The 2017 Equifax security breach has thrown a wrench into the process US government agencies use to verify the identity of US citizens applying for benefits through their online portals.
This process, called online identity verification or remote identity proofing, relied on data held by credit reporting agencies (CRAs) such as Equifax as proof of an applicant's identity.
Government systems or workers would verify data provided by a US citizen against a private CRA database, like the one maintained by Equifax, or they'd ask citizens questions about data that was present in their Equifax credit report.
But the 2017 Equifax hack, in which attackers stole identity details on 145.5 million US citizens, has made this process unreliable: the same data that is supposed to prove a citizen is who they say they are may now also be in the hands of the attackers and anyone they sold or passed it to. Knowledge-based verification only works as long as the answers are secret, and for the affected population they no longer are.
In 2017, the National Institute of Standards and Technology (NIST) issued guidance (its Digital Identity Guidelines, SP 800-63-3) recommending that government agencies replace CRA-based, knowledge-based identity proofing with other methods, such as sending a one-time code by SMS to the applicant's phone, or having the applicant upload a scan or photo of a physical ID to the agency as proof of identity.
But a report from the US Government Accountability Office (GAO), the nonpartisan agency that provides auditing, evaluation, and investigative services for Congress, has found that only two of the six government agencies it reviewed had fully followed the NIST guidance.
GAO found that the Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), the US Postal Service (USPS), and the Department of Veterans Affairs (VA) were still relying, at least in part, on CRA databases for online identity verification.
This means that anyone applying for benefits online with these agencies while in possession of data from the Equifax breach could pass identity verification as the US citizen they were trying to pose as.
The agencies that were part of the GAO inquiry said one reason they have not yet migrated to the methods NIST recommends is the "high costs and implementation challenges for certain segments of the public," which they fear might prevent some US citizens from being able to use their online portals at all.
Right now, GAO does not fault these agencies for the stalemate, and sees no way out of it other than NIST issuing new guidance with more practical advice and OMB requiring agencies to report on their progress.
"Until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB [Office of Management and Budget] requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identity proofing processes," GAO officials said.
For now, no cases of fraud have been publicly tied to the Equifax hack, and it is still unclear who stole the Equifax data or where that data has ended up.
Results of the GAO report:
- The General Services Administration (GSA) and the Internal Revenue Service (IRS) recently developed and began using alternative methods for remote identity proofing for their Login.gov and Get Transcript services that do not rely on knowledge-based verification.
- The Department of Veterans Affairs (VA) has implemented alternative methods for part of its identity proofing process but still relies on knowledge-based verification for some individuals.
- The Social Security Administration (SSA) and the United States Postal Service (USPS) intend to reduce or eliminate their use of knowledge-based verification some time in the future but do not yet have specific plans for doing so.
- The Centers for Medicare and Medicaid Services (CMS) has no plans to reduce or eliminate knowledge-based verification for remote identity proofing.