IRS Outlines ID Theft, Fraud SafeguardsPrivacy Experts Question Effectiveness of New Measures
"If what has been published is all that is planned, while it is a start, it is far from enough," says privacy and security consultant Rebecca Herold, CEO of The Privacy Professor.
The IRS on June 11 announced the collaborative initiative with tax preparation and software firms, payroll and tax financial product processors and state tax administrators.
The effort is an outgrowth of a March 19 security summit the IRS held with stakeholders that focused on developing ways to validate the authenticity of taxpayers and information included on tax return submissions, share information to improve detection and expand prevention of refund fraud and threat assessment and strategy development to prevent risks and threats.
"We share a common enemy in those stealing personal information and perpetrating refund fraud, and we share a common goal of protecting taxpayers," IRS Commissioner John Koskinen said in announcing the program. "We want to build these changes into the DNA of the entire tax system to make it safer."
Koskinen's announcement comes three weeks after he revealed that hackers circumvented authentication protections to breach more than 100,000 accounts of taxpayers who had used the IRS's Get Transcript application (see Controls Might Have Averted IRS Breach). The IRS says it's working toward enhancing authentication of users of that application.
Identifying Taxpayers, Detecting Fraud
The exact processes and technologies that the new effort will use to detect identity theft and fraud have yet to be determined. However, the IRS says initiative participants have identified issues to address to help define those processes and technologies, including reviewing:
- The transmission of the tax returns, including the improper and/or repetitive use of Internet addresses from which returns originate;
- Computer device identification data tied to returns' origin;
- The time it takes to complete a tax return, so computer mechanized fraud can be detected.
The IRS says the collaborators also will consider capturing metadata from computer transactions that might detect identity theft-related fraud.
Voluntary participants in the collaborative effort will make many major system and process changes this summer and fall to be ready for the 2016 filing season, according to the IRS. The public-private partnership also will continue this collaborative approach to address longer-term issues facing the tax community and taxpayers.
Indiana Tax Commissioner Mike Alley said in testimony before Congress earlier this year that strengthening the collaboration among the IRS, state tax administrators and tax preparation services and software makers will help combat identity theft and refund fraud through enhanced analytics, sharing of information and implementation of best practices. "This sharing and collaboration must be in real time, not days or weeks down the road," Alley said. "Delays in digesting new information or implementing good ideas leaves the window of vulnerability open longer for fraudsters to enter."
Under terms of the initiative, when filing tax returns online to the IRS and state agencies, tax preparers who voluntarily participate in the program would transmit additional information, such as Internet addresses and computer device identification, the IRS says.
Seeking 'Bad Apples'
Privacy lawyer Francoise Gilbert says the IRS seems to be putting the fraud-detection burden on private tax preparers. "The IRS is completely missing the boat, and is putting a smoke screen over a project with a totally different goal - which they are not identifying - such as attacking the tax preparation industry, trying to find the bad apples in the tax prep industry," says Gilbert, founding partner of the IT Law Group. "I wonder whether there has been an assessment of the actual needs, an evaluation of the actual issues, an identification of the primary causes of identity theft."
Herold, the consultant, questions whether the IRS has gone far enough to truly safeguard taxpayers' identity as well as to protect them from fraud. "Nothing I could find in the published reports mentions increased use of encryption," she says. "The recent [Office of Personnel Management] breach should provide a clear lesson that personal information needs to be encrypted in storage, wherever that storage is located, in addition to in transit and while being collected digitally."
Gilbert says the IRS outline of the initiative fails to address a major component of fraud: the theft of tax refund checks. "We have seen recently a significant increase in fraud where a criminal misappropriated an individual's tax identification number or Social Security number and intercepted tax refund checks," she says. "It would have been good to see that IRS exercise efforts in preventing this type of fraud by implementing appropriate measures to ensure that the recipient of the tax refund check is the actual individual to whom the check is issued. For example, the IRS could increase its own control at the time of the receipt of change of address."
Mulling a New ISAC for Refund Fraud
Much of what the new collaborative initiative will encompass is still being developed. To facilitate information sharing on fraud, stakeholders are considering creating the Refund Fraud Information Sharing and Assessment Center. Plus, tax industry partners have agreed to work with the IRS and state tax agencies in adopting the cybersecurity framework issued by the National Institute of Standards and Technology.
A memorandum of understanding signed by industry stakeholders to collaborate on the IRS initiative "is a good first step, but it is just a small first step," says Bill Cobb, CEO of the tax preparation service H&R Block, noting that developing authentication standards is key to stopping fraud.