Reducing costs and efficiently serving customers online is an objective of most organizations. This is also true for most federal agencies, but since the first website was created, federal agencies have faced the constant challenge of verifying the identities of their online users. Large-scale breaches have put citizens’ personally identifiable information (PII) up for sale on the dark web, increasing the challenges of identity verification. How can you be certain who is accessing a website and transacting business?  

Identity verification and the GAO reports

In June 2018, the Government Accountability Office (GAO) published a report entitled “Identity Theft – IRS Needs to Strengthen Taxpayer Authentication Efforts”. As noted in the report, “In May 2015, [the] IRS temporarily suspended its Get Transcript service after fraudsters used personal information obtained from sources outside IRS to pose as legitimate taxpayers and access tax return information from up to 724,000 accounts.” GAO highlights this breach alongside the 2015 Office of Personnel Management (OPM) breach, which affected over 22 million current and former employees and contractors, and the 2018 Equifax breach, which affected 145 million Americans.

GAO also highlighted that the IRS estimates there were attempts to steal at least $12.2 billion through identity theft (IDT) tax refund fraud in 2016. However, it estimates that it prevented the theft of at least $10.5 billion of that amount. That means that at least $1.6 billion was paid out to fraudsters. I’ll repeat, $1.6 billion in taxpayer dollars paid to criminals.  

The sheer volume of PII available to fraudsters warrants alternative approaches to the common practices of verifying identities online. Knowledge-based verification (KBV) typically challenges online users with questions from their credit report that only they should know. Today, there is a strong likelihood that fraudsters know that information, too.

Challenges in verifying identities securely are not limited to the IRS. The reality is that most federal agencies do not have high confidence in who is interacting with them online. This garnered the attention of Congress, which tasked GAO with examining the online identity verification processes deployed at six federal agencies that routinely interact with citizens online: the Centers for Medicare and Medicaid Services (CMS), the General Services Administration (GSA), the IRS, the Social Security Administration (SSA), the U.S. Postal Service (USPS) and the Department of Veterans Affairs (VA).

Some agencies not moving off knowledge-based verification

In May 2019, GAO released “Data Protection – Federal Agencies Need to Strengthen Online Identity Verification Processes.” The good news is that some agencies, including the IRS, no longer rely exclusively on KBV; surprisingly, others, including CMS, have no plans to move away from it. GAO reported that “Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public. For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.”