August 16, 2016

SSA: Ixnay on txt msg reqmnt 4 e-acct, sry

The U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at ssa.gov. The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.

In an announcement last month, the SSA said all new and existing ‘my Social Security’ account holders would need to provide a cell phone number. The SSA said the numbers would be used to send recipients an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

But sometime in the past few days, apparently, the SSA decided to rescind the cell phone rule.

“We removed the requirement to use a cell phone to access your account,” the agency noted in a message posted to its mySocial Security portal. “While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security. We continue to pursue more options beyond cell phone texting.”

Hopefully, those options will include using the U.S. Mail to send Americans a one-time code that needs to be entered at the SSA’s Web site to complete the sign-up process. I should note that the SSA is already mailing out paper letters via snail mail to Americans who’ve signed up for an SSA account online; they’re just not using that mailing to securely complete the signup and authentication process.

Here’s a redacted letter that a friend of mine received and shared the other day after signing up for an account online. It merely explains what the agency already explained about the texting policy via its Web site.

A letter that the Social Security Administration sends out via the U.S. Mail for every American who signs up to manage their benefits at ssa.gov.

The SSA does still offer the text message feature as part of what it calls “extra security” options. These extra options, by the way, do include sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, crooks won’t go through the more rigorous signup process — they’ll choose the option that requires less information. That means it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

What else does the SSA require to prove you’re you? Assuming you can buy or supply the above personal data, the agency relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.

56 comments

  1. One thing it seemed as though SSA never considered is the hundreds of thousands of American citizens overseas, people who are highly likely to need to use web access. International SMS can be notoriously flaky about arriving, so requiring its use for this group is really…user-hostile.

    wg

    • Agreed. As one of them it would be nice if their system accepted an overseas mobile number. If Amazon, Apple, Dropbox, Norton, etc can support this, so can SSA.

      • Wow! Did not mean to start a lengthy thread. I was just trying to find out where on this planet SMS is not working, since I travel all over and have not found it flaky anywhere yet.

        And yes, I am 67 and qualify as a senior. Ability to pay for cell service is a valid concern, but not related to how well SMS works overseas. Don’t think the iMessage delivery holds up, as we have Android users and even a few Windows phones. No problem with SMS thus far.

        So if there are areas where SMS is flaky, I would greatly appreciate hearing where they are.

    • Hi Wendy:

      Just curious: Where overseas have you found SMS to be flaky? I am an underwater photographer who travels globally, and have found SMS works flawlessly almost everywhere.

      I have an unlocked iPhone 6 with ATT’s international plan. Have used it in Japan, China, Singapore, Vietnam, Philippines, Oman, Egypt, Jordan, Cyprus, Turkey, Greece, Italy, Austria, UK, Canada, and Mexico the past 18 months without incident. I don’t even switch SIM cards any more.

      Dan

      • @Dan Clements: Flakiness aside, many of us older expats either can’t afford or choose not to have an international cellphone plan, and the SSA won’t send texts to foreign phone numbers. Because I lack such a plan, I won’t be able to sign up for the “extra security” options.

        Wendy Grossman is right: there are hundreds of thousands of us expats, and many if not most of us are seniors. We seniors are also the group most likely to be victimized by scammers. So while it’s nice that the SSA no longer requires “extra security,” it would be even nicer if they could allow everybody to choose it.

        • gtodon: If you are an older ex-pat with limited funds, then you should be utilizing services of your nearest United States Consulate. You must also remember the majority of the population accessing the Social Security on-line functions are within the Continental United States. To be functional and successful a program or service does not need to serve all of it’s potential customers, but simply the majority of it’s potential customers. I also highly suspect I am within your own demographic age group.

          • @Eaglewerks: U.S. consulates are useful for many things, but they are no help at all in providing much of the information available on ssa.gov. As for your notion that “a successful program or service” only needs to serve “simply the majority of it’s [sic] potential customers,” are you serious? If only 50-percent-plus-one of eligible retirees received their Social Security benefits, you’d call that a success? In any case, the complaint here is that the SSA has created a difficulty for expatriate citizens that is hardly necessary. As Wendy Grossman stated, there are hundreds of thousands of us, and it would be a simple fix to make ssa.gov accessible to people with foreign phone numbers.

