Online services have made nearly all transactions relatively simple—but they also need to be secure.
For example, in 2012, SSA implemented my Social Security, an internet portal that allows people to create a personal online account to access their Social Security information. In January 2013, SSA enhanced my Social Security to allow beneficiaries to change their direct deposit bank information. The innovation was helpful for SSA and beneficiaries alike; however, soon after SSA added the direct deposit function, the agency began to receive reports of misdirected benefits due to unauthorized direct deposit changes in my Social Security.
When a beneficiary’s direct deposit information is changed online, SSA notifies the beneficiary acknowledging the change. If the beneficiary did not authorize the change and contacts SSA about the issue, the agency works to correct the information in time to prevent misdirected benefits. However, if the unauthorized change goes unnoticed, beneficiaries can lose several months of benefits, and the losses can add up.
Specifically, in a September 2015 report, our auditors estimated that about $20 million in benefits owed to about 12,000 beneficiaries was misdirected in 2013 because of unauthorized direct deposit changes in my Social Security.
To address this issue, SSA said it would strengthen controls over my Social Security accounts to address fraud and improve service to beneficiaries. SSA previously reported that it:
- strengthened the my Social Security registration process;
- provided my Social Security account fraud awareness training to employees;
- established a fraud analysis team to investigate potential fraud;
- and established a my Social Security help desk for public users’ technical questions.
Our auditors followed-up on this issue in a recent report, and they estimated the amount of misdirected benefit payments from 2014 to 2016 was considerably less than it was in 2013.
According to their review, they estimated that $10.9 million in benefit payments owed to about 7,200 beneficiaries was misdirected over a three-year period because of unauthorized direct deposit changes in my Social Security. See the chart below for more information.
In the recent three-year period, the number of beneficiaries affected and the estimated misdirected benefit payments considerably reduced; for 2016, our auditors estimated that just $700,000 owed to about 550 beneficiaries was misdirected.
Recently, SSA added a new safeguard for users of my Social Security, offering a two-factor authentication process. Since June 2017, users can choose either a mobile phone number or an email address to receive the one-time, second-factor authentication code every time they log into their account.
People who suspect their account has been compromised also have the option to block all electronic access to their accounts. If you select this option, no one, including you, will be able to see or change your personal information on the internet or through SSA’s automated telephone service.