Pages

Jun 23, 2019

Social Security Online System Vulnerable

     From ZDNet:
The 2017 Equifax security breach has thrown a wrench in the process used by US government agencies to verify the identity of US citizens applying for various benefits via its online portals.
This process, called online identity verification or remote identity proofing, relied on data provided by credit reporting agencies (CRAs) like Equifax, as a proof of the applicant's identity. ... 
In 2017, the National Institute of Standards and Technology (NIST) reacted to this hack by issuing guidance to government agencies, with recommendations on replacing the CRA-based online identity proofing with other solutions like sending an SMS to a user's phone, or having the user send/upload a scan of a physical ID to the government agency, as a proof of identity. ... 

But a report from the US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress, has found that only two of six of the government agencies they tested had followed the NIST guidance. 
GAO found that the Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), the US Postal Service (USPS), and the Department of Veterans Affairs (VA) were still relying on the old CRA databases for online identity verification. ... 
The agencies who were part of the GAO inquiry said that one of the reasons they haven't migrated to a new system yet, as per the NIST guidance, is because of "high costs and implementation challenges for certain segments of the public," which the agencies fear might prevent certain US citizens from being able to use their online portals. ... 

The Social Security Administration (SSA) and the United States Postal Service (USPS) intend to reduce or eliminate their use of knowledge-based verification some time in the future but do not yet have specific plans for doing so. ..

2 comments:

  1. A big part of this is that without a suitable replacement, people must come to an already over crowded field office to register for their online account. My son gets SSI and after multiple failures to get an account set up, compete with useless error messages, a trip to the field office (and a half hour wait) got it done. Was told the useless error really just meant "this person isn't in our files, he's outside the credit system, cannot find anything to use to authenticate him". Which isn't surprising for a person born disabled. He's never had nor will have credit.

    ReplyDelete
  2. Here, let me fix this headline. All Online Systems Are Vulnerable

    You have already been "hacked." Someone has your DOB, SSN, address, phone and email. Your phone tracks you, listens to your conversations and background music and television shows you are watching.

    The only people I know that have privacy are the homeless people that people walk by, they get the same level of attention as a discarded McDonalds wrapper.

    ReplyDelete