Federal, State Agencies’ Aid Programs Face Synthetic Identity Fraud

If a person loses their state ID or driver’s license, they may – depending on the rules of their state – have to take a trip to the State Secretary or Department of Motor Vehicles and wait in line with a handful of essential documents proving their identity to replace it.

That is, until COVID-19.

As states shut down their government buildings in the early stages of the coronavirus pandemic, government agencies were forced to reckon with how unprepared their outdated systems were to provide digitized services during a once-in-a-lifetime pandemic that required the public to shelter in place. At the same time, the public and private sectors faced cyberattacks, leaving valuable, sensitive information in the hands of threat actors.

So how do public authorities that manage public services prevent fraud and protect valuable personal data? That question was the subject of the “Future of Identity Fraud Roundtable,” an online panel hosted by Socure and Venable on June 17. During the discussion, experts weighed in on the unique challenges that government agencies face in verifying people’s identities, providing public assistance and preventing synthetic identity fraud, where cybercriminals combine real information with fabricated information to build a false identity.

“I think pretty much every state and government entity is looking to deliver good quality digital experiences to our constituents,” JR Sloan, CIO of the State of Arizona, said during the panel. “During the pandemic … this was a matter of public safety. We needed to be able to deliver experiences without touch.”

Estimates of the amount of fraud that occurred during the coronavirus pandemic vary. An academic paper published by researchers at the University of Texas – Austin found $64.2 billion of potentially misreported loans. A higher estimate from the Small Business Administration (SBA) identified at least $78.1 billion in potentially fraudulent loans and grants. Excluding data on coronavirus fraud cases brought by the Department of Justice, the Secret Service reportedly said that nearly $100 billion had been stolen from coronavirus aid programs for businesses and individuals, a conclusion it reached using its own cases and data from the U.S. Department of Labor and the SBA.

Over the past two years, federal government agencies’ public benefit programs have been under attack from cybercriminals in other countries, as well as domestic cybercriminals who use synthetic identities to intercept benefits intended for the U.S. public, says Jordan Burris, senior director of product market strategy at Socure.

Cybercriminals have shared information and digital guides on using stolen personal information to apply for public services, said Linda Miller, principal of advisory services at Grant Thornton and former deputy director of the U.S. Pandemic Response Accountability Committee, during the panel.

“The game has completely changed. And it’s not going to change back,” Miller said during the panel. “They will only become more and more sophisticated and skilled as the government continues to be challenged to deal effectively with this problem.”

Obstacles to becoming digital

Unlike the private sector, public authorities have to serve the public, which often involves reaching people who do not have addresses or bank accounts, Miller said. It may prove more difficult to confirm the identity of these vulnerable groups because there are fewer data points available for the government to cross-check, she explained.

While government agencies can use some basic indicators, such as a foreign IP address, to sort out scammers, there is no uniform solution for agencies to manage populations of people that are harder to authenticate, she said.

“These problems of how to solve this identity security problem in a way that will ensure justice across a lot of different types of groups that need public benefits will not create a ton more problems for voters and sell to citizens when they are trying to access their benefits,” Miller said. “What we need to think about is using data in a smarter way and meeting people where they are in relation to how much data we have about a person.”

Although sharing data between government agencies could allow them to easily verify the identity of benefit applicants, one challenge they face is the rules on what data they may and may not share with each other, Burris said. For some pieces of information, including a Social Security number, a taxpayer identification number, alien registration numbers or passport numbers, sharing between different public authorities may require Congress to pass federal laws that allow it.

Recent advances in data policy

Although rules currently prevent public authorities from sharing certain personal information, there are proposals to change the agency’s processes that could allow them to test secure data sharing, said Suzette Kent, CEO of Kent Advisory Services and former U.S. CIO, during the panel. Such proposals could allow, for example, the military to share and recover veteran or retirement data after a disaster, Kent said.

“We need to look at which information agencies are allowed to collect and how they can use it, and make sure these things fit [for] purpose for the type of thing we do,” Kent said. “It may require law, policy, technology and commitment with the particular set of citizens you serve.”

A recent example of biometric authentication going wrong was the IRS’s attempt to implement face recognition technology to verify the identity of individuals opening new online accounts. The agency announced on February 7 that it was abandoning its plans to use a third-party face recognition company to authenticate new accounts.

Remote verification of biometric identity brought problems around privacy, access and justice, which were met with immediate setbacks, Miller said. As state authorities attempt to use this technology, they are also required to comply with the National Institute of Standards and Technology’s “highest level of identity authorization.” But it has become clear that many federal and state authorities are not ready to address the many complexities of NIST compliance and the other issues that arise, she said.

Regardless of the remote authentication tool, public authorities need to maintain public trust and be transparent about how they use biometric technologies, Burris said.

Failure to maintain public confidence “erodes the ability to leverage innovation to combat what we see from a fraudulent point of view,” Burris said. “I would say that any supplier working in this space, again, needs to be transparent with practice so that we do not have that erosion.”

