01 Aug 16

Social Security Administration Now Requires Two-Factor Authentication

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that must be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who set up multi-factor authentication in the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.
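To make concrete what the texted code does and does not protect, here is an added example (not SSA code) of the server side of the login step described above: an 8-digit code is generated after the password check, only its hash is stored, it is single-use, it expires, and a handful of wrong guesses locks the login. The carrier gateway is replaced by an in-memory outbox so the block runs offline; the ten-minute lifetime and five-attempt cap are assumed policy values, not figures the SSA has published. Nothing here runs at account creation, which is the gap the article describes.

```python
"""Issuing and verifying an 8-digit SMS one-time code, server side.

Added illustration, not SSA code. The carrier gateway is replaced by an
in-memory outbox (SENT_SMS) so the block runs offline; the code lifetime
and attempt cap are assumed policy values, not the SSA's.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 8            # the SSA's codes are 8 digits (from the article)
CODE_LIFETIME_S = 10 * 60  # assumption: a code is good for ten minutes
MAX_ATTEMPTS = 5           # assumption: five wrong guesses lock the login

# Stand-in for the SMS gateway: (phone number, message text) pairs.
SENT_SMS: list = []


@dataclass
class PendingCode:
    digest: bytes        # SHA-256 of the code; the plaintext is never stored
    expires_at: float    # absolute time (seconds) after which it is void
    attempts: int = 0


@dataclass
class OtpService:
    pending: dict = field(default_factory=dict)   # username -> PendingCode
    locked: set = field(default_factory=set)      # usernames locked out

    def issue(self, username: str, phone: str, now: float) -> None:
        """Called only after the username/password check has succeeded."""
        if username in self.locked:
            return
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = PendingCode(
            digest=hashlib.sha256(code.encode()).digest(),
            expires_at=now + CODE_LIFETIME_S,
        )
        SENT_SMS.append((phone, f"Your one-time security code is {code}"))

    def verify(self, username: str, code: str, now: float) -> bool:
        """True exactly once per issued code, and only before it expires."""
        if username in self.locked:
            return False
        entry = self.pending.get(username)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self.pending[username]
            return False
        entry.attempts += 1
        supplied = hashlib.sha256(code.strip().encode()).digest()
        # constant-time comparison: no timing leak on how many digits matched
        if hmac.compare_digest(supplied, entry.digest):
            del self.pending[username]          # single use
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]          # stop online guessing
            self.locked.add(username)
        return False


def last_code_sent_to(phone: str) -> str:
    """Helper for the demo: pull the code out of the newest message to `phone`."""
    for to, text in reversed(SENT_SMS):
        if to == phone:
            return text.rsplit(" ", 1)[1]
    raise LookupError(phone)


if __name__ == "__main__":
    svc = OtpService()
    svc.issue("alice", "+15555550100", now=1000.0)   # constructed sample user
    code = last_code_sent_to("+15555550100")
    print("wrong code accepted:", svc.verify("alice", "00000000", now=1001.0))
    print("right code accepted:", svc.verify("alice", code, now=1002.0))
    print("replayed code accepted:", svc.verify("alice", code, now=1003.0))
```

With 10^8 possible codes and five tries per issued code, an attacker who already holds the password has roughly a 5 in 100,000,000 chance of guessing a live code, so the online-guessing problem is solved; what this does nothing about is an attacker who intercepts the text (SIM swap, number port-out) or who enrolls first with the victim's identity, which is why the NIST draft mentioned later in the article is cooling on SMS as a second factor.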

The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be answered correctly simply by guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.
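The arithmetic behind that claim is worth seeing. The following is an added illustration, not SSA or Equifax code: it computes the exact odds that someone who knows nothing, or only part of the answers, passes a multiple-choice KBA round, and how many fresh rounds it takes to get in with even odds. The four-question count is from the article; the five choices per question, the pass threshold, and the assumption that each attempt draws an independent question set are assumptions for the example.

```python
"""How well a multiple-choice KBA quiz stands up to a guesser.

Added illustration, not SSA or Equifax code. The question count (four) is
from the article; the number of choices per question, the pass threshold
and the independence of question sets across attempts are assumptions.
"""
from fractions import Fraction
from math import comb
from typing import Optional


def pass_probability(questions: int, choices: int,
                     known: int = 0, required: Optional[int] = None) -> Fraction:
    """Exact probability of passing one KBA round.

    `known` answers are treated as certain (looked up on Zillow, Facebook,
    and the like); the remaining questions are uniform guesses among
    `choices` options. `required` is how many of `questions` must be
    right to pass (default: all of them).
    """
    if required is None:
        required = questions
    unknown = questions - known
    still_needed = max(required - known, 0)
    p = Fraction(1, choices)
    # binomial tail: at least `still_needed` correct among `unknown` guesses
    return sum(
        comb(unknown, j) * p ** j * (1 - p) ** (unknown - j)
        for j in range(still_needed, unknown + 1)
    )


def success_within(attempts: int, per_round: Fraction) -> Fraction:
    """Probability that at least one of `attempts` independent rounds passes."""
    return 1 - (1 - per_round) ** attempts


def attempts_for(target: Fraction, per_round: Fraction) -> int:
    """Smallest number of independent rounds giving >= `target` success."""
    n, fail = 0, Fraction(1)
    while 1 - fail < target:
        fail *= 1 - per_round
        n += 1
    return n


if __name__ == "__main__":
    for known in range(0, 4):
        p = pass_probability(4, 5, known=known)
        print(f"{known} of 4 answers looked up: pass 1 round with p={p}, "
              f"even odds after {attempts_for(Fraction(1, 2), p)} rounds")
    print("3-of-4 pass rule, no knowledge:", pass_probability(4, 5, required=3))
```

Four questions with five choices and no knowledge is a 1-in-625 shot per round, but two answers pulled from a property-records site turn that into 1-in-25, and seventeen tries gives even odds. Real deployments are usually worse than this model: a portal that re-serves the same questions on retry, or that accepts three of four, hands the attacker far better odds than the independent-rounds assumption here, which is why rate limiting and a non-KBA proofing step (such as a mailed code) matter more than the question count.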

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s stronger “extra security” sign-up checks remain optional, they do little to block crooks from hijacking SSA benefit payments from retirees.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

To recap: Once you establish and verify your account and start getting texted codes to login, from then on you will be more secure. If you have not signed up already, these new security options do not make it any more difficult for someone else to sign up as you.

Considering that many senior citizens are still wary of text messages and likely have never sent or received one, it’s not clear that these optional security measures will go over well. I would like to see the SSA make it mandatory to receive a one-time code via the U.S. Mail to finalize the creation of all new accounts, whether or not users opt for “extra security.” Perhaps the agency will require this in the future, but it’s mystifying to me why it doesn’t already do this by default.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.

The SSA’s new text messaging system is apparently experiencing some technical difficulties at the moment, at least for Verizon Wireless customers. The SSA posted this message on its site over the weekend: “We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code. Verizon wireless customers are unable to access their personal my Social Security account at this time.”

Update, 1:00 p.m. ET: For the record, I requested comment from the SSA about why they did not apparently contact all users by U.S. mail to verify their identities. I received the following response:

“The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent.  We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

Also, as one reader already pointed out in the comments below, the SSA’s adoption of SMS-based two-factor authentication comes as the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines (Special Publication 800-63-3) that deprecates SMS as an out-of-band second factor.

Update, Aug. 11, 2016: A source who helped me test some things for this story by signing up at the SSA’s portal said he received a snail mail letter the other day notifying him that someone signed up an account in his name online. So, the SSA is mailing letters if you sign up online, but they don’t take that opportunity to deliver a special code to securely complete the sign up. Go figure.



145 comments

  1. Diane Wilkinson Trefethen

    If SSA doesn’t change this and fast, millions of SS recipients’ benefits will be at risk.

    1) @74, I’m savvy enough but a plain vanilla cell phone is much less expensive (about 50% less) than a smart phone,
    2) Some packages don’t include text,
    3) Two or three attempts to comply and the average senior will just quit. No access = no ability to sound the alert if something is wrong.

    I also agree with all the above negative comments. This new set of requirements is SO stupid, SO dangerous, the reasons for them must be either 1) to enable the theft of our benefits or 2) allow Republicans to muck things up so as to prove SSA incompetent so they can privatize SS and Wall Street can make a fortune off us while depleting our accounts.

  2. The SSA has taken it upon themselves to block all access to my account without my having taken any action. This apparently was in response to my recent experience with someone having fraudulently filed 2015 taxes on my behalf earlier this year.
    I didn’t think the agencies talked to one another but, in this case, I’m happy they did. When I tried to open a MySSA.gov account, as advised by the IRS, I was informed that I would have to physically come into a local SSA branch and present at least 2 forms of approved identification before I could open an online account.
    Brian – I would say this is even better than requiring a pin be sent via USPS to prevent fraudulent SSA accounts being opened.

  3. Just tried to access my account and it took forever to send a text code. I gave up after 10 minutes, so I hit resend code and then the code comes through. When I tried to enter the code, it wouldn’t let me; instead it locked me out for 24 hours! What a horrible login process, the worst ever. They ought to hire Google to set up this function, maybe it would actually work.

    • Social Insecurity? I love your comments Gigi. Anything the gov’t does in cybersecurity will not be done well. But then calling the SSA by phone is efficient also. There you only have to wait on the line for 2 hours and 15 minutes to have them make up some reason for why their system is not working. Actually, it will never protect you or work. That’s the nature of gov’t.

  4. Even though much of the criticism is valid, it is only fair to also refer to the official statement of SSA on this. They acknowledge many of the issues, but also have some good reasons not to implement the ‘best’ solution right away:

    https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html

    Basically they legally have to do something *now*, but are not capable of doing the best thing today yet. Still a step forward I think.

  5. This 2-factor system at SocSec has been in existence for many years, but not mandatory. The mandatory just started. You’d think they would have known long ago that their process to send Text Msgs to Verizon was defective. Each carrier’s msg portal is unique, thus each requires specific coding.

    I guess it’s just another example of the incompetence of Gov’t managers.

  6. While all this info is greatly appreciated trying to make cyber-security experts out of old codgers like me is really a waste of time. I don’t know a 2FA from a hole in the ground.

    What I see happening is that the policy wonks are either putting in systems that can be busted by a 10-year-old or ones that don’t work. They are letting the perfect become the enemy of the good. I’m on Verizon and I’d rather have a less secure 2nd authentication leg than no 2nd leg at all!

    So, while we are waiting for the perfect answer how about using SMS AND requiring direct deposit into a bank account opened in person and with ID and a fingerprint. Then the card problem goes away because the money makes a stop at a bank.

    Problem basically solved until the perfect system comes along.

  7. What about elderly folks who simply can’t afford a cellphone?

    • You think the SSA really cares whether an older person has a cellphone? That would require that they think and they don’t. None of their solutions are well thought out or timely. Your code could easily be delivered by other devices such as your landline or e-mail address but then again the SSA would actually have to put some thought into their solution and they don’t. They could care less. I own a landline, not a cellphone. Now I’ll be frozen out. However, at least my account with SSA has been set up so the cyberthieves can’t set up an addt’l account using the same SS#.

  8. What if you don’t have a cell phone. Not everyone has the money to spend for those things. And before you start screaming about the “free” phones, trust me, they are not worth free. All they are is a pain, and not a single person can help because they don’t speak English.

    • Linda, it’s 2016, cell phones are cheap af. 92% of the US owns one. You’re out of luck obviously. Go buy a cell phone.

      • “Go buy a cell phone”

        No. I don’t want one. I don’t want the coming Mark of The Beast implant either.

      • millennialsRdumb

        Thanks for confirming that millennials are all selfish, ignorant bleeps.

        Linda, Jitterbug (greatcallDOTcom) has cheap phones designed for adults, not e-children. Texting is included on some plans.

        • In some cases it is much cheaper to use a cell than a landline. I hardly use a phone so it’s about $8/mth for a cell vs $20+ last time I checked, probably closer to $30 now.

  9. I just set up an account at SS and it worked with T-Mobile.
    First text with security code never made it for some reason.

    Had them send another.

    Second text made it, but I had to re-enter after getting the “We cannot process your request at this time. Please try again later.”

    I didn’t give up and it finally processed.
    Site seems to be a little buggy or maybe they’re getting swamped at the moment.

    • T-mobile user here. Had a similar experience.

      I’m a bit concerned because of the type of T-mobile plan I have, I can not receive text messages from the IRS to secure the get transcript service. Wonder if this will mean the same problem for SSA.

      • Contact T-Mobile and let them know about the issue. They should be able to enable “premium messaging,” so you can get those codes. Once done, you can have them disable it if needed.

        It’s disabled to avoid getting charged for “premium” services like daily weather, horoscopes, and crap that you can get for free online, but also hinders legitimate things. My company sends messages via short-codes and we have the most difficulty with T-Mobile & Sprint.

        • Why are government agencies using “Premium messaging” for this purpose?

          That’s ridiculous!

          • twinmustangranchdressing

            “Premium messaging” is just the term (used by the industry or just T-Mobile) for text messages sent by a computer or whatever rather than a human.

  10. Does anyone know if this will work before I spend 2 hours on hold for SSA help?

    My parents do not have cell phones. I already have an SSA account myself and am about to add my (non-VZW) cell for the 2FA. Will the SSA allow more than one account to use the same cell phone number for 2FA?

    I would be VERY surprised if the answer is “yes” (it seems like a violation of the “spirit” of 2FA), but figured someone may have already tried.

    • Not sure if it would even work, but they definitely discourage using your phone number to set up your parents account. Here is what the sign up page says:

      https://secure.ssa.gov/RIL/SiView.do

      You can only create an account using your own personal information and for your own exclusive use.

      You cannot create an account on behalf of another person or using another person’s information or identity, even if you have that person’s written permission.

      For example, you cannot create an account for another person:

      With whom you have a business relationship,
      For whom you are a representative payee, or
      For whom you are an appointed representative.

      Unauthorized use of this service may subject you to criminal or civil penalties, or both.

      • Mike,

        I wasn’t talking about accessing the account on their behalf. We just want THEM to be able to without having access to a text-enabled cellphone for the 2FA.

        About every other year, they misplace their 1099-SSA and need to get a copy on-line.

    • When I signed up, the SSA verified that my cell phone billing address matched my address, preventing me from using my employer provided cell phone. So I used my spouse’s phone.

      YMMV

  11. “We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.” Security through obscurity! Another great paradigm that’s sure to thwart the bad guys.

  12. SSA will not create an account for me. I am assuming this is because I have a freeze on my credit bureaus, per prior suggestions from Brian. This is what I am assuming anyway.

  13. A Google Voice number can be used to receive (and send) text messages. Received messages can be forwarded to email. I tested it today at the SSA site and it worked, which is fortunate since I don’t have a cell phone.

    BTW, it would have been nice if the SSA could have fixed their password requirements before imposing this. They have a 20-character limit, which is unnecessary if the password is hashed (and it would be horrible if it’s not). Worse, the site doesn’t mention it, only that the password must be AT LEAST 8 characters (and some special character requirements). A 21-character password meeting all stated requirements is rejected. Reduce to 20 characters and it works.

  14. I remembered my password and security questions, but the SSN site claimed they were wrong. They sent me a temporary password, to be reset after I logged in … but I couldn’t log in, because after I provided my cell phone number, I got “We cannot process your request at this time. Please try again later.”

  15. Treasury Direct currently sends out a one time passcode via email, which kind of makes sense since a person logging into his account might happen to be sitting in front of a computer. I don’t know why SSA couldn’t use the same system, unless they want to sell mobile phones.

  16. Isn’t offering 2FA by sending people a code to their phone the same as saying WEP is a suitable form of security for your router? An outdated practice. It’s really easy to spoof someone’s number or even ring up the phone company and make them believe you are Mr Smith when you are not, change your phone number and send the code to their phone. This has been happening to a lot of high profile people on YouTube, Instagram and Twitter.

  17. This is not a good thing. It might seem to some people like it’s good but that is only on the surface. Very few people hold on to these things for very long. Twenty years from now (if this actually holds up), it will be pretty much impossible to access the system. There are plenty of people (particularly young people) that go through five cell phones a year. Going through five different phone numbers a year. The phone number used for this will end up so long gone and given to a dozen other people by the time it really is needed. This whole thing is so convoluted that it isn’t even going to matter if the money is available or not. This isn’t even to mention that it is all dependent on whatever it is that the cell carriers do and what cellphone makers do. Much less whatever level of hacking might take place.

    2FA! HAH! Whatever……….
    Such ridiculousness that none of it is worth it. Wake up and smell the coffee brewing in the real world. Where teenagers leave their phones in their pants to get run through the washing machine. Where even adults get so tired of high cell bills and BS from customer service that they switch to a new provider and are forced into another phone number.

    Do any of you really think that anyone will actually keep up with any of this information through the years to keep the SSA constantly up to date? It would have to be FORCED by all the cell providers. That in itself will open up an entirely new set of problems.

    • I’ve actually had my phone number for the last 14 years and changed providers. They just transfer the number across to new provider. Also have not met one teenager who has left their phone in their jeans and gone through the wash. They’re too attached to their phones to let it go out of sight for more than a min.

      Although I do see a change in phone numbers with the popularity of Google Voice, WhatsApp, Skype, Facebook Messenger, these services which allow you to make calls and you only need a data plan or wifi service.

    • I’ve had my phone number for the last 14 years and changed providers. They just transfer the number across. Teenagers are glued to their phones and won’t let them out of sight for more than a min so I can’t say I have heard of phones going through the wash.

      Although it will be interesting with phone numbers as with the popularity of Skype, WhatsApp, Facebook Messenger, services that allow you to make phone calls, you just need a good data plan or wifi service and don’t really need a phone number.

  18. No cell phone here.

  19. We don’t have a cell phone.

    -And- we are planning to retire abroad within the next year, so all of our business transactions will have to be done online.

    From all of the ruckus I’ve seen on expat forums today, none of these authentication methods work from abroad. It has to be a US 10 digit cell phone number and the google voice mail option (whatever that is) is also unavailable abroad.

    This is a fiasco for retirees outside the country.

    • For retirees abroad, I’ve heard many of the embassies actually help with this and function basically as SSA offices overseas for Americans abroad. Here is a link.

      https://www.ssa.gov/foreign/foreign.htm

    • Google Voice works fine from abroad, as long as you start the sign up process using a US phone number. Get a prepaid cell phone for one month and use it to sign up. Once you have your Google Voice phone number, you can discard the cell phone account.

      You can then use Google Hangouts or hangouts.google.com to make/receive calls.

      • Don’t even need a cell to start the process. Have a home phone? Set up G-Voice, and when it asks to verify a code, tell it to call you instead of texting you. You get a call from a robot, get the 6 digit code, and you’re done. Cancel your home phone, move abroad, and follow timeless’ procedure.

    • You are right. The only way I can transfer funds from my US bank when I am abroad is to use my son’s cell phone number. I call him to see if he can accept a cell phone message from the bank, then I do the transaction using his cell phone number, and he calls or emails me with the number so I can complete the transaction. Fortunately, my bank allows two different cell phone numbers to be on file. What a hassle.

  20. Treasury Direct sends a one time password via
    email whenever you log into your TD account.
    This seems to work fine.

  21. Doesn’t work. I tried 4 times; it gives a passcode, that’s it.

  22. I don’t have a cell phone and don’t want to get one. Besides the expense, there is the harmful radiation that they emit. I suspect that top SSA officials have been bribed by the cell phone companies to compel people in this way to obtain cell phones they don’t want.

  23. “The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent. We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

    But the crooks that are good at social engineering methods will eventually get this information. Some will open a trouble ticket and get tidbits of how this process works. It’s only a matter of time before it is understood.

    The initial PIN mailed to the address on file (not changed within the past 30 days) is a smart idea. Most seniors that are inching up in the years either use the cell phone very limited, or have burn phones that are lost, stolen or just misplaced. Having one time codes transmitted to a cell phone is no more secure than by email or other means.

    Why not offer the ability for seniors to sign up for a PIN subscription service that mails a new PIN every 6 months or so ?

    With security, comes some sort of bearable pain to withstand to make the effort work. People will revolt if the changes are too dramatic. People will revolt if they are told that they have to wait for their check because their account was hijacked and they have been feeding someone overseas. If the new process has more stringent rules and they aren’t bent unless absolutely necessary, then people will throw a mumble and comply.

  24. I’m stymied from another direction. I am an American citizen living abroad drawing Social Security benefits. The SSA site forms only recognize US residents. I tried to let them know but never received a response. Hanging around on the line for 2 hours is a lot more expensive for me. What do other ex-pats do?

    • For US Citizens living or traveling abroad that need access to their IRS information I would suggest you visit the local US consulate.

  25. William Lindley

    My mother neither has nor wants a cellphone. She is frantic that she cannot login today. Does SSA really think seniors have extra $thousands to spend? This needs to be rolled back immediately. What do we do?

    • Thousands? Prepaid flip phones for like $20 or less + ~$20/month service. Or there’s always Google Voice if your mom uses a computer.

      • When I used burn phones, I went to T-Mobile.

        I bought a 45 dollar basic phone, and bought 100 dollars of air time that gave bonus minutes.

        The nice feature about the $100 of air time was it did not expire for a year. So, if the phone had very limited use, its a cheap solution, some where around 145 bucks, which averages out to 12 bucks a month.

  26. This is just to keep people from collecting their earned SS. War on poor people and a favor to Clintons, er criminals.
    Always thought I wouldn’t collect, now I know it. F^#(

  27. Ah! Interesting, then the SSA must have finished updating all their computers to XP sp2. Now they can get video in the office. And receive faxes at their desk. Neat. Not saying Congress controls them, but.
    Now, if they had problems before, mistakes and such, from data in the data, from their paper records, imagine the proofs needed now, oh doggies..and at the speed of light. And no review? Oh!

  28. I have to admit that I’m sympathetic to the SSA in this, despite the vocal posts from folks overseas or who don’t have or want a cell phone. Brian has pointed out that the online process has gaps that can be exploited. OMB and NIST have standards for securing online portals that access sensitive information that frankly SSA should have been using years ago. So when they do take steps to improve the security (agreed, it’s not foolproof, but it’s still better) we get screams about cell phone company collusion and bias. If they don’t improve security, OMB may require it be suspended. Or the crooks will continue to use the gaps from the old setup to steal from people. If they do, people complain that it’s too hard, too costly, too discriminatory to people without phones, computers etc. Frankly, in a damned if you do and damned if you don’t scenario, I say keep the service, improve the security (even if it’s not perfect) and let those who find themselves at a disadvantage figure things out. What we shouldn’t do is tell organizations not to improve security for the majority of us because a small number of folks will find themselves unable to participate.

    • You know what NIST stands for, to MOST americans?

      Not
      Interested (in)
      Science (or)
      Technology

  29. NIST just deprecated 2FA via SMS in the draft of the next Digital Authentication Guideline.

    http://nc3.mobi/references/2016-info/#0729a

    Both SSA and NIST are in the executive branch. Maybe they should talk?

    Jonathan

  30. Just tried to register for a My Social Security account and when trying to type in my address, realized that the Address Line 1 field only accepts up to 21 or 22 characters? Seriously? I can’t fit my address in, so I had to abandon the process. Did they not test the form before going live with it? I submitted a comment, so hopefully they fix it assuming it’s not a character limit for the entire inner workings of SSA.