If a person loses their ID card or driver’s license, they may – depending on their state’s regulations – have to go to the Secretary of State’s office or the Department of Motor Vehicles and stand in line with a handful of important documents proving their identity to replace it.
That is, until COVID-19.
As states closed their government buildings at the start of the coronavirus pandemic, government agencies were forced to consider the unpreparedness of their antiquated systems to deliver digitized services during a once-in-a-lifetime pandemic requiring the public to shelter in place. Simultaneously, the public and private sectors have faced cyberattacks that have left valuable and sensitive information in the hands of threat actors.
So how do the government agencies that administer public benefits prevent fraud and protect valuable personal data? This question was the subject of the “Future of Identity Fraud Roundtable,” an online panel organized on June 17 by Socure and Venable. During the discussion, experts weighed in on government assistance and on the unique challenges government agencies face when verifying people’s identities and preventing synthetic identity fraud, in which cybercriminals combine real information with fabricated information to create a false identity.
“I think almost every state and government entity is looking to provide good quality digital experiences for our constituents,” Arizona State CIO JR Sloan said during the panel. “During the pandemic phase…it was a public safety issue. We needed to be able to provide contactless experiences.”
Estimates of how much fraud has occurred during the coronavirus pandemic vary. An academic paper published by researchers at the University of Texas – Austin found $64.2 billion in potentially misreported loans. A higher estimate from the Small Business Administration (SBA) identified at least $78.1 billion in potentially fraudulent loans and grants. Excluding data on coronavirus fraud cases reported by the Justice Department, the Secret Service reportedly said nearly $100 billion was stolen from coronavirus relief programs for businesses and individuals, a conclusion it reached using its own cases and data from the US Department of Labor and the SBA.
Over the past two years, federal government agencies’ public interest programs have been attacked by cybercriminals from other countries, as well as domestic cybercriminals using synthetic identities to intercept benefits intended for the American public, said Jordan Burris, Senior Director of Product Market Strategy at Socure.
Cybercriminals have shared information and digital guides on using stolen personal information to apply for government benefits, said Linda Miller, director of advisory services at Grant Thornton and former deputy executive director of the US Pandemic Response Accountability Committee, during the panel.
“The game has completely changed. And it’s not going to go back,” Miller said during the panel. “They will only become more sophisticated and skilled as the government continues to be challenged to deal effectively with this problem.”
Barriers to digital switchover
Unlike the private sector, government agencies must serve the public, which often means reaching people who don’t have addresses or bank accounts, Miller said. Verifying the identity of these vulnerable groups could prove more difficult, as there are fewer data points available for the government to cross-check, she explained.
While government agencies can use some basic indicators, like a foreign IP address, to screen out fraudsters, there’s no single solution for agencies to manage populations of people who are harder to authenticate, she said.
“These issues about how to solve this identity verification problem in a way that will ensure fairness among many different types of groups who need government benefits, will not create a ton of additional problems for voters and sell to citizens as they try to access their benefits,” Miller said. “What we need to think about is using data in smarter ways and meeting people where they are found in terms of the amount of data we have on an individual.”
While sharing data between government agencies can allow them to easily verify the identity of benefit claimants, one of the challenges government agencies face is regulating what data they can and cannot share between them, Burris said. For certain information to be shared — including a social security number, tax ID, alien registration numbers, or passport numbers — permission to share data among various government agencies could require Congress to pass federal laws authorizing it.
Recent Advances in Data Policy
Although regulations currently prohibit government agencies from sharing certain personal information, there are proposals to change agency processes that could allow them to test data sharing safely, said Suzette Kent, CEO of Kent Advisory Services and former US CIO, during the panel. Such proposals could allow, for example, the military to share and retrieve data on veterans or retirees following a disaster, Kent said.
“We need to look at what information agencies are allowed to collect, and how they can use it, and make sure that information is appropriate [for] the type of things we do,” Kent said. “It may require law, policy, technology, and engagement with the particular group of citizens you serve.”
A recent example of biometric authentication gone wrong was the IRS’ attempt to implement facial recognition technology to verify the identity of people opening new accounts online. The agency announced on Feb. 7 that it had dropped plans to use a third-party facial recognition company to authenticate new accounts.
Remote biometric identity verification raised privacy, access and fairness issues, which drew immediate backlash, Miller said. As government agencies attempt to use this technology, they are also required to comply with the National Institute of Standards and Technology’s “highest level of identity clearance.” But it has become clear that many federal and state government agencies are unprepared to deal with the many complexities of NIST compliance and other emerging issues, she said.
Regardless of the remote authentication tool, government agencies must maintain public trust and be transparent about how they use biometric technologies, Burris said.
Failing to maintain public trust “erodes the ability to leverage innovation to combat what we see from a fraud perspective,” Burris said. “I would say any vendor working in this space, again, needs to be transparent with their practices, so we don’t have that erosion.”