For Americans, the Social Security number (SSN) has long been considered one of the most private pieces of personally identifiable information. With it, you can unlock countless doors; behind each is a bank account, a trove of medical records, your cellphone call history, and a bevy of other intimate details about your life. Essentially, it is the most important password you own. And though experts warn that you should change your passwords often, those nine digits will never change.
The truth is that your SSN is in no way secure. It is maintained in countless databases by corporations and government agencies whose concern for your security is negligently lax at best. Equifax, which lost control of potentially half of the country’s SSNs this year alone, is but one example. Odds are that your nine digits specifically are already in the hands of some unauthorized person, who may or may not choose to target you maliciously at some point, now or in the future.
A new report by security blogger Brian Krebs reveals that the US Department of Education’s FAFSA website (short for “Free Application for Federal Student Aid”) will grant access to an abundance of personal information to anyone with a target’s name, date of birth and SSN—information which can be purchased by criminals on the dark net for roughly the cost of a small cup of Starbucks coffee.
The Federal Student Aid office, which says it employs more than 1,300 federal workers, provides more than $120 billion in federal grants and loans each year to more than 13 million students. It is also a gold mine for identity theft.
For a criminal with access to a large database of SSNs, the FAFSA website offers access to nearly 200 other pieces of personal data on any target with a federal student loan. Worse, the website will even cough up the SSNs and birthdates of the target’s relatives. The security flaw here lies in the Education Department’s presumption that an SSN is a secure form of authentication, when it is an identifier that countless other parties already hold.
Students logging into the FAFSA website are offered two methods for proving they are who they say they are. The first is a username and password combination, collectively known as an FSA ID; the password must be changed every 18 months. While the website accepts phone numbers to help recover passwords, it does not offer two-factor authentication as a means of securing a FAFSA account. The second method requires four pieces of information, none of them secret given the abundance of data breaches we’ve experienced over the past year alone: a first name, a last name, a date of birth, and an SSN.
Successfully logging into the website grants the user (authorized or not) access to a vast amount of personal data: addresses, phone numbers, driver’s license numbers, citizenship status, high school name, year of graduation, income tax information, current savings and checking account information, dependents, child support payments, whether the student is a veteran, whether they are an emancipated minor, and whether they’ve been homeless, married, or in foster care. (See the full list on Krebs’s blog.)
And the worst part is that the website also surrenders the SSNs and dates of birth of one or both parents of any student who has applied for federal student aid. It’s a veritable gold mine for any dedicated identity thief.
Thankfully, the Social Security Administration itself is currently looking into adding support for Universal 2nd Factor (U2F) to its own website. U2F is a form of two-factor authentication (2FA). The familiar version of 2FA pairs a password with a second piece of information, typically a six-digit one-time code sent to the user’s cellphone via SMS. U2F replaces the texted code with a physical security token, typically a USB keychain dongle, that signs a challenge from the website to authenticate the user.
To defeat U2F, an attacker would need both the user’s password and physical possession of the USB device. The token also binds every signature it produces to the web address it was registered with, so a response captured by a look-alike site is useless at the real one. That is why U2F is often referred to as “unphishable”: the account holder cannot be tricked by phone or email into relinquishing access. Two months ago, the US Department of Veterans Affairs introduced U2F, allowing your “90-year-old grandma” to access her veteran’s benefits without having to remember “seven different passwords,” as one US official put it.
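The origin binding that makes U2F resistant to phishing, shown as an added example that is not from the article, from Krebs’s report, or from any federal website: a simplified Go model of a security key, the client data a browser attaches, and the verification a website performs. The origins and challenge strings are constructed for illustration, and the user-presence byte and signature counter of real U2F are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Token models a U2F security key. Keys are stored per app ID (here, the
// site's origin), so a key registered with one site is unusable at another.
type Token struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewToken() *Token {
	return &Token{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register generates a key pair bound to appID and returns the public key,
// which the site stores alongside the user's account at enrolment time.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[appID] = priv
	return &priv.PublicKey, nil
}

// clientData mirrors U2F client data: the challenge the site issued and the
// origin of the page that asked for the signature. The browser fills in the
// origin; a page cannot claim to be a different site.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to the page after the token signs.
type Assertion struct {
	ClientData []byte
	Signature  []byte
}

// signedDigest is sha256(sha256(appID) || sha256(clientData)). Real U2F also
// covers a user-presence byte and a counter; both are omitted in this model.
func signedDigest(appID string, cd []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256(cd)
	h := sha256.New()
	h.Write(appHash[:])
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Authenticate is the browser-to-token call. The browser passes the origin of
// the page it is running, so both the key chosen and the signed bytes are
// tied to that origin, not to whatever the page claims.
func (t *Token) Authenticate(origin, challenge string) (Assertion, error) {
	priv, ok := t.keys[origin]
	if !ok {
		return Assertion{}, errors.New("no key registered for origin " + origin)
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientData: cd, Signature: sig}, nil
}

// Verify is the site's check: the client data must name the site's own origin
// and the challenge it issued, and the signature must verify under the stored
// key over a digest computed with the site's own origin.
func Verify(pub *ecdsa.PublicKey, site, challenge string, a Assertion) bool {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return false
	}
	if cd.Origin != site || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(site, a.ClientData), a.Signature)
}

func main() {
	const site = "https://studentaid.example"        // constructed, not a real site
	const phish = "https://studentaid-login.example" // constructed look-alike
	tok := NewToken()
	pub, err := tok.Register(site)
	if err != nil {
		panic(err)
	}
	good, _ := tok.Authenticate(site, "challenge-1")
	fmt.Println("genuine login verifies:", Verify(pub, site, "challenge-1", good))
	// A look-alike page relays the real challenge, but the browser reports the
	// look-alike origin, for which the token holds no key.
	_, err = tok.Authenticate(phish, "challenge-1")
	fmt.Println("token refuses look-alike origin:", err != nil)
	// Even if the user had enrolled the token at the look-alike site, that
	// assertion is bound to the look-alike origin and the real site rejects it.
	tok.Register(phish)
	relayed, _ := tok.Authenticate(phish, "challenge-1")
	fmt.Println("relayed assertion verifies at real site:", Verify(pub, site, "challenge-1", relayed))
}
```

The two rejections in `main` are the whole point: an SMS code typed into a look-alike page is accepted anywhere, whereas a U2F signature carries the origin it was made for and the real site refuses anything made for a different one.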
The Education Department could voluntarily fix its authentication problem—and, for bonus points, supplement its website with U2F—or the Department of Homeland Security, which is charged with enforcing security standards throughout the federal government, could force it to. Only time will tell.
Gizmodo has reached out to the Department of Education with questions about whether it intends to revise its security practices, but so far we’ve received no response.
Got a tip about an insecure government website? Email firstname.lastname@example.org.