May 10, 2017

SSA.GOV To Require Stronger Authentication

The U.S. Social Security Administration will soon require Americans to use stronger authentication when accessing their accounts at ssa.gov. As part of the change, SSA will require all users to enter a username and password in addition to a one-time security code sent to their email or phone. In this post, we’ll parse this a bit more and look at some additional security options for SSA users.

The SSA recently updated its portal with the following message:

The Social Security Administration’s message to Americans regarding the new login changes coming in July 2017.

I read that to mean that even though an email address is required to sign up at ssa.gov, the SSA is also treating email as a second authentication factor. But the above statement seemed open to interpretation, so I put my questions to the SSA. Here’s what SSA’s press office came back with:

“Beginning June 10, 2017, we will require all my Social Security account holders (both new and returning) to use a stronger authentication method to create an account or access their account. In addition to entering the username and password, people must select either of the following options to receive a one-time use security code:

  • A text message; or
  • An email.

During registration and each subsequent login, customers will receive a new, one-time use security code by text message or email – depending on their choice.

The combination of the username, password, and one-time use security code will provide access to their personal my Social Security account.”
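The flow the statement describes is a password followed by a fresh, single-use security code delivered by text or email. The following is an added example, written for this post rather than taken from the SSA, of how a service can issue and check such codes so that they really are single-use: the code is stored only as a salted HMAC, expires after a fixed lifetime, is invalidated by any later code, and is burned after a handful of wrong guesses. The 10-minute lifetime, the 5-attempt cap and the six-digit length are assumptions, and delivery is a stand-in list rather than a real SMS or mail gateway.

```python
"""Added example: single-use login codes of the kind the SSA statement describes.
Illustrative code written for this page, not the SSA's implementation. The
lifetime, attempt cap and code length are assumed values; 'delivery' just
records the message in an outbox list instead of sending SMS or e-mail."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600   # assumed lifetime; not a value from the page
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code


@dataclass
class PendingCode:
    digest: bytes        # HMAC-SHA256 of the code; the plaintext is never stored
    salt: bytes
    issued_at: float
    attempts: int = 0


@dataclass
class OneTimeCodeService:
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingCode] = field(default_factory=dict)      # username -> current code
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)   # constructed stand-in for delivery

    def _digest(self, salt: bytes, code: str) -> bytes:
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, username: str, channel: str) -> str:
        """Generate a fresh code for this login and 'send' it via the chosen channel.
        Issuing a new code replaces any earlier one, so only the newest is valid."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingCode(self._digest(salt, code), salt, self.clock())
        self.outbox.append((channel, username, code))
        return code   # returned only so the demonstration can complete the login

    def verify(self, username: str, submitted: str) -> bool:
        """True exactly once for the current, unexpired code; everything else is rejected."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]          # expired: the user must request a new one
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[username]          # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(entry.salt, submitted))
        if ok:
            del self.pending[username]          # single use
        return ok


def demo() -> Dict[str, bool]:
    """Walk through the login flow with a controllable clock; every value should be True."""
    now = [1_000_000.0]
    svc = OneTimeCodeService(clock=lambda: now[0])
    out = {}

    # 1. A login: a wrong guess is rejected, the right code works, and only once.
    code = svc.issue("alice", "email")
    wrong = "000000" if code != "000000" else "000001"
    out["wrong_code_rejected"] = not svc.verify("alice", wrong)
    out["correct_code_accepted"] = svc.verify("alice", code)
    out["replay_rejected"] = not svc.verify("alice", code)

    # 2. A code not used within its lifetime is worthless.
    code = svc.issue("alice", "text")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired_code_rejected"] = not svc.verify("alice", code)

    # 3. Requesting a code at the next login invalidates the previous one.
    first = svc.issue("alice", "email")
    second = svc.issue("alice", "email")
    out["superseded_code_rejected"] = first == second or not svc.verify("alice", first)
    svc.pending.pop("alice", None)

    # 4. Guessing is capped: after MAX_ATTEMPTS wrong tries even the right code fails.
    code = svc.issue("alice", "text")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    out["burned_after_max_attempts"] = not svc.verify("alice", code)

    out["delivered_via_chosen_channel"] = [c for c, _, _ in svc.outbox] == ["email", "text", "email", "email", "text"]
    return out


if __name__ == "__main__":
    print(demo())
```

Note that this only covers the code itself; as the analysis below points out, the whole scheme is no stronger than the account-recovery path that protects the email inbox the code is sent to.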

ANALYSIS

The idea that one can reset the password using the same email account that will receive the one-time code seems to lessen the value of this requirement as a security measure.

Notice the SSA isn’t referring to its new security scheme as “two-factor authentication,” which requires the user to supply something he knows and something he is or has.

The former is usually a password or PIN; “something he is” most often refers to biometric components (fingerprint, iris scan); whereas the “something he has” factor generally refers to the one-time code produced by a key fob or a mobile app like Google Authenticator or Duo [full disclosure: Duo is a longtime advertiser on this blog].

The move comes almost a year after the SSA enacted and then rescinded a requirement that all Americans who wish to manage their retirement benefits at ssa.gov provide a mobile phone number.

Less than two weeks after that new requirement went into effect last year, the SSA reversed itself and did away with the requirement. The policy was reversed following a rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.

SIGN UP AT SSA BEFORE SOMEONE DOES IT FOR YOU

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

So what else beyond the basic measures being enacted in June 2017 does the SSA offer Americans concerned about someone hijacking their SSA account online?

The SSA offers a set of options that it calls “extra security.” These extra options, by the way, include sending users a special code via U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, crooks won’t go through the more rigorous signup process — they’ll choose the option that requires less information. That means it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

What else does the SSA require to prove you’re you when creating a new account at my Social Security? Assuming you can buy or supply the above personal data, the agency relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax.

In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov.

Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.


57 comments

  1. IRS iTunes Card

    It’s total B.S. that “ssa.gov” doesn’t use Google Authenticator or Authy during the login process

  2. Wow! Half-SSAed two-factor security!

  3. Also of note, they require password rotation every 6 months, for a system that I might check once a year.

    Thankfully password managers exist.

  4. Why don’t they hire you to consult on a strategy? This blows my mind; they should have a security expert on speed dial.

  5. AnotherOneOfThose

    I guess we can add this to the list where we adopted “Chip and Pin” without the “Pin”.

  6. I will be retiring next year and collecting social security while traveling and possibly relocating to Europe. A text message would be useless to those US citizens collecting social security and living outside the US. Depending on which country in Europe I’m in I will be swapping SIM cards. Although I agree the email solution is weak at best, I understand why and wish there was another manner of MFA.

    • There are services that will allow you to generate a phone number in order to receive text messages and you can choose which country you want that number to be in.

    • MAYBE you could get a “free” US VOIP account and phone number now; Google voice, Text now – if used enough they don’t seem to cancel yet. (I use one for routine marketing texts that I don’t want my phone swamped with i.e. Netflix free movie credit etc.) Though additionally beyond clear text messages; safety depends on how obvious the SSA identifies themselves as the sender in case of traffic being sniffed or the like.

      I’m looking but haven’t found a safer trick for these yet….Pity Signal, Wickr or Proton email couldn’t be used. Otherwise I use Authy, simply because you can also lock the app, Google Authenticator is wide open if the phone is open.

    • Kathy: ever heard of a dual-SIM-phone? Several Europeans travel around the globe using a dual-SIM-phone. SIM1 is their normal SIM (with broadband switched off, but calls and SMSs coming through) and SIM2 a local cheap SIM with mobile broadband access.

    • Sign up for Google Voice. It’s free, you get a US based phone number that you can use from anywhere in the world. It sends+receives SMS, and can accept voicemail.

      Also, Google won’t charge you for making outbound calls from it to numbers in the US and Canada. (It does require Internet access, and whomever is your provider is of course going to charge you for data transfer, but voice data is generally fairly small relative to any reasonable plan — cellular/cable/POTS/DSL/Fiber.)

      This isn’t perfect. In theory someone could try to hijack your phone number, but I don’t think that’s terribly likely, and you can use Google Authenticator to protect the account.

  7. Robert.Walter

    As an overseas resident I find it frustrating that it is not possible to use 2FA on many sites offering it because the online tool can’t handle an overseas number.

    Further, even if the tool could take an overseas phone number, the confirming letter can only be mailed to a US address. Rather pathetic, methinks.

    • Robert.walter

      P.S. I should mention that I’ve given this feedback to the SSA a couple of times directly. I don’t know what the problem is but they don’t seem to take this issue into account.

      The SSA site was far ahead of the IRS site by offering 2FA several years ago, but they haven’t improved on it; this makes all expats more vulnerable than average.

    • Actually, it’s not an inconvenience. Ever tried the local overseas embassy? They are not usually in every town. But, you can get messages, to other government agencies there. Or thru them. And for SSA, I would rather meet in person. Ever read of lost data, copied data, or lost identities? Try proving you are an American. Especially overseas. Ever heard of compromised phone systems? Never? Or compromised email systems. Never? But, a compromised mail system can be investigated by federal authorities and the bad guy jailed. In any country. Two factor is compromisable, and not chargeable yet. It is more secure than not. But is it you, doing the request? Or the crook?

      • Technically, those are called Consulates as opposed to Embassies. In general, each foreign country assigns a single Embassy per Country (the UN and certain other entities also count as countries for which there may be additional affiliated embassies).

    • The next time you visit the US, get a prepaid SIM (the cheapest you can find), and use it to sign up for Google Voice (see above).

      https://support.google.com/voice/answer/115061?hl=en

      Once you have your Google Voice number, you should disassociate the prepaid number and you can terminate that account.

  8. Good one!! Well done. But all who complain about a breach…who is to blame?? I’m sure you yourself…don’t visit unknown websites.
    I lived in the USA 20 years and never had any theft happen.
    I could say USA banks online and others are 100% safe; I trust them. And I’m careful myself; I’m sure those victims are shady themselves.

  9. Does having a security freeze through the credit bureaus affect the KBA questions? For example (not to get off topic), I tried the Informed Delivery with the USPS but it was denied multiple times even though I answered the questions correctly. I can only assume this might have been due to the freeze.

    • Yes, I speak from personal experience. A security freeze on Equifax prevented me from creating an account with SSA, with Medicare, and with the IRS.

      • Thanks for the reply and confirmation, Larry! I figured as much as I had the same problems signing up for the USPS informed delivery (but for good reasons, that being the security freeze works!)

        For what it’s worth, it allows you to do it three times (with 72 hours in between each failed try). After that, you must do in person verification at select post offices. Truth be told, I don’t care that much to get it as I don’t care to get an email of the junk mail I get every day anyway.

    • I’m also on multiple attempts to answer the USPS Informed Delivery KBA questions correctly. The truth doesn’t work. The problem is they have bad data. I have to keep guessing which bad values they have.

  10. My credit is frozen so I can’t sign up.

    Is there any compelling reason to go to the trouble to thaw my credit just to sign up to this site, since criminals can’t sign up either? My SS benefits are many, many years away.

    • Steve Mazzella

      I’ve asked myself the same question Larry; the SSA has informed me that I could register in person for this service as well – Maybe when I’m in the neighborhood.

    • mine as well…none unless you need to get into the ssa website for some reason. Had a freeze for a few years now and works great

    • Yes, if you sign up you can see your earnings records and check to see if they are correct. If not get them fixed now. Your future benefits will be calculated from your earnings records at SS.

    • Mine are frozen too. I haven’t created an account (I won’t get SSA benefits anytime soon, and may never).

      The only reason I can see is that while they currently rely on KBA, that could change. If they change what they use, it’s possible that they will switch to something that isn’t blocked by credit freezes, and then someone else could create an account. By creating an account, you’re blocking that opportunistic hacker then too. (Or of course, if your credit freeze happens to be gone for some window and someone attacks during it — But hopefully you will never remove a freeze, just assign a limited thaw for a specific purpose.)

      OTOH, at some point, they may abandon the system entirely and open up a replacement system which wouldn’t be blocked based on current accounts. So, even creating an account today isn’t perfect protection against unpredictable changes in their system in the future.

  11. SSA has offices all over much like the post office. Why don’t they hand out yubikeys or code generation tokens to people who show up with proper ID (similar to what you need to get a passport).

  12. When you sign up for an account on ssa.gov, the super-long account password you give is silently truncated to 20 characters in length. There is no indication in the visible instructions that there is a maximum password length.

    When you log in to ssa.gov using your super-long password, only the first 20 characters are read. You have no clue that you are actually using a much weaker password than you think.

    If the passwords are hashed for storage, why is there such a short maximum plaintext password length?

    • So, SMS is really two things:
      1. A messaging system
      2. Something that can be transmitted over cellular networks

      SS7 is afaiu limited to cellular networks.

      It is possible to have a landline which can send/receive SMS messages.

      BT (England) offers this service [1] — I’ve never seen this in the US, but it’s an interesting thing.

      Note: some Canadian carriers will perform TTS on SMS to landline.

      Anyway….
      As people can see in various places here, I advocate Google Voice as a solution to this problem. Google Voice (not Project Fi) is not a cellular service, it’s effectively a VOIP system that is SMS capable.

      I’m naively assuming that since Google Voice isn’t tied to cellular, it wouldn’t be impacted by bugs in SS7, which means that a Google Voice number used for 2FA wouldn’t be vulnerable to the described attack.

      Note: it is possible to configure Google Voice to forward SMSs to other numbers, and those could be vulnerable to an attack on SS7, and it’s possible to forward Google Voice to an email account, and that email could be intercepted during transmission (or captured at rest). And of course, your Google account is a target for account takeovers, so you’ll want to secure that w/ 2FA (ideally not SMS) and be sure you understand the account recovery system, as that is where an attacker will go when they want to bypass 2FA. [See @mat [2]].

      [1] http://bt.custhelp.com/app/answers/detail/a_id/8510/~/all-about-bt-text
      [2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

      • About Google Voice not being vulnerable to the SS7 weakness, SS7 is the protocol that enables cellular networks around the world to send/receive messages between networks. Google Voice can receive messages from other networks so it must also be vulnerable… because it also uses SS7.

        The two mobile protocols MAP and CAMEL operate *without* authentication… leaving them wide open to abuse.

        https://www.grc.com/sn/sn-556-notes.pdf
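Comment 12 above describes a verifier that silently keeps only the first 20 characters of a password, so any string that matches those 20 characters logs in. The following added example, written for this page and not ssa.gov code, reproduces that defect as a deliberately flawed verifier next to a hardened one that hashes the whole password with scrypt and rejects, rather than trims, oversized input. The 20-character limit comes from the comment; the 1024-byte ceiling and the scrypt parameters are assumptions.

```python
"""Added example: the silent 20-character truncation reported in comment 12,
as a flawed verifier beside a hardened one. Written for this page; not ssa.gov
code. TRUNCATE_AT comes from the comment; MAX_PASSWORD_BYTES and the scrypt
cost parameters are assumed values chosen for a quick demonstration."""
import hashlib
import hmac
import secrets

TRUNCATE_AT = 20          # limit the commenter observed
MAX_PASSWORD_BYTES = 1024  # assumed: a generous ceiling, enforced with an error, never by trimming


def _scrypt(password: bytes, salt: bytes) -> bytes:
    # scrypt (Python stdlib) hashes the full input; there is no internal length cap
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


# --- Flawed: what the comment describes ---------------------------------------
def enroll_truncating(password: str) -> dict:
    """Hashes only the first TRUNCATE_AT characters and never tells the user."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _scrypt(password[:TRUNCATE_AT].encode(), salt)}


def login_truncating(record: dict, attempt: str) -> bool:
    """Any attempt sharing the first TRUNCATE_AT characters is accepted."""
    candidate = _scrypt(attempt[:TRUNCATE_AT].encode(), record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


# --- Hardened -----------------------------------------------------------------
def enroll(password: str) -> dict:
    """Hashes the whole password; oversized input is an error, not a silent trim."""
    pw = password.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _scrypt(pw, salt)}


def login(record: dict, attempt: str) -> bool:
    pw = attempt.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(record["hash"], _scrypt(pw, record["salt"]))


def demo() -> dict:
    # Constructed passwords: identical in the first 20 characters, different afterwards
    real = "correct-horse-battery-staple-2017"
    lookalike = real[:TRUNCATE_AT] + "XXXXXXXXXXXXX"
    assert real != lookalike and real[:TRUNCATE_AT] == lookalike[:TRUNCATE_AT]

    flawed = enroll_truncating(real)
    fixed = enroll(real)
    return {
        "flawed_accepts_real": login_truncating(flawed, real),
        "flawed_accepts_lookalike": login_truncating(flawed, lookalike),  # the defect
        "fixed_accepts_real": login(fixed, real),
        "fixed_accepts_lookalike": login(fixed, lookalike),
    }


if __name__ == "__main__":
    print(demo())
```

The same trap exists in some real hash functions (bcrypt stops reading at 72 bytes), which is why a verifier should either pick a function without a cap or enforce an explicit, documented maximum with an error rather than letting the tail of the password vanish.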

  13. Rebecca Davis

    Thanks for the info. I’ll note that the password reset questions are surprisingly generic and easily obtained via social media, etc. I included my answers in my password manager along with that password I’ll be needing to change in 6 months.

    • I never answer any security questions truthfully; I save them in my password manager as well.

      I just un-thawed my credit with Equifax for a one-day time period so I could create my SSA account some time ago. Unfortunately it costs $10 in my state but I figure why not be safe.

      I will definitely be choosing email validation for my SSA account. I avoid one-time text codes if at all possible.

  14. NIST has already banned the use of SMS in the government. Email phishing is one of the most common hacks. This just shows the intellect involved at the SSA. RSA has been hacked. The answer is a cryptographic device that can’t be hacked. There is one coming to the market. Stay tuned.

    Incidentally, I tried to alert Krebs about this new technology but received no response.

  15. I find it interesting that the government imposes so many regulations on companies to secure personal and financial data and then does not apply that same rigor to their own data stores and websites. All of the breaches of my data to this point in my life (and there have been 6) have been from the shoddy securing of my data by the US Government. We have some of our most sensitive data which can easily be exploited on government websites. Glad to see some progress here but these are baby steps compared to what needs to be done.

    • Andrew.m to Brad Regan

      And who is gonna cover the cost of this?
      Government has a tight budget..it’s easy to say but it’s not so easy to build all these utopian systems.

      • Fraud costs many orders of magnitude more than adding real two-factor to the SSN website, which is something that a single developer could do. It also actually hurts people.

        • Even a 10-14 year old kid can build a better website than this one.
          It means this is not a permanent project, it’s temporary.
          It seems they will change this after the new type of fraud wave has passed. Fraud works in 3 stages. First stage, second stage.
          That will be the 3rd, last stage I guess. The 2Factor stage is always the last stage. 3 is a holy number.

  16. Creating a simple, elegant way for the public to verify their identity, log in to federal government websites will be the first and foremost priority.

  17. The good thing about having a credit freeze, and not be able to set up an account with SSA, is that if you can’t set one up, nobody else can either.

    I followed Brian’s suggestion about 18 months ago. Recently we refinanced our home. All the loan documents were signed and sent to the title company. In transit Fedex lost them and could never determine where they were. Because I have a credit freeze, I never worried one minute. My wife, on the other hand, did not have any freeze on hers. She was hysterical. We immediately set up a fraud alert and froze her credit at the 3 credit reporting agencies. She learned her lesson the hard way. Never put off til tomorrow what you should do immediately.

  18. I did try to sign up on the ssa.gov website yesterday, and unless you have a credit report in front of you, or a much better memory than I have, you won’t be able to guess the questions quickly. I couldn’t actually remember which credit card account I opened in 1995, and I didn’t know how much my wife’s car payment is. One wrong guess and you’re locked out for 24 hours. It would take a very long time to guess your way through all of the questions.

  19. Your email subscription doesn’t work for new emails!

  20. Multi-factor authentication for on-line transactions isn’t something new to the US Government. “TreasuryDirect” is service offered by the US Dept of the Treasury that enables individuals to buy bills, notes, and / or bonds directly rather than through a broker.

    Way back in the olden days — May 2007 — TreasuryDirect added an additional level of security for on-line transactions. It was / is a wallet-sized / credit-card-sized laminated Access Card mailed to the account owner. The Access Card has a 10-digit serial number and a 5 x 10 matrix — 5 rows and 10 columns. (Also a bar code, but I can’t read that.) Each box in the matrix has a letter or number in it, uniquely associated with the Access Card’s serial number.

    Logging onto TreasuryDirect involves providing a conventional account number and password. One is then presented with a short list of 10-digit serial numbers. Select the serial number associated with the account’s Access Card. (Presumably, if you select a serial number not associated with your account, you’re bounced off the site. Presumably. I’ve not done this.) From the Access Card, enter the requested information on the log-in page.

    Prolly not as secure as e.g.: Duo or other private-sector multi-factor identification, but it’s cheap and I’m unaware of any breaches.

    • Some Finnish banks used that system.

      What bothered me was that if I was in a semi public area to perform a task, anyone could record all of the codes at once, and thus they were all compromised.

      I don’t think this is a particularly great approach.

      I’d much rather a Yubikey or something similar.
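Comment 20 describes a printed code card (a 5 x 10 grid of letters and digits) from which the login page asks for a few cells, and the reply notes that anyone who records the whole card has every future answer. The following added example, written for this page and not Treasury code, models that challenge-response: the server issues a card, asks for a random set of distinct cells at each login, verifies the answer with a constant-time compare, and only honors a response for the challenge it was issued against. It then shows why a single eavesdropped answer is of little use while a copy of the full grid answers everything. The 3-cell challenge size and the alphabet are assumptions.

```python
"""Added example: challenge-response login against a printed 5 x 10 code card,
as comment 20 describes for TreasuryDirect. Written for this page; not
Treasury code. Grid shape follows the comment; CELLS_PER_CHALLENGE and the
alphabet are assumed. The serial-number selection step is not modeled."""
import hmac
import secrets
import string
from typing import Dict, List, Optional, Tuple

ROWS, COLS = 5, 10
ALPHABET = string.ascii_uppercase + string.digits
CELLS_PER_CHALLENGE = 3   # assumed
Cell = Tuple[int, int]


def make_card() -> Tuple[str, List[List[str]]]:
    """Server side: mint a card. The grid is random, kept by the server and mailed
    to the user; nothing about it can be derived from the serial number."""
    serial = f"{secrets.randbelow(10 ** 10):010d}"
    grid = [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]
    return serial, grid


def make_challenge() -> List[Cell]:
    """Pick distinct cells at random so one observed answer rarely fits the next login."""
    cells: List[Cell] = []
    while len(cells) < CELLS_PER_CHALLENGE:
        cell = (secrets.randbelow(ROWS), secrets.randbelow(COLS))
        if cell not in cells:
            cells.append(cell)
    return cells


def read_card(grid: List[List[str]], cells: List[Cell]) -> str:
    """User side: read the requested cells off the printed card."""
    return "".join(grid[r][c] for r, c in cells)


def verify(grid: List[List[str]], cells: List[Cell], response: str) -> bool:
    return hmac.compare_digest(read_card(grid, cells).encode(), response.encode())


class CardLogin:
    """Holds the outstanding challenge per user so an answer only counts for the
    challenge it was issued for and cannot be replayed later."""

    def __init__(self, grid: List[List[str]]):
        self.grid = grid
        self.outstanding: Dict[str, List[Cell]] = {}

    def start(self, username: str) -> List[Cell]:
        self.outstanding[username] = make_challenge()
        return self.outstanding[username]

    def finish(self, username: str, response: str) -> bool:
        cells = self.outstanding.pop(username, None)   # consumed whether or not it succeeds
        return cells is not None and verify(self.grid, cells, response)


def attacker_answer(known: Dict[Cell, str], cells: List[Cell]) -> Optional[str]:
    """An eavesdropper knows only the cells whose values were exposed; a challenge
    touching any other cell cannot be answered without a copy of the card."""
    if any(cell not in known for cell in cells):
        return None
    return "".join(known[cell] for cell in cells)


def demo() -> Dict[str, bool]:
    """Every value should be True."""
    _serial, grid = make_card()
    svc = CardLogin(grid)
    out = {}

    cells = svc.start("alice")
    answer = read_card(grid, cells)
    out["honest_user_passes"] = svc.finish("alice", answer)
    out["replay_without_challenge_fails"] = not svc.finish("alice", answer)

    # Eavesdropper who captured that one exchange (cells asked + answer given)
    known = dict(zip(cells, answer))
    unseen = [(r, c) for r in range(ROWS) for c in range(COLS) if (r, c) not in cells][:CELLS_PER_CHALLENGE]
    out["eavesdropper_cannot_answer_unseen_cells"] = attacker_answer(known, unseen) is None
    out["eavesdropper_can_answer_if_same_cells_recur"] = verify(grid, cells, attacker_answer(known, cells))

    # The weakness raised in the reply: a photo of the whole card answers any challenge
    photo = {(r, c): grid[r][c] for r in range(ROWS) for c in range(COLS)}
    fresh = make_challenge()
    out["whole_card_copy_answers_anything"] = verify(grid, fresh, attacker_answer(photo, fresh))
    return out


if __name__ == "__main__":
    print(demo())
```

With 50 cells and 3 asked per login, one observed answer covers a later challenge only when all three cells recur, which is why the scheme degrades gracefully against a single glance but not against a copy of the card; a device that computes a fresh code, as the reply prefers, has no such static secret to photograph.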

  21. Mahendar Raina

    Also of note, they require password rotation every 6 months, for a system that I might check once a year.
    But this blog is really nice and quite good

  22. Charles James

    I don’t get it, why do companies insist on using the very data we are trying to protect as a means of verification such as opening/unfreezing our credit check accounts, etc.? Is it the only way because the company that hosts my retirement funds used a direct phone call, personal information verifications and then assigning a cell to receive by text the secondary one-time use code, etc.

  23. Quit good! Start bad!

  24. I have tried to set up a My SSA account but I had also previously frozen my credit files. The SSA, without access to a credit history for authorization, won’t allow me to do so. I guess that is a good thing until I actually start to collect.

  25. I noted several mentions of Google Voice in threads about ssa.gov and its newer security system. This system appears to be the same one that the IRS uses. It does not work for telephone numbers that are assigned to pre-paid plans; these are generally the ones you pay month-to-month rather than the 1 or 2 year contracts. I don’t know how they tell. The IRS pages mention that specifically.

  26. Nate Petersen

    As part of this, is the SSA also changing their *ridiculously* terrible password rules? The current rules include:

    – Must contain exactly 8 characters.
    – Must contain only letters and numbers.
    – Is not case sensitive.

  27. I have not attempted to sign up for a my social security account because I have a security freeze at the three bureaus and have read that it can’t be done while the freeze is in place. Still though, I don’t understand how having a security freeze on your credit file with Equifax would prevent a person from opening a my social security account because SSA is not actually obtaining the report but only a few questions and answers from Equifax.

  28. I must say it was hard to find your blog in google. You write interesting content but you should
    rank your page higher in search engines. If you don’t know how to do it search on youtube:
    how to rank a website Marcel’s way
