To meet new threats, IRS might need an old tool

The bad news: In the age of Facebook, Google and widespread data breaches, your personal information cannot be kept safe.

The better news: If they get the right people, the IRS says it can try to stay one step ahead of hackers.

In a pair of hearings on Capitol Hill on the heels of a breach involving roughly 104,500 taxpayers, the Senate Finance and Homeland Security and Governmental Affairs committees heard IRS Commissioner John Koskinen extoll the merits of streamlined critical pay, even as he and others admitted there is no “silver bullet” to protect data.

Scope of breach

Koskinen offered a breakdown of the 104,500 figure:

• 35,000 of the affected taxpayers had already filed 2014 income tax returns, meaning their most recent refunds were safe but they could face future problems.
• For another 33,000 cases of stolen info, there simply is no tax return for the past year (some of the SSNs, for instance, are associated with children).
• 23,500 unsuccessful, probably fraudulent returns.
• 13,000 suspect returns filed and $39 million in refunds issued.

“It’s not 104,000 new stolen identities,” he noted, stressing that the personal information of the affected taxpayers had apparently been compromised prior to the IRS breach — personal information is how hackers got through the IRS’ knowledge-based authentication system, after all.

Hackers breaking into the “Get Transcript” application had to answer four multiple-choice questions, the answers for which were easily Googleable.

Making matters worse, the IRS’s second factor of authentication was an email — sent to the email address the fraudster had just supplied.

The IRS wasn’t checking to ensure that the same email address wasn’t used for multiple taxpayer accounts.

“They didn’t have to be [separate emails],” said IRS CTO Terry Millholland. “That’s one of the design flaws.”

Fraudulent pulls only became clearly visible to the IRS -- “shrouded” as they had been in the “huge volume” of legitimate “Get Transcript” requests -- when tax-filing season ended but hackers continued making large numbers of transcript requests as legitimate taxpayers stopped making them.

Lots of fixes, none of them perfect

An IP PIN?

It’s great “as long you don’t lose it,” Koskinen said.

IRS Identity Protection Personal Identification Numbers are available only to identity theft victims and residents of Florida, Georgia and D.C. though as another piece of identifying info, they could help cut down on fraud.

But the IRS can’t just start offering them willy-nilly Koskinen said, because they’d be one more piece of complexity and citizens might questions why “big brother” needs another piece of data on them.

Even if IP PINs were only offered to people who wanted them, that could pose a problem.

“If you give PINs to 50 million people and half of them lose them, [the ensuing chaos] would create lots of background noise” as the IRS wrangled replacement PINs, Koskinen noted.

Koskinen also advocated limiting the number of companies producing W-2 forms, to make it easier for the IRS to detect sketchy forms, and masking Social Security numbers on those forms to help protect data.

Sen. Johnny Isakson (R-Ga.) suggested eliminating the personal income tax altogether, replacing it with a national sales tax, which Koskinen had to agree would, “by definition,” kill the threat that personal information is stolen from the IRS.

Streamlined critical pay

Assuming his agency continues to exist, however, Koskinen said what the IRS needs most is talent.

Restoring the IRS’s streamlined critical pay authority -- a special category that the agency can use to fill posts that "require expertise of an extremely high level" and "are critical to the Internal Revenue Service’s successful accomplishment of an important mission." -- could prove crucial in the fight to keep taxpayer information safe.

Koskinen estimated implementing streamlined critical pay would cost the government between $400,000 and $500,000, in the form of hiring a handful of highly qualified tech people.

Those 30 or so hires could help the IRS combat tens of millions of dollars’ worth of fraud, Koskinen and Treasury Inspector General for Tax Administration Russell George said.

George wouldn’t give an overall savings dollar figure when prompted, but he affirmed that the streamlined critical pay program at the IRS seemed to have been a well-managed program until its expiration in September 2013.

While the authority would enable the IRS to pay more, Koskinen said that money isn’t always the issue with tech talent.

Many highly skilled individuals simply don’t want to go through the government’s months-long hiring process, and streamlined critical pay authority would enable the IRS to bypass that for top tech talent.

“We can find somebody, make them an offer, they accept it and we start immediately,” Koskinen said, noting that many key roles at the IRS — including CTO Millholland’s — are currently filled by people hired under the prior special authority.

A never-ending battle

Fraud will never disappear, and as personal data becomes ever-less private, the old methods of security just won’t fly.

Two-factor identification seems a likely wave of the future.

“Perhaps use of biometrics, perhaps Connect.gov,” speculated Millholland.

And as the struggle to stay ahead of hackers continues, the familiar debate over IRS funding will continue as well.

Koskinen stressed that he did not want to make the hearings “a budget issue,” though he noted the IRS’s budget has been trimmed in recent years.

On the other hand, as he heard the IRS had not implemented a number of inspector general suggestions, Sen. Tim Scott (R-S.C.) was struck by the same thought that has occurred to government watchdogs.

“These do not sound like resource issues, these sound like management issues,” he said.

“I agree sir,” said George. “I agree.”