Topics: Government, Crime, Encryption, Security, The Almighty Buck, United States

Under Fire, US Social Security Site Changes Security Policy Again (vortex.com) 37

Long-time Slashdot reader Lauren Weinstein writes: I'm told that the Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."

  • by The Cisco Kid ( 31490 ) on Sunday August 14, 2016 @01:03PM (#52700371)

    Told by who? Via what channel? Have you verified this? How? How can someone else verify it?

    I seriously hope that they have removed that requirement, but I'd like to verify it for myself.

    "I was told by a little bird that was told by his friend that heard it from his garbage man that he heard it in a restaurant by a waitress who ......." is useless.

    • Re:"I'm told" ??? (Score:5, Informative)

      by clovis ( 4684 ) on Sunday August 14, 2016 @04:10PM (#52701149)

      There is a message on the SocialSecurity web site that states the SMS requirement has been removed.
      https://www.ssa.gov/myaccount/ [ssa.gov]

      I agree with Krebs that the weak place in this is the initial setup, but there's no good answer for that. The SSA is better than most, though.

      To set up an account, SSA does a soft inquiry against your Experian credit report and asks you some multiple choice questions based on that, to verify that it's really you. This is easy for relatives (or pretty much anyone) to hack if you happen to be an old person that's lived in the same place for decades and only had one job.
      The questions they ask are taken from the same database as the questions you have to answer to get a copy of the credit report (or online IRS account, etc.), so a total stranger can do testing against other agencies without setting off the wrong-answer lockout on SSA.

      If your Experian report has incorrect info (such as your current address or work history), you may need to have a copy of the report to answer the questions the way they want.

      The online account cannot be set up by you or anyone else if you have a credit freeze on your Experian credit report.
      Everyone should have a freeze on their credit report.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        It is even easier than that. I had to get into an account when I didn't know the answer they wanted. But hey, when the right answer to the questions stays the same and the wrong answers keep changing, it only takes two tries if you pay attention.

  • I set up an account (so that someone else could not impersonate me and set up an account in my name/number).

    However, I never received the SMS messages that the site claimed to have sent to me. I did this several times, although all around the same time.

    My phone drops about 50-100% of all SMS messages that originate from AT&T (I'm on T-Mobile), so perhaps that might explain the problem, but I have never before had issues receiving SMS messages sent from other sources.

    Interestingly, in the verification p

    • For the longest time the only address anyone had on record was my mailbox for the 1st year of college... With the wrong zip code. It took almost 5 years before the house I lived in showed up.

      I miss my anonymity.

  • by markus ( 2264 ) on Sunday August 14, 2016 @02:13PM (#52700675) Homepage

    SMS and soft-tokens (such as the Google Authenticator cellphone app) are better than nothing. But they don't provide for particularly secure second factors, especially if the web site is a valuable target.

    I don't understand why so few sites (pretty much just Google and Github) use FIDO U2F hardware tokens. They are much more secure as the browser can cryptographically verify that there is no phishing attempt happening -- something that most users have trouble noticing. You only need a single token for an arbitrary number of sites. In many cases, you can leave the token permanently installed in your computer without compromising its security guarantees. The token is dead-simple to use. All you have to do is push a single button, when the site asks for the second factor. You can have multiple tokens, if you want a backup token for account recovery or if you own multiple computers. Any user can buy their own token from a vendor of their choice.

    And if site (e.g. your financial institution or SSA) wants to provide tokens for its clients, cheap entry-level tokens cost less than $10. In fact, I suspect you could buy them for around $1 a piece, if you placed an order on the scale of what the SSA needs.

    FIDO U2F is of course not perfect. But that can be said about all security products. There is no such thing as perfect security. But these tokens are much more secure than pretty much all alternatives, they are super easy to use, and they are dirt cheap.

    • by 93 Escort Wagon ( 326346 ) on Sunday August 14, 2016 @03:05PM (#52700931)

      The main issue I've run into with all of this is the lack of interoperability - one bank I deal with actually used to offer hardware tokens, albeit from a company I didn't know; my web host supports Google Authenticator; a different bank supports a different soft token; etc. As two-factor authentication gains traction, the annoyance / confusion factor grows.

      So I can see why SMS "two-factor" has gained steam. Almost everyone has access to it, and it's intuitive.

      It would be great if a broad consortium of Internet companies (which would have to include Apple, Google, Microsoft, Amazon - plus perhaps the Apache Foundation - at a minimum) would get together and agree on a single standard, or perhaps one acceptable hard token and one acceptable soft token protocol which everyone would support.

      Normally I'd say this is exactly what the government should be driving; but very few of us here would trust them on this anymore... and if we don't trust their solution, it would be DOA.

    • by clovis ( 4684 )

      As for hardware tokens, they would offer optimal security compared to SMS messaging. But people with SSA accounts set up likely may go for years, if not decades, without needing to log on until they're senior citizens.
      I cannot imagine hardware tokens being a good idea for a group of people of whom many may not even know where their teeth are.

  • Cell = no way (Score:4, Interesting)

    by markdavis ( 642305 ) on Sunday August 14, 2016 @06:58PM (#52701695)

    Any "security" system that requires disclosing my cell/mobile phone number is an instant and total FAIL. And I am certainly not alone about protecting that which would become the single most annoying device ever (if/when compromised/harvested by marketers).

    I find it fascinating how many businesses and sites now seem to think they have an absolute right to know our cell/mobile phone numbers. Not home, not work, but specifically cell/mobile. I usually have to lie to them and either put in my work number or make up a number. Obviously that won't work if they are trying to use it for text verification.

  • by arobatino ( 46791 ) on Sunday August 14, 2016 @07:20PM (#52701757)

    There is an undocumented 20-character limit on password length. Any longer password meeting all stated requirements is rejected (repeating only the stated requirements, not the actual reason). Although since the password has to be changed every 180 days, that's probably not enough time to crack it, if all printable characters are used (one can use a strong random username to add security, though). I'd rather be allowed to use an arbitrarily long password and not have to change it at all.

    • Oh, and you have to give strong random answers to the required "security" questions too, otherwise that's a workaround.

  • She'll be happy she didn't pay for a cell she doesn't need.

  • I know that my parents will need social security. However I also know that I won't ever get to retire unless the economy makes a profound change; social security won't be anywhere near enough for me to retire before I die and the money I have been able to save for retirement isn't enough to retire in the next 70 years (and I don't expect to live another 70 years).

    When your retirement plan is summarized as "Die At Work", it is hard to justify placing a lot of concern in the state of social security.
