Federal, State Agencies' Aid Programs Face Synthetic Identity Fraud

Balancing public service with fraud prevention requires rule revisions and public trust.

If a person loses their state ID or their driver's license, they may — depending on the regulations of their state — need to take a trip to the Secretary of State's office or Department of Motor Vehicles and wait in line with a handful of significant documents proving their identity in order to replace it.

That is, until COVID-19.

As states closed their government buildings in the early stages of the coronavirus pandemic, government agencies were forced to reckon with how unprepared their antiquated systems were to provide digitized services during a pandemic requiring the public to shelter in place. Simultaneously, the public and the private sector faced cyberattacks that left valuable, sensitive information in the hands of threat actors.

So how do government agencies administering public benefits prevent fraud and protect valuable personal data? That question was the subject of "Future of Identity Fraud Roundtable," an online panel hosted on June 17 by Socure and Venable. During the discussion, experts weighed in on the unique challenges government agencies face when verifying people's identities, providing government assistance, and preventing synthetic identity fraud, in which cybercriminals combine real information with fabricated information to build a fake identity.

"I think pretty much every state and government entity is seeking to deliver good, quality digital experiences to our constituents," said J.R. Sloan, CIO for the State of Arizona, during the panel. "During the pandemic phase ... this was a public safety issue. We needed to be able to deliver no-touch experiences."

Estimates on just how much fraud occurred during the pandemic vary. An academic paper published by researchers at the University of Texas — Austin found $64.2 billion worth of potentially misreported loans. A higher estimate from the Small Business Administration (SBA) identified at least $78.1 billion in possibly fraudulent loans and grants. Excluding data on coronavirus fraud cases brought by the Justice Department, the Secret Service reportedly said that nearly $100 billion had been stolen from coronavirus relief programs for businesses and individuals, a conclusion it reached using its own cases and data from the US Department of Labor and the SBA.

Over the past two years, federal government agencies' public benefit programs have been under attack from cybercriminals in other countries, as well as domestic cybercriminals using synthetic identities to intercept benefits meant for the American public, said Jordan Burris, senior director for product market strategy at Socure.

Cybercriminals have been sharing information and digital guides on using stolen personal information to apply for government benefits, said Linda Miller, principal of advisor services at Grant Thornton and former deputy executive director of the US Pandemic Response Accountability Committee, during the panel.

"The game has completely changed. And it's not going to change back," Miller said during the panel. "They're only going to get more and more sophisticated and more skilled as the government continues to be challenged to effectively deal with this problem."

Hurdles to Going Digital

Unlike the private sector, government agencies have to serve the public, which often entails reaching people who don't have addresses or bank accounts, Miller said. Verifying the identities of these vulnerable groups could prove to be harder because there are fewer data points available for the government to cross-check, she explained.

While government agencies can use some basic indicators, such as a foreign IP address, to screen out fraudsters, there is no one-size-fits-all solution for agencies to manage populations of people who are harder to authenticate, she said.

"These problems around how do we solve this identity proofing problem in a way that is going to ensure equity across a lot of different types of groups that need government benefits is not going to create a ton more problems for the constituents and sell to the citizens as they're trying to get access to their benefits," Miller said. "What we need to think about is using data in a smarter way and meeting people where they are in terms of how much data do we have on an individual."

Though sharing data between government agencies could allow them to verify benefit applicants' identities easily, government agencies are challenged by regulations on what data they can and cannot share with each other, Burris said. Sharing some pieces of information among government agencies, including a Social Security number, a taxpayer identification number, alien registration numbers, or passport numbers, could require Congress to pass federal laws allowing it.

Recent Progress in Data Policy

Though regulations currently bar government agencies from sharing certain personal information, there are proposals to change agency processes that could allow them to test safe data sharing, said Suzette Kent, CEO of Kent Advisory Services and former US CIO, during the panel. Such proposals could allow, for example, the military to share and recover veteran or retirement data following a disaster, Kent said.

"We have to look at what information agencies are authorized to gather and how they may use it, and ensure that those things are fit [for] purpose for the types of things that we're doing," Kent said. "That may require law, policy, technology, and engagement with the particular citizen set that you're serving."

A recent example of biometric authentication gone wrong was the IRS' attempt to implement facial recognition technology for verifying the identities of people opening new online accounts. The agency announced on Feb. 7 that it abandoned its plans to use a third-party facial recognition company for authenticating new accounts.

With remote biometric identity proofing came issues around privacy, access, and equity, which were met with immediate backlash, Miller said. As government agencies try to use this technology, they're also required to comply with the National Institute of Standards and Technology's "highest level of identity authorization." But it has become clear that many federal and state government agencies aren't ready to address the numerous complexities of NIST compliance and other issues that emerge, she said.

Regardless of the remote authentication tool, government agencies need to maintain public trust and be transparent about how they're using biometric technologies, Burris said.

Failing to maintain public trust "erodes the ability to leverage innovation in order to combat what we're seeing from a fraud standpoint," Burris said. "I would say any vendor working in this space, again, needs to be transparent with practices, so that we don't have that erosion."