast majority of its citizenry, and certain select groups of citizens are never touched by said mistakes, it’s very hard to dismiss the possibility that the problems are intentional. And profitable for that select group.

  10. Wow!!! That is going to be effective – not!!!!

  11. I received an email about that yesterday. At least now I know what email address I used when I signed up.

  12. My personal opinion as a user of their website, their head of IT should go into a different line of work. They seem oblivious to the fact that the majority of their customers are probably not comfortable with technology. That they will require an EIGHT digit code is a good example. Four digits would be sufficient. More digits will increase the likelihood of keying errors and frustration, leading to people giving up on it.

  13. An obviously well-designed and tested security feature. The second contractor always gets it right…..

  14. Brian,

    If I already have freezes on my credit reports at the 4 credit reporting agencies, then do you suggest I still go onto SSA and set up the 2-factor authentication? If so, is the process instantaneous so I can set the unfreeze to last a day, or does it take longer on the backside for them to finalize the 2-factor authentication?

    • I’m not sure what goal you are looking for, but I assume you need to know that the Social Security Administration does not care what your credit worthiness is, and does not report to credit agencies, so I’m not sure why you would see a connection with the two. It is more important to protect your future with the SSA than worry about the credit agencies. Anything you can do to make hijacking your SSA account difficult for criminals is a good thing; even more important than your IRS account.

      Despite what Life-lock and a lot of other similar businesses make people believe, they can’t protect the consumer against all identity fraud; and neither can the credit reporting agencies.

  15. Well, I just tried to set-up an account so I could lock out someone else from setting one up.

    Looks like their multi-level authentication needs some work. When I entered my mobile number and clicked on the send text, I received an error message stating “This function not available at this time. Try again later.” I did receive an email stating the account had been established.

    Oh well!

  16. I just tried to sign up and after entering all my information I got this message.

    “We cannot process your request at this time. Please try again later.”

    So it is either broken… likely, or they are trying to fix it now that your post is live… less likely.

    I hope they fix it and get it right. Mailing something to my house is a fine requirement in my opinion. I do not need instant access to the site. In fact I did not even know I could create an account on their site until today. I just don’t want someone else to get access to my information/data and yes, money.

  17. Why a cell number? Not everyone has a cell phone. Besides, just because a cell number is given, who says it’s a legit phone number to me and not to someone saying they are me? All transactions should be done in person with 3 IDs, a utility bill, finger print, facial recognition, DNA, 2 references and a 10 day waiting period. Otherwise someone is always going to scam the system.

    • > just because a cell number is given who says its a legit phone number to me

      That’s the point of the article – Brian is saying this idea of security is false, if you personally haven’t created an account yet.

      > All transactions should be done in person with …

      I know you were kidding here, but that would certainly cut down on the fraud! 😛

  18. Richard Belles

    I just tried to access my social security account and as mentioned, I had to enter my cell phone number to receive a text message. Guess what? I entered my cell number and never got the text to enter into the website!! I tried three times!

  19. Like Grayslady (1 Aug. 2016) I’m one of the 73% of those age 65+ who do not own a smart phone. (Pew Research Center Factank April 29, 2015). As a result of the new Social Security login requirements it’s likely that the great majority of seniors currently using the “My Social Security website” will no longer be able to do so. With an important election coming up it’s likely that the anger generated will be directed at the current administration. Makes me wonder if there’s some political manipulation going on here.

    • As usual – another totally incompetent government agency!

      • It’s been said that we should feel grateful for not ever getting our money’s worth from our government(s); if we did we would REALLY be in trouble!

