Social Security to Try Two-Factor Authentication Again
One-Time Passcodes Will Be Sent Over Phone, Email
The U.S. Social Security Administration has come up with a revised plan to implement strong authentication after a previous effort was scrapped amid criticism.
As of June 10, those logging into their "my Social Security" account will be required to turn on multifactor authentication, according to a notice sent by email over the weekend. The security control requires a time-sensitive passcode in addition to a username and password.
"You will be able to choose either your cell phone or your email address as your second identification method," the notice says. "Using two ways to identify you when you log on will help better protect your account from unauthorized use and potential identity fraud."
In July 2016, the Social Security Administration announced it would implement multifactor authentication to comply with Executive Order 13681. The order, signed by President Barack Obama in October 2014, required government agencies to strengthen security in order to prevent fraud.
But the agency's original plan for multifactor authentication, which involved sending one-time passcodes via SMS, came under immediate fire. It required all users to have a mobile phone, a questionable requirement for an agency that distributes retirement benefits to seniors. Absent a mobile device, the agency offered no other options for online account access. At the time, it said: "People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number."
Additionally, a user had to have a mobile phone with a U.S. number, excluding expats and at least 500,000 benefit recipients living outside the country.
Codes Over Email
The new plan increases accessibility. But it still assumes that users have an email account, which some seniors may not have. And relying on email as a second security control may cause a groan.
If a hacker has obtained the username and password for someone's Social Security account, it's possible that their email account has already been compromised, especially if the same password has been reused.
The agency's move to multifactor last July also came around the same time as a warning from the National Institute of Standards and Technology. NIST, which advises the government on technology issues, said it was deprecating out-of-band authentication over SMS or voice. That was due to the variety of ways that the mobile channel can be compromised: device swapping, changes to SIM cards and social engineering ploys aimed at porting numbers to other devices.
NIST's position has proved prescient. In a recent fraud, hackers manipulated a worldwide network that telecommunications companies use to route calls and SMS messages to wherever a mobile phone is in the world. The fraudsters first phished victims in Germany and tricked them into setting up online money transfers. By manipulating the SS7 signaling protocol, the attackers then diverted the one-time passcodes (called mTANs in Germany) sent to users' mobile phones to devices they controlled, enabling them to steal funds (see Bank Account Hackers Used SS7 to Intercept Security Codes).
Insecure Account Registration
The Social Security Administration's account portal has attracted criminal attention ever since it was launched in 2012.
Fraudsters quickly found out they could create accounts for those who had not yet registered. They then used the portal to divert benefits payments from direct deposit accounts to prepaid debit cards, according to a September 2013 blog by security writer Brian Krebs.
The agency still doesn't appear to have strengthened the controls around creating an online account. The process simply involves supplying a full name, address, birth date and Social Security number.
The agency uses a third-party identity services provider to verify that the supplied information is correct. But underground data markets are awash in such basic information, so it's not hard to get it right.
Krebs wrote in a September 2016 blog that the Social Security Administration does offer a more secure way for accounts to be verified. But users have to elect that option, and strangely, it's not the default.
The so-called "extra security" involves mailing a passcode to a registrant. After that code is entered on the website, users are also asked other questions, such as the last eight digits of payment cards, information from tax forms or Social Security direct deposit figures.
Those who don't realize the danger of fraud are unlikely to try to make it more difficult for themselves to register for an online account. The onus should be on the service provider to ensure they're properly verifying a customer, and that's where it appears the Social Security Administration is failing. And this problem comes well before integrity questions involving multifactor authentication.