            • gtodon, I truly understand your situation. There is no easy answer for you, primarily because of your chosen location. Were you within most of the Continental United States you would also be qualified to receive a free cell telephone that would be able to process texts and various styles of security messages.

              Concerning how a program is deemed successful can be determined by a number of different methodologies. A common methodology used is exampled below:

              To be functional and successful a program or service does not need to serve all of it’s potential customers, but simply the majority of it’s potential customers.
              A GENERAL GUIDELINE EXAMPLE:
              Potential Customer = approx. 65% of Possible Customer
              Successful Majority = approx. 65% of Potential Customer
              example:
              Possible Customer: 100
              Potential Customers: 65
              Successful Majority: 42 Customers Served

      • You may not be receiving SMS text messages but instead iMessages. SMS messages are best effort to the receiving device but will be undeliverable if the receiving phone is off or out of service range. iMessages can be queued and received when you return to service or connect to wifi.

        • I get perfect SMS coverage the world over, getting all SMS codes etc within seconds of them being sent no matter where I am. If your phone can connect to any carrier to get voice calls and data, it can get SMS.

          Nothing to do with iMessage etc – getting SMS globally has worked since SMS first came out, long before the existence of iMessage, and still works now – amazingly it even works if you don’t have an Apple phone!

    • I don’t know your recent experiences about international SMS arriving, but we do send out text messages to customers around the globe (yes, we do allow international numbers) as part of our 2FA strategy.

      The cases where there are consistent delivery problems are few and far between. More like hearsay.

      And yes, we have been mailing out activation codes to verify sign-up from day one. How any institution can not do that nowadays boggles the mind.

      • @Christoph: Who is “we”? Are you with the SSA? At least two commenters here, including me, have stated that the SSA won’t send messages to overseas phone numbers. If you’re disputing that, kindly tell us exactly how we can get the SSA to send messages to our phones.

        • Well, gtodon, then you could have inferred from my text that I am not with the SSA.

          I am with another institution that provides 2FA login/authentication to its clients and was referring to the rumoured SMS delivery problems.

          That the SSA does not allow non-US phone numbers may be a risk decision, ignorance about the number of users abroad, US-centricism or just a dumb choice/lack of thinking somewhere down the line. You’d have to ask them about the WHY.

          • Well, Christoph, you could have been clear in your initial post who the “we” referred to. When you write things like “we do send out text messages” and “we have been mailing out,” it’s not very helpful unless we know what you mean by “we.”

    • I am wondering if your area has “rogue cellular network transceivers” in it that interfere with some cellular signals.

    • When I last checked non-US residents were not allowed to create a my Social Security account. I’d double check today, 21aug, however that particular page is down for maintenance. When I first checked, about 2 years ago, I emailed SSA to make sure that was true and was told yes.
      As far as those saying ‘just contact the local consulate,’ that is not so easy, as few offer that service. From the Netherlands, I must use the office in Ireland. BTW, you are not even allowed to take a mobile phone into some consulates!
      And as far as spotty SMS, I have encountered that even IN the US. West Virginia is a good example and I am sure there are many more.

  2. Brian – FYI: I’m not sure where the glitch may have occurred, but I received 4 copies of the notice for this new posting, 3 of which had the same time stamp and the 4th with a time stamp 10 minutes later.

  3. Thank you so much for this article. Wonderful information and very thoughtful to have the option for blocking online access as well.
    I know you cannot post it publicly, but I wonder which option a security expert would choose? Do most security experts add their cellphone or go the snail mail route?

    Also, if you add your cellphone, then later for some reason, get a new cellphone number, can you change the cellphone number on the social security or go back to snail mail statements?

  4. Thanks for the update.

    FWIW, I did receive a timely email message from the Social Security Administration announcing the requirement for multifactor authentication to access a my Social Security account; silence from the SSA (thus far) regarding MFA reverting to optional, but moments ago, I successfully logged onto the relevant website. What is (still) required is that one’s password be changed / updated every 6 months.

