Jul 22, 2019

His Social Security Account Was Hacked; When He Reported It He Was On Hold For An Hour

From Robert J. Samuelson, a columnist for the Washington Post:
I got hacked. It was scary. ...
My encounter with bad stuff began a few weeks ago when I received a letter from the Social Security Administration via “snail mail.” By itself, this was neither alarming nor threatening. If you’re 65 or over (I am 73), you receive regular notices from Social Security and its first cousin, Medicare.
The letter looked authentic — and was. “Thank you for using Social Security’s online services,” it said. “On June 28, 2019, you successfully created an online account with the Social Security Administration.” This, too, seemed innocuous, except for one troubling detail: I didn’t create an online account with Social Security. ... I decided to call the 800 number in the letter. (The 800 number seemed legitimate, because the same number appeared on many SSA websites.)
The wait was about an hour. I was repeatedly tempted to hang up. I’m glad I didn’t. The woman who answered was courteous and helpful. Yes, my personal data had been altered so that my monthly benefit would be diverted to someone else’s account ...
The existing approach to creating reliable identification numbers (say, Social Security cards or driver’s licenses) is known as “knowledge-based verification” (KBV). To prove you are who you say you are, you’re asked questions to which, presumably, only you know the answers: for example, your birth date, home address or Social Security number.
But the KBV “model has fallen apart online,” asserts the Better Identity Coalition, a group searching for more accurate approaches. KBV is hobbled because data breaches have made a lot of “secret” information widely available to cybercriminals. ...
Against this backdrop, I surmised that the SSA must be swamped with complaints like mine: benefits that were digitally hijacked. Wrong. Their number peaked at about 12,000 in 2013. For the first half of 2018, that number was down to about 200, estimates the Office of the Inspector General. Compared with the roughly 63 million Social Security recipients, that’s virtually nothing. ...

3 comments:

Anonymous said...

Since they're mailing the letter after someone creates an account anyway, why not print on the letter a verification code that then must be entered to activate the online account? Or do this when someone tries to change the banking information. I would guess that most people (especially retirees) seldom change their banking information, and that's where the money is for the crooks, so I think that should be difficult.

Anonymous said...

1. Social Security’s advice for several years now has been to create a mySSA account proactively so this is much less likely. It’s harder to breach the security once the account exists. Samuelson is a sophisticated, informed person, but even a person like that has yet to heed SSA’s advice. That should give SSA pause.

2. Samuelson is not going to lose any money. Once the diversion is detected, he gets a replacement check.

3. It’s possible the perpetrators left enough evidence to give themselves up, depending on where the payments were to be diverted.

4. 12:36 seems to have an excellent suggestion: send a snail-mail verification form to anyone who sets up an account before any action can be taken. Do not allow a change of address or bank unless a letter to the last known address verifies it. Low tech. Not foolproof, but much more secure.
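The mailed-code control that the first commenter proposes, and that item 4 above endorses, can be sketched in code. The block below is an added illustration, not code from the blog, the commenters, or the SSA: it assumes a 30-day validity window for the letter, a five-guess lockout, and constructed account values, and it shows the two places the commenters want the check applied (activating a newly created online account, and confirming a direct-deposit change). The server stores only a salted hash of the printed code, the old bank account stays in force until the letter is confirmed, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (not from the post): the mailed code is valid for
# 30 days and is locked after 5 wrong guesses.
CODE_TTL_SECONDS = 30 * 24 * 3600
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 50_000


@dataclass
class PendingVerification:
    """What the server keeps while a letter is in the mail: a salted hash of
    the code (never the code itself), an expiry, and a guess counter."""
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    account_id: str
    mailing_address: str                        # address of record the letter goes to
    activated: bool = False
    bank_account: str = "ACCT-ORIGINAL-0001"    # constructed sample value
    pending: Optional[PendingVerification] = None
    pending_bank_change: Optional[str] = None


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def issue_mailed_code(acct: Account, now: float) -> str:
    """Generate a one-time code to print on the letter. The clear-text code is
    returned only for the letter-printing step; the web session that triggered
    the request never sees it."""
    code = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    acct.pending = PendingVerification(_hash_code(code, salt), salt, now + CODE_TTL_SECONDS)
    return code


def verify_mailed_code(acct: Account, submitted: str, now: float) -> bool:
    """Check a code typed in from the letter. Fails closed on expiry and after
    MAX_ATTEMPTS wrong guesses; the hash comparison is constant-time."""
    p = acct.pending
    if p is None or now > p.expires_at or p.attempts >= MAX_ATTEMPTS:
        return False
    p.attempts += 1
    if not hmac.compare_digest(_hash_code(submitted, p.salt), p.code_hash):
        return False
    acct.pending = None     # single use: a verified code cannot be replayed
    return True


def start_online_enrollment(acct: Account, now: float) -> str:
    """Creating the online account only mails a letter; nothing is active yet."""
    acct.activated = False
    return issue_mailed_code(acct, now)


def activate_account(acct: Account, submitted: str, now: float) -> bool:
    if not verify_mailed_code(acct, submitted, now):
        return False
    acct.activated = True
    return True


def request_bank_change(acct: Account, new_bank: str, now: float) -> str:
    """A direct-deposit change is parked as pending and a fresh letter goes to
    the address of record; the old bank account stays in force meanwhile."""
    acct.pending_bank_change = new_bank
    return issue_mailed_code(acct, now)


def confirm_bank_change(acct: Account, submitted: str, now: float) -> bool:
    if acct.pending_bank_change is None or not verify_mailed_code(acct, submitted, now):
        return False
    acct.bank_account = acct.pending_bank_change
    acct.pending_bank_change = None
    return True
```

The important property is that the code returned by `issue_mailed_code` goes to the printer and the postal address already on file, so a web session alone can neither learn the code nor change where the money goes; the pending-change record also gives the agency a natural place to log and review diversion attempts.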

Anonymous said...

Many direct deposit changes are requested after the person has closed their old account and opened a new one. The delay in confirming the new account would mean these people would all be missing their next check. I don't know the numbers of people that change direct deposit online but the occasional fraud may be more efficient than a delay that could mean many people don't get their money when they should.