Government Cellphones Crime Databases Privacy Security

Is The US Social Security Site Still Vulnerable To Identity Theft? (krebsonsecurity.com)

Slashdot reader DERoss writes: Effective 1 August, the U.S. Social Security Administration (SSA) requires users who want to access their SSA accounts to use two-factor authentication. This involves receiving a "security" code via a cell phone text message. This creates two problems. First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.

More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.

In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that, ironically, the National Institute of Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.


  • It does appear to be a bit more secure than what they had in the past, but without text service it will lock out some people from using the service. With their password protocols requiring a new password every 6 months and requiring alpha-numeric and special key combinations, it virtually guarantees that the password will have to be written down, so I guess using this text requirement makes a bit of sense compared to just letting anyone in that happens across your password. I'm wondering though ho

  • The US seems unable to insure information. One hears of actions by the US government that are offensive in nature, such as alleged hacks of state actors or in defeating encryption. What is being done about infosec defense? The most encouraging thing I've heard in the business community is from Bank of America, where CEO Brian T. Moynihan said, "The only place in the company that doesn’t have a budget constraint is. . ." cyber. He further notes they spend > $400M for this purpose. Anyhow, the vibe is
  • The requirement for a cell phone w/text service is an absurd requirement. It may be a fine default, but there should be alternatives (other than VOIP based text services with their inherent security problems).

    Some people live in areas where they have broadband (at least DSL) but, due to the terrain, there is no cell coverage at a significant percentage of the homes. To use the SSA's online service, these people are likely to end up at their local coffee house using the public WiFi to access their SSA accoun

  • by Anonymous Coward

    Should we be surprised that these overpaid bureaucrats are idiots?

    But, you see, they actually are not idiots. Because their goal is not to safeguard YOUR interest, but rather THEIR OWN interests. They did not do this to make the SS site more secure. They did it to cover their own asses. Now, when people or the site are hacked, they can say "We conformed to the highest industry standards" even if they didn't.

  • by mx+b ( 2078162 ) on Saturday August 06, 2016 @01:43PM (#52656397)

    Fully agree with potential problems of requiring a cell phone: not all people that use the system will have access to cell phones or text messages, for example. There's also the question of how to update your cell phone number in the system if it changes. Krebs seems to be focused on the creation of accounts, which allows you to register a phone number and lock others out (which gets back to that updating your number thing); that seems to be a potentially big problem, considering how many security breaches have leaked our SSNs and what not. If all I need is a name and SSN to initially register and get benefits, then the system needs a better way of verifying identity before allowing to apply.

    But I don't understand the text message security complaint that is "more important". Two factor auth means I need *two* things. Even if someone were to intercept the text message (which I believe is difficult, requiring special equipment and proximity to the victim, but feel free to correct me), the point of the system is that nothing can be done with that text without also knowing the password. And if someone knows your password and text messages, then no system is going to prevent an intruder. I understand that NIST is working to update the recommendation (which is a good idea), but I feel like it's more safe than not using 2FA (it at least requires attackers to do much more work!), and I'm sure when the NIST guidelines are finalized, other agencies will begin the move to the new recommendation too. It seems a mountain out of a molehill. Am I missing something?

    • The problem is that texts are not addressed to your phone or even your SIM card but to your number. The security of SMS 2FA is limited by the security of getting a new SIM for a given number, which is just a small amount of social engineering. You may not even notice right away that your number has been redirected.

  • If they break into mine all they can do is deposit.

    Bring it on, bitches.

  • Vulnerabilities never come alone.
  • by h8sg8s ( 559966 )

    "Is The US Social Security Site Still Vulnerable To Identity Theft?" The answer is almost certainly, yes. But is it vulnerable to the *same* threat as last time, and the answer, again, is probably yes.

  • I've tried to address this issue with SSA: One-third of Americans have no cellphone service. That's all SSA will allow!

    Most banks do this with an eMail account: If they're uncertain (e.g., you've been offline for a long time), they'll send you a random string of digits you must provide back on the login page, so they know you're YOU.

    But, the SSA decided that if you don't have a cellphone, you don't deserve access to My SSA at all.

    My guess: The contractor they engaged to implement the recently mandated t
