GAO: Post-Equifax, Agencies Must Tighten Online ID Proofing

After the massive Equifax data breach, a federal watchdog is warning the government against relying on credit agencies to verify the identities of individuals using its services.

A report from the Government Accountability Office (GAO) said several government departments still rely on the three major credit agencies — Equifax, Experian and TransUnion — to verify a person’s identity before they can access their services online. Agencies like the U.S. Postal Service, the Social Security Administration, Veterans Affairs, and the Centers for Medicare and Medicaid Services, for example, ask questions of a new user and match their answers to information held in an individual’s credit file.

“However, data stolen in recent breaches such as the 2017 Equifax breach could be used fraudulently to respond to knowledge-based verification questions,” GAO wrote. “The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications.”

“There are alternative methods to verify identity, such as comparing a photo of an ID card captured on a cell phone to documentation on file, but federal agencies have had issues with implementing them. For instance, not all applicants have cell phones,” the watchdog explained.

But GAO added that two of the six agencies that the watchdog reviewed have eliminated knowledge-based verification. The General Services Administration (GSA) and the Internal Revenue Service (IRS) recently developed and began using alternative methods for remote identity proofing, while the Department of Veterans Affairs (VA) implemented alternative methods for part of its identity proofing process, but still relies on knowledge-based verification for some individuals.

In addition, SSA and the United States Postal Service (USPS) are planning to reduce or eliminate their use of knowledge-based verification in the future. However, the Centers for Medicare and Medicaid Services (CMS) has no plans to reduce or eliminate knowledge-based verification.

The named agencies have said that implementing new verification systems is too expensive and may exclude certain demographics.

“Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” wrote the watchdog.