GAO: After Equifax Breach, KBA No Longer EffectiveNew Report Calls for Other Methods of Authentication at Federal Agencies
Some federal agencies inappropriately continue to rely on knowledge-based authentication to prevent fraud and abuse even though this method is no longer trustworthy because so much personal information that's been breached is readily available to fraudsters, a new U.S. Government Accountability Office report notes.
The report singles out the U.S. Postal Service, the Social Security Administration, the Department of Veterans Affairs and the Centers for Medicare and Medicaid Services for continuing to use knowledge-based authentication.
The GAO, however, points out that two other agencies it examined, the General Services Administration and the Internal Revenue Service, have adopted new methods of verifying identity.
The report suggests that government agencies should drop knowledge-based authentication and use other forms of identification that include, for example, asking for submission of a picture of a driver's license via a cellphone, which could be compared to other documents on file with the government.
As part of its recommendations, the GAO is asking the Office of Management and Budget, which has oversight over all the federal government's IT practices, to require agencies to adopt new identification methods being developed by the National Institute of Standards and Technology.
"Until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identify proofing processes," according to the GAO report.
In the report, all of agencies that GAO examined agreed with the findings, except the Centers for Medicare and Medicaid Services, which believes that alternatives to current knowledge-based authentication are not feasible for those that the agency serves.
"Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public," according to the GAO. "For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud."
Post Equifax Breach World
For years, a number of federal agencies had relied on knowledge-based authentication, posing questions to verify the identity of those asking for or receiving federal services and benefits. Agencies could verify the accuracy of the answers to those questions through credit reporting agencies, such as Equifax, Experian and TransUnion.
But the 2017 breach of Equifax exposed data on 148 million Americans, which could enable fraudsters to impersonate individuals seeking government assistance because they would have access to personal data (see: Congressional Report Rips Equifax for Weak Security).
The Equifax breach began with a failure to patch a vulnerability in the Apache Struts open source web application framework that allowed attackers to find their way into the network and steal personal data.
A recent report released the U.S. Senate Permanent Subcommittee on Investigation found that Equifax failed to follow its own cybersecurity policies, including those prescribing how and when to patch critical software vulnerabilities (see: Congressional Report Rips Equifax for Weak Security).
These reports into what happened at Equifax are reflected in the GAO's conclusion that older methods of identity management on the federal level need to be rethought.
"Given recent breaches of sensitive personal information, these agencies face risks because fraudsters may be able to obtain and use an individual's personal information to answer knowledge-based verification questions and successfully impersonate that individual to fraudulently obtain federal benefits and services," the GAO report states.
More Work Ahead
The GAO report makes three recommendations for improving identify management at federal agencies:
- Agencies should develop better methods to remotely identify people and discard older, knowledge-based verification methods;
- NIST should offer more technical guidance for agencies looking to adopt new identification methods;
- OMB should require federal agencies to provide updates on their progress toward adopting new identity management methods and standards.
Even if federal agencies implement new forms of authentication, including biometrics, the governments' large pool of data would still be a target for attackers, says Steve Durbin, the managing director of the Information Security Forum.
"The problem is that with any data lake of high value information, criminals know where to go to get the crown jewels. The answer may not be to remove a reliance on the credit agencies but to ensure that they are protecting the personal data in a manner that is appropriate for all concerned," Durbin says.