CHICAGO (Reuters) - More than 34 million Americans now conduct business with the Social Security Administration (SSA) online - and with that shift comes an increased risk of identity theft.
For many, a MySSA account now is the only way to obtain an estimate of future benefits, since the agency no longer regularly mails annual benefit statements. MySSA also offers the convenience of handling routine paperwork online, and the ability to update the address on file for your account or start or change direct deposit of benefits.
The SSA receives more than half of all retirement and disability benefit applications via the internet, according to a report last year by the U.S. Government Accountability Office (GAO). That is up from negligible numbers a decade ago.
The shift is part of a broader technology modernization drive at the SSA, but it also is an attempt to cope with rising demand for its services during a time of relentless cuts to its administrative budget by Congress.
The SSA’s operating budget has been cut 11 percent from 2010 to 2017 in inflation-adjusted terms. At the same time, the demand for the SSA services from the public has been hitting record highs as the baby boom generation ages into retirement.
But in an age of hacking and identity theft, moving Social Security online also increases risk - and it is difficult to imagine a hacking target more attractive than the SSA.
The agency houses sensitive data on nearly every American - living and dead - including medical and financial records. The risks include not only theft of sensitive identity data, but also actual benefits. Nearly all Social Security benefits now are paid electronically, and thieves can redirect electronic payments to their own accounts.
How significant is the risk of identity theft and fraud related to MySSA accounts? The Social Security Administration (SSA) says it does not track data on the prevalence of identity theft, but last fall it advised the public in a blog post that the best way to avoid problems is to create an account to “take away the risk of someone else trying to create one in your name, even if they obtain your Social Security number.”
The worry is that cyber thieves could claim accounts and file for benefits. “If you don’t plant your flag someone might do it for you,” said Brian Krebs, a cyberspace security researcher and writer.
An SSA representative said the agency’s anti-fraud efforts have made the problem “very rare.” And SSA has been strengthening security on its website. Starting last June, it beefed up the authentication methods required to create or access a MySSA account, including the addition of security codes sent by text or email. The SSA also performs anti-fraud data analytics against MySSA transactions to identify suspicious activity and take action.
In a 2016 audit of agency technology, the SSA’s Office of the Inspector General (OIG) reported problems with unauthorized changes to mailing addresses and direct deposit bank information beginning in 2013, after the agency enhanced MySSA to permit people to change this information online.
An OIG investigation conducted with the Internal Revenue Service and the Federal Bureau of Investigation led to the conviction in 2014 of a Miami man for creating more than 900 fraudulent MySSA accounts, and redirecting roughly $700,000 in benefit payments to bank accounts he controlled.
In 2015, the SSA identified more than 30,000 suspicious MySSA registrations, according to the OIG. The OIG - which maintains a hotline for consumer complaints related to Social Security - also says it received more than 58,000 allegations of fraud related to MySSA accounts from February 2013 to February 2016.
Those figures are small in the context of overall MySSA activity - but it will not seem small if it happens to you. And this level of hacking is worrisome in an era of increased cybertheft.
Concerns have intensified in the wake of last year's Equifax Inc hack, which exposed the Social Security numbers, birth dates and addresses of millions of Americans. But the problems pre-date Equifax. In 2014, a data breach involving a subsidiary of Experian Plc exposed the Social Security numbers of some 200 million people to potential criminal activity (reut.rs/2rBZCPm).
If you have not set up your MySSA account, it is a good idea to do so - especially if you are eligible for benefits or will be soon. (bit.ly/20nvsaI)
Check to make sure that your personal information - such as date of birth and mailing address - are correct. For current beneficiaries, if you notice that a monthly payment has not arrived, you should notify the SSA immediately via the agency’s toll-free line (1-800-772-1213) or at your local field office. In most cases, the SSA will make you whole if the theft is reported quickly.
Another option is to use the SSA’s “Block Electronic Access” feature - especially if you have had to deal with a security breach (bit.ly/2BP6t8P). This blocks any automatic telephone or online access to your Social Security record - including by you. You can restore access by contacting Social Security and providing proof of your identity.
(The opinions expressed here are those of the author, a columnist for Reuters.)
Editing by Matthew Lewis