    There’s an interesting intersection of demographics here. On the one hand, Brian’s (IMHO excellent) advice that anyone who’s eligible should register an online account broadly affects just about everyone earning income from a US employer; on the other hand, Social Security recipients (and they’re the folks likely to actively use this online account) are a much narrower slice of the population. (Think: Abe Simpson.)

    Multifactor authentication enhances security. Requiring that account holders use text messages sent to yuppie fones is a poor one-size-fits-all solution.

    Mentioned amongst comments in the earlier post on this subject: almost a decade ago, long preceding the popularity of text messages, Treasury Direct (a transaction account with the US Treasury Dept) implemented MFA including a step requiring online entry of letters and / or numbers printed on a credit-card-sized card uniquely issued to each account holder. This may not be best practice today, but it’s an example of security that doesn’t require that users buy and drink someone else’s Kool-Aid.

    Brian’s earlier post (and some good comments to that post) noted the SSA was requiring MFA to comply with an executive order. That order still stands. It’ll be interesting to see SSA’s new (and one hopes) improved version.

    • Yuppie Phones?

      The old Nokias and Motorolas from the mid-1990s have been able to receive SMS text messages, doesn’t take any Yuppie Phone to do that.

  5. The SSA botched the un-requirement, too.
    We set up the cell phone second factor after the SSA began requiring it (despite that, in my case, as I live overseas, it meant getting a Google Voice number to be able to receive the SMS messages, as I don’t keep a US cellphone here in Spain!) .. and after the SSA backed-out its botched implementation … they DISABLED the cellphone second factor that I’d set up on my account as well as that my wife set up on her account!

    • I’m in the same boat and see others complaining, too. Now you’re really in trouble because SSA is requiring a US mailing address and they will mail a code that allows users to turn on 2FA.

      Mark
      August 16, 2016 at 4:04 pm

  6. An alternative option if your credit is frozen:
    I visited a social security office to obtain an access code and then set up my ssa.gov site online. They told me if I went in person I would not have to thaw my credit freeze.
    Thanks for sharing your wealth of knowledge!

    • Thank you for that tidbit. Very useful. My SSA account has been hacked at least twice and I am leery.

  7. I signed up for the cell phone option several months ago, and it looks like there’s a new verification option which would have been nice to have then:
    The last eight digits of your Visa, MasterCard, or Discover credit card;
    (They couldn’t get this because my credit reports are frozen)
    Information from your W2 tax form;
    (I’m retired, no W2)
    Information from a 1040 Schedule SE (self-employment) tax form;
    (Same as above, I’m retired)
    or Your direct deposit amount, if you receive Social Security benefits.
    This would have been nice. Instead I had to drive an hour to the nearest SS office and sit in the lobby for an hour waiting for a two minute interview and my magic number. I already had an online account, but couldn’t increase the security of it online and they were unable to do anything over the phone. That still wouldn’t work for someone who froze their reports, is not working and not collecting SS benefits yet though.

  8. How would blocking online access to one’s S.S. account, to prevent criminal access, affect the tax payer when their tax preparer e-files a tax return? Would they first have to contact SSA to lift the block before their tax form could be submitted?

  9. One must have a US mailing address to sign up at ssa.gov, which means that anyone that isn’t in the country is an open invitation to spoof the retirement account.

  10. This is probably also related to NIST recently declaring SMS 2FA too insecure to be useful for… really anything.

    “If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

  11. Fraudsters work like this:

    Fraudsters carding forums such as verified.cv and else is basically run by secret service! Russia working together with usa. It’s fact! Organized crime works like this, government funding organised crime groups with knowledge and equipment to commit crime every time when world ruling class elite need to place new law or order they contact with criminals secretly who will do crime against regular slave citizens. Its simple! So world works like this scheme, problem.reaction.solution very good example was zeus malware it was completely invented by government himself and bankers. Why i reveal this here?? Cause i dont have to be afraid about nothing cause nobody not gonna believe me anyways,lol so usa people good luck and take note that soon there will be no more such things like tax return or retirement money!

