Saturday, August 6, 2016

My Social Security is Less Secure - Sam Says So


    I have been a recipient for more than 2 years and during that time, I submitted an application for MFV. The Social Security Administration (SSA) asked for documents beyond the Administration’s legal right for increased security for access to my personal account. On 30 JUL 16, SSA announced that they were instituting Multi-Factor Authentication for My Social Security accounts and the SSA no longer required the documents.
     Now the SSA says, "We removed the requirement to use a cell phone to access your account. While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security."
     The result is that SSA has reinstated the requirement for the documents they are not legally empowered to require.
     Previously, SSA implemented 2FA requiring only an SMS-capable phone:
     - [They] “implemented mandatory MFA to comply with Executive Order 13681, which requires federal agencies to provide more secure authentication for their online services.
     - “We [SSA] are committed to using the best technologies and standards available to protect our customers’ data. MFA is just one of the ways we deliver on our promise to protect information and access to it.
     - “Now, all new and current my Social Security account holders will need to provide a cell phone number able to receive text messages.
     - “People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number.
     - “The text message option has been a feature in my Social Security since its launch in May 2012…
     - “We are limited to text messages for the initial MFA implementation due to technical and resource constraints. We may consider adding additional options in the future.”
     All right, since the SSA admits, “We are limited to text messages…”, they are misleading the people they service with several falsehoods:
     1. They are not providing Multi-Factor Verification; merely 2-Factor Authorization (2FA).
     2. SSA has provided 2FA since May 2012; however, I am again prevented from using it without providing documents which they have no legal authority to require.
     3. I will not contend with the SSA's requirements and close the My Social Security account for security reasons.
     It does not stop there: The Social Security Administration also requires one to change the password to My Social Security twice a year. However, they only remind folks about their account and where to view it once a year. There are several studies, with one of the latest being https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf, and it describes the requirement to change the password periodically as a bad security procedure.
