MyPay changes ramp up user security

Posted October 20, 2009
Defense Finance and Accounting Service News Release

10/20/2009 - CLEVELAND, OH — In an effort to increase the security of user information, myPay, the Web-based, pay-account management system operated by the Defense Finance and Accounting Service for all U.S. military personnel and many federal civilian employees, will implement a new access strategy this fall.

myPay allows many of the six million payroll customers of DFAS to access pay information and update such items as direct deposit account numbers, start or stop allotments, alter tax withholding amounts and retrieve tax forms.

The new upgrade will require users to establish new user names and passwords.

In the past, myPay account access used a user's Social Security number and a DFAS-provided PIN to establish a myPay permanent PIN. Later enhancements allowed the user to change their user name, known as a login ID, from their SSN to one of their own making. While the user names were masked (actual letters, numbers and symbols were not visible on the computer screen), more sophisticated "key logging" spyware could potentially provide this information to identity thieves should a user's computer become compromised.

This was also behind an earlier security upgrade, which required the use of a virtual keyboard when entering a PIN. The virtual keyboard uses mouse clicks rather than keyboard entry to enter a PIN and access a user's account.

According to myPay officials, customized login IDs and passwords will allow DFAS customers more flexibility and opportunities to increase the security of their personal information.

Login IDs, also known as user names, will require six to 129 alphanumeric characters that will be unique to one user only. Should a user attempt to create a login ID that has already been established, they will be informed to attempt another request using a different ID.

Login IDs must meet the following requirements:

• No less than six and no more than 129 characters.
• Cannot be nine numbers only (prohibits use of a SSN as a login ID).
• May contain alphabetic (letters) and/or numeric characters and may also contain the following special characters: @ (at sign), _ (underscore), - (dash), . (period), ‘ (apostrophe)

Rather than using a myPay PIN, the new security enhancement will require users to establish passwords to accompany their customized login IDs.

Passwords will be created by each user and must meet myPay standards:

• No less than eight and no more than 15 characters.
• May not include the last four numbers of the user's Social Security number.
• May not match the user's login ID.
• May not match any of the user's previous 10 passwords for myPay access.
• Must contain at least one letter and one number.
• Must contain at least one of 10 special characters.

Instructions for creating login IDs and passwords will be available on the myPay Web site to assist users. In addition, users can call the Customer Support Unit at 1-888-332-7411 or click the "Contact Us" link on the myPay home page for assistance.

Accounts with a Restricted Access PIN, which allows access to pay account information without the ability to make changes for persons authorized by the primary user, will also be prompted to establish a limited access ID and password using the same requirements. Use of the myPay interactive voice response system, which allows telephone access to certain pay information, may still be entered using the Social Security number and myPay PIN.

A virtual keyboard must still be used to enter a user's password.

While this security enhancement is intended to help keep users' information secure and prevent unauthorized access to pay accounts, myPay officials encourage all users to take appropriate actions to keep their login IDs and passwords private. This can include storing them in a lockable and secure place, memorizing them and destroying any written record, and not sharing them with anyone.