More than 34 million Americans
now conduct business with the Social Security Administration (SSA) online - and
with that shift comes an increased risk of identity theft.
For many, a MySSA account now is
the only way to obtain an estimate of future benefits, since the agency no
longer regularly mails annual benefit statements. MySSA also offers the
convenience of handling routine paperwork online, and the ability to update the
address on file for your account or start or change direct deposit of benefits.
The SSA receives more than half
of all retirement and disability benefit applications via the internet,
according to a report last year by the U.S. Government Accountability Office
(GAO). That is up from negligible numbers a decade ago.
The shift is part of a broader
technology modernization drive at the SSA, but it also is an attempt to cope
with rising demand for its services during a time of relentless cuts to its
administrative budget by Congress.
The SSA’s operating budget has
been cut 11 percent from 2010 to 2017 in inflation-adjusted terms. At the same
time, public demand for SSA services has been hitting record
highs as the baby boom generation ages into retirement.
But in an age of hacking and
identity theft, moving Social Security online also increases risk - and it is
difficult to imagine a hacking target more attractive than the SSA.
The agency houses sensitive data
on nearly every American - living and dead - including medical and financial
records. The risks include not only theft of sensitive identity data, but also
actual benefits. Nearly all Social Security benefits now are paid
electronically, and thieves can redirect electronic payments to their own
accounts.
How significant is the risk of
identity theft and fraud related to MySSA accounts? The Social Security
Administration (SSA) says it does not track data on the prevalence of identity
theft, but last fall it advised the public in a blog post that the best way to
avoid problems is to create an account to “take away the risk of someone else
trying to create one in your name, even if they obtain your Social Security
number.”
The worry is that cyber thieves
could claim accounts and file for benefits. “If you don’t plant your flag
someone might do it for you,” said Brian Krebs, a cyberspace security
researcher and writer.
STRONGER PROTECTIONS
An SSA representative said the
agency’s anti-fraud efforts have made the problem “very rare.” And SSA has been
strengthening security on its website. Starting last June, it beefed up the
authentication methods required to create or access a MySSA account, including
the addition of security codes sent by text or email. The SSA also performs
anti-fraud data analytics against MySSA transactions to identify suspicious
activity and take action.
In a 2016 audit of agency
technology, the SSA’s Office of the Inspector General (OIG) reported problems
with unauthorized changes to mailing addresses and direct deposit bank
information beginning in 2013, after the agency enhanced MySSA to permit people
to change this information online.
An OIG investigation conducted
with the Internal Revenue Service and the Federal Bureau of Investigation led
to the conviction in 2014 of a Miami man for creating more than 900 fraudulent
MySSA accounts, and redirecting roughly $700,000 in benefit payments to bank
accounts he controlled.
In 2015, the SSA identified more
than 30,000 suspicious MySSA registrations, according to the OIG. The OIG -
which maintains a hotline for consumer complaints related to Social Security -
also says it received more than 58,000 allegations of fraud related to MySSA
accounts from February 2013 to February 2016.
Those figures are small in the
context of overall MySSA activity - but they will not seem small if it happens to
you. And this level of hacking is worrisome in an era of increased cybertheft.
Concerns have intensified in the
wake of last year's Equifax Inc hack, which exposed the Social Security
numbers, birth dates and addresses of millions of Americans. But the
problems pre-date Equifax. In 2014, a data breach involving a subsidiary
of Experian Plc exposed the Social Security numbers of some 200 million people
to potential criminal activity.
If you have not set up your MySSA
account, it is a good idea to do so - especially if you are eligible for
benefits or will be soon.
Check to make sure that your
personal information - such as date of birth and mailing address - is correct.
For current beneficiaries, if you notice that a monthly payment has not
arrived, you should notify the SSA immediately via the agency’s toll-free line
(1-800-772-1213) or at your local field office. In most cases, the SSA will
make you whole if the theft is reported quickly.
Another option is to use the
SSA’s “Block Electronic Access” feature - especially if you have had to deal
with a security breach. This blocks any automatic telephone or online access to
your Social Security record - including by you. You can restore access by
contacting Social Security and providing proof of your identity.