Jump to ↓
Keeping up with the enemy |
Guarding the front door |
During the last 10 years, government agencies have been providing more and more services online. Citizens are filing and paying taxes, obtaining licenses, and applying for benefits. By and large, citizens have become comfortable interacting with government agencies digitally. In fact, they’re increasingly preferring it. They don’t want to have to go to an office or even talk to a person on the phone. Agencies themselves have welcomed digital interaction because it saves them staff time and resources.
But for all its advantages, the expansion of digitally delivered services also has provided more and more opportunities for fraud, especially digital identity fraud. Fraudsters are discovering and capitalizing on weak spots in government IT systems, resulting in data breach exploitation and illicitly obtained benefits.
The problem exploded during the pandemic as bad actors unlawfully accessed government benefits and financial support initiatives. All this has put pressure on agencies to establish robust protections that ensure benefits and services are being provided to those who truly need them. At the same time, agencies can’t make it more difficult for legitimate users of online government services to access them. What’s needed is a rigorous identity verification strategy that verifies identities at the front end—a strategy that uses digital technology to battle digitally powered fraud.
Keeping up with the enemy
To better understand the need for a stronger identify verification strategy, government entities need to understand what they’re up against when it comes to digital fraud risk. Though the pandemic has subsided, fraudulent activity has not. In fact, fraud continues to evolve. Those engaged in defrauding the government have numerous techniques for appearing to be someone that they’re not. These include:
- Generating synthetic identities
- Device farming
These strategies aren’t necessarily new. But fraudsters are constantly “innovating,” making their attacks harder to detect. One newer tool that has the potential to wreak tremendous havoc is generative AI (GenAI). This emerging technology can generate emails and even phone calls that can be remarkably and alarmingly capable of making perpetrators appear to be someone they’re not.
The need for digital security also isn’t new, of course. Government agencies are aware of the need to verify the identities of those accessing their websites. But not all of them understand how fraud techniques have evolved, and that they’re always evolving. Agencies have shifted from “traditional” password and username verification to knowledge-based authentication (KBA) and both multifactor authentication (MFA).
But in some respects, that’s fighting the last war. These verification strategies were considered best practices not so long ago. But fraudsters have figured out ways to get around them, fooling IT networks into “believing” that their identities are legitimate.
One such technique is called Adversary-in-the-Middle (AitM). This describes an attack where the threat actor intercepts messages between the sender and recipient, letting them steal sensitive identification data. AitM techniques are so sophisticated that they can completely bypass MFA and KBA methods.
In short, government agencies need to verify users of their digital services before they can get in and cause trouble. This will require them to consider more rigorous and more up-to-date verification strategies, such as biometrics and device identification. Just as importantly, they also need to look at how they’re managing their risk at every point in their interaction and determine where the gaps lie, and then put in place strategies for addressing them
Strengthening identity verification strategies at the front end provides several advantages. This approach can keep government entities from having to investigate fraud after the fact and attempt to claw back illicitly gained benefits and funds. Shifting from “pay-and-chase” to prevent-and-detect can save government entities precious resources of money and staff time.
There’s something that complicates this situation. Constituents have gotten so used to interacting with the government online that they expect that agencies will, in a sense, act like financial institutions. That means they want to feel confident that government entities will rigorously protect their private data. They also want their interactions to be “frictionless”—that is, they want digital interfaces that are easy to use and navigate. They don’t want to be slowed down or confused by security protocols. Government agencies will need security solutions that maximize protection while minimizing friction.
Guarding the front door
In many ways, the increasing use of digital interactions between government and constituents has been a boon to both parties. But it has also provided more tricks fraudsters and cyber-attackers can use to unlawfully access and steal benefits and sensitive data. The pandemic period and ongoing technology innovation have generated added opportunities for identity fraud and data breaches.
Then, it is critical that government agencies establish a preventive identity solution while not making it difficult for citizens to obtain the services and benefits they need. While agencies may view strengthening their identity verification strategies while minimizing friction as a significant IT expense, it will save them time and money while reducing program losses. To learn more about how agencies can better protect themselves and their constituents by establishing a vigorous front-end identity verification strategy, visit Thomson Reuters Risk & Fraud Solutions.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA.
By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.