This report highlighted security vulnerabilities associated with the Federal student aid Personal Identification Number (PIN) Registration System (PIN system) that were identified through various OIG investigations. The vulnerabilities identified included inadequate PIN recovery mechanisms that have the potential to allow unauthorized users to access FSA’s student loan Web sites and databases and obtain sensitive personal information contained in the PIN system; students sharing their PINs with Internet-based loan servicers, which gives bad actors at a company an opportunity to change and misuse the students’ personal data; and third-party FAFSA preparers managing student PINs without identifying themselves on the FAFSA, controlling student PIN accounts, and receiving electronic correspondence from FSA that is intended for the student.

We recommended that FSA make specific improvements to its PIN system to ensure that personal information stored on its databases and Web sites is adequately protected. We also suggested that the Department consider developing a capability that lets students grant companies providing loan-related services read-only access to relevant areas of their accounts that do not contain sensitive personal information, and that it create preparer-specific access accounts that would allow a student to authorize a preparer to access and modify only certain sections of the FAFSA.
Date Issued
Submitting OIG: Department of Education OIG
Other Participating OIGs: Department of Education OIG
Agencies Reviewed/Investigated: Department of Education
Components: Federal Student Aid
Report Number: X21L0002
Report Description
Report Type: Other
Number of Recommendations: 5
Questioned Costs: $0
Funds for Better Use: $0