For Americans , the Social Security number ( SSN ) has long been considered one of the most private small-arm of in person identifiable entropy . With it , you could unlock an infinite routine of doors ; behind each is a savings bank account , a trove of aesculapian record , your cellphone call history , and a bevy of other intimate details about your liveliness . Essentially , it is the most important word you own . And though experts that warn you should change your passwords often , those nine digits will never change .
[ Update 12/18 10:30am : After this clause was issue Brian Krebs issued an “ update ” to his original post which appear to shrink back most of his claims about the FAFSA website . We ’ve add up a chastening to the bottom of this article . ]
The the true is that your SSN is in no mode secure . It is maintained in innumerous databases by corporations and governance agencies whose concerns over your security is negligently lax at intimately . Equifax , which fall behind control over potentially half of the state ’s SSNs this year alone , is but one object lesson . betting odds are that your nine digits specifically are already in the hands of some unauthorized persons — who may or may not choose to maliciously target you at some pointedness now or in the future .
A unexampled composition by certificate blogger Brian Krebs reveals that the US Department of Education ’s FAFSA website ( short for “ Free program for Federal Student assistance ” ) will grant access to an abundance of personal information to anyone with the right SSN and date of birth — selective information which can be buy by malefactor on the dark net for roughly the toll of a diminished cup of Starbucks coffee .
The Federal Student Aid office , which says it employees more than 1,300 federal worker , provide more than $ 120 billion in federal Ulysses S. Grant and loans each class to more than 13 million students . It is also a goldmine for identity thieving .
For a malefactor with access to a expectant database of SSNs , the FAFSA websites offer access to nearly 200 other pieces of personal data on any target with a Union student loanword . Worse , the internet site will even cough up access to the SSNs and birthdates of the fair game ’s relatives . The security defect here lie in the Education Department ’s precondition that a SSN is secure bod of authentication .
Students log into the FAFSA web site are tender two methods for proving they are who they say they are : The first is a username and countersign combination — the latter of which must be deepen every 18 month — collectively known as a FSA ID . While the website accept phone numbers to facilitate recover countersign , it does not offer two - factor authentication as a means to secure a FAFSA account . The second method for access requires four opus of information , which are in no means impregnable given the teemingness of information breaches we ’ve see over the retiring year alone : a first and last name , a particular date of birth , and a SSN .
Successfully log into the website accord the substance abuser ( authorize or not ) approach to a vast amount of personal data point : addresses , phone telephone number , driver ’s permission numbers , citizenship status , high school name , yr of graduation , income revenue enhancement data , current savings and checking business relationship data , dependents , child support defrayal , whether the educatee is a veteran , whether they are an emancipated pocket-sized , whether they ’ve been stateless , marital , or in surrogate care . ( See thefull listin Kreb ’s web log . )
And the defective part is that the web site also surrenders the SSNs and dates of parentage for one parent or both of any pupil who has applied for federal student help . It ’s a veritable Au mine for any consecrated identity operator stealer .
gratefully , the Social Security Administration itself iscurrently look intothe possibility of adding what ’s scream ( U2F ) to its own website . The engineering is similar toTwo - constituent Authentication(2FA ) , which utilizes a watchword plus a second firearm of information , typically a six - digit code sent directly to a user ’s cellphone via SMS for one - time consumption . But in place of a code mail via text content , U2F uses an strong-arm security measures token — typically a USB keychain dongle — to authenticate the user .
To kill U2F , an aggressor would ask a drug user ’s password and physical accession to the USB equipment , which is why U2F is often referred to as “ unphishable , ” mean the report holder can not be play a trick on by phone or e-mail into relinquishing access . Two months ago , the US Department of Veterans Affairs introduced U2F , allow your “ 90 - twelvemonth - old grandma ” to get at her ex-serviceman ’s benefits without take to remember “ seven different watchword , ” asone US official put it .
The Education Department could voluntarily repair its hallmark job — and for bonus points add on its web site with U2F — or the Department of Homeland Security , which is charged with enforcing security criterion throughout the federal governing , could storm them to gear up it . Only time will tell .
Gizmodo has reached out to the the Department of Education with questions about whether it mean to retool its security department exercise , but so far we ’ve received no response .
[ Krebs on protection ]
Correction : In an update to his post — which is arguably a chastisement to most of his original claims — Brian Krebs detail a conversation with an Education Department spokesperson whom he claims “ took strong elision ” his portrait of the site ’s exposure . ( Krebs uncover his experience was based on a presentment conducted by one of his readers who had a family member apply for student aid through the FAFSA site . ) Specifically , the ED spokesperson posit that the data is spread over multiple Page and that some of the the most sore point , such as the fiscal information , can not be added or reviewed without the instauration of a watchword .
A ED spokesperson severalise Gizmodo that the Social Security numbers of students ’ parents is also inaccessible without a password . Moreover , any program program that were take off but never complete can not be accessed without a impermanent password , or what the site refers to as a “ save paint . ”
A salmagundi of personal information , include link information such home address , can be accessed by way of the substance describe above . This dataset is comparable to the kinds of personal information you ’d find in a leak voter disk ; however , it stands to reason that if a malicious political party has a target ’s SSN , they likely already have access code to other canonic contact information as well , therefore the threat posed by the FAFSA land site under most circumstances is probably minimal .
Got a peak about an insecure government website ? Email[email protected ] .
PrivacySecurityStudents
Daily Newsletter
Get the right tech , science , and culture newsworthiness in your inbox day by day .
News from the future , extradite to your present .
You May Also Like
