The IRS fights to stay at least one step ahead of the fraudsters that use stolen taxpayer credentials to file tax returns. But the frequency of data breaches, both in and out of the government, gives its adversaries more ammunition.
“The proliferation of personally identifiable information that is out in the ecosystem makes it fundamentally more difficult to authenticate an individual,” Edward Killen, the IRS’ chief privacy officer, told members of the House Ways and Means Committee on Wednesday.
The Government Accountability Office, in its latest report on agency efforts to combat identity theft, found that criminals tried to claim more than $12 billion in fraudulent refunds in 2016 using stolen credentials. Of that, the IRS paid out least $1.6 billion in fraudulent tax returns.
“The growing number of security breaches across the public and private sector often make it difficult for the agency to verify the real taxpayer,” said Rep. Elijah Cummings (D-Md.), the ranking member of the oversight subcommittee. “In many cases, criminals combine sensitive taxpayer information that they stole from several sources. The thieves use this information to access the taxpayers online account or file a fraudulent tax return.”
In June 2015, hackers obtained personally identifiable information (PII) on nearly 22 million people, many of them current or former federal employees, from the Office of Personnel Management.
Meanwhile, the 2017 Equifax data breach may have exposed the PII of about 143 million people.
“When we heard about all of the different breaches, I was very concerned with how much data was out there and how that data could be used against us,” Gina Garza, the IRS chief information officer, said.
About a year-and-a-half ago, the IRS launched a review of every single transaction the agency has with taxpayers on all of its online systems.
“We went through did a very detailed analysis to identify what data was needed in order to be able to get access, and what kind of authentication procedures or protocols we needed to have in place for all of those applications. Garza said. “We went through and did that, and basically fortified and secured online applications.”
Sprawl of IRS portals: A ‘disaster waiting to happen?’
As the IRS continues to expand its taxpayer services online, Rep. Mike Bishop (R-Mich.) raised concerns over the agency’s 52 public-facing web applications, which he said creates many possible avenues for fraud to occur.
“It seems to me that that many forward-facing portals is a disaster waiting to happen,” Bishop said.
While Killen said it’s important to continuously assess whether there’s a “true business need” for its web applications, he added the IRS’ current portfolio of web apps exists to meet the needs of taxpayers and tax preparers.
“Each application that we have is there because some taxpayers somewhere, some group of taxpayers, find great value in it,” he said.
While nearly all data requested from the IRS requires some level of authentication, Killen said the challenge lies in determining the “level of rigor” users need to prove their identity, versus the “sensitivity of the data” those users are seeking.
“There may be one level of rigor associated with making a payment with us. There may be yet another level of rigor associated with if you need a transcript,” Killen said. “My point to that is that assessing measures against each and every one of those transactions is something that’s probably not practical.”