For Americans, the Social Security number (SSN) has long been considered one of the most private pieces of personally identifiable information. With it, you can unlock an infinite number of doors; behind each is a bank account, a trove of medical records, your cellphone call history, and a bevy of other intimate details about your life. Essentially, it is the most important password you own. And though experts that warn you should change your passwords often, those nine digits will never change.
[Update 12/18 10:30am: After this article was published Brian Krebs issued an “update” to his original post which appears to retract most of his claims about the FAFSA website. We’ve added a correction to the bottom of this article.]
The truth is that your SSN is in no way secure. It is maintained in countless databases by corporations and government agencies whose concerns over your security is negligently lax at best. Equifax, which lost control over potentially half of the country’s SSNs this year alone, is but one example. Odds are that your nine digits specifically are already in the hands of some unauthorized persons—who may or may not choose to maliciously target you at some point now or in the future.
A new report by security blogger Brian Krebs reveals that the US Department of Education’s FAFSA website (short for “Free Application for Federal Student Aid”) will grant access to an abundance of personal information to anyone with the right SSN and date of birth—information which can be purchased by criminals on the dark net for roughly the cost of a small cup of Starbucks coffee.
The Federal Student Aid office, which says it employees more than 1,300 federal workers, provides more than $120 billion in federal grants and loans each year to more than 13 million students. It is also a goldmine for identity theft.
For a criminal with access to a large database of SSNs, the FAFSA websites offers access to nearly 200 other pieces of personal data on any target with a federal student loan. Worse, the website will even cough up access to the SSNs and birthdates of the target’s relatives. The security flaw here lies in the Education Department’s presumption that a SSN is secure form of authentication.
Students logging into the FAFSA website are offered two methods for proving they are who they say they are: The first is a username and password combination—the latter of which must be changed every 18 months—collectively known as a FSA ID. While the website accepts phone numbers to help recover passwords, it does not offer two-factor authentication as a means to secure a FAFSA account. The second method for logging in requires four pieces of information, which are in no way secure given the abundance of data breaches we’ve experienced over the past year alone: a first and last name, a date of birth, and a SSN.
Successfully logging into the website grants the user (authorized or not) access to a vast amount of personal data: addresses, phone numbers, driver’s license numbers, citizenship status, high school name, year of graduation, income tax information, current savings and checking account information, dependents, child support payments, whether the student is a veteran, whether they are an emancipated minor, whether they’ve been homeless, married, or in foster care. (See the full list in Kreb’s blog.)
And the worst part is that the website also surrenders the SSNs and dates of birth for one parent or both of any student who has applied for federal student aid. It’s a veritable gold mine for any dedicated identity thief.
Thankfully, the Social Security Administration itself is currently looking into the possibility of adding what’s called (U2F) to its own website. The technology is similar to Two-Factor Authentication (2FA), which utilizes a password plus a second piece of information, typically a six-digit code sent directly to a user’s cellphone via SMS for one-time use. But in lieu of a code sent via text message, U2F uses an physical security token—typically a USB keychain dongle—to authenticate the user.
To defeat U2F, an attacker would require a user’s password and physical access to the USB device, which is why U2F is often referred to as “unphishable,” meaning the account holder cannot be tricked by phone or email into relinquishing access. Two months ago, the US Department of Veterans Affairs introduced U2F, allowing your “90-year-old grandma” to access her veteran’s benefits without having to remember “seven different passwords,” as one US official put it.
The Education Department could voluntarily fix its authentication problem—and for bonus points supplement its website with U2F—or the Department of Homeland Security, which is charged with enforcing security standards throughout the federal government, could force them to fix it. Only time will tell.
Gizmodo has reached out to the the Department of Education with questions about whether it intends to revise its security practices, but so far we’ve received no response.
Correction: In an update to his post—which is arguably a correction to most of his original claims—Brian Krebs details a conversation with an Education Department spokesperson whom he claims “took strong exception” his portrayal of the site’s vulnerability. (Krebs revealed his experience was based on a demonstration conducted by one of his readers who had a family member apply for student aid through the FAFSA website.) Specifically, the ED spokesperson stated that the data is spread over multiple pages and that some of the the most sensitive items, such as the financial information, cannot be added or reviewed without the creation of a password.
A ED spokesperson tells Gizmodo that the Social Security numbers of students’ parents is also inaccessible without a password. Moreover, any applications that were started but never completed cannot be accessed without a temporary password, or what the site refers to as a “save key.”
A variety of personal information, including contact information such home address, can be accessed by way of the means described above. This dataset is comparable to the kinds of personal information you’d find in a leaked voter record; however, it stands to reason that if a malicious party has a target’s SSN, they likely already have access to other basic contact information as well, therefore the threat posed by the FAFSA site under most circumstances is probably minimal.
Got a tip about an insecure government website? Email firstname.lastname@example.org.