WASHINGTON – I got hacked. It was scary.
In this age of cybereverything, we all live in dread that we’re going to be attacked by the internet. Nearly everyone seems vulnerable. The internet is changing how we work, play, socialize, shop – and what we love and fear.
Your data is for sale. If there is a saving grace, it is this: We assume that “bad stuff” always happens to somebody else. Well, not always.
My encounter with bad stuff began a few weeks ago when I received a letter from the Social Security Administration, via “snail mail.” By itself, this was neither alarming nor threatening. If you’re 65 or over (I am 73), you receive regular notices from Social Security and its first cousin, Medicare.
The letter looked authentic – and was. “Thank you for using Social Security’s online services,” it said. “On June 28, 2019, you successfully created an online account with the Social Security Administration.” This, too, seemed innocuous, except for one troubling detail: I DIDN’T CREATE AN ONLINE ACCOUNT WITH THE SOCIAL SECURITY ADMINISTRATION.
True, I already receive my monthly Social Security benefit through electronic deposit into my bank. But that had been going on for years. It was the only contact I desired with the Social Security Administration. Perhaps SSA was quietly expanding its bureaucratic reach. Or not. I decided to call the 800 number in the letter. (The 800 number seemed legitimate, because the same number appeared on many SSA sites.)
The wait was about an hour. I was tempted to hang up. I’m glad I didn’t. The woman who answered was courteous and helpful. Yes, my personal data had been altered, so that my monthly benefit would be diverted to someone else’s bank account, not mine. She reinstated the correct address and put a “block” on the account, meaning that unless I visited an SSA office, my personal information could not be changed.
“You will continue to receive your monthly payments,” the SSA promised. That’s reassuring, if true. (Note: Anyone familiar with my policy views knows that I favor benefit cuts for the affluent elderly. Accepting benefits now may seem hypocritical. Not so. I would gladly cut mine as part of an overall program.)
Just how my personal data was altered remains a mystery to me and, perhaps, to the SSA. “It’s hard to know how identity thieves obtain personal information used to commit this type of fraud,” said SSA Inspector General Gail Ennis in an email.
We do know some things, however.
The existing approach to creating reliable identification numbers (say, Social Security cards or driver’s licenses) is known as “knowledge-based verification.” To prove you are who you say you are, you’re asked questions to which, presumably, only you know the answers: for example, your birth date, home address or Social Security number.
But the KBV “model has fallen apart online,” asserts The Better Identity Coalition, a group searching for more accurate approaches. KBV is hobbled because data breaches have made a lot of “secret” information widely available to cybercriminals on the internet.
The number of reported data breaches – hostile penetrations of computer networks – has soared from 421 in 2011 to 1,579 in 2017, according to the Identity Theft Resource Center. Each breach in turn may contain data on millions of people. The breach in 2017 of Equifax, a major credit bureau, is widely regarded as a bonanza for cyber-thieves, because it contained personal data on more than 147 million people.
Against this backdrop, I surmised that the SSA must be swamped with complaints like mine: benefits that were digitally hijacked. Wrong. Their number peaked at about 12,000 in 2013. For the first half of 2018, that number was down to about 200, estimates the OIG’s office. Compared with the roughly 63 million Social Security recipients, that’s virtually nothing.
One explanation is that some transfers are done more securely through electronic networks than by checks, which can be stolen in the mail or lost. In 2013, the Treasury required that virtually all benefits be paid electronically.
Another safeguard, which was important in my case, was the requirement that recipients receive by mail any notice of a change in address. If the change is legitimate, it’s routine. But if the address change is bogus, as it was for me, then the beneficiary can contact the SSA before any serious fraud takes place.
So, be forewarned. This is the internet’s new normal. It expands our choices but compromises our freedom. It encloses society in a permanent cocoon of suspicion. There’s no escaping its grasping tentacles.
Robert Samuelson is a columnist for The Washington Post.