Identity used to be the one thing that belonged to each of us exclusively. Personal information, like Social Security numbers, was enough to confirm identity — an essential process when it comes to major life transactions like banking and government services.
The global upsurge in online activity and the availability of personally identifiable information (PII) on the web, combined with the increasingly sophisticated techniques of identity thieves, has driven exponential growth in identity theft and synthetic identities. That makes it critical for private and public entities to employ more effective digital identity authentication tools to verify that online users are who they say they are.
For government agencies, identity fraud can lead to substantial costs and impact potential revenues such as expected tax payments and fees, as well as cause disruption of vital operations and a damaging loss of public trust.
The impact on citizens is significant as well. Fraudulent claims can cause a redirect or delay of critical social resources and entitlement payments that qualified recipients rely on to access housing, medical care and food. Fraudulent employment filings can make it appear someone is underreporting income and negatively impact their tax liability. False tax return filings may cause victims to go through a lengthy paper filing and affidavit process that delays refunds by many months.
The IRS estimates that 2016 saw an attempted $12.2 billion in identity theft tax refund fraud, but it averted roughly $10.6 billion in invalid refund payments. The agency also reported that its Return Review Program — the IRS’s primary pre-refund tool for detecting and preventing the issuance of invalid refunds — prevented more than $6.51 billion in invalid refunds between January 2015 and November 2017. Beyond individuals, fraudulent corporate returns are an ongoing problem, stemming from business identity theft intended to scam federal, state or local tax authorities or obtain credit from banks or vendors.
A user’s digital identity is harder to validate and easier to falsify. Criminals also create well-rounded synthetic identities that stand up to scrutiny through multiple accounts and could be more likely to pass cursory background checks.
Along with stealing legitimate PII and login credentials, criminals create digital identities that look real by:
• Combining real Social Security numbers (often belonging to children, the elderly or the homeless) with other information that appears valid, such as an address or government-issued ID number.
• Merging real information from several people into a new persona.
• Fabricating an entirely new “person” using a false Social Security number.
So what can government agencies do to protect themselves — and by extension, the public — from this kind of fraud? Further, how can they accomplish this in a way that provides a frictionless experience similar to what is offered by the private sector — a smooth and intuitive process that allows citizens easy access to their information and to government services?
There’s a small cross-section of bad actors intent on defrauding government agencies, but the majority of people are conducting legitimate activities to get the service they need, whether submitting a benefits claim, requesting a permit or filing their taxes. Government agencies can offer a frictionless experience while effectively validating identity.
It starts with a different mindset about security and identity. Today, the concern is proving that the person initiating the transaction is actually who they say they are, and has a valid reason for the interaction.
Many state and local agencies still lean on single-factor authentication such as login credentials, according to a Government Research Council study. Unfortunately, login credentials are easily stolen through outright theft of user databases, phishing scams and insider security leaks. Biometrics has been touted as a solution, but synthetic fingerprint technology has been developed that could render this path less reliable.
I believe the answer is in a multilayer, multifactor approach. Government agencies should consider implementing, at a minimum, a two-factor verification process. Most common to consumers is a cellphone-based SMS push notification in which the user receives a code via text message to enter at the point of login.
Single sign-on (SSO) is also a reliable approach that can help prevent the friction that gets between authorized users and data. Public-facing sites and applications can make use of these same techniques to make it easier for private citizens to access services across government. Agencies can also look at cloud-based SSO tools to lower risk and, again, reduce the friction that layers of security can add to transactions.
True authentication can go much further, connecting online behavior patterns and activity with automated, AI-based tools that can provide real-time analysis of hundreds of elements: geolocation, device ID, IP addresses, profiles generated from publicly available records, biometrics and behavioral information.
Government agencies must train staff to be vigilant about their own behaviors, such as not clicking on links in scam emails and locking their devices. They also need to be trained in how to identify and respond to suspicious activity among the people they’re serving, and how to distinguish between individual cases of fraud and mass fraud that must be elevated to the special investigations unit. Training needs to be backed by ongoing reinforcement to remind internal users of the threats, the risks, and the ways things can go very wrong, or right.
Of course, newer technologies, training programs and additional security personnel have to be budgeted, and this can mean a long planning cycle. That’s why a strategic plan is needed to help shepherd these programs through the approval process. Meanwhile, agencies can make incremental changes to get closer to their digital identity management goals.
Since they exist to serve the public, government agencies need to make interactions as frictionless as possible while at the same time safeguarding their systems and, ultimately, the public from the effects of fraud. Through a multifactor approach, training and the right application of technology, agencies can put the fraudsters on the defensive while lowering the barriers to valid interactions with legitimate users.