Tuesday, August 30, 2016

The tangled road toward securing Social Security accounts

Everywhere you look this week, you see talk about the creepy sentience of Facebook's "people you may know" algorithm suggesting that patients of a certain psychiatrist friend one another, and of an investment firm that took out a short sale position (basically a bet that the stock would fall in value) in a medical devices firm, then profited when it published news that the firm's devices had serious and easy-to-exploit flaws.

I'm not going to talk about either of those events in this post.

In late July, the US Social Security Administration made a significant change to "my Social Security," the online portal for accessing and managing benefits. In order to improve the security of the site, the government agency began to require two-factor authentication via a code sent by text message. In order to log in, you had to have both your password, as well as a phone to receive the text message on.

As I have written before, SMS- or text message-based two-factor authentication is a controversial topic in the security world. It is becoming easier and easier for malicious actors to defeat this particular form of protection, whether by compromising your phone or by setting up fake "cell phone towers" to intercept messages meant for you.

Ironically, the Social Security Administration made this change at the same time as another government organization - the National Institute of Standards and Technology (NIST) - published a recommendation to stop relying on SMS-based two-factor authentication in favor of newer and more secure techniques.

And naturally the information security world went nuts, some praising the SSA, others mocking their choice of authentication technology.

Two weeks later, the SSA reversed course, removing the mandated second factor. As they discovered, many of their account holders don't have cell phones, or don't use text messaging, and thus were unable to access their accounts at all.

And naturally, the information security world again went nuts, this time scorning the administration for turning off this feature.

As an aside, Troy Hunt is one of the smartest security folks I know, and his tongue-in-cheek tweet sparked considerable and lively discussion - click on the image to follow the thread on Twitter.

My purpose in writing this post is to make one point: security is complicated. It involves protecting information - but if the users of that information cannot get to that information, security has become a blocker rather than a benefit. Security has to take into account the capabilities of its users, and the importance of the information. It is a balancing act.

In this case, the SSA made the right decision in reversing course. Those willing and able to add multi-factor authentication to their accounts can still do so. Those without that ability can still access their accounts. And the administration states they are working on an alternative second factor - one that hopefully will make security professionals happy too - to be rolled out in about six months.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those who are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.