Multiple government agencies are relying on a security measure that can be easily bypassed thanks to massive breaches like the Equifax hack, the US Government Accountability Office has found. In a report released Friday, the government watchdog group found that the US Postal Service, the Department of Veterans Affairs, the Social Security Administration and the Centers for Medicare and Medicaid Services have still been using "Knowledge-Based Verification" to make sure people who apply for benefits online are authentic.
This verification method asks applicants questions about information such as their date of birth, Social Security number and addresses, on the assumption that only the applicant would know that information. But in Equifax's 2017 breach, that information was stolen from 145.5 million Americans, more than half the US population.
That exposed many federal agencies using Knowledge-Based Verification to widespread fraud, as potential attackers could use the stolen information to apply for benefits and get replacement Social Security cards, the GAO found.
In 2017, the National Institute of Standards and Technology started advising against that verification method.
Lawmakers asked the government watchdog to review how many federal agencies were still using the outdated verification method after the Equifax breach. While the IRS and the General Services Administration dropped Knowledge-Based Verification as a security measure, the GAO found four federal agencies that were still relying on it.
In letters to all four agencies, Sen. Elizabeth Warren (D-Mass.), Sen. Ron Wyden (D-Ore.) and Rep. Elijah Cummings (D-Md.) asked what steps they were taking to protect consumer privacy after Equifax's breach, and why they were still using an outdated verification system.
"It is troubling that almost two years after the massive 2017 Equifax data breach federal government agencies continue to use outdated identity-proofing methods that put citizens at increased risk of identity theft," the lawmakers said in a statement. "We need to do more to prevent these kinds of breaches, and the government needs to be better and smarter about protecting citizens."
A Veterans Affairs spokesman said the agency "appreciates the lawmakers' views and will respond to them directly." The Social Security Administration said it received the letter and will also respond to members of Congress. The other two agencies identified in the report didn't immediately respond to requests for comment.
The GAO's report found that there are several alternatives to Knowledge-Based Verification, such as in-person identity verification or verification using mobile devices. The USPS and SSA told the GAO they were looking into alternatives but didn't expect to implement them by the end of this year. The SSA is looking to implement a safer method by 2020.
CMS said it had no plans to remove the verification method, telling the GAO that its users prefer the insecure measure, despite the potential for fraud, according to the report.
VA implemented alternatives but only as a supplement to the outdated security measure, the report said.
Officials from those three organizations said that while NIST stopped recommending Knowledge-Based Verification, it did not provide any viable alternatives. The GAO recommended that NIST improve its guidance for federal agencies, that the agencies improve their verification methods, and that the Office of Management and Budget require agencies to report on their progress.
"Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud," the GAO said in its report.
Originally published June 14, 6 a.m. PT.
Update, 8:18 a.m. PT: Adds response from the Department of Veterans Affairs; 8:38 a.m. PT: Adds response from the Social Security Administration.