The challenge of keeping hackers from ripping off the government
The federal government has long struggled to keep its massive amounts of data safe from hackers. It has not always been successful, with huge security breaches at the Office of Personnel Management and other agencies exposing sensitive personal information on millions of citizens. The problem has been made even greater by security failures in the private sector, including one at Equifax that exposed more than 100 million individuals' information to hackers.
This last item has raised serious questions about the government's ability to screen and properly identify people who apply online for federal assistance programs -- including programs like Medicaid and Social Security. Are these real people in need, or hackers trying to rip off the government?
According to the Government Accountability Office, Uncle Sam still has a lot of work to do separating the hackers from the real people:
Remote identity proofing is the process federal agencies and other entities use to verify that the individuals who apply online for benefits and services are who they claim to be. To perform remote identity proofing, agencies that GAO reviewed rely on consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification. This type of verification involves asking applicants seeking federal benefits or services personal questions derived from information found in their credit files, with the assumption that only the true owner of the identity would know the answers. If the applicant responds correctly, their identity is considered to be verified. For example, the Social Security Administration (SSA) uses this technique to verify the identities of individuals seeking access to the “My Social Security” service, which allows them to check the status of benefit applications, request a replacement Social Security or Medicare card, and request other services.
However, data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently to respond to knowledge-based verification questions. The risk that an attacker could obtain and use an individual's personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications. Alternative methods are available that provide stronger security. However, these methods may have limitations in cost, convenience, and technological maturity, and they may not be viable for all segments of the public.
You can read the entire GAO report here.