Contagion of fraud: PPP exploits designed to bypass ID verification
In the face of COVID-19, members of the U.S. government have scrambled to offer programs that can prop up both individuals and companies, one of which is the Pa...
In the face of COVID-19, members of the U.S. government have scrambled to offer programs that can prop up both individuals and companies, one of which is the Paycheck Protection Program (PPP). But often, where there is a crisis, there are fraudsters waiting in the wings to exploit weaknesses. PPP is no different.
When rushing to help doesn’t
One big problem that relates to PPP, fraud, and COVID-19 is that government leaders didn’t have a lot of time to come up with programs to help the public. They had to roll out a stimulus package to save the economy extremely quickly, which meant accepting some shortcuts to get to the point of being able to send people the stimulus checks they needed right away. One such shortcut was not addressing the fact that many government agencies still rely heavily on knowledge-based answers/authentication (KBA).
KBA is based on common questions, such as what the color of your first car was, the address you last lived at, and similar points. It’s nice for legitimate users in that it’s usually pretty easy stuff to remember. Unfortunately, it’s also data that’s easy for fraudsters to grab on the dark web, and the answers aren’t all that tough for unauthorized people to figure out. So hackers can get into systems based on KBA (including those intended for PPP or other services), act like they’re you, and get checks mailed to them pretty easily.
Higher service demand means increased fraud
Even if KBA weren’t lingering in the background within government programs for COVID-19, there’s also the issue of increased user demand. Many systems simply were not set up to handle the volume of cases agencies have been seeing. This not only increases the risk of technology-related delays but also makes it harder to detect fraudulent or malicious activity and respond fast.
Perhaps the best example here is the increased interest around unemployment insurance claims fraud, since the number of people who are qualifying and applying for unemployment is still staggeringly high. With agencies admitting that their systems can’t keep up, fraudsters are taking advantage. And attackers aren’t just individuals. They include national and international crime rings, too.
Getting a little more specific, many fraudsters are heading to the dark web and grabbing information that allows them to steal an identity. They use that data to file for unemployment as if they are someone else. And what fraudsters are doing with unemployment is actually quite similar to a previous issue that plagued the IRS’ Get Transcript system. Criminals went onto the dark web to get ID information and then bypassed very simple KBA. If they saw that a tax return was positive, then they’d refile the return as if they were the victim, only with a different bank routing number. Victims wouldn’t realize anything was wrong until they went to file their taxes.
Beyond unemployment, we must also look at other government systems that fraudsters could potentially hit as the COVID-19 recovery continues. For example, areas like DMV license renewal, auto renewals, tax submissions — all of these things that were deferred because people weren’t getting paid or didn’t have the resources available likely will be forced online. And it could be that all of these areas are going to get hit, too.
To complicate the ethics and logistics of this whole situation even more, we have to remember that these assistance programs and systems are designed to get money into the hands of consumers to help keep the economy going and get people back to work. From this perspective, adding a layer of protection from fraud potentially adds more friction into the process, slowing it. The question becomes whether the government should simply accept that a certain percentage of cases or claims are going to be fraudulent to keep that money flowing or whether they should be more rigorous and go after the fraud they see even if it could slow down helping the people who really need the funds.
How to stop the fraud
Government and other agencies that are trying to help with COVID-19 recovery are starting to figure out that fraud related to their programs is happening, and they do seem to care. One of their strongest weapons is multifactor device and identity authentication, which is based broadly on verifying something you know, something you are, and something you have. Some agencies already gather reports on devices that are trying to do fraudulent things. Government officials can use device and identity authentication in parallel to determine whether a device that’s trying to talk to their system is one they’ve seen, whether it’s behaving properly, and whether to report or shut it down. Compared to the legacy, dinosaur approach of KBAs, multifactor authentication is a much smarter and more secure path.
As an example, the IRS used to focus heavily on the “something you are” portion of multifactor authentication, which was readily available on the dark web and easy to guess. But then they also started to include “something you have.” They did things like send tokens or passcodes to a verified phone number linked to an account where you are seen as the owner. Another layer is to look at where the transaction is occurring. In the case of the fraudulent tax returns, the IRS discovered that many of those cases were coming from overseas, which should have been a red flag. Differences in location aren’t always fraud, but they can trigger agencies to dig deeper and search for other evidence, such as cloud-based IP addresses, underlying languages, proxy servers, or IP masking.
Importantly, multifactor authentication precautions can work for any kind of stimulus that people might consume online, whether it’s PPP, SBA loans, or other types of help.
Using technology in a middle-ground approach helps honest users
Generally speaking, most government agencies aren’t in the business of looking for significant technologies that are available to keep fraudsters in check. Their main job is simply to look out for consumers and the economy on an everyday level. Nevertheless, good technologies do exist that can help stop criminal activity within support programs, and organizations are already using these tools effectively. Government agencies can leverage these technologies and potentially save millions or even billions of dollars, which can lessen anxiety about the ballooning national debt and free resources up for a more effective COVID-19 response. And so, education and awareness about these technologies is vital.
Finally, there’s no getting around the fact that COVID-19 is ravaging the country during a time of intense division. However, people seem relatively unified in the idea that the government needs to ensure that it is honest citizens in need who get the assistance support programs are meant to give — not fraudsters. Rather than clamping down tight or having no stop gaps, agencies can implement processes that gradually increase friction and complexity with each step, and that can allow a user to skate through with good information or be halted because of suspicious answers. With a middle-ground approach to multifactor authentication, legitimate applicants — not the fraudsters — will win.
Jonathan McDonald is executive vice president of public sector for TransUnion.
Contagion of fraud: PPP exploits designed to bypass ID verification
In the face of COVID-19, members of the U.S. government have scrambled to offer programs that can prop up both individuals and companies, one of which is the Pa...
