Government’s role in protecting identity in an age of data breaches

Data breaches have become so common that they hardly register as a blip on our radar these days. We hear about them on the news. Or worse,  we learn about them if we are unlucky enough to receive a letter in the mail notifying us that we are among the victims.

According to the Identity Theft Resource Center, there have been more than 7,500 data breaches since 2005, involving more than 898 million records. Since the U.S. population consists of around 325 million people, that means there is a strong likelihood that most everyone’s records have been stolen at least once. Here’s why: stolen personal identification information is big business.

Hackers sell identity data to organized criminals. I’ve seen basic personally identifiable information (i.e., name, date of birth, Social Security number and address) sell for as low as $2 on the dark web. The more information that can be packaged to help with authentication of the basic identity, the higher the price. A recent study found the going rate of basic PII, coupled with information such as banking data or credit card numbers, is $15.

Organized criminal groups, both foreign and domestic, buy these stolen identities to commit all types of fraud -- medical identity fraud, credit card fraud and more -- at scale. One type of identity fraud that has increased in recent years is government identity fraud.

Government identity fraud: Why now?

Government identity fraud occurs when a criminal uses someone else’s identity to apply for and receive government benefits or services. In 2016, employment- or tax-related fraud was the No. 1 type of identity theft reported to the Federal Trade Commission by consumers. Even so, government benefits fraud is one of the most underreported types of identity theft because the individuals whose identities were used to steal benefits usually never find out. Unless a person files for unemployment benefits in his state, he will never know if someone else used his identity to receive those benefits. It’s never going to appear on a credit report. The smart criminals will simply use a victim’s identity outside of his home state.

Unfortunately, identity fraud is an unintended consequence of governments’ efforts to increase efficiency and convenience to citizens by moving programs online. Not so long ago people used to queue up at state and federal offices to register and receive benefits for unemployment, housing or food stamps. Face-to-face contact was a great way to ensure that people were who they said they were.

Since the advent of online services, however, government identity fraud has spiked. When agencies went digital, they removed many of the fraud barriers created by in-person appointments. During this transition agencies did not install the necessary validation and authentication processes for individuals who came to request benefits online.

It didn’t take long for fraudsters to discover the vulnerabilities. Public assistance programs have become a frequent and lucrative fraud target for criminals who use stolen or false identities to illegally obtain, trade or sell government benefits. For instance, organized crime groups in one southern state are using fraudulent identities to collect tax refunds and then sell this information to other criminals who use it for unemployment benefits, often across multiple state lines.

The losses to taxpayers have been staggering. The federal government estimates $36.3 billion in improper Medicaid payments, $3.9 billion in the unemployment insurance program and $2.4 billion in the Supplemental Nutrition Assistance Program annually. Other public assistance programs have similar improper payment rates. More importantly, the money earned from this type of fraud is being used to fund drug crime, terrorism and human trafficking.

The solution

I’m not suggesting we revert back to the brick-and-mortar model of waiting in long lines for in-person appointments. What government agencies must do is erect new fraud barriers using data, analytics and improved identity authentication techniques.

For example, some states combat unemployment insurance fraud with multilayered authentication, a security technique requiring multiple forms of personal information to verify a person’s identity. It uses data matching technologies that tap into an external database with billions of public records to verify a broad range of personal information and prove applicants’ identities. Similar techniques are used by some states to prevent identity fraud in Medicaid and tax refund programs.

Other ideas for fraud barriers in today’s digital world include the following:

• Text or email a time-sensitive password to a previously established phone number or email address.
• Go back to the face-to-face model in a virtual sense, requiring people to submit selfies from a smartphone along with a driver’s license, SSN or other identity document.
• Share their participant data with other states to gain an upper hand in stopping fraudsters who cross state lines to collect benefits.

The war on identity theft has already been lost. The new battle is stamping out identity fraud. We can’t go back to the old model of making people stand in line at government offices, but government must protect the identities of individuals requesting benefits and services. And we as citizens must be willing to sacrifice some of the online conveniences to ensure our identities are protected.