Unfortunately, when government agencies offer entitlements, benefits or loans, there seems to be a lineup of fraudsters poised to steal them. In today’s evolving environment, stimulus benefits will be up for grabs. As well, when you consider Social Security, Veteran’s disability, student loans and grants, supplemental income, nutrition assistance, unemployment, Medicare, Medicaid or Affordable Care — it’s clear no program is safe and no tax refund out of bounds.
This issue is more concerning given the number of data breaches over the past decade. In 2019 alone, according to the Identity Theft Resource Center, there were 1,473 data breaches exposing 869.7 million consumer records. That number covers breaches across five industry sectors, including government, and includes both sensitive PII records and non-sensitive records like user names and passwords. What’s more, 76,000 people reported being victims of a Social Security impersonation scam.
These breaches put confidential personal information into the hands of the wrong people, creating a range of online fraud risks for agencies and their users. The third revision of NIST Special Publication 800-63 has strengthened its identity guidance, and the access controls that follow from it, to address these problems.
In the meantime, agencies still experience account takeover (ATO) fraud, which occurs when the wrong person gains access to a user account belonging to someone else. The diversion and theft of benefits, refunds and/or payments is invariably the result.
Agencies are vulnerable to identity theft fraud
Agencies have been working since before the 1980 Paperwork Reduction Act to make self-service a more viable option. In recent years, higher online expectations have led user experience programs to consider friction mitigation when offering services. The goal is an easier process for qualified, “true” constituents to apply for and receive services, benefits and entitlements.
The growing sophistication of individual fraudsters and organized syndicates, coupled with easy access to exploitable personal data, has challenged agencies. Today’s fraudsters have easy access to downloadable exploits and step-by-step instructions, and ATO is typically perpetrated through:
Credential cracking – Discovering a victim’s legitimate credentials by repeatedly trying to log in to the user’s account through various methods, then using them
Credential stuffing – An automated process that attempts to break into many different website accounts with known username and password pairs
Social engineering – Using limited personal information to extract more details about the constituent from call center staff, or to have an account’s password reset
SIM swap – Gaining control of a victim’s mobile phone via SIM card data purchased on the dark web
Three key ways to combat account takeover
Improved access controls will help mitigate these risks while protecting constituents and agencies. Here are three approaches to consider:
Improve identity proofing during account setup
Enrollment is an opportune time for agencies to link the user device to an online account. Account-to-device linking allows identity managers to recognize when something is different (e.g., a new device). A new device is often legitimate, since most of us use several, so confirming the true user at this point is helpful.
Of course, each time a new device is recognized, there’s an opportunity to look into the device family and its related usage pattern to identify nefarious activity or reputational concerns. Sending an enrollment code to a known device is critical to this process, as it completes the binding of the human user to the electronic user account.
Use multifactor authentication for account logon and critical account changes
While agencies try to limit barriers for citizens using online tools, call centers or offices, there are more efficient ways to protect a user account from fraud. Multifactor authentication (MFA) at logon is an effective means of protecting online accounts because it revalidates the relationship between the human user and the electronic user account. It can also protect the most at-risk account changes — password reset, change of address, direct deposit and the like.
There are many options allowing users to tailor MFA to their own preferences, using channels ranging from mobile devices to basic landlines.
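The following is an added example, not code from the original post or from TransUnion, showing one way to enforce the policy described above: a fresh MFA code is required at logon and again for each of the at-risk account changes (password reset, change of address, direct deposit), while routine actions only need a session that already passed MFA. The code generator follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the action names, the `MfaVerifier` class and the `authorize` decision values are assumptions made for this illustration, and the demo secret is the published RFC test-vector key, not a real user's secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Account actions the post singles out as the most at-risk; MFA is re-checked for
# these even inside a session that already passed MFA at logon. (Names assumed.)
CRITICAL_ACTIONS = {"password_reset", "change_address", "change_direct_deposit"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step (default 30 seconds)."""
    return hotp(secret, at // step, digits)


class MfaVerifier:
    """Verifies TOTP codes for one user, tolerating +/- `window` steps of clock
    drift and never accepting the same time step twice (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self._accepted_steps = set()   # time steps whose code has already been used

    def verify(self, code: str, at: int) -> bool:
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter in self._accepted_steps:
                continue
            # Constant-time comparison so a wrong code leaks nothing about the right one.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self._accepted_steps.add(counter)
                return True
        return False


def authorize(verifier: MfaVerifier, action: str, session_mfa_ok: bool,
              code: Optional[str], at: int) -> str:
    """Policy decision for one account action: "allow", "deny" or "mfa_required".

    Logon and the critical changes always need a fresh code, even if the session
    already passed MFA; every other action only needs an MFA-validated session.
    """
    if action == "logon" or action in CRITICAL_ACTIONS:
        if code is None:
            return "mfa_required"
        return "allow" if verifier.verify(code, at) else "deny"
    return "allow" if session_mfa_ok else "mfa_required"


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test-vector key stands in for a per-user
    # secret that a real system generates at enrollment and stores encrypted.
    demo_secret = b"12345678901234567890"
    verifier = MfaVerifier(demo_secret)
    now = 59   # seconds since epoch, chosen to match the RFC 6238 test vector
    print("logon, no code        ->", authorize(verifier, "logon", False, None, now))
    print("logon, valid code     ->", authorize(verifier, "logon", False, totp(demo_secret, now), now))
    print("view balance          ->", authorize(verifier, "view_balance", True, None, now))
    print("change direct deposit ->", authorize(verifier, "change_direct_deposit", True, None, now))
```

The replay set is what makes "revalidation" meaningful: a code captured by a phishing page and submitted a second time within the same 30-second step is refused, and the direct-deposit change is refused without a new code regardless of how the session was established.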
Omni-channel user account protection
We know fraudsters will continue to use a range of techniques from social engineering to spear-phishing to gain access to user accounts. However, agencies can help protect constituents by making adjustments to their authentication processes.
Call center risk has increased: as modern identity stacks have gotten better at protecting online account security, fraudsters have shifted toward the call center channel. Mitigation is critical in these environments — and fortunately, technology enabling call centers to vet identity in real time is available. Capabilities include sending one-time passcodes to known user devices, which also allows the device to be interrogated for additional risk signals. Other options include knowledge-based questions that call center representatives are trained to deliver verbally, listening for responses indicative of nefarious activity.
To prevent account access via phished credentials, a password change request could compare the user name to the device identity to determine whether that combination has been seen before. If the device isn’t recognized, it could be checked for reputational risks, such as known associations with fraud. It could also trigger further identity proofing requirements, such as a one-time passcode that associates that device with the user’s account.
No matter where your risks exist, an effective risk management evaluation will uncover them, and an access security program can then be designed that best suits your organization and user base.
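As an added example (not code from the original post or from TransUnion), the flow below ties together the enrollment binding described in "Improve identity proofing during account setup" and the password-change check just described: a device is bound to the account only after the enrollment code sent to it is confirmed; a later password-change request is allowed from a bound device, refused from a device on a reputation list, and otherwise triggers a one-time passcode delivered to a device the account already trusts, after which the new device is bound. The device identifiers, the `DEVICES_LINKED_TO_FRAUD` list, the in-memory `Account` store and the `OUTBOX` gateway stand-in are all constructed for this illustration; a real deployment would use a device-intelligence feed, a database and an SMS or push gateway in their place.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a device reputation feed: identifiers previously tied to fraud.
DEVICES_LINKED_TO_FRAUD = {"dev-fraud-ring-77"}

# Constructed stand-in for an SMS/push gateway: records (destination_device, code).
OUTBOX = []


@dataclass
class Account:
    username: str
    bound_devices: set = field(default_factory=set)   # devices linked at enrollment or step-up
    pending: dict = field(default_factory=dict)       # device being proven -> sha256 of its code


def _issue_code(account: Account, for_device: str, deliver_to: str) -> str:
    """Create a one-time code that proves `for_device`, store only its hash,
    and deliver it to `deliver_to` (the device whose holder must approve)."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    account.pending[for_device] = hashlib.sha256(code.encode()).hexdigest()
    OUTBOX.append((deliver_to, code))
    return code


def _redeem_code(account: Account, for_device: str, code: str) -> bool:
    """Single-use check: the pending code is discarded whether or not it matched,
    so a wrong guess cannot be followed by more guesses against the same code."""
    expected = account.pending.pop(for_device, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(code.encode()).hexdigest())


def start_enrollment(account: Account, device_id: str) -> str:
    """Enrollment: the code goes to the device being registered."""
    return _issue_code(account, device_id, deliver_to=device_id)


def complete_enrollment(account: Account, device_id: str, code: str) -> bool:
    """Bind the device only once the enrollment code sent to it is entered."""
    if _redeem_code(account, device_id, code):
        account.bound_devices.add(device_id)
        return True
    return False


def evaluate_password_change(account: Account, device_id: str) -> str:
    """Decision for a password-change request from `device_id`:
    "allow" (username/device pair already known), "deny" (device on the fraud list,
    or nothing to step up against) or "step_up" (unknown device, proof required)."""
    if device_id in DEVICES_LINKED_TO_FRAUD:
        return "deny"
    if device_id in account.bound_devices:
        return "allow"
    if not account.bound_devices:
        return "deny"   # no trusted device to confirm with; route to manual proofing
    return "step_up"


def request_step_up(account: Account, new_device_id: str):
    """Send a one-time passcode to a device already bound to the account. Returns
    the device it was sent to and the code (returned here only for the demo)."""
    trusted = sorted(account.bound_devices)[0]
    return trusted, _issue_code(account, new_device_id, deliver_to=trusted)


def complete_step_up(account: Account, new_device_id: str, code: str) -> str:
    """A correct code both approves the password change and binds the new device."""
    if _redeem_code(account, new_device_id, code):
        account.bound_devices.add(new_device_id)
        return "allow"
    return "deny"


if __name__ == "__main__":
    acct = Account("jdoe")                               # constructed sample account
    complete_enrollment(acct, "dev-phone-A", start_enrollment(acct, "dev-phone-A"))
    print("from enrolled phone ->", evaluate_password_change(acct, "dev-phone-A"))
    print("from listed device  ->", evaluate_password_change(acct, "dev-fraud-ring-77"))
    print("from new laptop     ->", evaluate_password_change(acct, "dev-laptop-B"))
    sent_to, code = request_step_up(acct, "dev-laptop-B")
    print("passcode sent to", sent_to, "->", complete_step_up(acct, "dev-laptop-B", code))
```

Two design choices carry the security value here: the step-up code is delivered to a device the account already trusts rather than to the device making the request, so a phished password alone never completes the change; and each code is single-use and stored only as a hash, so neither a replay nor a leaked store yields a usable code.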
To learn more about how TransUnion’s identity solutions can help your agency, please contact me directly.