In a report this week, the Government Accountability Office is warning federal agencies including the U.S. Postal Service, the Social Security Administration, Veterans Affairs, and the Centers for Medicare and Medicaid Services that they should stop relying on credit agencies to verify identities, following the devastating 2017 hack of Equifax that compromised the information of around 150 million Americans.
Those agencies currently verify that an individual is who they claim to be by asking users to provide personal information and then cross-checking it against credit files provided by one of the three major agencies: Equifax, Experian, and TransUnion. Per TechCrunch, the report notes that in 2017 the National Institute of Standards and Technology (NIST) issued guidance that “effectively prohibits agencies from using knowledge-based verification for sensitive applications,” because malicious parties may already hold the Equifax data and because even more such data could be compromised in the future.
Just two agencies, the General Services Administration and the Internal Revenue Service, have complied by developing their own alternative methods, the report says. The four aforementioned ones continue to rely at least in part on knowledge-based verification:
Two of the six agencies that GAO reviewed have eliminated knowledge-based verification. Specifically, the General Services Administration (GSA) and the Internal Revenue Service (IRS) recently developed and began using alternative methods for remote identity proofing for their Login.gov and Get Transcript services that do not rely on knowledge-based verification. One agency—the Department of Veterans Affairs (VA)—has implemented alternative methods for part of its identity proofing process but still relies on knowledge-based verification for some individuals. SSA and the United States Postal Service (USPS) intend to reduce or eliminate their use of knowledge-based verification sometime in the future but do not yet have specific plans for doing so. The Centers for Medicare and Medicaid Services (CMS) has no plans to reduce or eliminate knowledge-based verification for remote identity proofing.
Alternative methods recommended by the GAO include remote assessment of physical credentials (i.e., an image of a driver’s license or other documents) and verification using cell phone carrier records. While both of those methods require that someone have access to a phone, TechCrunch noted that the credit agency system requires a credit history, and in 2016 the Consumer Financial Protection Bureau estimated that some 26 million people (roughly one in ten adults) lack such records on file with the three major credit rating companies.
“Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public,” the GAO report concluded. “... Until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.”
Equifax, which could have prevented the breach by patching server software but did not and was later chastised by the House Oversight Committee for sheer incompetence, has finally started to face some consequences. Last month, Moody’s downgraded the company from a “stable” to a “negative” outlook in large part due to lawsuits, investigations, and fines estimated to have cost the company $690 million in Q1 2019 alone, as well as future costs that could add up to more than a billion by 2021. In January 2019, a federal judge in Atlanta refused to throw out two consolidated class actions against the company, meaning more payouts may be coming.