Equifax’s 2017 security breach disrupted the process used by U.S. government agencies to verify the identity of U.S. citizens requesting various benefits through their online portals.
This process, known as online identity verification or remote identity verification, relied on data provided by credit reporting agencies (CRAs) like Equifax, as proof of the applicant’s identity.
Government systems or workers would check data provided by a U.S. citizen against a private CRA database, such as the one maintained by Equifax, or they would ask citizens questions about the data on their credit report.
But the 2017 Equifax hack, in which hackers stole identity details of 145.5 million U.S. citizens, made that process inaccurate and unreliable, as hackers and other online groups could just as well be in possession of the same data, not just the U.S. citizen.
In 2017, the National Institute of Standards and Technology (NIST) responded to this hack by issuing guidance to government agencies, with recommendations on replacing CRA-based online identity verification with other solutions, such as sending an SMS to a user’s phone or having the user upload a scan of a physical ID to the government agency as proof of identity.
Four of six U.S. government agencies still rely on credit reporting agencies
But a report from the United States Government Accountability Office (GAO), a bipartisan government agency that provides audit, evaluation, and investigative services for Congress, found that only two of the six government agencies it examined had followed the NIST guidelines.
The GAO found that the Centers for Medicare and Medicaid Services (CMS), Social Security Administration (SSA), US Postal Service (USPS), and Department of Veterans Affairs (VA) still relied on the old CRA databases for online identity verification.
This means that any hacker calling or applying for benefits with these agencies – and in possession of data from the Equifax breach – could verify themselves as the U.S. citizen they were trying to impersonate.
Agencies that were part of the GAO survey said one of the reasons they have not yet migrated to a new system in line with the NIST guidelines is “high costs and the challenges of implementing it for certain segments of the public”, as agencies are concerned that this could prevent certain U.S. citizens from being able to use their online portals.
At present, the GAO does not blame these agencies, nor does it see a way out of this impasse other than NIST issuing new guidelines with better advice.
“Until NIST provides further guidance to help agencies move away from knowledge-based verification methods and OMB [Office of Management and Budget] requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identity verification processes,” GAO officials said.
So far, there have been no cases of fraud related to the Equifax hack, and it remains unclear who stole the data from Equifax, or even where that data ended up.
GAO report findings:
– The General Services Administration (GSA) and Internal Revenue Service (IRS) have recently developed and started using alternative remote identity verification methods for their Login.gov and Get Transcript services that do not rely on knowledge-based verification.
– The Department of Veterans Affairs (VA) has implemented alternative methods for part of its identity verification process, but still relies on knowledge-based verification for some people.
– The Social Security Administration (SSA) and United States Postal Service (USPS) intend to reduce or eliminate their use of knowledge-based verification in the future, but do not yet have specific plans to do so.
– The Centers for Medicare and Medicaid Services (CMS) do not intend to reduce or eliminate knowledge-based verification for remote identity verification.