IG: Identity verification flawed without biometrics

Homeland Security Department procedures for verifying identities of people applying for U.S. residency and citizenship are still vulnerable to fraud and are overly reliant on paper documents, according to a new report from the department's Inspector General Richard Skinner.

To reduce fraud and better check identities, the U.S. Citizenship and Immigration Services agency should make greater use of biometrics, but to date there are no firm plans for doing so, the report said.

"USCIS security checks are overly reliant on the integrity of names and documents that applicants submit; consequently, better use of biometric data is needed to verify applicants' identity," the report states.

The agency also needs better coordination and strategic planning overall to improve its security checks. "There is no apparent effort to develop a strategic plan for selecting and conducting security checks. USCIS needs to develop such a plan, using risk assessment to prioritize efforts and allocate screening resources," the report said.

USCIS completed processing on 7.3 million benefit applications in fiscal 2004 and received 5.9 million more. As part of the process, the agency checks with border inspector databases, FBI fingerprint and name databases, and the Automated Biometric Identification System (IDENT), among other databases.

However, most of the identity verification occurs with paper records, which rely on applicants to provide accurate information. Fewer than 25 percent of the applicants are subjected to fingerprint checks and fewer than 2 percent receive automated biometric checks, the inspector general said.

In a separate report, also released today, the inspector general audited the homeland security department's network security programs on selected wired-based sensitive but unclassified IT networks.

While some progress has been made, there still is no departmentwide testing program, and DHS component agencies still have not completely implemented proper security controls for security testing, audit trails, patch management and contingency planning, the report concluded.