A performance audit of six U.S. government agencies found that four of them are still using knowledge-based questions to verify the identities of individuals applying for federal benefits or services, even though this practice is considered outdated and insecure, especially in light of the 2017 Equifax breach.

Knowledge-based verification questions are typically created by credit reporting agencies such as Equifax, and in theory, only legitimate users should know the answers to their questions. But in reality, criminals could use data stolen in the Equifax breach and similar incidents to successfully impersonate individuals and commit fraud, warns the Government Accountability Office (GAO), which conducted the review from November 2017 to May 2019 and publicly released a report on its findings earlier this week.

For this very reason, the Commerce Department's National Institute of Standards and Technology declared in 2017 that federal agencies should eliminate knowledge-based questions for sensitive applications and replace them with more secure, advanced methods of identification such as the remote inspection of digitally-imaged physical credentials and the examination of cell phone carrier records.
