January 26, 2018

KrebsOnSecurity has long warned readers to plant your own flag at the my Social Security online portal of the U.S. Social Security Administration (SSA) — even if you are not yet drawing benefits from the agency — because identity thieves have been registering accounts in peoples’ names and siphoning retirement and/or disability funds. This is the story of a Midwest couple that took all the right precautions and still got hit by ID thieves who impersonated them to the SSA directly over the phone.

In mid-December 2017 this author heard from Ed Eckenstein, a longtime reader in Oklahoma whose wife Ruth had just received a snail mail letter from the SSA about successfully applying to withdraw benefits. The letter confirmed she’d requested a one-time transfer of more than $11,000 from her SSA account. The couple said they were perplexed because both previously had taken my advice and registered accounts with MySocialSecurity, even though Ruth had not yet chosen to start receiving SSA benefits.

The fraudulent one-time payment that scammers tried to siphon from Ruth Eckenstein’s Social Security account.

Sure enough, when Ruth logged into her MySocialSecurity account online, there was a pending $11,665 withdrawal destined to be deposited into a Green Dot prepaid debit card account (funds deposited onto a Green Dot card can be spent like cash at any store that accepts credit or debit cards). The $11,655 amount was available for a one-time transfer because it was intended to retroactively cover monthly retirement payments back to her 65th birthday.

The letter the Eckensteins received from the SSA indicated that the benefits had been requested over the phone, meaning the crook(s) had called the SSA pretending to be Ruth and supplied them with enough information about her to enroll her to begin receiving benefits. Ed said he and his wife immediately called the SSA to notify them of fraudulent enrollment and pending withdrawal, and they were instructed to appear in person at an SSA office in Oklahoma City.

The SSA ultimately put a hold on the fraudulent $11,665 transfer, but Ed said it took more than four hours at the SSA office to sort it all out. Mr. Eckenstein said the agency also informed them that the thieves had signed his wife up for disability payments. In addition, her profile at the SSA had been changed to include a phone number in the 786 area code (Miami, Fla.).

“They didn’t change the physical address perhaps thinking that would trigger a letter to be sent to us,” Ed explained.

Thankfully, the SSA sent a letter anyway. Ed said many additional hours spent researching the matter with SSA personnel revealed that in order to open the claim on Ruth’s retirement benefits, the thieves had to supply the SSA with a short list of static identifiers about her, including her birthday, place of birth, mother’s maiden name, current address and phone number.

Unfortunately, most (if not all) of this data is available on a broad swath of the American populace for free online (think Zillow, Ancestry.com, Facebook, etc.) or else for sale in the cybercrime underground for about the cost of a latte at Starbucks.

The Eckensteins thought the matter had been resolved until Jan. 14, when Ruth received a 1099 form from the SSA indicating they’d reported to the IRS that she had in fact received an $11,665 payment.

“We’ve emailed our tax guy for guidance on how to deal with this on our taxes,” Mr. Eckenstein wrote in an email to KrebsOnSecurity. “My wife logged into SSA portal and there was a note indicating that corrected/updated 1099s would be available at the end of the month. She’s not sure whether that message was specific to her or whether everyone’s seeing that.”

NOT SMALL IF IT HAPPENS TO YOU

Identity thieves have been exploiting authentication weaknesses to divert retirement account funds almost since the SSA launched its portal eight years ago. But the crime really picked up in 2013, around the same time KrebsOnSecurity first began warning readers to register their own accounts at the MySSA portal. That uptick coincided with a move by the U.S. Treasury to start requiring that all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).

More than 34 million Americans now conduct business with the Social Security Administration (SSA) online. A story this week from Reuters says the SSA doesn’t track data on the prevalence of identity theft. Nevertheless, the agency assured the news outlet that its anti-fraud efforts have made the problem “very rare.”

But Reuters notes that a 2015 investigation by the SSA’s Office of Inspector General investigation identified more than 30,000 suspicious MySSA registrations, and more than 58,000 allegations of fraud related to MySSA accounts from February 2013 to February 2016.

“Those figures are small in the context of overall MySSA activity – but it will not seem small if it happens to you,” writes Mark Miller for Reuters.

The SSA has not yet responded to a request for comment.

