Is The US Social Security Site Still Vulnerable To Identity Theft? (krebsonsecurity.com)
Slashdot reader DERoss writes: Effective 1 August, the U.S. Social Security Administration (SSA) requires users who want to access their SSA accounts to use two-factor authentication. This involves receiving a "security" code via a cell phone text message. This creates two problems. First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.
More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.
In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that ironically, the National Institute for Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.
Google Voice (Score:5, Informative)
I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number. The text message appears in my Gmail inbox and I can reply to it as I would to an email.
Ok, maybe folks who don't have a cell phone also don't have a computer. So there needs to be an option of letting SS know that you want online services to be blocked for security purposes.
Re: (Score:2)
You mean as opposed to giving the information to my Verizon cell phone carrier? Yes.
Re: (Score:2)
I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number.
I mainly use Google Voice, but I find that some companies send text messages that can't be received on my GV number.
Instead I have to use my "real" cell number.
(Also, I can't send text messages internationally via GV, only receive them.)
Since Google Voice development seems to be rather stalled, I suspect things are not going to improve.
Re: (Score:3)
I logged into my SS account and received the text message via my Google Voice number before I posted. So yes, it works.
Re: (Score:1)
I don't have text messaging on my cell phone (I specifically had it disabled by the carrier). But I can still receive text messages on my computer by using a Google Voice number
Yes, but... Try signing up for Google Voice if you don't have a cell phone. Google does the same thing the SSA is being called out for, here - you can't enroll in Google Voice without a mobile number for Google to text a confirmation code to! You must have created your account before you had your carrier disable text messaging.
Re: (Score:3)
No, you just have to have some other number in order to sign up for a google voice number. It could be a friend's cell number or a POTS number, or a VOIP number. They do this to prevent someone from hogging a huge quantity of Google Voice numbers.
The verification can be by text or it can be verbal. They robocall your phone and tell you verbally the two digit code to enter into your computer.
Re: (Score:2)
My cell phone is an 8 year old Motorola flip phone. But even if I had a new iPhone or Android, I wouldn't be able to run my favorite version of Linux on it. Also, for anyone signing up for Social Security, a cell phone has a screen and keyboard that are too small and too limited in performance. And too expensive.
Re: (Score:1)
A lot of people are full of excuses for why they "can't" do something. The dead giveaway is they insist on help from someone else before they've made even a token effort to do for themselves. It's just an unwillingness to learn and try new things, even when the "new things" (like SMS) aren't really new at all and are widely used by many others.
Many of the Boomers and older folk enjoy being helpless. Not consciously, but nonetheless they do. "I can't do this" is a roundabout way to say "you should serve
Re: (Score:2)
I'm a 43 year old white male who is tired of seeing people being lazy and such... I'm just tired of the complaining.
Oh the irony!
Re: (Score:2)
I consider myself an expert in modern technology. For 40+ years, I was a software specialist. For 30+ of those years, I tested software used by the military to operate their earth-orbiting space satellites. I do not have a cell phone, not because I do not understand them but because I have no need for one.
However, the big deal is that cell phone text messages are very insecure. The Social Security Administration's form of two-factor authentication will not enhance users' security. Wait until some Socia
Security (Score:2)
It does appear to be a bit more secure than what they had in the past, but without text service it will lock out some people from using the service. With their password protocols requiring a new password every 6 months and requiring alpha-numeric and special key combinations, it virtually guarantees that the password will have to be written down, so I guess using this text requirement makes a bit of sense compared to just letting anyone in that happens across your password. I'm wondering though ho
Re: (Score:2)
It's an insurance plan, not a savings vehicle.
That's not how it was sold to the people.
Now it's not even a plausible insurance plan, it's a blatantly-obvious Ponzi scheme that's on course for a collapse.
If you're under 50, you would be wise to not count on any Social Security retirement benefits or health coverage being around when you get older. All that money the SSA takes from your paychecks will simply be gone. It's a tax with a cool story bro.
Strat
Re: (Score:2)
Yes, but had he lived to be 105 he would have taken out far more than he put in. Social Security is really a forced purchase of an inflation adjusted life annuity with a strong politically progressive component baked in.
The politically progressive part is that those who contribute the least get back more benefit per dollar contributed than those that contribute the most. The first dollar (and all the dollars put in by low paid workers or those who work only a few years) result in a benefit payment SIX TI
Re: (Score:2)
You're not paying in funds which you'll eventually collect - your current payments support those people who are currently receiving benefits. Then, when you're old, you're receiving payments thanks to the taxes being paid by then-current generation of workers.
It may seem a bit confusing, since your eligibility is at least somewhat based on your having paid into the system - but in the end it's an entitlement program, and what you will eventually get out of it is (loosely) based on what the government projec
Any end in sight? (Score:1)
A ridiculous approach. (Score:2)
The requirement for a cell phone w/text service is an absurd requirement. It may be a fine default, but there should be alternatives (other than VOIP based text services with their inherent security problems).
Some people live in areas where they have broadband (at least DSL) but, due to the terrain, there is no cell coverage at a significant percentage of the homes. To use the SSA's online service, these people are likely to end up at their local coffee house using the public WiFi to access their SSA accoun
Idiots (Score:1)
Should we be surprised that these overpaid bureaucrats are idiots?
But, you see, they actually are not idiots. Because their goal is not to safeguard YOUR interest, but rather THEIR OWN interests. They did not do this to make the SS site more secure. They did it to cover their own asses. Now, when people or the site are hacked, they can say "We conformed to the highest industry standards" even if they didn't.
I don't understand the text security angle (Score:3)
Fully agree with potential problems of requiring a cell phone: not all people that use the system will have access to cell phones or text messages, for example. There's also the question of how to update your cell phone number in the system if it changes. Krebs seems to be focused on the creation of accounts, which allows you to register a phone number and lock others out (which gets back to that updating your number thing); that seems to be a potentially big problem, considering how many security breaches have leaked our SSNs and what not. If all I need is a name and SSN to initially register and get benefits, then the system needs a better way of verifying identity before allowing to apply.
But I don't understand the text message security complaint that is "more important". Two factor auth means I need *two* things. Even if someone were to intercept the text message (which I believe is difficult, requiring special equipment and proximity to the victim, but feel free to correct me), the point of the system is that nothing can be done with that text without also knowing the password. And if someone knows your password and text messages, then no system is going to prevent an intruder. I understand that NIST is working to update the recommendation (which is a good idea), but I feel like it's more safe than not using 2FA (it at least requires attackers to do much more work!), and I'm sure when the NIST guidelines are finalized, other agencies will begin the move to the new recommendation too. It seems a mountain out of a molehill. Am I missing something?
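The post above, and the bank-style "we send you some digits, you type them back" scheme mentioned further down the thread, both lean on the same server-side logic: the code is only useful together with the password-authenticated session it was issued for, it expires, it is single use, and it cannot be guessed by brute force. The block below is an added illustration of that server side (it is not SSA code and not from Krebs's article); the 6-digit length, 5-minute lifetime, 3-attempt limit and `OutOfBandVerifier` name are constructed assumptions. How the code is delivered (SMS, email, voice) is deliberately left out, because that delivery channel is exactly the part the rest of the thread argues about.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed parameters (assumptions for this example, not SSA or NIST values).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code; the code itself is never stored
    expires_at: float    # absolute time after which the code is dead
    attempts: int = 0    # failed guesses so far


class OutOfBandVerifier:
    """Server-side half of a 'we send you some digits' second factor.

    The code is bound to a session that already passed the password check,
    so a captured code alone (first factor unknown) verifies nothing.
    """

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, session_id: str, code: str) -> bytes:
        # HMAC over session id + code: ties the code to one login session.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh code for a password-authenticated session."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = PendingCode(
            digest=self._digest(session_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        # Returned here only so the caller can hand it to the delivery channel.
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        """Check a submitted code: right session, unexpired, single use, attempt-limited."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[session_id]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(session_id, submitted))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            # Success consumes the code; too many failures burn it instead of
            # letting the attacker keep guessing within the lifetime.
            del self._pending[session_id]
        return ok


if __name__ == "__main__":
    v = OutOfBandVerifier(secrets.token_bytes(32))
    code = v.issue("session-after-password")   # would be sent out of band
    print("accepted:", v.verify("session-after-password", code))   # True
    print("replayed:", v.verify("session-after-password", code))   # False
```

The constant-time comparison and the per-session binding are the two details that usually go missing in home-grown versions: without the binding, a code obtained for one login can be replayed against another, and without the attempt cap a 6-digit code falls to enumeration well inside a 5-minute window.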
Re: (Score:2)
Only an A.C. can make this claim. Fully one third of people DON'T want or need a cellphone, and of those, about half can't afford it. Further, as others have noted, many people don't even KNOW HOW to enable SMS on their cellphone. This is gubmint bureaucracy at its worst: MY WAY OR THE HIGHWAY system design. They can use email, and anyone who accesses My SSA through the internet has an email address...or can get one, free.
Re: (Score:2)
The problem is that texts are not addressed to your phone or even your SIM card but to your number. The security of SMS 2FA is limited by the security of getting a new SIM for a given number which is just a small amount of social engineering. You may not even notice right away that your number has been redirected.
There's nothing to steal (Score:2)
If they break into mine all they can do is deposit.
Bring it on, bitches.
If there is one vulnerability, there are two (Score:2)
Yes. (Score:2)
"Is The US Social Security Site Still Vulnerable To Identity Theft?" The answer is almost certainly, yes. But is it vulnerable to the *same* threat as last time, and the answer, again, is probably yes.
Braindead SSA (Score:2)
I've tried to address this issue with SSA: One-third of Americans have no cellphone service. That's all SSA will allow!
Most banks do this with an eMail account: If they're uncertain (e.g., you've been offline for a long time), they'll send you a random string of digits you must provide back on the login page, so they know you're YOU.
But, the SSA decided that if you don't have a cellphone, you don't deserve access to My SSA at all.
My guess: The contractor they engaged to implement the recently mandated t