Fraud Protection for Government Agencies

Posted March 13, 2018

Fraud Protection for Government Agencies

If you think “Meltdown” and “Spectre” are scary, just take a look at some of the other threats facing government agencies this year.

As The Hill reports, the Department of Homeland Security has issued guidance on mitigating these twin vulnerabilities, which exist within the processing chips found in virtually every modern computing device—laptops, desktops, mobile phones, cloud-based infrastructure and more.

Patches are being put in place, though the issue will still cost federal, state and local governments plenty of time and money in coming months and even years. Meanwhile, cybercriminals, foreign governments and state-sponsored hacker groups are no doubt looking for ways to exploit these vulnerabilities.

But today, there are far scarier cyber-threats on the horizon that should keep agency officials up at night.

The good news: A renewed push to implement the Cybersecurity Framework put forth by the National Institute of Standards and Technology (NIST) could offer a path forward to agencies at every level—provided agencies put the right solutions in place. But, they’d be wise to accelerate their efforts.

Clear and Present Danger

According to the Government Accountability Office (GA), 30,899 cyberattacks were perpetrated against federal government agencies in 2016. Then 2017 happened.

In just 12 short months:

  • The CIA’s infamous “Vault 7” and the NSA’s EternalBlue hacking tools were exposed online.
  • The IRS discovered cyber-thieves had made off with $30 million by filing as many as 8,000 fraudulent loans through the agency’s online Application for Federal Aid service.
  • The FDIC announced it has suffered more than 50 breaches in recent years, potentially compromising the personally identifiable information of 113,00 individuals.
  • North Korean-backed hacker group Lazarus is believed to be behind the theft of up to 235 gigabytes of sensitive military operations involving joint operations between the U.S. and South Korea. In its spare time, the group also launched the WannaCry ransomware attack that crippled hospitals, financial services and critical infrastructure in 150 countries last spring.
  • The Kansas Department of Commerce suffered a breach that exposed 5.5 million social security numbers.

Keep in mind, this is just a sample of what was publicly reported. All of this leaves little doubt that we live in a “post-breach” era. But, what does this mean?

Identity is Everything

Post-breach means that it is no longer safe to assume the confidentiality of personal information, including social security numbers, payment details, log-in credentials and the like. Today, 80 percent of successful cyberattacks involve thieves using stolen identity credentials, according to reports in CSO. Which means, as constituents go online to claim tax refunds, file for disaster benefits, apply for loans, register vehicles, submit contracts and more, agencies should be asking themselves:

  • Does this individual even exist?
  • Is the individual who they claim to be?
  • Is it safe to transact with this individual?
  • Is it legal to transact with this individual?

Sure, technologies such as two-factor authentication can help. But shifting the overall burden of identity assessment and authentication to online visitors doesn’t make sense. Why? Because treating every online constituent as an imposter defeats the efficacy of digital channels. With added friction, online users simply abandon the channel and flood phone, email and offices. Service delivery slows, and manual reviews and processes add time and costly overhead. No agency wants this reputation.

But, by not asking every visitor to undergo this level of authentication, how can any online visitor be trusted? Any one of them could be a fraudster using a synthetic identity, stolen credentials or scripted bot attacks to divert government benefits payments, steal highly sensitive corporate and government regulatory data, and even target our national security apparatus.

The answer that the deployment of digital identity solutions provides us is that we simply need to know far more about a visitor than we can possibly ask them online. Digital identity gives organizations the insight they need, using hundreds of attributes about every online visitor, their global behavioral history and the power of machine learning to sort through it all. Let’s take a deeper look.

Don’t Trust, Verify—Fast

We know from digital identity deployments that 95 percent of online visitors can typically be identified instantly and transparently the moment they attempt to transact. Among those, typically 92 percent are recognized as legitimate users, 2 percent as fraudsters and the remaining 6 percent as questionable to varying degrees. Of course, every organization is going to have their unique mix, but those statistics can be used as a basis for a business-improvement strategy fueled by digital identity. Here’s how that works.

Digital identity provides the ability to remove friction from the vast majority of online visitors where a high-level of trust can be established. But, digital identity also identifies to a high degree of accuracy confirmed fraudsters hiding behind the anonymity of the web. Those individuals can then be ushered out of core processes (in an appropriate way) and likely off the web property.

But digital identity does more. It provides an enterprise platform for evaluating the unknown visitors and those that are of questionable reputation. Digital identity provides fraud analysts with comprehensive tools to perform forensic analysis and automate the review process, enabling the continuous improvement of fraud operations. And automated policy rules tend to get more effective at protecting the organization over time, resulting in more confirmed legitimate and fraudulent identities, fewer manual reviews and faster exception handling when reviews are necessary.

Unlike traditional user authentication technologies that depend solely on static identity credentials, digital identity solutions help organizations progressively remove risk and the overhead that comes with it.

According to one government agency that has deployed such solutions, it now meets NIST standards, including its Digital Identity Guidelines (Special Publication 800-63-3) on best practices for identity proofing, and is able to instantly differentiate legitimate users from cybercriminals. Now, 30- to 40-percent of fraudulent applications for this agency’s services is spotted before processing even begins.

Is that enough for every organization’s fraud protection operations? Time will tell. But with government agencies contending with a growing number of threats, we’d better all hope they’re on to something.

To learn more about how digital identity-based solutions can help protect government programs even while reducing user friction, click here.

Mike Cichon

Mike Cichon

Vice President, Marketing, ThreatMetrix

close btn