Eliminate Outdated Identity Proofing, Says GAO
According to the report, the Postal Service, Department of Veterans Affairs, Social Security Administration and the Centers for Medicare and Medicaid Services use outdated tactics to verify citizens’ data over the phone.
Of the six agencies GAO interviewed, only two have eliminated the use of knowledge-based verification methods. The remaining four government agencies rely on “consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification,” the report said. That is, individuals are asked questions based on information available in their credit reports.
As a result, any fraudster could potentially use information available from the 2017 Equifax breach or the latest hack of the week to answer security questions and start collecting the Social Security checks of vulnerable Americans or embezzle veterans’ healthcare benefits.
“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” the report said.
In addition to cost, agencies noted additional challenges to implementation, which include “mobile device verification[, which] may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.
Beyond recommending that the agencies discontinue the practice of knowledge-based verification, the GAO also recommended that NIST augment its technical guidance to include implementation guidance and assist agencies in adopting more secure authentication processes.
“It’s unfortunate that data breaches have become a part of our modern lives. But this report shows most of the damage isn’t done in the initial breach. In fact, most of the real damage comes from account takeovers by social engineering contact center agents long after the breach. Here’s the reality – hackers aren’t going away. The solution is to de-weaponize personal information. Stop relying on it for authentication,” said Pat Cox, VP and GM at Neustar.
“Identity interrogation and knowledge-based authentication, where citizens verify their identity by demonstrating knowledge of personal information, as basic as address or date of birth – information which could have been gleaned from dozens of recent data breaches – isn’t stopping identity theft.”
Source: Information Security Magazine