We may be old, but we vote!
August 23, 2016 | In July, the Social Security Administration announced that as of August 1, a username and password would no longer be sufficient to log in to one's account on the Social Security website. Users would be required to provide a cell-phone number where they could receive an 8-digit code that would be required to complete the login.
Granted, there is a certain amount of fraud connected with Social Security, and the implementation of so-called "two-factor authentication" was in response to an executive order mandating that government websites augment their security. And shortly after implementing the security change, the Social Security Administration had to back away and reverse course. Various senators jumped into the fray to stick up for those who found this requirement impossible or an impossible hassle. Jeff Merkley (D-OR), Susan Collins (R-ME), and Claire McCaskill (D-MO) all wrote letters requesting an immediate rollback. There's an election coming up, and you do not want to piss off old people!
This week the SSA capitulated:
Isn't that special!?
The first problem is that this change is a classic example of not understanding your users. The SSA insisted that their "research shows that an overwhelming majority of American adults have cellphones and use them for texting" (NYTimes, Aug 4, 2016). Yes, many older people do have cell phones — even this old person has one — but that does not mean we use them for texting. Getting a code by text requires that you remember how to find the text after the phone beeps, eyesight good enough to see the tiny characters, and the ability to juggle the phone while trying to transfer the digits to a webpage. And ailments like rheumatism make that all the harder. According to Pew Research Center, only 30% of people over 65 use smartphones.
The second problem is that trying to verify the identity of the user seeking access is only a small part of the problem. A larger problem is that it does nothing about verifying the identity of a person establishing an account, and this is something subject to great fraud.
As Brian Krebs puts it,
Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.
Furthermore, creating an account at MySocialSecurity is not a trivial matter.
Consider the experience of James Heaton of the Tronvig Group. Both he and his wife attempted to create their own accounts but kept getting locked out. Part of the account creation process is having to answer a bunch of "challenge questions" drawn from your credit report. Heaton even Googled himself online to make sure he had the right answers to such trenchant questions as the model year of his first car. To no avail. He finally called after being locked out twice: "I am not me enough to access my social security data." The nice lady on the phone explained that it was all for "security. In this case apparently, to protect my data … from me."
There are no easy answers to the security problem. The proliferation of hackers, cyberspies, and fraudsters means that everyone has to be concerned that the right people are accessing data, that one's personal data doesn't fall into the wrong hands. But in too many arenas, security mania has gotten completely out of control. A little common sense would go a long way.
Last updated on Aug 23, 2016