The U.S. Department of Education recently switched the online version of the FAFSA (Free Application for Federal Student Aid) from the FSA PIN to the FSA ID to “comply with new security requirements and industry best practices.” Although this change improves security by allowing students and parents to authenticate themselves without providing personally identifiable information (PII) each time, FAFSA on the Web continues to suffer from several serious security flaws.
Setting up an FSA ID requires the consumer to answer four challenge questions and to provide a significant date in the consumer’s life. Contrary to popular belief, increasing the number of options for accessing a consumer’s FSA ID does not increase security – it weakens it. Four challenge questions provide weaker security than two, because each question is a separate opportunity to bypass the consumer’s password.
The first two challenge questions are drawn from a fixed set of nine questions:
- What was the name of your elementary school?
- What is the nickname of your youngest sibling?
- What city were you born in?
- Who was your first boss?
- What was the name of your first pet?
- What was your high school’s mascot?
- What is the name of the hospital you were born in?
- What color was your first car?
- What is your mother’s maiden name?
This makes a hacker’s job easier, since at most nine pieces of personally identifiable information are needed to bypass any consumer’s password. Even a hacker who can obtain the answer to only one of the nine questions can still compromise the security of roughly one ninth of the accounts.
The significant date in the consumer’s life is effectively an 8-digit PIN and is an improvement over the 4-digit FSA PIN. However, by describing it as “a significant date in your life,” the U.S. Department of Education biases the selection of PINs to dates in the last century, and further biases it to birthdays and anniversaries. Most people will choose their own birthday, which is not blocked by the Challenge Question tool. It would have been better to describe the date as just an 8-digit PIN.
Once a hacker has gained access to the account, he or she can click on “Edit My Challenge Questions” and check the “Show Text” box next to each question to read the answers to the other challenge questions.
Although the U.S. Department of Education uses Secure Sockets Layer (SSL) to encrypt the connection between the consumer’s web browser and its servers, it has not adopted other basic security measures. For example, it does not track and automatically block unusual access patterns, such as multiple accesses from the same IP address to the accounts of unrelated consumers. It also does not use reCAPTCHA to prevent accesses from “bots.”
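The access-pattern check described above can be implemented as a simple sliding-window count of distinct accounts per source IP. The following is an added example written for this post, not code from the U.S. Department of Education or FAFSA on the Web; the log format, the field names, the IP addresses (from the RFC 5737 documentation ranges) and the 10-minute window with a threshold of three accounts are all constructed assumptions. The threshold is deliberately above two so that a parent and a student signing in from the same household address are not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real FAFSA data):
# timestamp, client IP, FSA ID username, action
SAMPLE_LOG = """\
2015-06-01T08:00:01 203.0.113.10 student_a login_ok
2015-06-01T08:00:09 203.0.113.10 student_b login_ok
2015-06-01T08:00:15 203.0.113.10 student_c challenge_ok
2015-06-01T08:00:22 203.0.113.10 student_d challenge_fail
2015-06-01T08:00:30 203.0.113.10 student_e challenge_ok
2015-06-01T08:05:00 198.51.100.7 parent_x login_ok
2015-06-01T08:06:00 198.51.100.7 student_x login_ok
2015-06-01T09:30:00 192.0.2.44 student_q login_ok
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, action = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, action))
    return events


def flag_shared_source_ips(events, window=timedelta(minutes=10), max_accounts=3):
    """Flag source IPs that touch more than max_accounts distinct accounts
    within any `window`-long span. Returns {ip: {"peak_accounts_in_window": n,
    "accounts": [...]}} for flagged IPs only."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, hits in by_ip.items():
        start = 0
        peak = 0
        # hits are time-sorted; slide `start` forward so the window never exceeds `window`
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in hits[start:end + 1]}))
        if peak > max_accounts:
            flagged[ip] = {
                "peak_accounts_in_window": peak,
                "accounts": sorted({u for _, u in hits}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_shared_source_ips(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['peak_accounts_in_window']} accounts in window -> {info['accounts']}")
```

In a real deployment the flagged IP would be rate-limited or challenged rather than silently logged, and the window and threshold would be tuned against legitimate shared addresses such as school computer labs.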
Hopefully, the U.S. Department of Education will soon close these security holes in FAFSA on the Web. The fixes are easy to implement.
In the meantime, there are several workarounds that consumers can use to improve the security of their FSA IDs:
- When answering a Challenge Question, ignore the question itself. Instead, create a second password consisting of a random mix of numbers and uppercase and lowercase letters, and use that as the answer. That will prevent a hacker from guessing the answer based on the question. Be sure to record this second password for later reference.
- Treat the answer to the significant date question as though it were an 8-digit PIN and do not use a date or other easy-to-guess numeric sequence.
- Close the web browser after using it, to clear the cache.
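To put numbers on the points made above about the date PIN, the four challenge questions, and the random-answer workaround, here is an added example written for this post (not code from the Department of Education or any FAFSA tool). It compares the size of the 8-digit PIN space with the number of calendar dates an attacker actually has to try, shows how adding independent recovery paths raises the chance that at least one is guessed, and generates the kind of random challenge answer the first workaround recommends. The year ranges are constructed assumptions: "the last century" is taken as the 100 years ending in 2015, and 1990–2000 stands in for plausible applicant birth years.

```python
import math
import secrets
import string
from datetime import date

ALPHABET = string.ascii_letters + string.digits  # upper, lower, digits


def count_valid_dates(start_year, end_year):
    """Number of distinct calendar dates from Jan 1 start_year to Dec 31 end_year inclusive."""
    return (date(end_year, 12, 31) - date(start_year, 1, 1)).days + 1


def keyspace_report():
    """Candidate counts an attacker must cover for each way of choosing the 8-digit value."""
    return {
        "four_digit_pin": 10 ** 4,
        "eight_digit_pin": 10 ** 8,
        # assumption: "last century" = 100 years ending in 2015
        "dates_last_century": count_valid_dates(1916, 2015),
        # constructed assumption: birth years of a typical applicant cohort
        "birthdays_applicant_cohort": count_valid_dates(1990, 2000),
    }


def bits(n):
    """Entropy in bits of a uniformly chosen value from n candidates."""
    return math.log2(n)


def multi_path_bypass_probability(per_path_guess_probability, paths):
    """Probability that at least one of `paths` independent recovery paths
    (e.g. challenge questions) is guessed, given the per-path success rate."""
    return 1 - (1 - per_path_guess_probability) ** paths


def random_challenge_answer(length=16):
    """Random alphanumeric string to use in place of a guessable challenge answer."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_bits(length=16):
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for name, n in keyspace_report().items():
        print(f"{name:28s} {n:>10d} candidates  ({bits(n):5.1f} bits)")
    print("bypass chance with 2 questions at 10% each:",
          round(multi_path_bypass_probability(0.10, 2), 4))
    print("bypass chance with 4 questions at 10% each:",
          round(multi_path_bypass_probability(0.10, 4), 4))
    print("random answer:", random_challenge_answer(),
          f"({random_answer_bits():.1f} bits)")
```

The report shows why a date is a poor 8-digit PIN: the nominal space is 100 million values, but a century of dates is only a few tens of thousands, and an attacker who guesses birthdays for a college-age applicant faces only a few thousand. The random 16-character answer, by contrast, has roughly 95 bits of entropy and no relationship to any public fact about the consumer.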