After Breach, IRS Considers PINs for All Taxpayers

The first step to enhance security on an Internal Revenue Service website that identity thieves rigged to steal other people's tax returns was to pull the cord on it. Now, the tax agency is contemplating a range of identity-theft protections, including issuing taxpayers annual passcodes, before bringing the "Get Transcript" service back online, according to IRS officials.

IRS officials said they realized the service's original login safeguards were insufficient after ID thieves accessed 100,000 tax returns, and then filed for 15,000 fraudulent refunds using the information on the returns. 

The sign-on method relied on an arguably outdated process of relying in part on answering security questions. Such "knowledge-based authentication" quizzes include questions like "Which of these lenders do you make mortgage payments to?" The answers often can be found on publicly available databases or social media networks. 

Among the options now under consideration for expanding online security: Giving every taxpayer the option to use an IRS-supplied PIN number.

Currently, only a small portion of the taxpaying population -- about 1.5 million individuals -- is given the added protection of PIN number verification. Taxpayers who have previously suffered ID theft are mailed a passcode that expires after one year. Taxpayers are required to register for a new one each and every year they file a return, IRS Commissioner John Koskinen told the committee.

The IRS has begun testing PIN access on a larger user base to identify ways of easing the process, he said. Taxpayers residing in Florida, Georgia and Washington, D.C., – locations particularly susceptible to refund fraud – are eligible to ask fora PIN, even if they have never been targeted by an ID thief. Officials now are examining the possibility of allowing people to use the same PIN for several years or to switch back to a Social Security Number, rather than having to renew their PINs every year.

Another possible fraud-control mechanism might be to keep tabs on the location of the computer interacting with the IRS. By identifying the IP address of the user, the agency can see if someone has switched devices to make a second request, IRS Chief Technology Officer Terence Milholland said at the hearing.

Also on the table is authorizing one email address for each taxpayer associated with that individual's Social Security number. This security mechanism might prove too cumbersome, however.

"Suppose the person wants to change the email address," Milholland said in response to a question from committee chairman, Sen. Ron Johnson, R-Wis. "How easy do we make that? All those what-ifs, unfortunately, Mr. Chairman, increases cost and complexity of the solution we want to put out,"

The Department of Health and Human Services' HealthCare.gov and the Social Security Administration are still using knowledge-based authentication to detect impostors.

Johnson asked the IRS commissioner and Milholland if they have been contacted by other department heads for advice on strengthening KBA verification. 

"I have not been contacted" by any of the other agencies, Koskinen said, but, he added, they are dealing with their own unique circumstances. 

"So you have not been contacted by [HHS Secretary] Sylvia Burwell? None of the agencies that are using this have contacted you directly to just talk about your experience?" Johnson asked again. "If they are watching here, I would highly recommend that they get in touch with you gentlemen and start thinking very long and hard about whether or not they ought to be taking their websites down or changing this very quickly."

Earlier that afternoon, a security expert had said KBA likely will become even more vulnerable now that everyone knows how to outwit the questions.  

"This is not the first successful compromise of KBA, but it has certainly received the most publicity," said Jeffrey E. Greene, former committee senior counsel and now director of government affairs at Symantec. "Most people don't get into crime to work hard. Copycats are pretty common. I think we are likely to see more KBA attacks both on the private sector entities that use it and in the government."

He recommended that organizations reliant on the mechanism add a second source of verification or ratchet up monitoring. "I suspect that there are criminals out there right now looking at this successful attack and saying, ‘How can I duplicate that somewhere else?’" Greene said. 

Others at IRS have had conversations with Social Security, as recently as Friday, about that agency's authentication practices, Milholland said.

On Thursday, a Social Security spokeswoman told Nextgov the agency uses KBA, or "out-of-wallet," questions, and offers people "optional two-factor authentication."

"We also verify a user’s information matches our internal records and records of an external authentication service provider," Social Security spokeswoman Nicole Tiggemann said in an email. The agency works "regularly with an external service provider to enhance our approach for using these types of out-of-wallet questions."

(Image via PKpix/ Shutterstock.com)