New Efforts to Investigate Pandemic Fraud are Admirable; Strong NIST Standards Must Guide Future Efforts
By Blake Hall
President Biden’s plan to combat fraud and identity theft is a major step forward. We are encouraged by major investments to investigate and prosecute these crimes, holding the thieves of hard-earned taxpayer money accountable for their actions. Everyday Americans seeking unemployment benefits were devastated by the alarming influx of fraud and abuse. It is imperative the nation learns from shortcomings exposed during the pandemic so we can better protect and serve Americans.
We believe the answer starts with deploying existing government standards more effectively, particularly the Identity Assurance Level 2 (IAL2) guidelines set forth by the National Institute of Standards and Technology (NIST). Six states have publicly come forward and credited ID.me, which adheres to NIST standards, with helping to stop over $240 billion in fraudulent payments. ID.me and state workforce agencies saw firsthand how moving agencies from a lower-security policy to NIST IAL2 dramatically reduced fraudulent claims and allowed agencies to process backlogs of legitimate claims faster.
Given the involvement of nation-state-sponsored actors attacking benefits programs, pandemic fraud is a national security issue. When our government moved to distribute trillions of dollars of aid to American people and businesses in need, sophisticated crime rings and hackers surged identity theft efforts. A digital social safety net must reflect this new reality to effectively blend security with customer service.
ID.me believes three critical areas must be addressed: secure identity verification, equitable identity verification, and performance measurement.
Given the involvement of nation-state-sponsored actors attacking benefits programs, pandemic fraud is a national security issue. When our government moved to distribute trillions of dollars of aid to American people and businesses in need, sophisticated crime rings and hackers surged identity theft efforts. A digital social safety net must reflect this new reality to effectively blend security with customer service.
Secure identity verification is our best tool for preventing fraud and identity theft in the future. Any identity verification system introduced to fight fraud must comply with the security and privacy guidelines established by the Department of Commerce and NIST. Our experience working with 27 states during the pandemic shows that any policy that does not comply with NIST IAL2 will result in identity theft and fraud that could have been prevented. When fraud increases, access and equity decreases.
Criminals attacked our systems using stolen identities and through scams to fool victims into identity theft schemes. Federal Trade Commission data showed “identity theft reports” tied to government benefits increased by an astonishing 2,920% in 2020. Multiple states were forced to shut down their programs because they were overrun by fraud and could not tell real people in need apart from fraudsters.
Investigative reports show that secure identity verification compliant with federal standards dramatically reduced fraud and identity theft. States that adopted secure identity verification were able to greatly reduce fraud from continuing. Many criminals moved to other targets after NIST IAL2 security was introduced.
Online monitoring of the dark web shows criminals actively seek to target programs and government agencies that do not follow the federal standards for identity verification. This is hard for us to watch as Americans. The vast majority of identity theft and third party fraud can be prevented upfront if government agencies simply align to the government’s own standards for secure identity verification.
Equitable identity verification means vendors and agencies must support applicants in ways that “meet users where they are.” Identity verification systems should be available online, through video chat, and at in-person locations. These various pathways should be available in multiple languages to ensure an intuitive experience for individuals who do not speak English as their first language.
Any verification solution that uses data brokers alone for online verification is not an equitable option. Such a system requires an individual to go to an in-person location to prove their identity simply because they don’t have credit history or they moved recently. The NIST IAL2 standard allows for video chat agents to serve individuals as a first-level relief valve for automated verification failures. Digital equity in the context of identity verification means solutions that allow people to have the option to continue verifying online or at an in-person location.
The American people deserve transparency and accountability. We need an accessibility, equity, and security scoreboard so solutions can be measured and held accountable.
Online relief valves are particularly important in the context of the pandemic. Most government agencies were closed for in-person service delivery. If a similar situation repeats in the future, equity features must be resilient against known limitations of service delivery to prevent data brokers from acting as digital gatekeepers for access to online services. Twenty-seven states adopted ID.me for identity verification during the pandemic in large part because those same data brokers had serious access, equity, and security limitations.
Performance measurement is necessary to compare the relative success of systems through the lens of access, equity, security, and fraud prevention. These tenets must not become buzzwords — they must be measured and proven. Government agencies and vendors should be held accountable for their performance and regulatory compliance in a fair and transparent manner. Solutions should report on:
- Access Rates: Access rate for legitimate applicants net of fraudulent applicants.
- Equity Rates: Access rates framed through the lens of specific demographics and communities.
- Fraud Rates: Fraud rates showing fraudulent attempts that succeeded and failed.
To ensure a level playing field, government agencies should use auditors to examine applicant cohorts where competing identity verification solutions were offered for the same government program. This impartial audit will prevent solution provider gamesmanship to show which vendor served constituents most effectively in speeding access to benefits and to protect against cases of fraud and identity theft.
The American people deserve transparency and accountability. We need an accessibility, equity, and security scoreboard so solutions can be measured and held accountable. This new status quo will foster a competitive marketplace to ensure a more secure and accessible future for all Americans.
Blake Hall is the founder and CEO of ID.me.