In light of the reports of theft of COVID-19 stimulus checks (which one headline called “pure hell”), it’s instructive to look back at recent breaches of IRS systems and processes. There’s a common thread in these publicized fraud attacks: inadequate identity proofing. To get a stimulus check, the IRS has been asking people to provide an SSN, date of birth, tax filing status and street address. Unfortunately, much of that data has long been compromised and available for exploitation, and far too many Americans suffer as a result.
For years, as a privacy officer, I’ve tried to educate the public on the risks of stolen tax information and identity theft in general. I’ve alerted colleagues, friends, and the public about the “Get Transcript” account feature that opened the door to 334,000 stolen tax refunds, as well as the risks exposed in 2016 by the theft of over 100,000 e-file PINs. Now, during the COVID-19 pandemic, it’s happening all over again.
For years, the GAO (Government Accountability Office) has recommended that the IRS shore up its identity verification and authentication methods. In 2015, it said that enhanced authentication could combat refund fraud, but that the agency lacked useful estimates of the costs, benefits, and risks of making improvements. In 2016, the GAO got more specific: it pointed out that knowledge-based authentication (KBA) procedures, such as taxpayer questions and checks against third-party-submitted information, might have allowed over $200M in tax refunds to be issued to illegitimate recipients. The 2016 report also called out the IRS’ reliance on remote authentication as an incentive for fraudsters, because a remote channel makes high volumes of attempts cheap. Then in 2018, the GAO spoke to the dire reality that identity proofing had become harder in the wake of massive data breaches of PII, including the breaches at the IRS itself.
I submit that the IRS’ woes are not to be solved by making authentication harder, but rather by looking to innovative identity verification. Recently, my colleague Rivka Little pointed out this flaw to CNBC: “The IRS is asking consumers for their mailing addresses, email addresses – it’s all appropriate information. But all of those points of data are out there; they’re already breached and attainable.”
The 2018 GAO report also concluded that the IRS had made insufficient progress in prioritizing authentication improvements, assessing and monitoring multi-channel risks and evaluating available authentication technologies. In spite of all these findings, the agency continues to rely upon a number of tried-and-failed methods that facilitate unauthorized access to taxpayer accounts:
- Submission of PII (personally identifying information)
- KBA (knowledge-based authentication) questions
- PINs (personal identification numbers) that are mailed to taxpayers
The agency also uses methods that are either hackable or costly to carry out:
- Multi-factor authentication that relies on one-time passwords (OTPs) delivered by SMS, which can be intercepted or redirected (for example, through SIM swapping)
- Submission of identity documents in person or via correspondence
If the IRS itself has lamented that “the sources of stolen identities are limitless,” and those sources include the answers to KBA questions, then why does it continue to ask taxpayers to prove themselves with data that is already compromised?
What will it take for things to change? In short, the IRS needs to reboot its whole paradigm and stop putting the burden of identity proofing on the individual.
With a few simple inputs from the purported taxpayer, it is possible to independently judge whether the person on the other side of the Internet is who they claim to be. Best-in-class solutions draw on large volumes of online and offline data and correlate it with device and browser intelligence. They mine that data for patterns that expose fraudsters and their methods, apply machine learning, and iterate to keep pace with developments on the fraudsters’ side. They are automated. So instead of asking more and more of genuine taxpayers, the IRS can ask for less and still get better determinations of whether a request for access is authentic.
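To make the contrast with KBA concrete, here is an added example of the kind of signal correlation described above. It is not code from this post, the IRS, or any vendor; the signal names (device fingerprint, source IP, claimed taxpayer handle), the thresholds and the sample traffic are all constructed for illustration. It shows two things the paragraph only asserts: a request that answers every KBA question correctly can still be refused when the device and velocity signals around it contradict the claimed identity, and a genuine filer is asked for nothing extra.

```python
"""Illustrative signal-correlation risk scorer for remote identity proofing.

Added example; not the IRS's or any vendor's system. Signal names, thresholds
and sample data are constructed. A real deployment tunes thresholds on
labelled traffic and adds many more signals than the two shown here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed thresholds.
MAX_IDENTITIES_PER_DEVICE = 3   # distinct taxpayers one browser may plausibly claim
MAX_ATTEMPTS_PER_IP = 10        # attempts from one IP inside WINDOW_SECONDS
WINDOW_SECONDS = 3600
STEP_UP_AT, DENY_AT = 30, 60    # score bands: allow / step_up / deny


@dataclass
class Request:
    taxpayer_id: str   # opaque handle for the claimed identity, never the raw SSN
    device_id: str     # browser/device fingerprint from client-side telemetry
    ip: str            # source address
    ts: int            # unix seconds
    kba_passed: bool   # outcome of the knowledge-based questions


@dataclass
class History:
    """Server-side memory of what each device and IP has done so far."""
    identities_per_device: Dict[str, Set[str]] = field(
        default_factory=lambda: defaultdict(set))
    attempts_per_ip: Dict[str, List[int]] = field(
        default_factory=lambda: defaultdict(list))


def score(req: Request, hist: History) -> Tuple[str, int, List[str]]:
    """Return (decision, risk, reasons) for one request and record it in hist."""
    risk, reasons = 0, []

    # Device intelligence: one fingerprint claiming many taxpayers looks like a
    # fraudster working down a list of breached PII, however good the answers are.
    claimed = hist.identities_per_device[req.device_id]
    claimed.add(req.taxpayer_id)
    if len(claimed) > MAX_IDENTITIES_PER_DEVICE:
        risk += 50
        reasons.append(f"device {req.device_id} has claimed {len(claimed)} identities")

    # Velocity: remote channels make volume cheap, so count attempts per IP in a
    # sliding window and let the old ones fall out of it.
    recent = [t for t in hist.attempts_per_ip[req.ip] if req.ts - t < WINDOW_SECONDS]
    recent.append(req.ts)
    hist.attempts_per_ip[req.ip] = recent
    if len(recent) > MAX_ATTEMPTS_PER_IP:
        risk += 30
        reasons.append(f"{len(recent)} attempts from {req.ip} in {WINDOW_SECONDS}s")

    # KBA: a failure adds risk, but a pass deliberately subtracts nothing, because
    # the answers are assumed to be in the attacker's hands already.
    if not req.kba_passed:
        risk += 30
        reasons.append("KBA failed")

    decision = "allow" if risk < STEP_UP_AT else "step_up" if risk < DENY_AT else "deny"
    return decision, risk, reasons


def simulate() -> Tuple[List[str], List[str]]:
    """Constructed traffic: one genuine filer, then one device cycling identities.

    Every request below passes KBA, so a KBA-only system would allow all of them.
    """
    hist = History()
    genuine = [score(Request("tp-0001", "dev-A", "203.0.113.5", 1000 + i, True), hist)[0]
               for i in range(2)]
    fraud = [score(Request(f"tp-{100 + i:04d}", "dev-B", "198.51.100.9",
                           2000 + 30 * i, True), hist)[0]
             for i in range(12)]
    return genuine, fraud


if __name__ == "__main__":
    g, f = simulate()
    print("genuine filer:", g)
    print("fraud device :", f)
```

In the constructed run the genuine filer is allowed twice without being asked a single extra question, while the fraud device is allowed for its first three identities, pushed to step-up from the fourth, and denied once its attempt rate from one address also crosses the velocity threshold, even though it answered every KBA question correctly. The asymmetry is the point: the burden moves from the taxpayer to the correlation of signals the attacker does not control.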
It’s entirely possible to effectuate this paradigm shift because it’s already happened for most modern financial services organizations. They use data-driven solutions to catch fraud, improve automatic acceptance rates, comply with regulatory “know your customer (KYC)” obligations, and even to smooth out the consumer experience. The White House has urged governmental agencies to leverage AI to “help the Federal government work smarter in its own services and missions in trustworthy ways.” In addition to staunching the flow of fraud with stimulus payouts, there are more than 100 kinds of interactions between Americans and the IRS that require authentication and could benefit from smarter, technology-driven verification measures.
In the meantime, financial institutions will need to maintain a laser-sharp focus on preventing COVID-19 stimulus funds from getting into fraudsters’ wallets. With vigilant anti-money-laundering and fraud prevention controls, FIs must do what they can to root out money mules and illegitimate transactions. While the IRS distributes these desperately needed checks, the banks can at least try to keep fraudulent ones from being cashed. All the while, we will be asking: IRS, will you wake up to the new paradigm and deal with the root cause?