The Social Security Administration and the U.S. Postal Service are among government agencies using an outdated identity verification method that makes citizens vulnerable to fraud if their online data is stolen in cyber breaches, according to a new Government Accountability Office report released Friday.
The Centers for Medicare and Medicaid Services, the Department of Veterans Affairs, the Social Security Administration and the U.S. Postal Service are using an older verification method that relies on questions generated by credit rating agencies, according to the report. This method was deemed outdated in 2017, after the Equifax breach and others compromised the data used to answer those questions, according to the GAO.
The report, Data Protection: Federal Agencies Need to Strengthen Online Identity Verification Processes, found that these four federal entities give individuals access to their online portals with questions on information found in their credit files.
In all, the GAO looked at six federal agencies’ practices for identity verification.
The Internal Revenue Service and General Services Administration had ceased to use what is seen as faulty knowledge-based verification, the GAO found. However, CMS, the VA, SSA and USPS still do to varying extents.
In recent data breaches such as the 2017 Equifax breach, the personal information used to answer those knowledge-based questions was compromised, so stolen data could be used fraudulently to pass the identity check.
Indeed, it is this post-breach risk that, in 2017, caused the National Institute of Standards and Technology to issue guidance that basically prohibits federal agencies from using knowledge-based verification for their more sensitive applications, the GAO report noted.
“Until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.
Sen. Elizabeth Warren, D-Mass., a member of the Senate Banking Committee and presidential candidate; Rep. Elijah Cummings, D-Md., chairman of the House Committee on Oversight and Reform; and Sen. Ron Wyden, D-Ore., released the report, dated May 2019.
The General Services Administration and the Internal Revenue Service have started using “alternative methods for remote identity proofing for their Login.gov and Get Transcript services that do not rely on knowledge-based verification,” the GAO report stated.
However, even though the VA has started using alternative methods, it still depends on the old knowledge-based verification for some people, the report said.
The GAO wants the practices improved and wants progress reports from the CMS, USPS, VA and SSA mandated by the Office of Management and Budget.
Warren, Wyden and Cummings have already written multiple times to the heads of the agencies using outdated methods asking them why they hadn’t updated their online portal entry methods and when and how they intend to do so, according to a statement they issued.
In addition, Warren and Cummings reintroduced the Data Breach Prevention and Compensation Act with Sen. Mark Warner, D-Va., and Sen. Raja Krishnamoorthi, D-Ill., on citizens’ data and agency accountability. The bill, unveiled in early May, draws on some of the GAO report’s findings.
“It is troubling that almost two years after the massive 2017 Equifax data breach federal government agencies continue to use outdated identity-proofing methods that put citizens at increased risk of identity theft,” the lawmakers stated. “We need to do more to prevent these kinds of breaches, and the government needs to be better and smarter about protecting citizens.”