In the face of COVID-19, members of the U.S. government have scrambled to offer programs that can prop up both individuals and companies, one of which is the Paycheck Protection Program (PPP). But often, where there is a crisis, there are fraudsters waiting in the wings to exploit weaknesses. PPP is no different.
When rushing to help doesn’t
One big problem that relates to PPP, fraud, and COVID-19 is that government leaders didn’t have a lot of time to come up with programs to help the public. They had to roll out a stimulus package to save the economy extremely quickly, which meant accepting some shortcuts to get to the point of being able to send people the stimulus checks they needed right away. One such shortcut was not addressing the fact that many government agencies still rely heavily on knowledge-based answers/authentication (KBA).
KBA is based on common questions, such as what the color of your first car was, the address you last lived at, and similar points. It’s nice for legitimate users in that it’s usually pretty easy stuff to remember. Unfortunately, it’s also data that’s easy for fraudsters to grab on the dark web, and the answers aren’t all that tough for unauthorized people to figure out. So hackers can get into systems based on KBA (including those intended for PPP or other services), act like they’re you, and get checks mailed to them pretty easily.
Higher service demand means increased fraud
Even if KBA weren’t lingering in the background within government programs for COVID-19, there’s also the issue of increased user demand. Many systems simply were not set up to handle the volume of cases agencies have been seeing. This not only increases the risk of technology-related delays but also makes it harder to detect fraudulent or malicious activity and respond fast.
Learn how DLA, GSA’s Federal Acquisition Service and the State Department are modernizing their contract and acquisition processes to make procurement an all-around better experience for everyone involved.
Perhaps the best example here is the increased interest around unemployment insurance claims fraud, since the number of people who are qualifying and applying for unemployment is still staggeringly high. With agencies admitting that their systems can’t keep up, fraudsters are taking advantage. And attackers aren’t just individuals. They include national and international crime rings, too.
Getting a little more specific, many fraudsters are heading to the dark web and grabbing information that allows them to steal an identity. They use that data to file for unemployment as if they are someone else. And what fraudsters are doing with unemployment is actually quite similar to a previous issue that plagued the IRS’ Get Transcript system. Criminals went onto the dark web to get ID information and then bypassed very simple KBA. If they saw that a tax return was positive, then they’d refile the return as if they were the victim, only with a different bank routing number. Victims wouldn’t realize anything was wrong until they went to file their taxes.
Beyond unemployment, we must also look at other government systems that fraudsters could potentially hit as the COVID-19 recovery continues. For example, areas like DMV license renewal, auto renewals, tax submissions — all of these things that were deferred because people weren’t getting paid or didn’t have the resources available likely will be forced online. And it could be that all of these areas are going to get hit, too.
To complicate the ethics and logistics of this whole situation even more, we have to remember that these assistance programs and systems are designed to get money into the hands of consumers to help keep the economy going and get people back to work. From this perspective, adding a layer of protection from fraud potentially adds more friction into the process, slowing it. The question becomes whether the government should simply accept that a certain percentage of cases or claims are going to be fraudulent to keep that money flowing or whether they should be more rigorous and go after the fraud they see even if it could slow down helping the people who really need the funds.
How to stop the fraud
Government and other agencies that are trying to help with COVID-19 recovery are starting to figure out that fraud related to their programs is happening, and they do seem to care. One of their strongest weapons is multifactor device and identity authentication, which is based broadly on verifying something you know, something you are, and something you have. Some agencies already gather reports on devices that are trying to do fraudulent things. Government officials can use device and identity authentication in parallel to determine whether a device that’s trying to talk to their system is one they’ve seen, whether it’s behaving properly, and whether to report or shut it down. Compared to the legacy, dinosaur approach of KBAs, multifactor authentication is a much smarter and more secure path.
As an example, the IRS used to focus heavily on the “something you are” portion of multifactor authentication, which was readily available on the dark web and easy to guess. But then they also started to include “something you have.” They did things like send tokens or passcodes to a verified phone number linked to an account where you are seen as the owner. Another layer is to look at where the transaction is occurring. In the case of the fraudulent tax returns, the IRS discovered that many of those cases were coming from overseas, which should have been a red flag. Differences in location aren’t always fraud, but they can trigger agencies to dig deeper and search for other evidence, such as cloud-based IP addresses, underlying languages, proxy servers, or IP masking.
Importantly, multifactor authentication precautions can work for any kind of stimulus that people might consume online, whether it’s PPP, SBA loans, or other types of help.
Using technology in a middle-ground approach helps honest users
Generally speaking, most government agencies aren’t in the business of looking for significant technologies that are available to keep fraudsters in check. Their main job is simply to look out for consumers and the economy on an everyday level. Nevertheless, good technologies do exist that can help stop criminal activity within support programs, and organizations are already using these tools effectively. Government agencies can leverage these technologies and potentially save millions or even billions of dollars, which can lessen anxiety about the ballooning national debt and free resources up for a more effective COVID-19 response. And so, education and awareness about these technologies is vital.
Read more: Commentary
Finally, there’s no getting around the fact that COVID-19 is ravaging the country during a time of intense division. However, people seem relatively unified in the idea that the government needs to ensure that it is honest citizens in need who get the assistance support programs are meant to give — not fraudsters. Rather than clamping down tight or having no stop gaps, agencies can implement processes that gradually increase friction and complexity with each step, and that can allow a user to skate through with good information or be halted because of suspicious answers. With a middle-ground approach to multifactor authentication, legitimate applicants — not the fraudsters — will win.
Jonathan McDonald is executive vice president of public sector for TransUnion.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
What the UK gets about remote work that the US doesn’t
Network connectivity: An urgent matter of national security
NIST’s quantum standards: The time for upgrades is now