If you are a taxpayer in the Land of the Free, you may have recently received a love letter from the Social Security Administration that went something like this:
“Dear [Medieval serf paying into an insolvent pension fund]:”
(OK I added that part myself)
“Starting in August 2016, Social Security is adding a new step to protect your privacy. . .”
Whoa. Full stop. I love it already.
My dear Uncle Sam, who spends hundreds of billions of taxpayer dollars to spy on absolutely friggin’ everybody, is suddenly interested in protecting my privacy.
“This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services.”
This part is hilarious. The US government has been hacked so many times over the last several years that it is the laughing stock of global cybersecurity.
Hackers have stolen 5.6 million government employee fingerprints, tens of millions of social security numbers, and financial and medical records from 19.7 million people who had been subjected to a government background check.
And those are just a few of the data breaches that we know about, and only over the last couple of years.
The US government is a veritable goldmine for identity thieves.
Social Security and Date of Birth data can sell for $30 on the black market. Stolen health records go for $10 to $50 each, and bank details can fetch up to $300.
So you can see why the Social Security Administration, which has SSN/DOB data for 300+ million Americans, not to mention email addresses, physical mail addresses, health records and bank details for tens of millions more, may be the single most valuable repository of information in the world.
All that data is worth tens of billions of dollars at current black market rates. To put that in perspective, Google values its own data and intellectual property at $8.7 billion.
So now the Social Security Administration, under order from Barack Obama, is on a mission to fix its cybersecurity by implementing something called multi-factor authentication (MFA).
MFA is a security standard that requires a user to present at least two pieces of evidence to validate (or authenticate) that they are who they claim to be.
Different factors of authentication include things that you know (like a PIN code or password), things that you are (like a fingerprint or voice recognition), and things that you have (like a keycard that you swipe in a card reader).
The idea is that you have at least two of these factors to validate your identity.
Many banks, for example, issue security tokens that constantly refresh a special code.
So in order to log in, you have to enter your password (something you know) AND type in the special code from your security token (something you have).
This makes it much harder for your account to be breached.
Multi-factor authentication has been the industry standard for a long time. The FDIC has been pushing banks in this direction since at least 2005.
Even Facebook and Gmail have had MFA for several years.
So finally the US government is getting on board with the 21st century. Well done.
But as you can imagine, they managed to find a way to screw it up.
The Social Security Administration has started including mobile phones in their MFA platform.
So now when you log in, in addition to your password (something you know), they’ll send a special code via text message to your mobile phone (something you have).
That sounds great, though this does provide the Social Security Administration with even more of your personal data that will be compromised in a security breach.
Furthermore, if you don’t comply, or you don’t have a mobile phone, or if you’re living outside of the United States without a US phone number, “you will not be able to access your My Social Security Account.”
This is a great reminder of how governments operate.
They can (and will) change the terms of the deal at ANY time of their choosing without any regard for how it might affect you.
And of course, they’ll always tell you that it’s for your own safety and security…