  12. Or you could use Google Voice and send the text to Google Voice – which will certainly be abused by scammers (as it already is)

  13. The few senior citizens I know who have a cell phone keep it in their car for emergencies. This would be like requiring teenagers to have a slide rule to register to vote.

    • What does the summer heat do to the batteries in those cell phones where you live ? Can’t do that where I am in Texas, the inside temperature can get to 150 sometimes.

    • Not this old-timer, Larry! When I get into the car the phone stays behind. It’s my quiet time and I don’t want to be communicable! Otherwise, my Android is in my hand, and we both have great fun in disrupting traffic while chasing PokemonGo….

  14. Text messaging (SMS) is not a strong way to do second-factor authentication because of big problems with SS7. Maybe it’s better than nothing?

    NIST is a pretty heavy-weight Govt institution, and they say don’t use SMS in their new “Digital Authentication Guideline”

    https://pages.nist.gov/800-63-3/sp800-63b.html

    In section 5.1.3.2. they say:
    “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”

  15. Both my husband and I froze our credit records last year. A few months ago we went to the Social Security office on another matter, and I asked about how to sign up online (because I had gone to the Equifax site and not only couldn’t figure out where to unfreeze it, I realized I didn’t know what specific inquirer to tell them to permit access: Social Security Administration? SSA? FICA?)

    Anybody know?

  16. Aha. I just found the Unfreeze link in my history. But I still need to know the right term to permit SSA to have access.

    • I couldn’t determine which entity to unblock so I unblocked everyone. But just for two or three days, figuring that credit hackers are just not going to be that well coordinated.

      One item to note, the SSA could not access my credit report the same day I unblocked.

  17. It’s not about SIGNING UP for account access, it’s EVERY BLEEPING TIME you try to log in to check your status that you would be required, at your expense, to receive this mysterious coded text to log on at all — every time. That isn’t solved by mailing something in US Mail days or weeks later. I do not own a cell phone and never ever plan to, nor would I ever waste my time with “texting” or pay for such a ridiculous service even if I did have a cell phone. There are DOZENS of ways to make a secure multilayered access. My banks all do, with a rotating variety of “secret questions” that have to be entered in addition to the user name and password: the questions change every time I log on and have been preselected by me. Get it wrong, I don’t get in. Wrong 3 times and lockout, I have to call and speak to a human to verify who I am. Even Craigslist has an authentication system that involves, variously, either email confirmation (the 8 digit code could easily be sent to one’s email) or actual phone verification (their robot calls my land line and speaks the 8 digit code). Lots of ways exist that don’t require seniors to waste money on something they would never use — unlike the 12 year olds this is aimed at, we actually TALK to each other.

  18. Vladimir Jirasek

    As a security consultant I see the website owner dilemma: short of requiring certificates, there is no viable way to have people registered and securely authenticate to websites! Any system which uses passwords with or without any 2nd factor is susceptible only to man-in-the-middle attack.
    We desperately need a system that does not use passwords! Unfortunately, that is some years away.
    The fact is that identity and access management is the hardest domain in cyber security. Consider even middle size organisations who struggle with managing their users, access credentials and privileges. A country with 200+m people managing their SSN must be a nightmare.
    Interestingly, the US government started an initiative for seamless identity issuance and access back in 2019 (http://www.nist.gov/nstic/) but has not gone too far yet.

  19. Why not offer an offline dynamic 2FA option like Google Authenticator? Solves the issue of not being able to receive SMS, and runs on the most modest of devices.

    • Social Security is a generational thing. It is that way. It has always been that way. It will always be that way. This is a matter of fact that is not going to change without destroying it completely. This means that it is long term. It needs to be looked at as long term.

      Twenty years ago, Google didn’t even exist. The world might not have Google twenty years from now. Technology changes at such a rapid pace that what we actually end up with in the next twenty years is likely to be so radically different. It’s hard to conceive what might come to pass.