      • I agree with the description of gov’t as totally incompetent in protecting our security. They still print your SS# on your Medicare card to make it easier to steal, or to breach a medical facility and steal it from their records, and they keep it in their database. The good news: you can wait 2 hours and 15 minutes on hold when you call the SS administration for them to tell you that they don’t know why it isn’t working, or to just go and buy a cellphone, which the senior age bracket is still reluctant to do. Other online options to verify 2FA should be available, like a code sent to your landline phone or to your e-mail address. However, that would require a thinking gov’t and our gov’t certainly is not a thinking gov’t. They are always behind the cybertheft field and always will be. Isn’t that why we pay our taxes, so they can overspend and not do anything to protect us? They stink!

  20. Now it means you can’t get your tax money back anymore. That’s why the government itself allowed criminals to steal. Only reason: just put up more security. Problem, reaction and solution!

  21. The system is obviously not working. I have tried several times this morning and afternoon. I either get the “We cannot process your request at this time. Please try again later.” or it says it is sending a text message within 2 minutes but it never comes. I assume no one can get into their account at the moment.

  22. Heh. Just tried to register. Computer say, “No…” Hacked already?

  23. Something is better than nothing?

  24. “We cannot process your request at this time. Please try again later. ” — I’m on ATT. Guess I have to start all over another time.

  25. Thanks for the heads-up, and I just created a mySSA account. I note that the “extra security” cell phone number is not verified to be owned by me. I entered a cell number owned by my employer which is not associated with my name, and it worked just fine.

  26. I guess it never occurred to these cretins that SS recipients might be technology challenged or have quit trying to keep up with the latest com technology. The idea of phones used for talking and nothing else is appealing to a large percentage of the elderly population. They have no use for music streaming or internet surfing, much less texting; they just want to have access to a phone when away from home. This is the same incompetence we are used to from the Federal government. It is as if you have to be incredibly stupid or naive to be a Federal Employee in a management position. The more stupid you are the higher you can rise in government.

    • Thank you for pointing out some of the sociological issues that make this such a dumb decision by SS. There are two other rather basic issues that young, working people in these institutions often overlook: 1) elderly people have bad eyesight, and 2) elderly people typically live on a fixed income.

      One reason we prefer computers to “smart” phones is that, even with eyeglasses, it is difficult for us to read small print, especially sans serif fonts. Secondly, cell phone packages are outrageously expensive compared with landline packages. Retired people often can’t afford trendy tech gadgets, no matter how intriguing they may seem.

    • Incompetent. No other options allowed. The senior crowd owns the highest # of people that don’t use a cellphone. But leave it to the gov’t to come up with the most incompetent solutions that are never thought through well.

  27. Already had an account so I went to add my cell number. I’m on AT&T but got the “Please try again later” message.

    But I also got an SMS message with a code number, about 30 to 90 seconds after getting the “try again later” message on the web site.

    I tried three times and each code number came from a different phone number, with no other indication of the sender. Just “YOUR SECURITY CODE IS” followed by an 8 digit number (different each time). The sending phone numbers were:
    443-204-4058
    410-205-0855
    410-205-0857
    A quick Google shows these all as “AT&T Mobile” numbers which does not inspire confidence (though that info could easily be wrong or out of date).

    Hoping this is just standard government incompetence and not something more nefarious.

  28. Social Insecurity?

  29. I tried to get this working over the weekend for myself and my wife. After maybe 20 tries, I got my cell number acknowledged by SSA and received one code text. Since then, I haven’t been able to log on the SSA site at all. Never did receive another code. With my wife’s cell, never got it recorded on the SSA web site even though I tried 20 times.

    Everything the Government does is screwed up. The concept is bad since it doesn’t include email and automated voice calls like many banks do. Many seniors don’t have smart phones and why the Government doesn’t know this is incomprehensible! Good grief!!!!!

  30. I can’t believe they’re doing this! I don’t have text enabled and do NOT want it enabled.
    Plus, if they are going to give me a text msg code to logon with, it seems that the password becomes redundant.
    I gave them all the pertinent information about me to obtain the userid and password – the password is ‘secure’ according to them, so what’s the big deal with needing more security? Maybe we’re getting too many ‘executive orders’??