Guest Lex Posted August 17, 2002
A client has raised concerns regarding the use of the ssn as an ID (along with a PIN) over the web to access participant accounts. The concern is primarily that a person could intercept the web transmission to steal the ssn- not for purposes of taking 401k account money, but for the purpose of identity theft. Do any of your RK firms use an ID other than ssn for web access? My experience is the ssn is a standard industry practice.
Steve72 Posted August 19, 2002
California recently enacted a law that would make such use of the SSN illegal. ERISA pre-emption is, of course, an issue. Other states (including PA) and Congress have similar bills pending, with varying likelihoods of eventual passage. Not much of an answer to your question, but I thought I'd pass it on.
Demosthenes Posted August 19, 2002
At the very least, your web site should be using Secure Socket Layer (SSL) 3.0 and 128-bit encryption with a trusted certificate from a vendor like VeriSign. If that's in place, the SSN is not vulnerable since it's never transmitted in the clear. Nothing is unbeatable, but SSL and 128 bit encryption means that the data is vulnerable only to the most sophisticated of crackers. Believe me, anyone with that kind of decryption horsepower can find an easier way of snagging SSNs. The bigger risk is the guy who types his account id and password in at his computer at work and then walks off for a coffee. As to the CA law, my understanding is that it excludes the encrypted transmission of SSN data as an account ID.
RCK Posted September 24, 2002
I think that the bigger risk right now is the organizations that offer to "sweep" all your financial information into one place for you. So you give them the account number and PIN for each of your accounts (401k, IRA, mutual funds, mortgage, bank accounts), and they send that information to a third party, who goes out every night and "scrapes" the data from each of your accounts, returns it to your provider, who shows it all in one place for your convenience. Scary? Absolutely. Do people do it? Yes. As plan sponsor, can I stop it? Nope.
RCK
Demosthenes Posted September 25, 2002
Ah, the joys of data aggregation! I agree that handing off all of your accounts and PINs is putting all of the proverbial eggs in one basket. Unfortunately, aggregation is a fact of life and it is not going to go away. Furthermore, you, as the Plan Sponsor, should be aware of a couple of points.
1) There is a cost to aggregation. Every time a site gets scraped, it consumes bandwidth, CPUs etc. Servers have a limited capacity and given enough aggregation aggravation your provider is going to have to add hardware to deal with the traffic. That will translate into higher costs. If you think this is insignificant, some aggregators allow a user to set up a 15 minute refresh. That means that 24x7, the aggregator is attempting to refresh that data 4 times an hour. Ask your provider to give you a breakdown of hits to the site by participant over a 7 or 30 day span. If you see an account getting 600-700 hits in a week's time from a single participant you're being aggregated.
2) There are other ways to do this that don't have the kinds of impact scraping does on capacity. Lots of aggregators will set up an Extensible Markup Language (XML) transmission with a provider. Talk to your vendor about it and see if you can find a mutually compatible aggregation service. It's cleaner than scraping, consumes fewer resources, and its accuracy is greater than scraping. It's also a really nice feature for participants who do pay attention to their finances and that can be of added benefit to your company when you're looking to attract and retain talent.
3) Finally, both Quicken and Money have aggregation features that can be set up on a PC or Mac. Accounts and PINs stay on the desktop, transmissions are encrypted both ways, and most end users will limit the download to a once a day. If the cost isn't too great hand out copies at the company party!
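The hit-count check described in point 1) above, worked through as an added example (not code from the thread or from any provider): it parses a constructed access log, counts hits per participant over a trailing 7-day window, and flags accounts over the 600-hits-per-week mark, adding the median interval between hits because a 15-minute refresh leaves a near-constant gap that a human user never does. The log line format, participant IDs and reporting cut-off date are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WEEKLY_HITS_THRESHOLD = 600          # the post's tell: 600-700 hits/week from one participant
WINDOW_END = datetime(2002, 9, 25)   # assumed reporting cut-off for the 7-day window

def build_sample_log():
    """Constructed access log, one "<ISO timestamp> <participant> <path>" per line.
    P-0001 is polled every 15 minutes for 7 days (an aggregator's scheduled refresh,
    4/hour x 24 x 7 = 672 hits); P-0002 logs in a handful of times, like a person."""
    lines = []
    t = WINDOW_END - timedelta(days=7)
    while t < WINDOW_END:
        t += timedelta(minutes=15)
        lines.append(f"{t.isoformat()} P-0001 /balances")
    for hours_ago in (9, 31, 73, 120, 160):
        t = WINDOW_END - timedelta(hours=hours_ago)
        lines.append(f"{t.isoformat()} P-0002 /balances")
    lines.append("garbage line")  # malformed entry the parser must skip, not crash on
    return lines

def parse_log(lines):
    """Yield (participant, timestamp) for each well-formed line; skip the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            yield parts[1], datetime.fromisoformat(parts[0])
        except ValueError:
            continue

def hits_per_participant(lines, window_end=WINDOW_END, days=7):
    """Timestamps of each participant's hits inside the trailing `days`-long window."""
    start = window_end - timedelta(days=days)
    hits = defaultdict(list)
    for pid, ts in parse_log(lines):
        if start < ts <= window_end:
            hits[pid].append(ts)
    return hits

def suspected_aggregation(lines, threshold=WEEKLY_HITS_THRESHOLD):
    """Map participant -> (hit count, median minutes between hits) for accounts at or
    over the weekly threshold; a near-constant gap is the scheduled-refresh signature."""
    flagged = {}
    for pid, stamps in hits_per_participant(lines).items():
        if len(stamps) < threshold:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        flagged[pid] = (len(stamps), median(gaps))
    return flagged

if __name__ == "__main__":
    for pid, (n, gap) in suspected_aggregation(build_sample_log()).items():
        print(f"{pid}: {n} hits in 7 days, median gap {gap:.0f} min -> likely aggregated")
```

Run against a real provider export, only the line format in `parse_log` and the window cut-off need changing; the median-gap column separates an aggregator's clockwork polling from a participant who simply checks often.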
Guest Dharmesh Posted October 3, 2002
Although the SSN/PIN combination has been used for a long time, the emerging trend is for participant websites to allow participants to select their own UserName / Password. The technology for this is relatively straightforward. Identity theft is evidently the #1 white collar crime and will get increased visibility over the next couple of years. Although SSL and other forms of data encryption can reduce the risk, the reality is that most current implementations only encrypt data to and from the client browser (over the Internet). The SSN is rarely encrypted when stored within internal computer systems. I believe that most retirement websites will start providing an alternative to the SSN/PIN method of authentication over the next couple of years.
Dharmesh Shah
Pyramid Digital Solutions