GAO Urges Federal Agencies to Strengthen ID Verification Steps after Equifax Breach
The Government Accountability Office (GAO) has published a report highlighting the vulnerabilities in certain online identity verification processes. The watchdog is urging agencies to change their verification strategies for applicants seeking federal benefits.
Many online application forms use knowledge-based identity verification, which includes information gathered from credit reporting agencies. The questions are multiple choice and are designed to confirm the applicant’s identity. For example, a question may ask, “Which auto lender did you apply for a loan through in 2014?” followed by a list of potential lenders.
As GAO pointed out, “data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently to respond to knowledge-based verification questions.” Someone who had access to the leaked Equifax information could use that data to apply for Social Security, Medicare, Medicaid, and other federal programs.
As an alternative, GAO suggests having applicants send ID verification by phone. Federal agencies could request a photo of a driver’s license or other ID, then compare the image to the file. The agencies could also use phone records to verify that a specific person is associated with a specific phone number. The watchdog did note that “these methods may have limitations in cost, convenience, and technological maturity, and they may not be viable for all segments of the public.”