Tuesday, August 30, 2016

The tangled road toward securing Social Security accounts


Everywhere you look this week, you see talk about Facebook's "people you may know" algorithms creepy sentience suggesting that patients of a certain psychiatrist friend one another, and of an investment firm that took out a short sale position (basically a bet that the stock would fall in value) in a medical devices firm, then profited when they published news that the firm's devices had serious and easy-to-exploit flaws.

I'm not going to talk about either of those events in this post.

In late July, the US Social Security Administration made a significant change to "my Social Security," the online portal for accessing and managing benefits. In order to improve the security of the site, the government agency began to require two-factor authentication via a code sent by text message. In order to log in, you had to have both your password, as well as a phone to receive the text message on.


As I have written before, SMS- or text message-based two-factor authentication is a controversial topic in the security world. It is becoming easier and easier for malicious actors to defeat this particular form of protection, whether by compromising your phone or by setting up fake "cell phone towers" to intercept messages meant for you.

Ironically, the Social Security Administration made this change at the same time as another government organization - the National Institute of Standards and Technology (NIST) published a recommendation to stop relying on SMS-based two-factor in favor of newer and more secure techniques.

And naturally the information security world went nuts, some praising the SSA, others mocking their choice of authentication technology.

Two weeks later, the SSA reversed course, removing the mandated second factor. As they discovered, many of their account holders don't have cell phones, or don't use text messaging, and thus were unable to access their accounts at all.

And naturally, the information security world again went nuts, this time scorning the administration for turning off this feature.


As an aside, Troy Hunt is one of the smartest security folks I know, and his tongue-in-cheek tweet sparked considerable and lively discussion - click on the image to follow the thread in Twitter.

My purpose in writing this post is to make one point: security is complicated. It involves protecting information - but if the users of that information cannot get to that information, security has become a blocker rather than a benefit. Security has to take into account the capabilities of its users, and the importance of the information. It is a balancing act.

In this case, the SSA made the right decision in reversing course. Those willing and able to add multi-factor authentication to their accounts can still do so. Those without that ability, can still access their accounts. And the administration states they are working on an alternative second factor - one that hopefully will make security professionals happy too - to be rolled out in about six months.