The Social Security Administration and the U.S. Postal Service are among government agencies using an outdated identity verification method that makes citizens vulnerable to fraud if their online data is stolen in cyber breaches, according to a new Government Accountability Office report released Friday.
The Centers for Medicare and Medicaid Services, the Department of Veterans Affairs, the Social Security Administration and the U.S. Postal Service are using an older verification method that relies on questions generated by credit rating agencies, according to the report. This method was deemed outdated in 2017, after the Equifax breach and others compromised the data used to answer those questions, according to the GAO.
The report, Data Protection: Federal Agencies Need to Strengthen Online Identity Verification Processes, found that these four federal entities give individuals access to their online portals with questions on information found in their credit files.
In all, the GAO looked at six federal agencies’ practices for identity verification.
The Internal Revenue Service and the General Services Administration had stopped using knowledge-based verification, which the GAO considers faulty; however, CMS, the VA, the SSA and the USPS still use it to varying extents, the GAO found.
Personal data exposed in recent breaches such as the 2017 Equifax breach could be used by a fraudster to answer the knowledge-based questions offered as proof of identity.
Indeed, it was this post-breach risk that, in 2017, led the National Institute of Standards and Technology to issue guidance that effectively prohibits federal agencies from using knowledge-based verification for their more sensitive applications, the GAO report noted.
“Until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.