Following the Money: Financial System Integrity Makes Identity a National Security Issue
The threat to the integrity of the U.S. and global financial system posed by the crisis in online identity is a national security issue, a senior Treasury Department official told the 2021 Federal Identity Forum and Expo Monday.
“We … view identity as a national security issue,” explained Kay Turner, senior counselor for digital identity, inclusion and payment infrastructure to the director of the Financial Crimes Enforcement Network. FinCEN is a bureau of the Treasury Department that collects and analyzes information about financial transactions and markets to combat money laundering, terrorist financing and other banking-related crimes.
She laid out a series of threats from cyber criminals, exploiting weaknesses in the security of identity processes at every level of the banking system: From fraudulent account creation enabled by the mass breach of supposedly secret personal data like Social Security numbers, to credential stuffing attacks and account takeover of existing accounts.
Repeated massive data breaches, dumped on the dark web, “have permanently exposed billions of personally identifiable information and credentials, placing an asymmetric burden on customers and society,” she observed.
“We're seeing criminals increasingly exploit vulnerabilities in identity systems to commit fraud, cyber crime and other illicit activities,” Turner said.
The billions of dollars of fraud in COVID-19 relief payments perpetrated by international gangs of online criminals have “forced” the Treasury Department and the U.S. government as a whole “to take a hard look at how identity is managed, verified and authenticated,” Turner said.
”Digital payments can provide transparency to governments and financial institutions, and help us to detect illicit actors and trace financial flows,” Turner noted. “Digital Services of all kinds have the potential to enhance inclusion, to expand access and lower the cost of entry to the financial system,” including for the traditionally unbanked.
But moving so much COVID aid online had exposed the government to a wave of fraudulent applications for pandemic unemployment assistance and small business relief.
“This digital migration also brings in new and enhanced risks,” Turner acknowledged, especially when accompanied by “uneven implementation of identity standards.”
Synthetic identity fraud—when a genuine Social Security number is used alongside a false name and date of birth to get credit or open a bank account continues to be a problem, she added.
“To get financial services right, we need to get [online] identity right, and to do so in a way that preserves privacy, while also ensuring the integrity of the financial system so that people who need fiscal support are getting it,” Turner said.
She said the government could better combat fraud by creating and expanding “secure identity attribute validation services,” like the Social Security Administration’s electronic Consent Based Social Security Number Verification, or eCBSV, service, which allows financial service providers and other “permitted entities” to verify if an individual’s SSN, name and date of birth combination matches Social Security records, as long as they get an applicant’s consent.
This model, of the government vouching online for the accuracy of identity information, mirrors the offline identity ecosystem, where for decades a government-issued ID like a driver license or a social security card has been the guarantor of identity.
In a subsequent panel discussion, other officials from different parts of the Treasury Department gave their perspectives on identity issues.
Sean Evans. acting chief of the cyber and emerging technology section in the Intelligence Division of FinCEN, added scary depth to Turner’s thumbnail portrait of the wave of identity fraud, pointing out that weaknesses in the online identity system had enabled the Russian influence operation directed against the 2016 U.S. election—the Russian Internet Research Association trolls orchestrating the effort to discredit then-Democratic contender Hilary Clinton and elect GOP candidate Donald Trump had opened their social media accounts using fraudulent U.S. identities for sale online.
He noted that the mushrooming of online influence operations—multiple adversaries, not just Russia, had attempted or contemplated influence operations in the 2020 election (although none succeeded)—was happening “just as emerging technologies such as artificial intelligence and deep fakes are rapidly becoming ubiquitous and enabling the imitation of voice and video.”
These emerging technologies could be exploited to break even the latest identity proofing technology, Evans said, concluding, “The current system of (online) identity verification is in crisis and doing nothing is itself risky.”