Brian Krebs, Comment on SSA Portal, “Crooks Hijack Retirement.” Sept. 18, 2013
Crooks Hijack Retirement Funds Via SSA Portal
If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time to take care of that: The SSA and financial institutions say they are tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have that retiree’s benefits diverted to prepaid debit cards that the crooks control.
[Image: The SSA’s “my Social Security” portal.]
Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program. The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal, which opened last year and allows individuals to create online accounts with the SSA to check their earnings and otherwise interact with the agency relative to their accounts.
Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General, said that for several years the agency was receiving about 50 such allegations a day, though those numbers have begun to decline. But thieves didn’t go away: They just changed tactics. The trouble really began earlier this year, when the Treasury started requiring that almost all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).
At the same time, the SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site. According to Lasher, as of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity. Lasher said while some of the complaints are the result of unsuccessful attempts to open an account fraudulently, some are indeed fraud.
“Social Security has already improved security over this online feature, and we continue to work with them to make additional improvements, while also investigating allegations we receive,” Lasher said. “While it’s an issue we’re taking very seriously, it’s important to keep in mind that about 62 million people receive some type of payment from SSA every month, so the likelihood of becoming a victim is very small, particularly if you’re careful about protecting your personal information.”
Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam. Lasher said in the SSA’s systems, every record is tied to the SSN rather than a person’s name, since there are so many duplicate names.
“Of course, the one way to ensure that no one opens an account in your name is to open one yourself,” Lasher said. “Given the nature of other articles on your site, I think it’s important that I point out that there is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.”
SECRET BEST PRACTICES
Terry Maher, general counsel for the Network Branded Prepaid Card Association (NBPCA), said the SSA has begun asking verification questions of beneficiaries who use the my Social Security portal – such as the date and amount of last deposit – before allowing the transfer of payments to a different bank account.
Meanwhile, some banks with customers that have been burned by fraudulently diverted SSA payments are beginning to back away from managing SSA account payment changes for customers, Maher said. Increasingly, those banks are directing customers to make such changes at their local SSA office or at the SSA’s new portal. Maher said that’s because the government recently instituted a process for reclaiming funds that are fraudulently transferred to accounts that were not authorized by the beneficiary.
“Believe me, the banks and the prepaid card issuers and program managers are looking very closely at what their process is for this now because of the reclamation rights that the U.S. Treasury Department has,” Maher said, noting that although the U.S. government has always had the right to reclaim fraudulent transfers, it rarely ever exercised that option on Social Security payments. Now, that’s starting to change in a way that’s gotten the industry’s attention, he said.
“Some institutions have frankly decided that because of the difficulty of verifying people, they’ll refer them to the agency, while others are looking to out-of-wallet questions and Device ID solutions to better understand who they’re dealing with,” Maher said. “The government is putting in place processes for doing that, and to make sure the incentives are there for the [financial] industry to make sure they know who they’re doing business with.”
The NBPCA’s Maher said the association has developed a set of best practices for the prepaid card industry to fight this and other growing forms of fraud involving government-to-consumer benefits. But he declined to discuss those best practices, saying it would give identity thieves and fraudsters ideas about how to get around them.
To get an idea of what those practices might entail, I reached out to Meta Payment Systems, a major prepaid card provider whose card network was used in SSA fraud conducted against one SSA beneficiary who recently reached out to KrebsOnSecurity.
Brian Pulling, vice president of Meta’s financial intelligence unit, said the company is seeing prepaid fraud “across virtually all types of government programs now,” and that fraud involving SSA payment diversions “seems to have kicked into high gear.”
Meta says its fraud department continuously reviews the volume of incoming automated clearing house (ACH) transfers on its prepaid platform for certain types of loads.
“Through these reviews, the fraud analysts look for certain red flags of fraud. The fraud analyst utilizes fraud industry tools to authenticate or verify information to either confirm or reject the transaction from the Social Security Administration,” the company said in a written statement. “If the ACH load is rejected due to fraud it is returned to the Social Security Administration promptly.”
Elaine Dodd, vice president of fraud training at the Oklahoma Bankers Association, said banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail, and that many customers will overlook such notices. One small member bank in Dodd’s state recently had complaints from two different customers whose SSA payments were diverted to prepaid accounts controlled by identity thieves.
“If we had one tiny little bank here that had two of these incidents in one day, that’s a lot,” Dodd said. “It tells me that this is a much bigger problem nationwide.”
Dodd said the pattern of fraud associated with these recent attacks on SSA beneficiaries mirrors the type of fraud being perpetrated in other types of government-to-consumer fraud, particularly tax return fraud.
“With the IRS fraud, the bad guys get people across a spectrum of ages, but with the SSA fraud, they get the elderly,” Dodd said. “To make matters worse, a lot of these victims are simply not connected to the Internet.”
Creating a my Social Security account to prevent this type of fraud is a good safeguard, but it’s also important not to introduce new threats in the process. Namely, if you’re not sure about the safety and security of your computer (or the computer used by a loved one who may be worried about this), make sure you start with a clean system before entering all of that sensitive information online. If your friend or relative needs to take care of this, consider helping them set it up using a Live CD. This approach can let anyone enter information online safely, even from a machine on which the hard drive is already infected with malicious software.
Anyone interested in additional stats on SSA fraud should see the testimony that the agency gave to Congress in June 2013.