Reducing government fraud: a discussion with SecureKey’s Andre Boysen
In August 2021, a Tarzana, California couple went on the run. They escaped while on house arrest by removing their tracking bracelets, and left the country without even telling their kids. The couple had been convicted of fraudulently obtaining over $20 million in pandemic assistance funding through a COVID-19 fraud ring which submitted Paycheck Protection Program (PPP) loans using shell companies, forged tax returns and faked payroll documents. Last month, in February 2022, they were caught in Montenegro.
Then there is this story, an inside job by an Employment Development Department employee and former tax preparer, who used her past customers’ PII to create and authenticate false claims to receive over $4.3 million. U.S. states paid out over $500 billion in total fraudulent claims, with California’s share being over $114 billion. To date California has stopped over $60 billion in fraud, 95 percent of which was from the Pandemic Unemployment Assistance. How were these crimes attempted and committed so easily, when the private sector keeps releasing advanced security tools?
“Criminals are more aware of the systems because they have studied them in order to take advantage of them,” says Andre Boysen, chief identity officer of SecureKey. “People don’t log into government systems every day, so if they can’t log in, they assume they’ve forgotten their password, not that their account has been compromised.”
Government services are important, but a lot of us do not use them on a regular basis. This means we do not have the kind of daily familiarity authenticating with government websites that we have with, say, Google or Amazon. Once or maybe twice a year, I interact with the online versions of the California DMV, property tax collector, business tax office, local government to renew my Airbnb permit, as well as less frequently with agencies to renew my Global Entry card, and the System for Award Management to participate in government contracting. Other government services include unemployment assistance, food stamps, WIC and CalFresh. Because many of these services are run by different levels of government, varying from the city, county, state and federal levels, the accounts and user interfaces for them are all different.
“Because I don’t use these websites except once or twice a year, I may not remember my password, unless I use a password manager. When I forget my password, I have to jump through a lot of hoops to reauthenticate. That’s a huge amount of effort for users who have to reset their password every time they go to a website,” says Boysen. “Is the solution a national ID card? For some countries, this is a great solution, but for other nations this goes against deep-seated values.”
Government sites could use some of the security functions that are used in the private sector, like SMS authentication or authenticator apps. But at the same time, government services must serve all constituents, not just the ones that use a smartphone. So there have to be alternate ways for people to prove their identity if they do not have access to the latest private sector technology.
And then there is the backlash. Why is it fine for me to unlock sensitive apps on my phone with my face, but there is a backlash about using face biometrics software to prove my identity on a government website? There is a fear that governments will misuse this kind of data, but over and over I have seen the private sector weaponize any scrap of data collected about us against us for advertising and to increase app engagement. To me this is much worse, and yet, as users we have no choice other than choosing not to use the private sector products. Governments do not have the luxury of shutting out a segment of their “market.”
Boysen thinks government identity systems need to hide security from the user, like how the EMV chip is hidden in our credit cards. But how would this solution help the aforementioned less technical users, especially in countries that do not like the idea of a national ID card? Government systems must be designed to protect the user – all the users, even the most vulnerable ones, like those who have lost jobs or homes, or are otherwise down on their luck – while protecting the system from criminals.
It is a challenge to design systems that balance security best practices, usable interfaces and accurate online identity verification, while solving for the most underserved who may not be online and need support the most. I do not envy the government’s challenge to do so.
About the author
Heather Vescent is a digital identity industry thought leader and futurist with more than a decade of experience delivering strategic intelligence consulting to governments, corporations and entrepreneurs. Vescent’s research has been covered in the New York Times, CNN, American Banker, CNBC, Fox and the Atlantic. She is co-author of The Secrets of Spies, The Cyber Attack Survival Manual and The Comprehensive Guide to Self Sovereign Identity.