Step up Social Security number protection, OIG says

The Social Security Administration should do more to protect against identity theft by increasing security controls on Social Security numbers and programs, according to two new federal audits.

One of the audits targeted the millions of SSN printouts distributed by the agency each year, which have much looser security controls than Social Security cards.

The second audit recommended tighter security for the SSA’s online iClaim process, which allows applicants to file claims for benefits.

While the number of replacement cards dropped from 12 million a year to 11 million a year between 2004 and 2009, the number of printouts increased from 5 million a year to 7 million a year during that period, the Dec. 13 audit from the Office of Inspector General said.

The identity authentication requirements for the SSN printouts are less stringent than for the cards, the inspector general wrote. Also, the cards have security features to protect their integrity, while the printouts have none.

The inspector general also noted there were more instances in which people were requesting more than 10 printouts per day, or per year, and more known cases of fraud involving printouts.

“We continue to believe the agency should strengthen its controls for issuing SSN printouts,” the report states. “We found an increase in the (1) number of SSN printouts SSA issued, (2) volume of numberholders obtaining more than 10 SSN printouts in a day and a year, and (3) occurrences of fraud involving SSN printouts.”

The report made six recommendations, including advising SSA to set limits on the number of printouts that can be issued to a single person per day or per year. SSA officials agreed with five of the recommendations.

However, agency officials disputed the recommendation that field officers obtain management approval in order to issue printouts to people with insufficient or nonexistent identity documents.

“SSA disagreed with this recommendation and stated that it does not believe management review of every request involving insufficient or nonexistent documentation would be cost effective, in light of its other planned enhancements,” agency officials said.

The second audit, issued on Dec. 7, was not released in full, because it contained “restricted information.” A summary was published on the SSA’s inspector general’s website.

The summary noted that the inspector general made seven recommendations to strengthen the integrity of the iClaim online claim application process, which is currently being used by about 1.2 million applicants per year.

“We made seven recommendations to enhance the integrity of the iClaim application and ensure appropriate actions are taken for completed applications,” the summary states. “This report contains restricted information for official use. Distribution is limited to authorized officials.”

The SSA has been strongly promoting iClaim as the preferred means for baby boomers to apply for retirement benefits, with a goal of 50 percent of applications to be filed through iClaim by 2013.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader comments

Fri, May 16, 2014

its something gong on you may not have heard. peoples ssn have come up as nonexistent on credit checks and to prove that that number in infact yours you must get a print out and provide it for each company you do business with so if you move in a place activate utilities get a phone line cable internet etc. you need a print out for each company. so within a day you could run through 5 required documents in a day and for all the trouble you might get a "copy for next time" just incase. the ss office and the credit check companies have a major issues and the bandaid over the issue is the "printout" so fixing the problem of limited printouts turns into the bigger problem of activation of service for the millions of people running into this in their normal non fraudulent lives...

Wed, Dec 28, 2011 Gary Stoneburner

Suggest that protecting SSAN is much like trying to close the proverbial barn door after the animals have already escaped. The SSAN was intended as an identifier, not an authenticator. Suggest that protecting against identify theft would be MUCH better served by requiring that knowledge of a SSAN never be used as any part of authentication. Again, the SSAN is useful as an identifier and lousy as an authenticator.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above