Dear Internal Revenue Service,
It’s time to look for root causes. Please join me. It’s time to take some tactical steps to help hard-working Americans and protect taxpayer money. In light of the reports of theft of stimulus checks (which one headline called “pure hell”), I’ve been looking back at recent breaches of IRS systems and processes. There’s a common thread in these publicized fraud attacks: inadequate identity proofing. To get a stimulus check, you’ve been asking people to provide an SSN, date of birth, tax filing status, and street address. Unfortunately, much of that data has long been compromised and available for exploitation, and far too many Americans suffer as a result.
For years, as a privacy officer, I’ve tried to educate folks on the risks of stolen tax information and identity theft in general. I’ve alerted colleagues, friends, and the public about the “GetTranscript” account feature that opened the door to 334,000 stolen tax refunds, as well as the risks exposed in 2016 by the theft of over 100,000 e-file PINs. But now it’s happening all over again, and I’m feeling like I should just talk to you directly.
For years, the GAO (Government Accountability Office) has recommended that you shore up your identity verification and authentication methods. In 2015, it said that enhanced authentication could combat refund fraud, but that you were lacking useful estimates of the costs, benefits, and risks of taking on improvements. In 2016, the GAO got more specific: it pointed out that knowledge-based authentication (KBA) procedures, such as taxpayer questions and checks against third-party submitted information, had such gaps as to possibly have caused over $200M in tax refund payouts to illegitimate recipients. The 2016 report also called out your reliance on remote authentication as incentivizing fraudsters because of the ease of making high volumes of attempts. Then in 2018, the GAO spoke to the dire reality that identity proofing had become harder in the wake of massive data breaches of PII — including the breaches at the IRS.
I submit that the problem is not to be solved by making authentication harder, but rather by looking to innovative identity verification. Recently, we pointed out this key flaw to CNBC:
“The IRS is asking consumers for their mailing addresses, email addresses – it’s all appropriate information,” said Rivka Little, Sr. Vice President of Marketing and Strategy at Socure. “But all of those points of data are out there; they’re already breached and attainable,” she said.
The 2018 GAO report concluded that the IRS had made insufficient progress in prioritizing authentication improvements, assessing and monitoring multi-channel risks, and evaluating available authentication technologies. In spite of all these findings, you continue to rely upon these tried-and-failed methods that facilitate unauthorized access to taxpayer accounts (even by a property manager looking to see if tenants received their stimulus check):
- Submission of PII (personally identifying information)
- KBA (knowledge-based authentication) questions
- Static PINs (personal identification numbers) that are mailed to taxpayers
You also use methods that are hackable and/or costly to carry out:
- Multi-factor authentication such as OTP (one-time passwords) delivered via mobile phone SMS
- Submission of identity documents in person or via correspondence
I ask you directly, IRS: if you have already lamented that “the sources of stolen identities are limitless” (including the answers to KBA questions), then why do you continue to ask taxpayers to use these compromised sources to prove themselves?
Here’s my advice on what needs to happen. Shake it off and reboot your whole way of thinking. Not your systems, but your paradigm. Let’s execute a paradigm shift at the IRS. Let’s stop putting the burden of identity proofing on the individual: many of them fail in their attempts to prove themselves anyway. You can put the burden on experts and proven technologies. These exist! With a few simple inputs from the purported taxpayer, it is possible to independently judge the veracity of the soul that is on the other side of the Internet from you.
The technologies referenced above have proven that it’s not about the quantity of identifying data, but the quality of each element and how they fit together. Best-in-class solutions look at boatloads of online and offline data. They correlate that data with device and browser intelligence. They study the data to surface insights into all manner of fraudsters and fraudulent methods. They use artificial intelligence’s machine learning techniques. They iterate and improve to keep pace with developments on the fraudsters’ side. They are automated. So instead of asking more and more of genuine taxpayers, you can ask for less but get better determinations as to the authenticity of requests for access.
Indulge me for a #GoT moment: it’s like you’ve been building a bigger and bigger wall to keep out the White Walkers’ army of the dead. But, the Wall didn’t keep them out of the North for thousands of years just because of its sheer quantity of ice — it was due to the magic that imbued the Wall. We live in times where fraudsters employ the most sophisticated methods of deceit, so the defenses must also be built of the best technology, like fighting magic with magic.
It’s entirely possible to effectuate this paradigm shift because it’s already happened for most modern financial services organizations. They use data-driven solutions to catch fraud, improve automatic acceptance rates, comply with regulatory “know your customer (KYC)” obligations, and even to smooth out the consumer experience. The White House has urged governmental agencies to leverage AI to “help the Federal government work smarter in its own services and missions in trustworthy ways.” NOW is the time to take that advice. In addition to staunching the flow of fraud with stimulus payouts, there are over 100 kinds of interactions between Americans and the IRS that require authentication and could benefit from smarter, technology-driven verification measures.
In the meantime, companies such as financial institutions will need to maintain laser-sharp focus on preventing the funds from getting into fraudsters’ wallets. With hyper-vigilant money laundering and fraud prevention controls, FIs must do what they can to root out money mules and illegitimate transactions. While the IRS leaks these desperately needed checks, the banks can at least try to keep the checks from being cashed. All the while, we will be asking: IRS, will you wake up to the new paradigm and deal with the root cause?
Annie C. Bai, Esq.
Privacy Lead, Socure