Jan 9, 2018

What's The Alternative?

     From Salon:
Nearly five months after an unprecedented security breach at the credit rating firm Equifax exposed Social Security numbers and other data, making some 147 million Americans vulnerable to potential identity theft and fraud attacks, the Social Security Administration continues to use an identity security system devised by Equifax for the MySocialSecurity online portal.
Equifax was awarded a no-bid $10 million contract back in early 2016, as the company boasted at the time, “to help the SSA manage risk and mitigate fraud for the mySocialSecurity system, a personalized portal for customers to access some of SSA’s services such as the online statement.”  ...
[Social Security] Press officer Mark Hinkle would only tell Salon that “Equifax is not, and has never been, responsible for the authentication of mySocialSecurity users, or building, maintaining or supporting any of Social Security’s platforms.” 
That response suggests that, in fact, all the financially strapped SSA actually got from Equifax for its $10 million was a bunch of security questions to ask those trying to prove their identity before accessing the online customer portal.... Based on the questions actually found on the site, it would appear that Equifax offered a duplicate version of the questions it uses for its own flawed and hacked customer access security system for use by the SSA’s MySocialSecurity Portal, and no doubt the IRS’ online portal too. ...
     The Social Security Administration has been under enormous pressure to move its operations online. There are Congressional hearings where members of Congress seem incredulous that the agency even has field offices. The Government Accountability Office (GAO) keeps pressing to move everything online. If Uber can do it, why can't Social Security? This is based upon a naive belief that Social Security's operations are relatively simple, which they might be if the agency only had to take retirement claims. However, many of Social Security's operations -- like disability, survivor and SSI claims -- are way too complicated to be handled online. It's sort of like insisting that a funeral parlor move all its operations online. Sorry, but there's that pesky body you have to deal with somehow as well as bereaved relatives who demand TLC.
     The Equifax situation isn't as dire as this article suggests. Equifax isn't getting any data from Social Security. It all goes in one direction from Equifax to Social Security.
     I can't say whether the authentication process Social Security is using is adequate but I don't know what the alternative would be other than to give up on online services. That would be fine with me as long as Congress gives Social Security adequate resources but that's not going to happen.

7 comments:

Anonymous said...

If you do not have a credit history, you cannot sign up for an account online, you must go to the office to set one up. They don't (or didn't, maybe that's changed) tell you that, just error you out. The obvious reason is that if you lack credit (as many young adults who are disabled do), Equifax doesn't even know you exist. But if you do have credit history, Equifax can come up with the challenge questions. That's what they are paid to do and nothing more. The rest of the authentication is done at and by SSA. Security experts can and do argue over whether it is set at the right level and if the mechanisms are solid and shouldn't be beaten. But, simply having an account doesn't mean much without things to do online. That gets to the crux of the online paradigm and program complexity. How many real people would define and answer a question about income in a way that matches up with the SSI definition of income? None. Bad answers, bad decisions. Means people not getting something they should and others getting something they shouldn't. The only way to make SSA claims filing Uber-like is to legislatively roll back on the complexity. And that ain't happening, because it would cost money or cut people served.

Anonymous said...

'My Social Security Account' is so secure that I can't get into it anymore, but it was helpful when I was trying to get my retirement.

Anonymous said...

Nothing is secure, and nothing is private.

You want private? The only people I know that have privacy are the homeless. They are so private you don't even look at them. They have an identity no one wants to steal.

Anonymous said...

Congress only pushes SSA to put its operations online until the first constituents complain about lack of internet access or know-how or complain when a field office is closed. A service problem that SSA faces, unlike the private sector, is that SSA must appease all the people, and Congress, and thus has to provide online, telephone, regular mail, and face-to-face service. There is no ability to tell the public that this is the way it will be, take it or leave it. Nor perhaps should there be such an authority.

Anonymous said...

Social Security is not like Uber; for one thing, Social Security is closer to being solvent than Uber.
https://nypost.com/2017/12/25/why-ubers-investors-may-lose-their-lunch/

Members of Congress believe the only Social Security offices that should exist are the one in Baltimore (maybe) and the local offices in their district or state. The rest are waste.
Just as they believe USPS should close unprofitable post offices unless the office is in their district or state.

Anonymous said...

I spent over 40 years at SSA. When I attempted to set up a MySSA account, I was failed. Went to my local office and all they did was reset it and told me to go home and try again. Failed again. Went back to the FO and got the same response plus they said they couldn't help me in any other way. Was too aggravated to tell them to read POMS.

This time I printed every screen. Finally figured out that they (Equifax) think I still own a 1981 car that I replaced in 1989 or 1990. And there was a question about a license tag number that I might have had back in the 1980s - maybe on my spouse's car? - but I am not sure. I cannot even remember the current tag! What the h--- do they want!!! Since I am GPO'd anyway, it is not worth the aggravation of dealing with the FO.

I am just glad that I don't actually need the access since they don't pay me anything and I have to pay directly for my Medicare because of the GPO!

Tim said...

I have to use 2 devices to log in. If I don't, it wants to keep sending a code to email. So, you need a 2nd device to check the email. Seems to be set up for a computer instead of a phone or tablet. Therefore, it is inflexible. Just like the rest of the government!