US GAO Reports Government Agencies Still Using Verification Method Weakened by Equifax Database Breach

Nearly two years after the Equifax database breach, the US Government Accountability Office (US GAO) released a report last Friday naming federal agencies that still rely on knowledge-based verification to confirm the identity of people using their online services. The watchdog's finding serves as a warning to anyone transacting online with the Social Security Administration, the US Postal Service, the Centers for Medicare & Medicaid Services and the Department of Veterans Affairs that their accounts, and the benefits tied to them, are exposed to account takeover.

The GAO's concern stems from the 2017 Equifax breach, which exposed personal identifying information belonging to more than 148 million people whose credit files Equifax held.

Knowledge-based verification is a second-stage check a website applies when an account holder asks to reset a forgotten password, and in many cases when a person first applies for an online account. The user is asked questions about personal details that supposedly only the genuine account holder would know. If the answers match what is on file, the site allows a new password to be set, granting access to whoever initiated the reset.

The breached data covers exactly those details: credit card numbers, Social Security numbers, driver's license numbers, dates of birth, email addresses and phone numbers. Criminals holding it can answer the verification questions, reset the password and quietly access benefits and other services from the agencies named above. Because knowledge-based verification treats widely leaked personal data as if it were a secret, the Equifax breach, which put that data in criminal hands on a massive scale, left the method unreliable.
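
To make the weakness concrete, here is an added example, not code from the GAO report or from any agency system: a password-reset check that relies on knowledge-based verification, beside a possession-based check of the kind the "user mobile device" alternative mentioned later in this article implies. The account data, the breach record, the question set and the TOTP secret are all constructed for the illustration; the secret is the RFC 6238 test key so the one-time codes can be checked against the published vectors. The point it demonstrates is that a breach row maps directly onto the KBV answers, while it contains nothing that helps against a code generated on the user's own device.

```python
"""Knowledge-based verification (KBV) versus a possession-based check.

Added example; not from the GAO report or any agency system. The account,
the breach record and the TOTP secret are constructed for the demo (the
secret is the RFC 6238 test key, so the codes match the RFC's vectors).
"""
import hashlib
import hmac
import struct

# Constructed: what an agency might keep on file for one account holder.
ACCOUNT = {
    "username": "jdoe",
    "ssn_last4": "6789",
    "dob": "1975-04-12",                      # stored as an ISO date
    "phone_last4": "0143",
    "totp_secret": b"12345678901234567890",   # RFC 6238 test key (assumption)
}

# Constructed: the same person's row as it could appear in a breach dump.
BREACH_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": "04/12/1975",
    "phone": "+1 (202) 555-0143",
    "email": "jdoe@example.com",
}

KBV_QUESTIONS = ("ssn_last4", "dob", "phone_last4")   # hypothetical question set


def kbv_verify(account: dict, answers: dict) -> bool:
    """Second-stage reset check built on 'something only you know'.

    Every question must be answered and every answer must match. The
    comparison is constant-time, so the check itself leaks nothing; the
    weakness is that the expected answers are ordinary PII, not secrets.
    """
    ok = True
    for q in KBV_QUESTIONS:
        given = str(answers.get(q, "")).strip().lower()
        ok &= hmac.compare_digest(given.encode(), account[q].lower().encode())
    return ok


def answers_from_breach(record: dict) -> dict:
    """Derive the KBV answers straight from leaked data (the attacker's step)."""
    month, day, year = record["dob"].split("/")
    phone_digits = "".join(ch for ch in record["phone"] if ch.isdigit())
    return {
        "ssn_last4": record["ssn"].replace("-", "")[-4:],
        "dob": f"{year}-{month}-{day}",
        "phone_last4": phone_digits[-4:],
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def totp_verify(account: dict, code: str, unix_time: int, step: int = 30) -> bool:
    """Possession-based reset check (the 'user mobile device' alternative).

    Accepts the current step and one step either side to tolerate clock skew.
    """
    secret = account["totp_secret"]
    return any(
        hmac.compare_digest(totp(secret, unix_time + skew * step), code)
        for skew in (-1, 0, 1)
    )


def run_demo(now: int = 59) -> dict:
    """Run an attacker holding the breach record against both reset checks."""
    attacker_kbv = answers_from_breach(BREACH_RECORD)
    attacker_code = "000000"   # breach data holds no TOTP secret; a guess is all they have
    legit_code = totp(ACCOUNT["totp_secret"], now)   # what the user's device shows
    return {
        "kbv_accepts_attacker": kbv_verify(ACCOUNT, attacker_kbv),
        "totp_accepts_attacker": totp_verify(ACCOUNT, attacker_code, now),
        "totp_accepts_user": totp_verify(ACCOUNT, legit_code, now),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo reports that the KBV check accepts the attacker's breach-derived answers outright, while the possession check rejects the guess and accepts only the code from the enrolled device. Real KBV services ask credit-history questions rather than the three used here, but those answers come from the same kind of data the breach exposed, so the outcome is the same.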

That is why NIST, in 2017, the year of the Equifax breach, recommended that agencies stop relying on knowledge-based verification as a method of verifying the identity of online account holders.

The GAO noted, however, that the 2017 NIST guidance did not tell agencies how to implement alternative methods of remote identity proofing, such as in-person verification or checks that rely on the user's mobile device.

Actions Taken by Government Agencies Cited in the US GAO Report

The U.S. Department of Commerce, responding on behalf of NIST, together with the Social Security Administration, the US Postal Service and the Department of Veterans Affairs, agreed with the GAO's recommendations and committed to strengthening their remote identity verification processes.

The Centers for Medicare & Medicaid Services (CMS), responding through the Department of Health and Human Services, disagreed with the GAO recommendation. According to CMS, the alternative methods recommended are not practical for the people who use its services.

In response, GAO restated the reasons for its recommendation and suggested that CMS could consider alternative methods other than those named in the report.
