Multiple government agencies are relying on a security measure that can be easily bypassed thanks to massive breaches like the Equifax hack, the US Government Accountability Office has found.
The report that was released last week, says that federal government relies on commercial credit agencies to help verify the identities of people who apply for benefits online. This verification method asked applicants questions like their date of birth, Social Security numbers and addresses, assuming that only the applicant would have that information. But in Equifax’s breach in 2017, that information had been stolen from 145.5 million Americans, about half the US population.
That exposed many federal agencies using Knowledge-Based Verification to widespread fraud, as potential attackers could use the stolen information to apply for benefits and get replacement Social Security cards.
There are alternative methods to verify identity, such as comparing a photo of an ID card captured on a cell phone to documentation on file, but federal agencies have had issues with implementing them. For instance, not all applicants have cell phones.