Posts Tagged: ssa.gov


10 May 17

SSA.GOV To Require Stronger Authentication

The U.S. Social Security Administration will soon require Americans to use stronger authentication when accessing their accounts at ssa.gov. As part of the change, SSA will require all users to enter a username and password in addition to a one-time security code sent to their email or phone. In this post, we’ll parse this a bit more and look at some additional security options for SSA users.

The SSA recently updated its portal with the following message:

The Social Security Administration’s message to Americans regarding the new login changes coming in July 2017.

I read that to mean even though an email address is required to sign up at ssa.gov, the SSA also is treating email as a second authentication factor. But the above statement seemed open to interpretation, so I put my questions to the SSA. Here’s what SSA’s press office came back with:

“Beginning June 10, 2017, we will require all my Social Security account holders (both new and returning) to use a stronger authentication method to create an account or access their account. In addition to entering the username and password, people must select either of the following options to receive a one-time use security code:

A text message; or
An email.

During registration and each subsequent login, customers will receive a new, one-time use security code by text message or email – depending on their choice.

The combination of the username, password, and one-time use security code will provide access to their personal my Social Security account.”

ANALYSIS

The idea that one can reset the password using the same email account that will receive the one-time code seems to lessen the value of this requirement as a security measure.

Notice the SSA isn’t referring to its new security scheme as “two-factor authentication,” which requires the user to supply something he knows and something he is or has.


16 Aug 16

SSA: Ixnay on txt msg reqmnt 4 e-acct, sry

The U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at ssa.gov. The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.

In an announcement last month, the SSA said all new and existing ‘my Social Security’ account holders would need to provide a cell phone number. The SSA said the numbers would be used to send recipients an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

But sometime in the past few days, apparently, the SSA decided to rescind the cell phone rule.

“We removed the requirement to use a cell phone to access your account,” the agency noted in a message posted to its my Social Security portal. “While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security. We continue to pursue more options beyond cell phone texting.”

Hopefully, those options will include using the U.S. Mail to send Americans a one-time code that needs to be entered at the SSA’s Web site to complete the sign-up process. I should note that the SSA is already mailing out paper letters via snail mail to Americans who’ve signed up for an SSA account online; they’re just not using that mailing to securely complete the signup and authentication process.

Here’s a redacted letter that a friend of mine received and shared the other day after signing up for an account online. It merely explains what the agency already explained about the texting policy via its Web site.

A letter that the Social Security Administration sends out via the U.S. Mail for every American who signs up to manage their benefits at ssa.gov.

The SSA does still offer the text message feature as part of what it calls “extra security” options. These extra options, by the way, do include sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, crooks won’t go through the more rigorous signup process — they’ll choose the option that requires less information. That means it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.