The government may need to reevaluate its use of potentially vulnerable credit agencies.
A US federal watchdog warned the government against using credit agencies to verify identities, citing the high risk of hacking at those agencies.
According to a report from the Government Accountability Office, many government departments are still making use of various credit agencies such as Experian, Equifax, and TransUnion for identity verification before a person can use available government services online.
However, these agencies have been breached before by hackers who gained access to millions of accounts. In the Equifax breach of 2017, the hackers accessed the financial data of 148 million customers without those customers' permission. Worse, a later investigation revealed that the breach would have been preventable had Equifax been diligent in updating its security measures.
Currently, agencies such as the Social Service Administration, the US Postal Service, Veterans Affairs and Medicaid still use information from credit agencies to match the information supplied by a new user.
“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” the federal watchdog said.
In response, the named government agencies said that getting new verification systems is too expensive and may even “exclude certain demographics from the population.”
“Until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the watchdog explained.