Ed and Ruth’s experience notwithstanding, it’s still a good idea to set up a MySSA account — particularly if you or your spouse will be eligible to withdraw benefits soon. The agency has been trying to beef up online authentication for citizens logging into its MySSA portal. Last summer the SSA began requiring all users to enter a username and password in addition to a one-time security code sent their email or phone, although as previously reported here that authentication process could be far more robust.

The Reuters story reminds readers to periodically use the MySSA portal to make sure that your personal information – such as date of birth and mailing address – are correct. “For current beneficiaries, if you notice that a monthly payment has not arrived, you should notify the SSA immediately via the agency’s toll-free line (1-800-772-1213) or at your local field office,” Miller advised. “In most cases, the SSA will make you whole if the theft is reported quickly.”

Another option is to use the SSA’s “Block Electronic Access” feature, which blocks any automatic telephone or online access to your Social Security record – including by you (although it’s unclear if blocking access this way would have stopped ID thieves who manage to speak with a live SSA representative). To restore electronic access, you’ll need to contact the Social Security Administration and provide proof of your identity.


86 thoughts on “Registered at SSA.GOV? Good for You, But Keep Your Guard Up

  1. Columbus_viaLA

    While attempting a monthly log in to my SSA account recently, I found myself unable to via post 56 (aka Quantum) Firefox. I kept getting a “server error, try again later” message. Lowering the NoScript “shields” changed nothing.

    I “tried again later” over the course of 10 days, and gave up. Then I tried IE-11 (my non-default browser) and got in.

    The problem may be two-fold: a combination of Firefox 57-58 architecture issues, along with Kaspersky internet security issues. I have the SSA portal set to open in a secure browser, per a Kaspersky security option. That is how it finally opened in IE-11.

    After a bit of tweaking and troubleshooting with Firefox, I was able to get the “opening in a secure browser” message–inside a regular browser tab–but the secure window never opened. The wheel just spun indefinitely.

    This is the second government website that I have found to be incompatible with Firefow post-56 versions (the other is an Ohio county site). I have to use IE-11 for both, against my preference.

    Anyone else run into this or a similar issue with Firefox Quantum and/or Kaspersky?

    1. Adam

      If you are interested in security why would you use Kaspersky as your anti-virus? Considering Kaspersky’s connections to Putin and the Russian government that is taking a big risk. Of course you can chose to believe their denials that they act as a front or funnel information to the FSB but can you really trust them?

      1. Columbus_viaLA

        Oh, please! Are you that gullible?

        My own government is exponentially more of a threat to my security and freedom than anybody or anything that is Russian.

    2. Beeker25

      I use the MS Edge not IE. Sometimes websites are set up to use certain browsers. It is more to the website hosting company used by the agencies or businesses.

  2. Sycho

    Columbus_viaLA – My suggestion would be to try Pale Moon when logging into sites like that. While I use Firefox for some sites, Pale Moon is my de facto browser as I typically don’t run into problems like what you’re experiencing.

    You can import your Firefox profile (including any bookmarks, passwords, extensions and settings) into Pale Moon by copying the Mozilla folder located in C:\Users\\AppData\Roaming to another folder, renaming “Mozilla” to “Moonchild Productions” then copying that folder back into C:\Users\\AppData\Roaming.

    Please note that not all of your Firefox extensions will work with Pale Moon (with exception to the NoScript extension).

    HTH

    1. Sycho

      One folder was omitted from my reply to your query, most likely due to the brackets I used for the “user_name” folder…

      C:\Users\User_Name\AppData\Roaming

      1. Columbus_viaLA

        Thanks for the suggestion. I’ve never heard of Pale Moon, but I will now look into it. I never liked IE, and it is now at a dead end, which is one of many reasons I keep such high security shields.

        1. Levin in SE AZ

          I never have heard of Pale Moon either, but this is why I keep a copy of Chromium around. When I have this problem with a site (one of my banks didn’t work with Firefox for about six months) I can try Chromium, or failing that go to my Mac and try Firefox and Safari there. “Compatibility” and “Interoperability” are still only goals.

  3. LastMatthew

    I have noticed you don’t monetize your page, don’t waste your traffic,
    you can earn extra cash every month because you’ve got high quality content.
    If you want to know how to make extra money, search
    for: Mertiso’s tips best adsense alternative

  4. Ken Robb

    Sadly most financial services firms als0 rely on the same validating information that is readily available via the Equifax breach or other sources as mentioned above. It is increasingly frustrating to see such weak validation and it’s impact on people who can least afford it.

