A federal watchdog says the government should stop relying on credit bureaus to verify the identity of people using government services.
In a report released this week, the Government Accountability Office said that several government departments still rely on credit bureaus (Equifax, Experian and TransUnion) to verify that a person is who they say they are before they can access their services online. .
Agencies such as the U.S. Postal Service, the Social Security Administration, Veterans Affairs, and the Centers for Medicare and Medicaid Services ask a new user several questions and compare their answers with the information in the credit file. of a person. The logic is that these credit files have information that only the person who subscribes to the services can know.
But after the Equifax breach in 2017, those responses are no longer safe, the watchdog said.
The Equifax breach resulted in the theft of 148 million consumers. Much of the consumer’s financial data had been collected without the explicit permission of those whose data it contained. An investigation later found the breach to be “totally preventable” if the credit bureau employed basic security measures.
“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based knowledge. “Verification of sensitive applications,” wrote the watchdog.
In response, the named agencies said the cost of the new verification systems is too high and may exclude certain demographics of the population.
Only Veterans Affairs implemented a new system, but it still relies on knowledge-based verification in some cases.
The other downside is that if you don’t have credit, it just doesn’t show up in these systems. You need a credit card or some type of loan to “appear” in the eyes of the credit bureaus. That is a major problem for the millions who do not have a credit file, such as foreigners working in the United States on a visa. In 2015, an estimated 26 million people were “invisible credit.”
“However, until these agencies take steps to eliminate the use of knowledge-based verification, the people they serve will continue to have an increased risk of identity fraud,” the regulator wrote.