Some state revenue agencies and motor vehicle departments are receiving federal funds to verify the smartphone selfies of taxpayers, say government and corporate officials involved.
Individuals residing in North Carolina and Georgia will be allowed late next year to download a facial recognition app -- for selfie matching -- that should bar others from claiming tax refunds in their name.
Why enlist the DMV?
"They do a fantastic job of in-person proofing someone's identity, and that's a necessary step to get into a high-level assurance for any kind of electronic credential that you might want to issue," Mark DiFraia, a senior director at biometric technology provider MorphoTrust, said in an interview.
Now that so much of our personal information is readily available online, confidential biographical data alone is not enough protection against ID theft, experts say.
In August, the federal government disclosed that crooks gamed an Internal Revenue Service online tool, by entering stolen private information on about 334,000 individuals, and filed for $39 million in fraudulent refunds.
Earlier this year, TurboTax temporarily unplugged state return e-filing after several states reported criminals using false identities to attempt to collect refunds.
But come late 2016, thousands of state residents will be able to block anyone from filing for their refund who does not have the same facial features, personal information and driver's license, according to officials. The new service will be offered as a preemptive measure for the tax season that begins Jan. 5, 2017.
Here's how the anti-spoofing mechanism will work:
- An individual downloads a MorphoTrust app that will be available on many types of smartphones.
- The user scans the barcode on the driver's license with the phone.
- The person uses the phone to take a picture of the front of the license so the DMV can verify it is a valid card.
- And, then "they actually take a selfie," by bringing the camera up and taking a self-portrait, DiFraia said.
- The taxpayer consents to having the barcode scan and pictures cross-matched with data in the DMV's records.
The images transmitted are not stored by MorphoTrust, the DMV or the state tax collector, DiFraia said. The DMV is not sharing any personal information in its records with the tax collector. The revenue agency only receives a confirmation or denial of a match. The selfie stays on the user's phone.
"This whole service is built from the core with privacy and consent as their key tenets," DiFraia said. "We're not giving DMV any data they don't already have."
The trial aims to sign up at least 75,000 individuals across both North Carolina and Georgia.
A federally funded, industry-led initiative to secure online transactions with credentials other than passwords has granted the project $1.8 million, officials announced this week. H&R Block also is a partner in the selfie-authentication effort.
Mike Garcia, acting director of the National Strategy for Trusted Identities in Cyberspace National Program Office, tells Nextgov the service "creates this sort of componentized separation, so the interaction that is occurring with the DMV is completely distinct from the interaction that's occurring with the department of taxation of revenue. That's intentional. That's, from our view, a privacy feature."
As of now, federal-level tax returns are not part of the project.
"We do not have any plans with the IRS as of yet for this solution," DiFraia said. "But we're optimistic that what we're demonstrating and the ideas contained within the grants would be interesting to them and something that they might consider as a way of providing users with another option where they can proactively do something to try to mitigate the risk of this kind of fraud."
The IRS paid out $5.8 billion to criminals in 2013, according to the Government Accountability Office.
When ID bandits struck TurboTax earlier, H&R Block reportedly said there was no indication of a similar problem with its tax returns. H&R Block's security safeguards included requiring a federal e-filed return to be accepted by the IRS before transmitting a state e-filed return. With TurboTax, it was possible to file a state return online without sending a federal return.
This is not H&R Block's first foray into biometrics. On Aug. 31, the tax software provider announced a partnership with the Transportation Security Administration to house fingerprinting kiosks in H&R Block offices where customers can enroll in TSA's PreCheck expedited screening program.
Garcia said of the taxpayer verification service, "if done right, it's actually about putting less information out there." The data already captured at the DMV, eliminates the need for "going through another proofing event with the office of taxation and revenue," he added.
Some privacy advocates questioned an anti-fraud program that relies on biometric databases, especially as the Office of Personnel Management just announced the compromise of fingerprints of millions of national security workers.
“No amount of authentication can compensate for insecure hardware and software,” Electronic Frontier Foundation senior staff attorney Lee Tien said. “Plus, we just saw that OPM admitted something like 5.6 million fingerprints were compromised—isn’t biometric authentication wonderful?”
In the taxpayer security situation, “here, I guess the issue is face recognition—but if I can make my phone send a picture of you, is that enough?” he wondered.
(Image via kaisorn/ Shutterstock.com)