Agencies at all levels of government aren’t doing enough to prevent digital fraud, particularly account-takeover attacks, according to a survey published this week by the credit-monitoring firm Transunion. This is despite an increase, the company said, in the number of reported incidents over the duration of the COVID-19 pandemic.
In the survey, which interviewed 594 IT and cybersecurity professionals in federal, state and local governments, 53% said the number of account-takeover incidents — in which a malicious actor co-opted a legitimate online profile — have increased over the past two years, while 60% said such attacks are becoming more severe.
The survey also found that few agency leaders are taking more aggressive steps to stop account takeover fraud: 41% of respondents said their bosses are making prevention a priority, while just 38% said their agency regularly assesses their abilities to detect and stop fraud.
Transunion also found similarly dismal assessments of the citizen-facing services where account fraud occurs. Just 43% said their agency possesses security technologies “necessary to provide customers with both a secure and convenient online experience when accessing their accounts.” Meanwhile, only 37% agreed with the statement, “Our agency makes it as easy as possible for customers to reach us if they believe account has been compromised.”
An inability to stop account takeovers can cause havoc in a range of government services, including Social Security, Medicaid and especially unemployment insurance, said Stuart Levy, a leader in Transunion’s public-sector identity practice. Unemployment fraud spiked last year after the creation of emergency pandemic-related programs, with billions lost to phony claims. The U.S. Secret Service said last month it had recovered $2 billion in bogus pandemic-relief payments so far. These crimes often prevent people from accessing benefits to which they are lawfully entitled, he said.
But Levy also said state unemployment systems — and other IT systems — have been ill-equipped to stop fraud, as identity-management technology has not kept up with the pace of other modernization efforts.
“Government agencies have a good focus on IT infrastructure, but we also find at the same time, the identity environment has suffered from not having the same rigor as software development,” he said. “Only a year or two before the pandemic, agencies realized they have to pay attention to the identity environment.”
Account-takeover attacks can begin through a variety of methods, Transunion found, including social engineering, password guessing and outright theft. Levy said some incidents stem from disgruntled family members gaining access to a trusting relative’s accounts. He said elder-care facilities are a common target.
Many states have taken steps recently to improve their identity and access management policies, including more adoption of zero-trust security on digital identification programs. Colorado’s digital ID, a mobile app called myColorado that includes a range of services, including a digital driver’s license, requires residents to go through multi-factor authentication.
Levy said there are other steps agencies can take to improve their fraud prevention. He said agencies should look to the National Institute of Standards and Technology’s identity-management framework and recommended using artificial intelligence to sift through an ever-increasing amount of data.
“We think AI is useful for observing patterns across large data sets,” he said. “You can see attributes associated with devices, attributes of identity, the likelihood people are not who they say they are.”
A 65% majority of the survey’s respondents agreed that AI technologies could improve their agencies’ ability to track users’ identities and improve the security of online accounts.