A federal watchdog says the government should stop relying on the credit agencies to verify the identifies of those using government services.
In a report out this week, the the Government Accountability Office said several government departments still rely on the credit agencies — Equifax, Experian and TransUnion — to check if a person is who they say they are before they can access their services online.
Agencies like the U.S. Postal Service, the Social Security Administration, Veterans Affairs, and the Centers for Medicare and Medicaid Services ask several questions of a new user and match their answers to information held in an individual’s credit file. The logic is that these credit files have information only the person signing up for services can know.
But following the Equifax breach in 2017 those answers are no longer safe, the watchdog said.
The Equifax breach resulted in the theft of 148 million consumers. Much of the consumer financial data had been collected without the explicit permission of those whose data it held. An investigation later found the breach was “entirely preventable” had the credit agency employed basic security measures.
“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” wrote the watchdog.
In response, the named agencies said the cost of new verification systems are too high and may exclude certain demographics from the population.
Only Veterans Affairs implemented a new system but still relies on knowledge-based verification in some cases.
The other downside is that if you have no credit, you simply don’t show up in these systems. You need a credit card or some kind of loan in order to “appear” in the eyes of credit agencies. That’s a major problem for the millions who have no credit file, like foreign nationals working in the U.S. on a visa. In 2015, some 26 million people were estimated to be “credit invisible.”
“Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” wrote the watchdog.
Jessica spends 12 hours a day on the internet managing security for web assets and loves her macha tea