SSA's move to 2FA not enough, say experts

Account holders must now provide a cell phone number, but SMS is inadequate for verification, say experts.
Account holders must now provide a cell phone number, but SMS is inadequate for verification, say experts.

The Social Security Administration (SSA) has instituted new security measures for Americans logging into their accounts, but the step may do little to thwart cyberthieves creating false identities to steal benefits.

Security researcher and journalist Brian Krebs, writing on his blog, said the SSA's just-issued requirement that account holders provide a cell phone number to authenticate transactions does not address the issue of identity theft by miscreants who create online accounts masquerading as citizens who have yet to create their own accounts.

To access their personal "my Social Security" portal, account holders are now required to provide their username, password as well as a one-time, eight-digit code sent via a text message to their cell phone. The step was taken to comply with an executive order for federal agencies to upgrade authentication procedures.

Although Krebs agreed that the new step would help authenticate that the person logging in is the actual individual who created the account, he said "it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are."

Further, while other authentication procedures are available, Krebs argued that creating an account – for an individual who has not yet created one – is still a "relatively easy" process. All a bad actor would need is the target's name, date of birth, Social Security number, residential address and phone number, Krebs said. And, unfortunately, this sort of data is readily available on underground markets.

The takeaway: As it's possible to create only one "my Social Security" account per Social Security number, register for an account and get verified with the texted codes, said Krebs. That way, there's less chance that someone else will be able to create an account in your name. 

Still, he'd prefer a one-time code be sent via postal mail.

Also detracting from this initiative, as SC reported last week, the National Institute for Standards and Technology (NIST) issued guidelines that called for the phasing out of two-factor SMS authentication.

Other experts also point to the inadequacy of SMS as a verification method.

"The Social Security Administration has good intentions, but consumers should expect more of the financial safety net of the United States," Marc Boroditsky, VP of Authy, a Twilio service, told SCMagazine. "Their approach to 2FA relies chiefly on outdated methods like SMS and security questions, which history has shown can be breached or socially engineered relatively easily."

Push notification authentication would have been a more reliable, more secure solution – and ultimately a better user experience, Boroditsky said, adding that for consumers who may not have smartphones, even voice is more reliable than SMS for delivering an authentication code.

"This is still better than nothing, but that can't be the standard to which we hold ourselves moving forward."

Two-factor authentication is not going away any time soon, Brian Czarny, SVP at TeleSign said in a email to SCMagazine.com. "Passwords are too easy to crack and additional layers of security are vital."

NIST's comments are directed at government agencies – not at consumers – and there's a major gap between their intention and public perception, Czarny argued. "For any person that stores information within apps and online accounts, 2FA is an important and easy way to implement a layer of security that will exponentially increase the security of your data. Consider it like a lock on your front door – locks can be broken, but you shouldn't leave the door wide open just because there's a chance someone could get in."

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS