NIST, SSA, Two-factor authentication

Archived From: Finance
In the thread on chip & sign cards, stanolshefski posted a link to a news item about NIST proposing a ban on two-factor authentication using SMS. Coincidentally, beginning this month, the Social Security Administration is requiring SMS two-factor authentication to get online access to your SS account. I recently got an email from Fidelity indicating they would be increasing the use of SMS two-factor, and I am sure it's becoming more widespread in other banks and financial institutions.

NIST Says SMS-Based Two-Factor Authentication Isn't Secure 

I never liked SMS authentication anyway, but what's next?


Standard MFA authentication:

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

NIST, however, is wrong. SMS auth is not secure against nation states or a *really* determined attacker. It is extremely unlikely that you are a target for either of the two.
 

UncaMikey said:   I never liked SMS authentication anyway, but what's next?
  Hopefully they ban the security-hole-creating "Security Questions" that is pretty standard practice for reducing CS overhead at consumer FIs now.  One can dream anyways....

IMO, SMS is better than security questions.  But cell phone theft is not uncommon.  (And you steal the phone and see what FIs have SMS's in history or just try the largest FIs, and it's not hard to break into the accounts if you move faster than the person who owns the cell phone does to realize the phone is missing and report it stolen and change the phone # with all the companies with which they do business.)  This SMS failure has nothing to do with the underlying technology, but just with the way FIs use the phones to access the accounts.

I just logged into ssa yesterday and got this and it left me scratching my head and wondering what the point is.  They text a code to a phone number that you specify right then, and then enter the code.  How is this more secure? 

bluegreenturtle said:   I just logged into ssa yesterday and got this and it left me scratching my head and wondering what the point is.  They text a code to a phone number that you specify right then, and then enter the code.  How is this more secure? 
  I am guessing they check whether the phone is registered in your name.
This happened to me yesterday with a bank. I gave a prepaid phone number and they couldn't verify it. Had to go a different route to authenticate.

The problem with SSA is that there is no alternative -- they make it very clear that you cannot access your SS account without a SMS text to a cell phone. No exceptions, no workarounds, which strikes me as odd.

There is so much confusion on this within the government. The FBI allows email in addition to SMS for 2-factor.

IMO, the whole NIST thing is overblown. What they are really saying is that anyone can create a VOIP account to receive SMS.

What's not said is that SMS is still a good way to do 2FA IF the phone is verified and secured.

ZenNUTS said:   IMO, the whole NIST thing is overblown. What they are really saying is that anyone can create a VOIP account to receive SMS.

What's not said is that SMS is still a good way to do 2FA IF the phone is verified and secured.
 

  SIM Swap Fraud


burgerwars said:   
ZenNUTS said:   IMO, the whole NIST thing is overblown. What they are really saying is that anyone can create a VOIP account to receive SMS.

What's not said is that SMS is still a good way to do 2FA IF the phone is verified and secured.

  SIM Swap Fraud

  Interesting.  

I go through the process in my mind and I don't think it will work against, say, RSA since you need the password in order to download the app, but some others, say google-mail, that would work.

fwuser12 said:   
bluegreenturtle said:   I just logged into ssa yesterday and got this and it left me scratching my head and wondering what the point is.  They text a code to a phone number that you specify right then, and then enter the code.  How is this more secure? 
 

  I am guessing they check whether the phone is registered in your name.

 

Nope.  When you log in, you enter the cell phone number, they text you, you enter the code, you're in.  I had entered my cell number a few weeks ago, thinking that must be a one time thing, and that next time I log in, it wouldn't ask me for the cell number.  Wrong!  It went through the same silly routine today.

And it isn't verifying the owner of the phone; I just logged into my wife's account (providing my own cell number - again), and it let me right in.  Ridiculous.   

burgerwars said:   
ZenNUTS said:   IMO, the whole NIST thing is overblown. What they are really saying is that anyone can create a VOIP account to receive SMS.

What's not said is that SMS is still a good way to do 2FA IF the phone is verified and secured.

  SIM Swap Fraud

  Reading that article, it's not indicating any problem with the sim's at all.  It says it's the security questions, which create the security hole.  Obviously if you get the cell provider to de-activate a phone and activate a new one, then you have control of that phone number for receiving texts.  The article should instead be focused on the security questions themselves as very bad practice instead of making up an issue with SIM cards.  Most FIs also directly use "security questions" for account recovery and could still be attacked directly even if they didn't use SMS's for alternate account verification.

"“Before SIM swaps are authorised, many mobile providers verify the identity of the caller using security questions, a process that’s certainly not foolproof,” said James Miller, Managing Director at Foursys. “Some answers may have unwittingly been shared online by target victims, let alone by someone in their social networks. How many people name their pet, favourite restaurant or primary school on social media sites? Scouring social media profiles, can prove very useful indeed to a criminal wanting to conduct fraud.”"

"“Security questions based on supposedly secret information are far too easy for criminals to defeat, given the huge amounts of data about ourselves available online”, said John Hawes, Chief of Operations at Virus Bulletin. “Any system which still uses this out-dated mechanism really needs to rethink its approach. In the interim, Foursys’s recommendation to fabricate falsehoods for the security questions is a smart one.”"

Why they would title the article "SIM Swap fraud" rather than going after the actual security hole that they mention in the article and applies to all other account types and instances where a SIM is not even tangentially involved, is unknown.

dcwilbur said:   
And it isn't verifying the owner of the phone; I just logged into my wife's account (providing my own cell number - again), and it let me right in.  Ridiculous.   


It's just verifying that the phone number matches that setup inside the account. If you impersonate the account owner and get the entity to change the phone number, it ends up in the same result -- Then they just login with the other phone number they set up for the account. And it's much more likely to be successful doing so, because the account owner is less likely to quickly notice that the phone number set in their account is different than to notice that their cell phone is deactivated.
  

dcwilbur said:   Nope.  When you log in, you enter the cell phone number, they text you, you enter the code, you're in.  I had entered my cell number a few weeks ago, thinking that must be a one time thing, and that next time I log in, it wouldn't ask me for the cell number.  Wrong!  It went through the same silly routine today.

And it isn't verifying the owner of the phone; I just logged into my wife's account (providing my own cell number - again), and it let me right in.  Ridiculous.   

  That certainly is screwed up. Facade of security which only causes inconvenience.

At least the bank was trying to verify ownership (at least that is what they told) but it failed and they did provide an alternative. None of which is true for SSA (based on the CNN article and your experience).

Bend3r said:   
dcwilbur said:   
And it isn't verifying the owner of the phone; I just logged into my wife's account (providing my own cell number - again), and it let me right in.  Ridiculous.   


It's just verifying that the phone number matches that setup inside the account. If you impersonate the account owner and get the entity to change the phone number, it ends up in the same result -- Then they just login with the other phone number they set up for the account. And it's much more likely to be successful doing so, because the account owner is less likely to quickly notice that the phone number set in their account is different than to notice that their cell phone is deactivated.
  

Neither of these accounts previously had cell phone data in the profile.  They weren't verifying against anything. 

nm

fwuser12 said:   
bluegreenturtle said:   I just logged into ssa yesterday and got this and it left me scratching my head and wondering what the point is.  They text a code to a phone number that you specify right then, and then enter the code.  How is this more secure? 
  I am guessing they check whether the phone is registered in your name.
This happened to me yesterday with a bank. I gave a prepaid phone number and they couldn't verify it. Had to go a different route to authenticate.

  

I have a prepaid phone...even if they were verifying something that's a terrible way to conduct this sort of security - there are literally hundreds of thousands of people with phones registered in other people's names for totally legitimate reasons. 

I just used a spare Google Voice number I have a GV setup that does nothing but forward SMS to email for these kinds of situations (works with Vanguard and I assume I'll be using it for Fidelity one day when they get their 2FA system working with text messages).  Registered the same GV number to mine and DWs account no problem.  There is nothing tying the GV number to anything related to me, on purpose.  It's setup in a state half a country away from me.  I noticed when I logged in the next time, it asks do you still have phone number XXX-XXX-XXXX or do you need to register a new one.  I haven't tried to see what happens if I tell it I need to register a new one or not, I assume it'll just take it, send the security code to the new number, maybe after asking me some security questions about what address did I live at 20 years ago or something.  I agree, it's a total BS way of doing 2FA and in no way increases general security of the SSA site.  But so much of government security is like that.  Each agency has a box to check on the NIST compliance list, they implemented 2FA, they check the box and move on to the next thing, to hell with whether it is more secure or makes things work better or not; there are boxes to check.

UncaMikey said:   The problem with SSA is that there is no alternative -- they make it very clear that you cannot access your SS account without a SMS text to a cell phone. No exceptions, no workarounds, which strikes me as odd.
  This is where I am affected. I have no cell service where I live so I don't have a cell phone. So I am locked out of my account because of this? 

I avoid two-factor auth when I can. It does seem better than 'security questions', but then so is 'nothing, just a password'. But I don't have a personal cell phone. I've had one provided by my employer for years, but try to avoid using it for avoidable personal stuff.

Two-factor authentication that ASKS you to provide the second contact information ad-hoc is just stupid. It can be tracked, but literally cannot provide any extra security unless the secondary contact has been previously associated with and confirmed for the account owner. I'm not a security specialist, but it really kills me how widespread ignorant and at best ineffective security practices are. It's like a child mimicking what they see someone do without really understanding what it's supposed to do, why some details are vital, or even what the details are.
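Added example, not code from the thread or from SSA: a toy verifier that puts the login flow dcwilbur describes (the code is texted to whatever number is typed in at login) beside one that texts only a number enrolled and confirmed in advance, which is the distinction this post draws. The username, password, phone numbers and the in-memory SMS gateway are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CODE_LEN = 8  # the quoted Krebs article says SSA texts an 8-digit code


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    enrolled_phone: Optional[str] = None  # set only through confirm_enroll()
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # purpose -> (number sent to, code)


class Outbox:
    """Constructed stand-in for the SMS gateway; records what it was asked to send."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, phone: str, code: str) -> None:
        self.sent.append((phone, code))


class Verifier:
    def __init__(self, outbox: Outbox) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox = outbox

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _pw_hash(password, salt))

    def _password_ok(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt))

    def _issue(self, user: str, purpose: str, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.accounts[user].pending[purpose] = (phone, code)
        self.outbox.send(phone, code)

    def _redeem(self, user: str, purpose: str, code: str) -> Optional[str]:
        """Consume the pending code (one attempt only); return the number it went to, or None."""
        acct = self.accounts.get(user)
        pending = acct.pending.pop(purpose, None) if acct else None
        if pending is None or not hmac.compare_digest(pending[1], code):
            return None
        return pending[0]

    # Weak design, as the thread describes the SSA login: the number is typed in
    # at login time, so the code only proves control of *some* phone.
    def weak_start_login(self, user: str, password: str, phone_typed_now: str) -> bool:
        if not self._password_ok(user, password):
            return False
        self._issue(user, "login", phone_typed_now)
        return True

    # Hardened design: a number is usable only after it is added inside a
    # password-authenticated session and confirmed with a code sent to it.
    def start_enroll(self, user: str, password: str, phone: str) -> bool:
        if not self._password_ok(user, password):
            return False
        self._issue(user, "enroll", phone)
        return True

    def confirm_enroll(self, user: str, code: str) -> bool:
        phone = self._redeem(user, "enroll", code)
        if phone is None:
            return False
        self.accounts[user].enrolled_phone = phone
        return True

    def start_login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if not self._password_ok(user, password) or acct.enrolled_phone is None:
            return False  # no confirmed number on file: refuse, never accept one typed now
        self._issue(user, "login", acct.enrolled_phone)
        return True

    def finish_login(self, user: str, code: str) -> bool:
        return self._redeem(user, "login", code) is not None
```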

prosperity said:   
UncaMikey said:   The problem with SSA is that there is no alternative -- they make it very clear that you cannot access your SS account without a SMS text to a cell phone. No exceptions, no workarounds, which strikes me as odd.
  This is where I am affected. I have no cell service where I live so I don't have a cell phone. So I am locked out of my account because of this? 

I read SSA's solution for this:  Visit your local S.S. office and talk with someone in person.  Customer service at its best.

-- edit
Not to actually have access to your account, but every time you want the details you have to visit the office.

quaters said:   
prosperity said:   
UncaMikey said:   The problem with SSA is that there is no alternative -- they make it very clear that you cannot access your SS account without a SMS text to a cell phone. No exceptions, no workarounds, which strikes me as odd.
  This is where I am affected. I have no cell service where I live so I don't have a cell phone. So I am locked out of my account because of this? 

I read SSA's solution for this:  Visit your local S.S. office and talk with someone in person.  Customer service at its best.

-- edit
Not to actually have access to your account, but every time you want the details you have to visit the office.

I think they call it the SSA Full Employment Act.  

Article from Brian Krebs' site, August 1, 2016

http://krebsonsecurity.com/2016/08/social-security-administratio... 

"The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.

The SSA does offer other “extra security” options, such as the sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:
◾The last eight digits of your Visa, MasterCard, or Discover credit card;
◾Information from your W2 tax form;
◾Information from a 1040 Schedule SE (self-employment) tax form; or
◾Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

To recap: Once you establish and verify your account and start getting texted codes to login, from then on you will be more secure.
If you have not signed up already, these new security options do not make it any more difficult for someone else to sign up as you.


Considering that many senior citizens are still wary of text messages and likely have never sent or received one, it’s not clear that these optional security measures will go over well. I would like to see the SSA make it mandatory to receive a one-time code via the U.S. Mail to finalize the creation of all new accounts, whether or not users opt for “extra security.” Perhaps the agency will require this in the future, but it’s mystifying to me why it doesn’t already do this by default.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.  (https://secure.ssa.gov/acu/IPS_INTR/blockaccess )

The SSA’s new text messaging system is apparently experiencing some technical difficulties at the moment, at least for Verizon Wireless customers. The SSA posted this message on its site over the weekend: “We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code.  Verizon wireless customers are unable to access their personal my Social Security account at this time.”

Update, 1:00 p.m. ET: For the record, I requested comment from the SSA about why they did not apparently contact all users by U.S. mail to verify their identities. I received the following response: “The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent.  We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

Also, as one reader already pointed out in the comments below, the SSA’s adoption of 2-factor SMS authentication comes as the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication."

-----
Note:  One of the commenters there said it took Equifax 3 business days to unfreeze his credit before the SSA could access his Equifax account for confirmation purposes.

Another commenter recommended this recent article from Wired - https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/ 

And another quoted a recent Fortune article - "From a Fortune magazine article dated July 26, 2016 entitled “Time Is Running Out For This Popular Online Security Technique":  “…the U.S. National Institute of Standards and Technology (NIST) is now poised to ban the use of SMS-based two-factor authentication codes for services that plug into government IT systems.”

Another commenter wrote:  This is really annoying. I live overseas, and my mobile number is not 10 digits, so I haven’t been able to enter it into their stupid system. And then to add insult to injury, they have a FAQ page that says “What if I am overseas?” and the answer is simply that they can text you anyway. How can they text me if my mobile number is 11 digits and the system insists that I enter 10 digits?"

Well, there are 130+ comments under this blog post, so I won't do any more of a play-by-play about them, but often the Krebs comments sections provide additional useful info, so if this topic is a concern to you, I'd recommend skimming that comments section.

It's nice to complain that only SS# and other things are necessary to set up the account... but what's your proposal for better protection? Require a blood sample sent in? SS#, personal information, and credit report questions are also standard for setting up new credit cards and bank accounts online.  This doesn't seem to be a unique problem associated with SSA... 

Bend3r said:   It's nice to complain that only SS# and other things are necessary to set up the account... but what's your proposal for better protection? Require a blood sample sent in? SS#, personal information, and credit report questions are also standard for setting up new credit cards and bank accounts online.  This doesn't seem to be a unique problem associated with SSA... 
  SS could send out a VPN.  If that is too expensive, they could do what Treasury Direct did, mail you a 10 by 10 grid with letters and numbers.  Then they asked you to enter random grid locations, i.e. C8, E4 & A3.  However, Treasury Direct did away with that.  I do not know why. 

Bend3r said:   It's nice to complain that only SS# and other things are necessary to set up the account... but what's your proposal for better protection? Require a blood sample sent in? SS#, personal information, and credit report questions are also standard for setting up new credit cards and bank accounts online....   
All that would be fine to set up the account.  It is the fact that you need to receive a code by text message every time you log in that people think is ridiculous and ineffective.  

Note: This policy has now been cancelled by the Social Security Administration

"The U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at ssa.gov.

The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.

...sometime in the past few days, apparently, the SSA decided to rescind the cell phone rule.

“We removed the requirement to use a cell phone to access your account,” the agency noted in a message posted to its mySocial Security portal. “While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security. We continue to pursue more options beyond cell phone texting.” "

This is according to Brian Krebs. See more at: http://krebsonsecurity.com/2016/08/ssa-ixnay-on-txt-msg-reqmnt-4... 

Just got this email.
SSA said: On July 30, 2016, we began requiring you to sign into your my Social Security account using a one-time code sent via text message. We implemented this new layer of security, known as “multifactor authentication,” in compliance with a Presidential executive order to improve the security of consumer financial transactions. SSA implemented the improvements aggressively because we have a fundamental responsibility to protect the public’s personal information.

However, multifactor authentication inconvenienced or restricted access to some of our account holders. We’re listening to your concerns and are responding by temporarily rolling back this mandate.

As before July 30, you can now access your secure account using only your username and password. We highly recommend the extra security text message option, but it is not required. We’re developing an alternative authentication option, besides text messaging, that we’ll begin implementing within the next six months.

We strive to balance security and customer service options, and we want to ensure that our online services are both easy to use and secure. The my Social Security service has always featured a robust verification and authentication process, and it remains safe and secure.

We regret any inconvenience you may have experienced.

There is no requirement that you access your personal my Social Security account as a result of the steps we are taking. However, when you do access your account, we encourage you to sign up for the extra security text message option. You can access your account by visiting www.socialsecurity.gov/myaccount.


 

Hilariously I went to look at their update but the website for their inter-generational Ponzi scheme actually shuts down and actually has "service hours". You can't make this stuff up!

This service is shutting down for maintenance in 1 minute(s). View our service hours.


Please try again during our regular service hours (Eastern Time):

Service Hours
Monday-Friday
5:00 a.m. - 1:00 a.m.
Saturday
5:00 a.m. - 11:00 p.m.
Sunday
8:00 a.m. - 11:30 p.m.
Federal Holidays
Same hours as the day the holiday occurs.


