24 Nov 17

Name+DOB+SSN=FAFSA Data Gold Mine

KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.

Update, Nov. 28, 12:34 p.m. ET: The Education Department says not all of the data elements mentioned below are accessible on a FAFSA applicant if someone merely knows the static details about that person. Read on for their response to this story.

Original story:

Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students.

Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.

Anyone who successfully supplies that information on a student who has applied for financial aid through FAFSA then gets to see a virtual colonoscopy of personal information on that individual and their family’s finances — including almost 200 different data elements.

The information returned includes all of these data fields:

1. Student’s Last Name:
2. Student’s First Name:
3. Student’s Middle Initial:
4. Student’s Permanent Mailing Address:
5. Student’s Permanent City:
6. Student’s Permanent State:
7. Student’s Permanent ZIP Code:
8. Student’s Social Security Number:
9. Student’s Date of Birth:
10. Student’s Telephone Number:
11. Student’s Driver’s License Number:
12. Student’s Driver’s License State:
13. Student’s E-mail Address:
14. Student’s Citizenship Status:
15. Student’s Alien Registration Number:
16. Student’s Marital Status:
17. Student’s Marital Status Date:
18. Student’s State of Legal Residence:
19. Was Student a Legal Resident Before January 1, 2012?
20. Student’s Legal Residence Date:
21. Is the Student Male or Female?
22. Register Student With Selective Service System?
23. Drug Conviction Affecting Eligibility?
24. Parent 1 Educational Level:
25. Parent 2 Educational Level:
26. High School or Equivalent Completed?
27a. Student’s High School Name:
27b. Student’s High School City:
27c. Student’s High School State:
28. First Bachelor’s Degree before 2017-2018 School Year?
29. Student’s Grade Level in College in 2017-2018:
30. Type of Degree/Certificate:
31. Interested in Work-study?
32. Student Filed 2015 Income Tax Return?
33. Student’s Type of 2015 Tax Form Used:
34. Student’s 2015 Tax Return Filing Status:
35. Student Eligible to File a 1040A or 1040EZ?
36. Student’s 2015 Adjusted Gross Income:
37. Student’s 2015 U.S. Income Tax Paid:
38. Student’s 2015 Exemptions Claimed:
39. Student’s 2015 Income Earned from Work:
40. Spouse’s 2015 Income Earned from Work:
41. Student’s Total of Cash, Savings, and Checking Accounts:
42. Student’s Net Worth of Current Investments:
43. Student’s Net Worth of Businesses/Investment Farms:
44a. Student’s Education Credits:
44b. Student’s Child Support Paid:
44c. Student’s Taxable Earnings from Need-Based Employment Programs:
44d. Student’s College Grant and Scholarship Aid Reported in AGI:
44e. Student’s Taxable Combat Pay Reported in AGI:
44f. Student’s Cooperative Education Earnings:
45a. Student’s Payments to Tax-Deferred Pensions & Retirement Savings:
45b. Student’s Deductible Payments to IRA/Keogh/Other:
45c. Student’s Child Support Received:
45d. Student’s Tax Exempt Interest Income:
45e. Student’s Untaxed Portions of IRA Distributions:
45f. Student’s Untaxed Portions of Pensions:
45g. Student’s Housing, Food, & Living Allowances:
45h. Student’s Veterans Noneducation Benefits:
45i. Student’s Other Untaxed Income or Benefits:
45j. Money Received or Paid on Student’s Behalf:
46. Student Born Before January 1, 1994?
47. Is Student Married?
48. Working on Master’s or Doctorate in 2017-2018?
49. Is Student on Active Duty in U.S. Armed Forces?
50. Is Student a Veteran?
51. Does Student Have Children He/She Supports?
52. Does Student Have Dependents Other than Children/Spouse?
53. Parents Deceased?/Student Ward of Court?/In Foster Care?
54. Is or Was Student an Emancipated Minor?
55. Is or Was Student in Legal Guardianship?
56. Is Student an Unaccompanied Homeless Youth as Determined by High School/Homeless Liaison?
57. Is Student an Unaccompanied Homeless Youth as Determined by HUD?
58. Is Student an Unaccompanied Homeless Youth as Determined by Director of Homeless Youth Center?
59. Parents’ Marital Status:
60. Parents’ Marital Status Date:
61. Parent 1 (Father’s/Mother’s/Stepparent’s) Social Security Number:
62. Parent 1 (Father’s/Mother’s/Stepparent’s) Last Name:
63. Parent 1 (Father’s/Mother’s/Stepparent’s) First Name Initial:
64. Parent 1 (Father’s/Mother’s/Stepparent’s) Date of Birth:
65. Parent 2 (Father’s/Mother’s/Stepparent’s) Social Security Number:
66. Parent 2 (Father’s/Mother’s/Stepparent’s) Last Name:
67. Parent 2 (Father’s/Mother’s/Stepparent’s) First Name Initial:
68. Parent 2 (Father’s/Mother’s/Stepparent’s) Date of Birth:
69. Parents’ E-mail Address:
70. Parents’ State of Legal Residence:
71. Were Parents Legal Residents Before January 1, 2012?
72. Parents’ Legal Residence Date:
73. Parents’ Number of Family Members in 2017-2018:
74. Parents’ Number in College in 2017-2018 (Parents Excluded):
75. Parents Received Medicaid or Supplemental Security Income?
76. Parents Received SNAP?
77. Parents Received Free/Reduced Price Lunch?
78. Parents Received TANF?
79. Parents Received WIC?
80. Parents Filed 2015 Income Tax Return?
81. Parents’ Type of 2015 Tax Form Used:
82. Parents’ 2015 Tax Return Filing Status:
83. Parents Eligible to File a 1040A or 1040EZ?
84. Is Parent a Dislocated Worker?
85. Parents’ 2015 Adjusted Gross Income:
86. Parents’ 2015 U.S. Income Tax Paid:
87. Parents’ 2015 Exemptions Claimed:
88. Parent 1 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
89. Parent 2 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
90. Parents’ Total of Cash, Savings, and Checking Accounts:
91. Parents’ Net Worth of Current Investments:
92. Parents’ Net Worth of Businesses/Investment Farms:
93a. Parents’ Education Credits:
93b. Parents’ Child Support Paid:
93c. Parents’ Taxable Earnings from Need-Based Employment Programs:
93d. Parents’ College Grant and Scholarship Aid Reported in AGI:
93e. Parents’ Taxable Combat Pay Reported in AGI:
93f. Parents’ Cooperative Education Earnings:
94a. Parents’ Payments to Tax-Deferred Pensions & Retirement Savings:
94b. Parents’ Deductible Payments to IRA/Keogh/Other:
94c. Parents’ Child Support Received:
94d. Parents’ Tax Exempt Interest Income:
94e. Parents’ Untaxed Portions of IRA Distributions:
94f. Parents’ Untaxed Portions of Pensions:
94g. Parents’ Housing, Food, & Living Allowances:
94h. Parents’ Veterans Noneducation Benefits:
94i. Parents’ Other Untaxed Income or Benefits:
95. Student’s Number of Family Members in 2017-2018:
96. Student’s Number in College in 2017-2018:
97. Student Received Medicaid or Supplemental Security Income?
98. Student Received SNAP?
99. Student Received Free/Reduced Price Lunch?
100. Student Received TANF?
101. Student Received WIC?
102. Is Student or Spouse a Dislocated Worker?
103a. First Federal School Code:
103b. First Housing Plans:
103c. Second Federal School Code:
103d. Second Housing Plans:
103e. Third Federal School Code:
103f. Third Housing Plans:
103g. Fourth Federal School Code:
103h. Fourth Housing Plans:
103i. Fifth Federal School Code:
103j. Fifth Housing Plans:
103k. Sixth Federal School Code:
103l. Sixth Housing Plans:
103m. Seventh Federal School Code:
103n. Seventh Housing Plans:
103o. Eighth Federal School Code:
103p. Eighth Housing Plans:
103q. Ninth Federal School Code:
103r. Ninth Housing Plans:
103s. Tenth Federal School Code:
103t. Tenth Housing Plans:
104. Date Completed:
105. Signed By:
106. Preparer’s Social Security Number:
107. Preparer’s Employer Identification Number (EIN):
108. Preparer’s Signature:

According to the Education Department, nearly 20 million students filled out this form in the 2015/2016 application cycle.

Update: The process described above was based on a demonstration this author saw while sharing a screen with a KrebsOnSecurity reader who had a family member apply for aid through FAFSA. But an Education Department spokesperson took strong exception to my experience, saying that while someone armed with an applicant’s SSN and date of birth would be able to view some of the less sensitive data elements related to an application that has already been submitted and processed, seeing the more sensitive data requires an additional authentication step.

The spokesperson said the data is displayed across several pages that require manual advancement, and that before the pages with financial data are shown the visitor is prompted to supply a username and password that all users are required to create when they start the application process. The agency said that without those credentials, the system should not display the rest of the data.

In cases where a student has saved but not completed an application, the spokesperson said, the applicant is prompted to create a “save key,” or temporary password that needs to be supplied before the financial data is displayed.
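The two designs contrasted above, the lookup as the original story describes it and the tiered lookup the department's spokesperson describes, are modeled below in Python as an added illustration. This is not code from the Education Department or the FAFSA site. Static identifiers select a record but never authenticate the caller; contact and financial items are released only after a stored FSA password (or, by the same path, a save key) is verified, and repeated failures from one client are locked out, which is what breaks bulk lookups against purchased SSN/DOB lists. The field names are taken from the item list above; the record, the SSNs, the password, the sensitivity grouping and the client addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Sensitivity grouping (an assumption for this example). Field names follow
# the FAFSA item list; which items belong to which tier is our choice.
IDENTITY = {"first_name", "last_name", "dob", "ssn"}
CONTACT = {"address", "phone", "email", "drivers_license"}
FINANCIAL = {"student_agi", "parents_agi", "parent1_ssn", "parent2_ssn",
             "parents_cash_savings"}
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# Constructed applicant record; every value here is fictitious.
_SALT, _DIGEST = hash_password("correct horse battery staple")
RECORDS = {
    "123-45-6789": {
        "first_name": "Jane", "last_name": "Doe", "dob": "2000-01-15",
        "ssn": "123-45-6789", "address": "1 Main St, Springfield",
        "phone": "555-0100", "email": "jane@example.com",
        "drivers_license": "D1234567", "student_agi": 4_200,
        "parents_agi": 87_500, "parent1_ssn": "987-65-4321",
        "parent2_ssn": "876-54-3210", "parents_cash_savings": 12_000,
        "fsa_salt": _SALT, "fsa_digest": _DIGEST,
    }
}


def _match_static(first, last, dob, ssn):
    """Select a record by the three static identifiers; None if no match."""
    rec = RECORDS.get(ssn)
    if rec and rec["first_name"].casefold() == first.casefold() \
            and rec["last_name"].casefold() == last.casefold() and rec["dob"] == dob:
        return rec
    return None


def lookup_exposed(first, last, dob, ssn):
    """The behaviour the original story describes: name + DOB + SSN unlocks
    the whole record, parents' SSNs and finances included."""
    rec = _match_static(first, last, dob, ssn)
    if rec is None:
        return None
    return {k: v for k, v in rec.items() if not k.startswith("fsa_")}


def mask_ssn(ssn):
    """Show only the last four digits, as the IRS tool now masks AGI."""
    return "***-**-" + ssn[-4:]


class TieredLookup:
    """Static identifiers select the record; a verified credential releases it."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = defaultdict(int)  # failed attempts per client

    def lookup(self, client, first, last, dob, ssn, password=None):
        if self.failures[client] >= self.MAX_FAILURES:
            return {"error": "locked"}
        rec = _match_static(first, last, dob, ssn)
        if rec is None:
            self.failures[client] += 1
            return {"error": "not found"}  # same reply as a bad password below
        # Tier 1: the caller proved nothing it did not already know, so echo
        # only that (this still confirms an application exists; a stricter
        # design would return nothing at all without a credential).
        view = {k: rec[k] for k in IDENTITY}
        view["ssn"] = mask_ssn(rec["ssn"])
        if password is None:
            return view
        if not verify_password(password, rec["fsa_salt"], rec["fsa_digest"]):
            self.failures[client] += 1
            return {"error": "not found"}
        self.failures[client] = 0
        # Tier 2: credential verified; release contact and financial items,
        # still masking the parents' SSNs, which the viewer never needs in full.
        view.update({k: rec[k] for k in CONTACT | FINANCIAL})
        for k in ("parent1_ssn", "parent2_ssn"):
            view[k] = mask_ssn(view[k])
        return view
```

The point of the tiered class is not the password hashing but the separation of concerns: identifiers that are for sale in bulk can at most select a record, and the per-client failure counter makes an attacker's purchased SSN/DOB list useless for harvesting at scale.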

Original story: What indications are there that ID thieves might already be aware of this personal data treasure trove? In March 2017, the Internal Revenue Service (IRS) disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid — citing evidence that identity thieves were abusing it to siphon data used to commit tax refund fraud with the IRS.

The IRS found that identity thieves were abusing the automated tool — which pulled data directly from the FAFSA Web site — in order to learn the adjusted gross income (AGI) of applicant families. The prior-year AGI is crucial to successfully filing a tax refund request in someone’s name, because the IRS uses it to verify the identity of a taxpayer who files electronically.

On Oct. 1, the IRS brought its FAFSA data retrieval tool back online, adding additional authentication measures. In addition, the AGI data is now masked when it is electronically transferred into the FAFSA application.

Think it’s hard to find someone’s SSN and DOB? Think again. There are a multitude of Web sites on the open Internet and Dark Web alike that sell access to SSN and DOB data on hundreds of millions of Americans — all for the price of about $4-5 worth of Bitcoin.

Somehow, we need to move away from allowing online access to such a deep vein of consumer data just by supplying static data points that are broadly compromised in a thousand breaches and on sale very cheaply in the cybercrime underground.

Until that happens, anyone who is applying for federal student aid or has a child who applied should strongly consider taking several steps:

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

-Consider placing a “security freeze” on your credit files with the major credit bureaus. See this tutorial about why a security freeze (also known as a “credit freeze”) may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. Keep in mind that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name; the only real defense against that is to file your taxes as early as possible — before the fraudsters can do it for you.

-Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.


51 comments

  1. Robert Scroggins

    Thanks for bringing this to our attention, Brian. Hopefully, someone at the Dept. of Education/FAFSA who can do something about all their free ID information will also read it.

    Regards,

  2. Brian,
    Thank you for this timely info. I have been telling everyone I can to implement the credit freeze. I continue to be surprised at the lack of understanding, especially people in the STEM workforce. Will louder voices help?

  3. Wow…more like a diamond mine than merely gold….

  4. I would suggest adding the official web site (www.annualcreditreport.com) to the paragraph on free credit reports. If you google free credit report the entire first screen is made up of ads for phony free services so it would be better to steer readers to the right place.

    • Let me add by saying that, annualcreditreport.com is indeed the only source of FREE credit report authorized by the federal government.

      However, it’s also worth noting that there are several other (semi) free credit report services that are legit. I’ll name the biggest two, which cover all three bureaus monthly.
      1. http://www.freecreditreport.com by Experian
      2. http://www.creditkarma.com

      The first one is provided directly by Experian. Their revenue is from frequent solicitation of payment information while you’re logged in on the site, and a page of credit card offers at log-out. All the payment info page can be skipped. So if you know what you’re doing, it is a good source to get a more frequent credit report from Experian. The free account also provides basic monitoring.

      The second is a 3rd party service that gets data from Equifax and TransUnion. Their revenue is from ads. It is one of the largest personal finance websites and it is legit as well.

    • Yes, the canonical url is worth a link.

      Interestingly, Discover will let anyone w/o a freeze see “their” credit report for free: https://www.discover.com/free-credit-score/

      «1.Will viewing this Credit Scorecard affect my score?
      No. The FICO® Score and other credit information we provide will never hurt your credit score. In fact, you can check as often as you like – it will never affect your score. Check back every 30 days to see a refreshed score.

      6.Will a Credit Freeze prevent updates to my Discover Credit Scorecard?
      Yes. If you place a Credit Freeze on your credit file, we can only show your Discover Credit Scorecard from the last time you accessed it before the freeze. If you decide to take the freeze off your file, you’ll be able to update your Credit Scorecard again.»

      The fact that Discover is willing to give it away is interesting. Personally, I’m happy to have a freeze on my reports.

      I think, Discover’s entry-point means that more or less anyone who doesn’t have a freeze should assume that someone can easily access their ID’s free report w/o their awareness.

  5. Superlative security reportage, Brian; and thanks for this great report detailing the astoundingly poor security FAFSA provides aid applicants.

    • Anyone who has dealt with the Department of Education in the last 20 years knows that this is the tip of the iceberg. Between their taxpayer dollar handouts to barely concealed criminal corporations to their inept handling of fraud cases nothing they do surprises me anymore. Anybody counting on Betsy Devos for positive changes is in for some disappointment.

  6. We just went through this process. And actually you can select your own security questions, including “What was the name of your first pet.”

    • Security questions tend to ask lots of questions that can be answered through researching into a person’s “online footprint”.

      How many people post way too much personal stuff to Facebook, Twitter, Instagram, Pinterest, LinkedIn, online comment forums that use “names” that can be linked back to “real info”, and wherever else that can be used to “craft” a moderately detailed background report on a prospective target??

      Social media is great for many things, not to mention many nefarious things.

      • When you answer security questions, make sure to put random numbers somewhere in the phrase. That will block out anyone that mined data from a social media website. Example: ‘snoopy75’. Of course, if you lose the answer, you’ll have your own problems. That’s another issue entirely…

      • Security questions provided by the user to answer in the future don’t need to have truthful answers.

        Example: what’s your mother’s maiden name?
        — BeowulfAlpha

        Example: where did you meet your spouse?
        — PlanetOneFiveSigma

        In fact, any previously provided question/answer pair can usually be changed periodically. All you need to do is ask the account maintainer.

  7. The IRS connection is being reintroduced this year (from information on the site)
    I was looking to see if there was a way to edit (zero out) information for old records. When I access the data with just the student info the full data is not available to view anymore.

    • When I have a family member access their data (name,ssn, dob) they can only see their name, ssn, dob and no other previous or current data.

  8. IMO things will never change. Our society in general is technically illiterate, and as a result, companies and website operators (the government is especially egregious), in an effort to cut down on support ticket and call center volume, create insecure, online tools to make it easier for users to access their data. That said, even call centers can be socially engineered.

    Calling attention to these services is a great step in the right direction, but at the end of the day, until end users wake up and learn basic online security, this dilemma will only increase.

  9. FYI: I counted 157 “data fields”.

  10. This just shows how desperate the government is in their desire to build large dossiers on every American. As you might know, everything you put down on the medical history form you fill out upon visiting a doctor now is shipped to the government. I am careful to not mention (LIE) about every malady I have or have had, with the exception of one obvious surgery I had.
    I don’t get x-rays at my dentist office because of a procedure I had when I was a child. My dentist was fit to be tied because I wouldn’t tell him what it was. I firmly told him that I knew that everything I told him would be put on my chart and that now is sent to the government and that I was not willing to allow the government to make up a medical dossier on me. (Some people have apparently developed brain tumors from having multiple dental x-rays, although the tumors are benign. Never mind the fact that the tumor has to be removed through an extensive operation anyway. Another reason I won’t allow them.)

    • I think your tin foil hat is strapped on a wee bit too tight.

      Seriously, dude. Post some citations to back up your sensationalist accusations.

      Better yet, go find a UFO and hitch a ride outta here.

    • Denying yourself proper medical care because of the potential of the government knowing about your ailments is like tossing your wallet in a river to prevent yourself from getting mugged.

      Please take care of yourself.

  11. Question: Since Krebs is concerned about security, why does my cookie killer always notify me that it has killed your cookie after leaving your site?

    • Of all of the things on the internet to worry about, 1st party cookies rank pretty much near the bottom.

    • I’m not sure what you’re using, but if it just scares you w/o providing any information, it’s doing you a huge disservice.

      1. Using Chrome (no relevant add-ons)
      2. Open an incognito window to this site
      3. Click a link
      4. Click the “” icon to the right of “⟳”
      5. See Cookies
      6. Click “1 in use”
      7. Expand krebsonsecurity.com > Cookies > w3tc_referrer
      8. Google for that cookie
      9. Read https://cookiepedia.co.uk/cookies/w3tc_referrer

      This cookie is usually set by W3 Total Cache plug-in for sites based on the WordPress content management system. It is reported as being used for performance optimisation.

      The main purpose of this cookie is: Performance

      10. Google for that plugin
      11. Read https://wordpress.org/plugins/w3-total-cache/

      Yes, it’s related to SEO, but it seems pretty harmless.

      You’re welcome to delete it.

      But wearing a tin-foil hat without understanding how the world works is dangerous.

      • In (4), the first quoted thing was supposed to be a unicode emoticon for a Lock. Apparently this site doesn’t approve of that.

  12. Correction to the article: the data pull from the IRS website directly into the FAFSA is still available. I know because I just completed it; however, the data elements are not all viewable once they pull in. Tim

    • While the link to be able to pull your information in from the IRS is there, it appears that it doesn’t work for everyone – when we tried it while filling out the FAFSA app for my son on Thursday, it said it couldn’t access our information (I don’t remember the exact message).

  13. I just tried to reproduce this with my daughter’s form. I could not access the additional information without her authentication credentials. I think this opportunity exists only from the time a new FAFSA is started and subsequently submitted. This can be a fairly large time window if you do not have all the information readily available.

    I helped my daughter complete this year’s form earlier this month. It takes coordination and information exchange between the student and the parents to complete the form. It is intended for the student to complete, but requires quite a bit of information from the parents. We sat down together with all our information readily available to complete the form in one sitting. Our window of data exposure was minimized.

    • I just did this with my son. To start the process for the new year, he had to put in all his credentials. However, we had to save it because we needed some information that I did not have at the time. He was able to set a save password that could be used to access the information again later so that I could finish the parent section. So even if you don’t complete it in one sitting, you still need to know the save password in order to access the information.

  14. Someone I know who is a financial aid professional and regularly assists students with the FAFSA process assures me that this does not, in fact, work; to get FAFSA information you need a username (or verified email address) and password. The process for creating and/or resetting those is itself flawed, but the exploit is not nearly as straightforward as this post suggests.

    (We just tried it with this person’s own information — they filled out a FAFSA last year for grad school — and it was, indeed, impossible to reproduce the exploit described.)

    • I can corroborate. We did the application for #1 son heading to college next fall. The process was exactly as Jonah described. There are other steps that might trip up unauthorized users too, but I won’t describe them here. I’m not saying that I disagree with Brian’s conclusion and I would prefer having better security, but the specific exploit doesn’t seem to be quite this easy.

  15. We were the victims of ID theft — someone tried to file a tax return in our name last spring — because information from the FAFSA site had been hacked. How do we know this? The IRS sent us a letter. That FAFSA info was a decade old, but it was still all there.

    We were finally able to submit a tax return, though via mail not electronically. To send it electronically, we needed to first get a tax ID number from the IRS. However, we had already frozen our credit files, and obtaining the ITIN required unfreezing them. That wasn’t going to happen.

    Did I mention that the IRS offered one of us — there are two of us on our return — one year of free credit monitoring through . . . Equifax?

    And just to pile on, we were also victims of the Equifax hack a few months later.

  16. The best way for organizations to avoid having data stolen is for them to not have data. Ideally they organize their business so they do not need the data.

    Unfortunately colleges have taken the economic theory of “price discrimination” to a whole new level. They charge a high “list price” and require you to provide a huge amount of personal data so they can provide “financial aid” to give you a “discount”.

    This results in them asking for more information than the IRS asks for in the 1040. As seen here then they fail to protect it.

    • Colleges don’t care about your data, and thanks to federal student loans, don’t care about your costs either. They get their money up front. (The best thing would be to end federal student loans altogether. Barring that, the government should require colleges to co-sign for at least 25% of the amount.)

      Many/most colleges now won’t even consider applicants for scholarships (both need- and merit-based) unless the applicant first files FAFSA. Your choices as an applicant are to: (a) submit to the FAFSA ordeal, or (b) pay full MSRP.

  17. As always, great reporting Brian!

    It never ceases to appall me how recklessly personal info is handled.

    This example is “just another” egregious example of what happens when there is no meaningful penalty for failing to safeguard someone ELSE’s info.

    Unfortunately, until the act of losing control of someone’s personal information becomes a CRIME, I don’t think it will ever end.

  18. Brian, this data fields information are really helpful. I just love this type of helpful post. Great article thanks and keep it up!

  19. Hey Brian,
    Really helpful information on Data fields… Highly recommended to all .. Thanks for sharing it!

    Keep up the awesome work!

    -Rajinder Verma

  20. From the FAFSA site:

    “Saved applications are automatically deleted after 45 days or after the federal application / correction deadline date.”

    So, at least there’s a limited time window to the risk.

  21. “…see a virtual colonoscopy of personal information…”

    Gets my vote for the best phrase of the year describing a cybersecurity issue.

  22. The challenge with this advice is that today you cannot file a freeze immediately after filing a FAFSA. For students today, college is debt. In 1980 — before the glorious conservative revolution — it required five weeks of FT minimum wage to pay tuition. Now it takes more than 52. So when you are completing FAFSA you must simultaneously expose your credit record. The entire system is deeply flawed.

  23. Putting a credit “freeze” assumes that you will never lose that new pin number. Put it with your will documents and make sure your executor knows where it is. If you lose it, have fun.

    A fraud alert does basically the same thing for 90 days and doesn’t cost you anything whereas to “un-freeze” it will cost $10.

  24. Brian, you need to get trademark protection for “virtual colonoscopy”.

  25. I went through the steps and created an FSA ID. Seems similar to the issue with the SSA site:
    https://krebsonsecurity.com/2013/09/crooks-hijack-retirement-funds-via-ssa-portal
    There seems to be more security by signing up for an FSA ID with verification via phone rather than allowing anyone with the Name+DOB+SSN information to access your account.

  26. …a virtual colonoscopy of personal information…

    That alone was worth the cost of my subscription.

  27. System developers should design their systems in such a manner that authentication is not based on information that is easy to get as shown in the article.
    They should also use multi-factor authentication or multi-step verification in instances where logging in will result in access to confidential information.

  28. It amazes me how simple it really could be to have your personal information compromised.
