Bamboozled September 1, 2016: Social Security steps back from new online security protection

We usually applaud when companies and government agencies take steps to protect against hacks and identity theft.

These steps often require consumers to participate, but we’d argue the mild inconvenience is well worth the extra protections.

The Social Security Administration (SSA) came up with what appeared to be a great idea to guard consumer information.

But there was a pretty big hitch.

Seems that consumers who don’t have cell phones, or those who cannot text, couldn’t use the safety feature. In fact, without a textable cell phone, consumers couldn’t log in at all.

Bamboozled learned about the issue from reader Ronald Weinger of Berkeley Heights.

“This is supposed to be a security feature,” he said. “Since when should a government security feature require a person to purchase a service from a private corporation?”

That’s a great question. Before we get to the answer, let’s review how access to Social Security statements have changed in recent years.

It used to be that workers would receive annual benefits statements in the mail. The statements would show how benefits were accumulating each year, and how much the worker’s benefit might be at retirement age.

But effective April 2011, SSA suspended the mailing of all statements because of budgetary constraints, said SSA spokesman John Shallman.

The move resulted in savings of approximately $30 million for the remainder of April 2011, he said.

Tips on how to keep your information safe from unsolicited phone calls.

In February 2012, SSA began mailing the statements again, but only to those age 60 and over who were not yet receiving benefits.

Then starting May 1, 2012, all workers age 18 and older were able to get their statements online. It only required you to sign up and create a login and a password.

Then in September 2014, SSA started to send statements every five years to workers as young as 25, as long as they were not already receiving benefits or if they didn’t have an online account.

Then on July 30, 2016, the new SSA security measure for online accounts kicked in.

The upgraded security required what’s called multifactor authentication. You not only had to have the login and password, but when you logged in, the site would text you a special code needed to access your account.

Those without cell phones or texting abilities were without online access, and they complained.

SSA took action fast.

A spokesman sent Bamboozled the text of an email that would be going out to accountholders this week and next.

It said it added the multifactor authentication to be in compliance with a presidential executive order to improve the security of consumer financial transactions. SSA said it “implemented the improvements aggressively because we have a fundamental responsibility to protect the public’s personal information.”

But, it learned, multifactor authentication inconvenienced or restricted access for some accountholders.

“We’re listening to your concerns and are responding by temporarily rolling back this mandate,” the letter says.

So once again users can access their accounts with just the login name and password, though the text message option is available — but not required — for those who want to use it.

SSA is developing alternatives to increase security, it said, but it didn’t detail what those alternatives would be.


We asked for suggestions from security experts.

Options could include using an automated message to a land line (home) phone, email message and/or challenge questions, said Drew Procaccino, an associate professor in Rider University’s Department of Information Systems & Global Supply Chain Management.

But, he said, if SSA uses challenge questions, it should carefully consider the nature of the questions to make sure thieves can’t easily find that information somewhere online.

Recent research by his colleague Alan Sumutka, an associate professor of accounting at Rider,  suggests the responses to such questions are often easily obtained through simple online research, Procaccino said.

That’s why old addresses and phone numbers that can be found in public records, and pet and high school names, which can be found on social media, don’t make the best challenge questions.

“Taxpayers should carefully consider if they want to respond accurately,” he said. “If a given response could be determined by a resourceful thief, a fictitious response is in order.”

A Kenilworth woman battles for the refund of a fraudulent charge made on her Direct Express card, a debit card on which she receives Social Security benefits.

The effectiveness of multifactor authentication is worth a conversation.

The security of two-factor authentication (2FA), a subset of multifactor authentication (MFA), is dependent on two items: upon something you know, such as a password, and something you have, such as an ATM card or a fingerprint, said Mitch Feather of Creative Associates, a Madison-based cybersecurity and infrastructure consulting firm.

“The concept is that if an unauthorized individual had just one of those in his or her possession, then he/she won’t be able to access your 2FA-protected account,” Feather said.

But, he said, if the scammer has both of those items in their possession, the security of 2FA fails.

One solution is to replace the one of those factors with what is known as a one-time password (OTP), Feather said.

But it can be a challenge to get the OTP in someone’s possession.

Feather said the most common and cost-effective approaches uses text messaging, a telephone call or email.

“One of the inherent flaws of this approach is the smart phone: if a person loses the smart phone where he/she receives the text message or phone call or email, then the unauthorized individual now is better equipped to circumvent 2FA security,” Feather said.

Another option is using a biometric factor, such as a fingerprint, retinal scan, facial recognition software or even voice print analysis.

Of course, not everyone has this technology and it’s a lot more costly than sending a one-time code via text or email.

Before you hand over your Social Security number, make sure the requester has a good reason for needing it.

The challenge for SSA is to find ways to increase security but with a reasonable cost.

Feather said SSA could move to a three-factor authentication system: something you know (password), something you have (one-time password) and something you are (voice print analysis).

He said for the voice print analysis, the user would speak a defined phrase that the system would analyze and authenticate.

Feather had a message to “all of the critics, armchair hackers, and spy movie aficionados” who ask: “What if the person cannot speak?”

Feather said a designated caretaker could always do the authentication. And, he said, if you’re worried that someone could record and play back your voice, there are strategies to defeat such hacks.

We’ll let you know what SSA comes up with next.

In the meantime, if you don’t have online access to your SSA account, you can do what millions of people did before the advent of the internet: Call SSA at (800) 772-1213 or visit one of the 1,231 local Social Security offices nationwide.

Have you been Bamboozled? Reach Karin Price Mueller Follow her on Twitter @KPMueller. FindBamboozled on Facebook. Mueller is also the founder of Stay informed and sign up for’s weekly e-newsletter.