The government is playing a dangerous game with personal data, according to a federal watchdog. By depending on credit agencies for “knowledge-based verification”, the government runs a significant risk of exposing the information of those using government services.
This week, the Government Accountability Office issued a report about this troubling reliance. The U.S. Postal Service, the Social Security Administration, Veterans Affairs and the Centers for Medicare and Medicaid Services all use credit agencies such as Equifax, Experian and TransUnion to authenticate users for online services.
The report cites the massive (and preventable) Equifax breach in 2017 as a prime example of why governments should not let their guard down. The infamous hack that compromised nearly 150 million Americans’ data set off a heightened demand for cybersecurity firms and more scrutiny for substandard security.
“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” said the watchdog.
Two of the six agencies GAO reviewed - the General Services Administration (GSA) and the Internal Revenue Service (IRS) - have already started offering alternatives to knowledge-based verification. Veterans Affairs is the only one to start a new system altogether. Alternative verification systems, however, are typically expensive and sometimes not inclusive. “For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities,” per the report.