Social Security Administration’s Second Attempt at 2FA Fails Federal Government’s Own Standards, Not Secure

Tuesday, June 06, 2017

Alexandre Cagnoni

The Social Security Administration (SSA) recently instituted its latest precautions to identify threats and protect citizens’ information by making two-factor authentication mandatory for all users. This basic security layer is invariably better than nothing, but it places the burden on the customer to ensure their account is secure, while the organization should ultimately be responsible for protecting users.

In July 2016, the SSA announced that it would implement multifactor authentication. The effort soon evolved into sending one-time, time-sensitive passcodes to users by one of two methods: email or cell phone. These latest “options” neglected the fact that seniors are less likely than any other demographic group to have access to a smartphone or email account. Ironically, the decision to switch to multifactor authentication came in the same month in which the National Institute of Standards and Technology (NIST) warned that these SMS-based channels can be compromised by hackers.

The SSA portal was launched in 2012, and fraudsters have regularly manipulated the system to create fake accounts, divert money and reroute SSA benefit payments. The agency has failed to secure the account-opening process, which requires only basic personal information that can be bought and sold on underground information exchanges. The multifactor authentication system signed into effect in September 2014 has left seniors extremely vulnerable to newer hacking techniques such as social engineering scams, stealing SIM card data, or rerouting the verification signals.

Those who are registered in the SSA system would most likely say that they feel safe because of all the rules and authentication methods that have been put in effect. The agency’s additional method of authentication involves the use of a third party to verify the user’s name, address, birth date, and Social Security number. If the user provides the correct answers, they are verified and can access their account. But hackers conquered simplistic information like this years ago, and the trade in such personal information has since grown into a huge illicit business.

Beyond these initial security enhancements, the administration has proposed additional measures. Users can elect an option that provides a “better” way to verify their information, but this is NOT the default option and is unlikely to be chosen by those who aren’t aware of the current risks. That third option, it turns out, is not that appealing after all: it mails a passcode to the registrant via the United States Postal Service, which can then be entered on the website, followed by a series of other questions that must be answered correctly. This is far from an ideal solution because it still requires the user to initiate the extra measures, and the mailed passcode could be intercepted en route.

As the Social Security Administration continues to rack up losses in the information war, it will hopefully seek to implement solutions that proactively protect the entire organization and its users. Yet again, this is the perfect scenario to benefit from the low cost and high level of security that push-based technology and other options offer compared to the highly vulnerable SMS-based systems of yesteryear.

About the author: Alexandre Cagnoni is CEO of McLean, Virginia-based Datablink (www.datablink.com), a global provider of advanced authentication and transaction signing solutions.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.