      Considering how important Social Security has become, I would not want to see the whole thing vanish from all existence just because a company like Google or some cellular service provider goes belly up.

      I’m asking for a definition of “runs on the most modest of devices”. Particularly when there is absolutely nothing that we currently have that accurately fits that description when our grandparents were teenagers paying SS taxes through their jobs. At least for maybe land line telephones (and even that is disappearing).

      • Fwiw, Google Authenticator is actually a protocol, other systems also implement it.

        But no, you probably won’t be able to run any of them on a candy bar phone. OTOH, I think some networks are dropping support for the radio bands supported by such phones.

        Yes, Google might be gone in 20 years. The SSA does indeed have a huge problem space as you note. SMS could also be gone then.

        But, you know what will probably also not be accurate for many SSA accounts in 20 years? Postal addresses. I don’t want to look up the average number of years someone maintains a given fixed address, but my average is under 5. And while we think about SSA as being for retirees, unfortunately accounts can be created for anyone who has ever worked in the USA including college students who won’t need benefits for 45-50 years – people who will likely move 10 times between now and when they actually need to use this account.

        Phone number portability has been around for at least 15 years, which means that my peers have had 1/3 as many phone numbers as residential addresses, and every 5 years that fraction becomes more significant.

        None of these systems work well on large people and time scales.

        Not even email addresses (I’m currently being forced to abandon my vanity addresses because my provider’s forwarding service doesn’t do enough signing; the address I use for this name has changed ~5 times as well).

      • *Like* Google Authenticator – emphasis on ‘like’ rather than advocating that specific product. Basically any good software token generator.

        I’m thinking in terms of low cost, availability outside potential network issues, increased security (doesn’t rely on a mobile number which can be ported), and future-proofing: Landline phones are slowly disappearing, candy-bar mobiles are disappearing, and many online tasks are beginning to expect smartphone ownership as the standard. A lightweight token generator will run on the cheapest smartphone you can find, with no compromise to security – then in 30 years when phones are all wristbands made of graphene or whatever, a software token generator can be ported across without any need to overhaul the underlying support systems.

  20. Unbelievable, I signed up for extra security a couple of weeks before it was a requirement. Today I sign into my SSA account…with no extra security step.

    They freaking canceled me out of extra security. Maybe they will cancel my $10 to lift the Equifax block?

  22. NIST has declared the end of SMS 2 part Authentication.
    https://pages.nist.gov/800-63-3/sp800-63b.html

  23. I just signed up for SMS 2FA regardless.

    Also, it’s amusing that “secure.ssa.gov” (where the login page is, etc) gets a C with Qualys SSL Labs, while the main “ssa.gov” site gets a superb A+.

    https://dev.ssllabs.com/ssltest/analyze.html?viaform=on&d=ssa.gov&hideResults=on
    https://dev.ssllabs.com/ssltest/analyze.html?viaform=on&d=secure.ssa.gov&hideResults=on

  24. Thanks for the update, Brian. I called my congressman (who just happens to be on the House SS Subcommittee), both my senators and Sen. Sherrod Brown (on the Senate SS Subcommittee) after receiving the SS email regarding text message authentication. Only Brown’s aide knew about the issue, and he said Brown’s phone had been ringing off the hook all that morning with angry calls about the new requirement. Still, that didn’t guarantee any action–just knowledge of citizen concerns.
    Since I only set up the online account to make certain no one else did (pretending to be me), I will use the lockdown method. I wasn’t even aware that lockdown was an option, so thanks for that piece of information, as well.

  25. My employer uses the “Duo” 2-factor authentication service for login to our company resources. It is very flexible. You can configure it to use a hardware token to generate the codes; google authenticator or Duo’s own authenticator on your smart phone; SMS text messages; or computer generated voice calls to your telephone (land line or cell) that tell you to press a number to continue. You can even have multiple methods, so you can have a backup. This would be far more flexible and apply to more people (almost everyone has some kind of voice phone). Why doesn’t our SSA just sign up for this or a similar commercial service? It would probably be cheaper than the taxes we pay to support all the bureaucrats who create inferior solutions.