US GAO Reports Government Agencies Still Using Verification Method Weakened by Equifax Database-Breach
Nearly two years after the Equifax database breach, the US Government Accountability Office (US GAO) released a report last Friday naming the government agencies that still rely on knowledge-based authentication (KBA) in their online operations. The finding by the government watchdog serves as a warning to people transacting online with agencies such as the Social Security Administration, the US Postal Service, the Centers for Medicare and Medicaid Services, and Veterans Affairs that their accounts and their benefits are vulnerable to cyber attacks.
The US GAO is concerned because the 2017 Equifax breach exposed personally identifiable information belonging to more than 148 million people with Equifax credit reports.
Knowledge-based verification is a second-stage security measure used by a website when authenticating a user who wants to replace a forgotten password. Usually the verification consists of answering security questions about personal information that is supposed to be known only to the account holder. If the answers are supplied correctly, the password change is allowed, granting access to whoever initiated it.
Breached personal information such as credit-card details, Social Security numbers, driver's license numbers, dates of birth, email addresses and phone numbers can be used by cyber criminals to surreptitiously access benefits and other privileges provided by the aforementioned government agencies. Because account passwords can be replaced simply by passing knowledge-based authentication, and because the Equifax breach put exactly that kind of personal information in criminals' hands at massive scale, the method no longer provides meaningful assurance of identity.
That is why, immediately after the 2017 Equifax credit-report breach, the National Institute of Standards and Technology (NIST) recommended discontinuing knowledge-based authentication as a second-level method of verifying the identity of online account holders.
However, the US GAO noted that the 2017 NIST notification did not include guidelines directing government agencies on how to implement alternative methods of remote identity proofing, such as in-person verification or verification through the user's mobile device at sign-in.
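To make concrete what the shift away from knowledge-based authentication looks like in a password-reset flow, here is an added example that is not part of the GAO report or any agency's code. It implements an RFC 6238 time-based one-time password (TOTP) check as the possession factor tied to an enrolled mobile device, and a reset policy in which security-question answers are still recorded but are never sufficient on their own. The account data, the question names and the helper functions are all constructed for this illustration.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed demo (not agency code): a password-reset verifier in which
# knowledge-based answers are treated as a weak signal and a possession factor
# (a TOTP code from an enrolled device) is required for the reset to proceed.


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the common authenticator-app default."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected, code):   # constant-time compare
            return True
    return False


@dataclass
class Account:
    username: str
    kba_answers: Dict[str, str]        # constructed security-question answers
    totp_secret: Optional[bytes]       # None when no device has been enrolled


def kba_matches(account: Account, given: Dict[str, str]) -> bool:
    """Check the supplied answers; used only for logging, never for access."""
    if not given:
        return False
    return all(
        hmac.compare_digest(account.kba_answers.get(q, "").lower(), a.lower())
        for q, a in given.items()
    )


def evaluate_reset(account: Account, kba_given: Dict[str, str],
                   totp_code: Optional[str], now: Optional[int] = None
                   ) -> Tuple[bool, str]:
    """Return (allowed, reason). KBA answers alone never authorize a reset,
    because the answers may already be in breached data."""
    matched = kba_matches(account, kba_given)
    if account.totp_secret is None:
        return False, "no possession factor enrolled; route to in-person proofing"
    if totp_code is None:
        return False, "rejected: knowledge-based answers alone are not sufficient"
    if not verify_totp(account.totp_secret, totp_code, now):
        return False, "possession factor failed"
    suffix = " (KBA answers also matched)" if matched else ""
    return True, "possession factor verified" + suffix


if __name__ == "__main__":
    # RFC 6238 test secret; the 8-digit vector at T=59 is 94287082.
    acct = Account("demo.user", {"first_pet": "Rex"}, b"12345678901234567890")
    print(evaluate_reset(acct, {"first_pet": "rex"}, None))
    print(evaluate_reset(acct, {"first_pet": "rex"}, totp("12345678901234567890".encode(), 59), now=59))
```

The reset path that most agencies used before the GAO report is the first call: correct answers and no second factor. The policy above returns a refusal for it and a reason string suitable for an audit log, while a valid device code at the same moment is accepted. Accounts with no enrolled device are routed to another proofing method rather than falling back to questions.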
Actions Taken by Government Agencies Cited in the US GAO Report
The U.S. Department of Commerce agreed with the GAO's recommendation and committed, on behalf of NIST, the Social Security Administration, the US Postal Service, and Veterans Affairs, that steps will be taken to improve the security of their remote identity-verification processes.
The Centers for Medicare and Medicaid Services (CMS), through the Department of Health and Human Services, disagreed with the GAO recommendation. According to CMS, the recommended alternatives are not feasible for the citizens who use CMS services.
In response, GAO reiterated the reasons for its recommendation and suggested that CMS consider alternative methods beyond those named in the report.