    1. meh

      What is frustrating is that there is no accountability, and since our own government props up these crooks nobody else to turn to that could change the situation. Same problems with student loans, the healthcare system, and many other areas of modern life.

  5. Mike

    You cannot create a my Social Security account online if you have a security freeze, fraud alert, or both on your credit report. You first must ask the credit bureau to remove the freeze or alert. I just tried and received a message that the account cannot be created at this time because I have placed a freeze & fraud alert on my credit due to Equifax breach. See link below

    https://faq.ssa.gov/link/portal/34011/34019/Article/3871/Can-I-create-a-my-Social-Security-account-if-I-have-a-security-freeze-or-a-fraud-alert-on-my-credit-report

    1. Mike

      Thanks for this note! I was getting an error: “We cannot create an account for the Social Security number you entered.” upon attempting to create an account which had me a little worried until I seen your post.

      Brian can you post a little update blurb at the bottom since not everyone reads the comments.

  6. John McGing

    Just a technical point – there is no such thing as a social security disability benefit after age 65. At age 65, disability becomes retirement. And getting such a disability benefit is actually not simply done over the phone like a retirement claim could be, because it requires someone mailing in some forms and a decent amount of documentation about what the disability is and the doctors to get contacted. Plus it takes months (if you are lucky, years if you are not). So the comment that the crooks had signed someone up for disability “too” really doesn’t make sense. If they had, then there exists a lot of paper that could be useful if the SSA IG or the police want to investigate. I kind of doubt scammers would play that because it literally gains them nothing.

    1. JOhn McGing

      Meant to say that you can create an account without a credit history or a frozen one if you go into the office. A disabled relative without any credit kept bouncing but he called and was told to come in and they did it all there. He has no credit still but his account works fine.

    2. Jeanette

      actually, now it is 66 or 67, your “full retirement age” is no longer 65.

  7. SteveH

    You can definitely sign up for a MySSA account while you have credit freezes in place, without requiring you to lift the freezes. However, doing so requires that you sign up in person at an SSA office.

    1. Loren

      not true!! if you have a freeze in place with the credit bureaus, and you go in in person (because you can’t sign up online), they tell you you MUST remove the freeze to create an account online!

      if someone has actual experience otherwise, please let me know. The agent even called over a supervisor.

  8. Me

    You don’t have to create an SSA account to block others from signing up. You can block all electronic access through the SSA.GOV website instead.

  9. Candy Tuft

    I received a notification from Social Security last week that someone had tried to apply for benefits in my name on line and requesting that I call a gentlemen at Social Security. He told me that the applicant did not give all the correct information and so they were suspicious. He also said the letter I received was not a usual occurrence. He said they were freezing my on line account and I would have to apply for benefits in person when that time comes. He also said that they are not an enforcement agency and gave me the number for the Inspector General. After being freaked out for a few days, I realized I am not sure what happened with my on line account, so I just tried to make one. After trying to sign up, I got a message that electronic access to my account has been suspended. Good! It also provided a phone number which turned out to be the Help Desk for tech problems. However, the very nice woman at the Help Desk told me that although electronic access to my account has been suspended, someone could still go on line and apply for benefits in my name! Not sure where that leaves me. Except she was able to see into my account and tell me that nobody was getting benefits. Perhaps I have to call periodically to confirm that. Or take the benefits NOW, even though I am only 66, just to make sure that nobody else gets them Any suggestions?

  10. Mattblum

    Just before the news of the Equifax breach broke, I got a letter from the SSA thanking me for registering for SS on line. As I hadn’t, this was a red flag. I first called the SSA and told them that I had NOT registered yet. I spend a fair amount of time over the course of a couple of calls establishing that I was indeed myself and got the new registration shut down. I then was called into my local office and spent hours waiting before I got it resolved. I then went home, signed up for my social security on line and proceeded to freeze my credit accounts.

    So far so good. Glad the person who signed up for my benefits was incompetent. Otherwise, I’d have been a very unhappy fellow when my time actually rolls around. That welcome letter saved me from a lot of future pain.

    1. Candy Tuft

      Thanks Mattblum for letting us know your experience. You and I are in the same spot now. The only problem is that we still have the fear of someone applying for benefits in our name. I was told by the gentleman at Social Security that I would have to apply in person. But the woman at the Help Desk said that someone could still apply on line! You would think that freezing our accounts would put the kibosh on someone applying on line in our names.

Comments are closed.